对于这个问题,IPTABLES应该如何设置?

dAVIY

机器的WEB服务好象没有反映,IPTABLES已经设置了:
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP

用netstat -an看了一下,如下:
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:32777 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:32778 0.0.0.0:* LISTEN
tcp 0 0 172.16.0.4:80 202.160.180.45:35342 SYN_RECV
tcp 0 0 172.16.0.4:80 60.210.127.89:4365 SYN_RECV
tcp 0 0 172.16.0.4:80 218.91.94.231:4531 SYN_RECV
tcp 0 0 172.16.0.4:80 60.210.127.89:4368 SYN_RECV
tcp 0 0 172.16.0.4:80 220.181.18.85:50842 SYN_RECV
tcp 0 0 172.16.0.4:80 218.56.99.23:14237 SYN_RECV
tcp 0 0 172.16.0.4:80 202.160.178.166:48549 SYN_RECV
tcp 0 0 172.16.0.4:80 58.61.33.230:52123 SYN_RECV
tcp 0 0 172.16.0.4:80 60.26.227.81:3421 SYN_RECV
tcp 0 0 172.16.0.4:80 202.108.23.93:58978 SYN_RECV
tcp 0 0 172.16.0.4:80 60.208.223.191:3349 SYN_RECV
tcp 0 0 172.16.0.4:80 219.135.207.153:1104 SYN_RECV
tcp 0 0 172.16.0.4:80 60.210.127.89:4379 SYN_RECV
tcp 0 0 172.16.0.4:80 60.210.127.89:4374 SYN_RECV
tcp 0 0 172.16.0.4:80 60.26.227.81:3420 SYN_RECV
tcp 0 0 172.16.0.4:80 202.160.179.55:43501 SYN_RECV
tcp 0 0 172.16.0.4:80 202.160.179.210:58612 SYN_RECV
tcp 0 0 172.16.0.4:80 66.249.72.79:61360 SYN_RECV
tcp 0 0 172.16.0.4:80 74.6.74.37:38882 SYN_RECV
tcp 0 0 172.16.0.4:80 218.195.62.11:1517 SYN_RECV
tcp 0 0 172.16.0.4:80 60.210.127.89:4389 SYN_RECV
tcp 0 0 172.16.0.4:80 72.30.252.134:52828 SYN_RECV
tcp 0 0 172.16.0.4:80 211.158.73.231:62517 SYN_RECV
tcp 0 0 172.16.0.4:80 60.210.127.89:4387 SYN_RECV
tcp 0 0 172.16.0.4:80 220.181.18.85:33546 SYN_RECV
tcp 0 0 172.16.0.4:80 218.91.94.231:4178 SYN_RECV
tcp 0 0 172.16.0.4:80 218.195.62.11:1533 SYN_RECV
tcp 0 0 172.16.0.4:80 60.208.223.191:3291 SYN_RECV
tcp 0 0 172.16.0.4:80 60.208.223.191:3593 SYN_RECV
tcp 0 0 172.16.0.4:80 60.26.227.81:3428 SYN_RECV
tcp 0 0 172.16.0.4:1521 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 172.16.0.4:1521 172.16.0.4:32828 ESTABLISHED
tcp 0 0 172.16.0.4:1521 172.16.0.4:32858 ESTABLISHED
tcp 0 0 ::ffff:127.0.0.1:8005 :::* LISTEN
tcp 0 0 :::8009 :::* LISTEN
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 13020 ::ffff:172.16.0.4:80 ::ffff:121.16.252.104:2800 CLOSE_WAIT
tcp 0 13020 ::ffff:172.16.0.4:80 ::ffff:121.16.252.104:2801 CLOSE_WAIT
tcp 0 13020 ::ffff:172.16.0.4:80 ::ffff:121.16.252.104:2802 CLOSE_WAIT
tcp 0 13020 ::ffff:172.16.0.4:80 ::ffff:121.16.252.104:2803 CLOSE_WAIT
tcp 193 0 ::ffff:172.16.0.4:80 ::ffff:74.6.85.173:44389 CLOSE_WAIT
tcp 0 0 ::ffff:172.16.0.4:32858 ::ffff:172.16.0.4:1521 ESTABLISHED
tcp 0 0 ::ffff:172.16.0.4:32828 ::ffff:172.16.0.4:1521 ESTABLISHED
tcp 275 0 ::ffff:172.16.0.4:80 ::ffff:74.6.69.113:55388 CLOSE_WAIT
tcp 0 13020 ::ffff:172.16.0.4:80 ::ffff:121.16.252.104:2795 CLOSE_WAIT
tcp 0 13020 ::ffff:172.16.0.4:80 ::ffff:121.16.252.104:2796 CLOSE_WAIT
tcp 0 13020 ::ffff:172.16.0.4:80 ::ffff:121.16.252.104:2797 CLOSE_WAIT
tcp 0 13020 ::ffff:172.16.0.4:80 ::ffff:121.16.252.104:2798 CLOSE_WAIT
tcp 0 13020 ::ffff:172.16.0.4:80 ::ffff:121.16.252.104:2799 CLOSE_WAIT

[ 本帖最后由 dAVIY 于 2006-12-12 09:55 编辑 ]

ssffzz1

愣没看懂你要干什么

dAVIY

看NETSTAT的查看结果,好象是洪水攻击导致服务没反应,我就是想怎么能防御?

platinum

-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
你为什么这么设？
你是否明白这个的意思？

dAVIY

阻止所有SYN,RST,ACK SYN 的连接，这样设置不对吗？

platinum

那么 SYN,RST,ACK SYN 代表什么意思？
换句话说，SYN,RST,ACK 中只有 SYN 为 1，其他两个为 0 的时候是什么时候呢？

铁钉

建议你看一下TCP/IP,里面有 SYN, RST,ACK的说明.

dAVIY

不太明白，请指教一下。。。

5iwww

INPUT SYN DROP .... 这是应用于WEB服务器？？？

dAVIY

那应该如何避免SYN攻击呢？