最近一次检查服务器应用运行情况时在应用 log 中发现大量不寻常的指向访问(大量某皇家 xx 流量),同时网卡出口方向负载异常。于是通过 netstat 排查出入流量,同时使用 iptables 将垃圾流量地址屏蔽,减轻应用运行负载,提高运行体验。(也可自行编写 shell 将大流量相同访问自动屏蔽,但可能影响用户访问,本文介绍应对普通攻击时的手动操作方法)
演示环境为 Ubuntu 18.04
$ apt-get install iptables -y
查看 iptables 版本
$ iptables -V
以应用运行在 80 端口为例 列出 80 端口正被哪些 ip 访问
$ netstat -tun | grep ":80"
列出访问 80 端口前 10 的 ip 地址,并显示连接数
$ netstat -antp | awk '$4 ~ /:80$/ {print $4" "$5}' | awk '{print $2}'|awk -F : {'print $1'} | uniq -c | sort -nr | head -n 10
列出所有访问 80 端口的 ip 地址,并显示连接数
$ netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1
显示所有的网络活动
$ netstat -na
显示连接数多的 ip
$ netstat -an|awk -F: '{print $2}'|sort|uniq -c|sort -nr|head
列出所有经过的 ip
$ netstat -n -p | grep SYN_REC | sort -u
计算每个 ip 发起的连接数
$ netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
以主机名方式显示规则
$ iptables -L
以 ip 显示显示规则
$ iptables -L -n
$ iptables -I INPUT -s ***.***.***.*** -j DROP
例如
$ iptables -I INPUT -s 202.60.228.135 -j DROP
$ iptables -I INPUT -s 47.112.148.83 -j DROP
$ iptables -I INPUT -s 208.115.232.242 -j DROP
$ iptables -I INPUT -s 63.143.61.22 -j DROP
如果恶意访问的 ip 来自同一机房,可直接将机房 ip 段屏蔽
$ iptables -I INPUT -s ***.***.***.***/24 -j DROP
例如
$ iptables -I INPUT -s 1.2.3.0/24 -j DROP
$ iptables -D INPUT -s ***.***.***.*** -j DROP
同上
配置完成后可使用
iptables -L -n
检查规则
使用iptables-save
保存此次修改
配置每次启动自动生效上一次的防火墙规则
$ iptables-save > /etc/iptables.rules
编辑/etc/network/interfaces
文件,在末尾加上
pre-up iptables-restore < /etc/iptables.rules
每次修改 iptables 规则后,执行一次iptables-save > /etc/iptables.rules
来保存规则。
$ iptables --help
iptables v1.6.1
Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w [seconds] maximum wait to acquire xtables lock before give up
--wait-interval -W [usecs] wait time to try to acquire xtables lock
default is 1 second
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.