Firewall & IDS/IPS
🔥 Vibe Prompt
"Set up iptables firewall rules. Configure Snort IDS for SQLi detection."
Iptables Firewall
```sh
# Start from an empty INPUT chain so re-running the script does not duplicate rules
iptables -F INPUT
# Loopback and already-established traffic first: without these two rules the
# DROP policy below breaks local services and cuts the SSH session you are
# configuring from
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH, rate limited: a source that opens 4 or more new connections
# within 60 seconds is dropped (the "recent" module keeps the per-source list)
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow web traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Log whatever falls through (rate limited so a flood cannot fill the log);
# the default policy then drops it
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 4
# Default policies (drop all inbound and forwarded traffic), set last so the
# accept rules above are already in place when the policy flips
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Persist across reboots (path read by iptables-persistent / netfilter-persistent);
# IPv6 needs the same rules applied separately with ip6tables
iptables-save > /etc/iptables/rules.v4
```
Snort IDS Rules
```
# SQLi / XSS detection (Snort 2 rule syntax: one rule per line).
# flow:to_server,established limits matching to client-to-server traffic on
# established sessions; rev tracks edits to a rule with the same sid.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - UNION"; flow:to_server,established; content:"UNION"; nocase; content:"SELECT"; nocase; within:30; classtype:web-application-attack; sid:1000001; rev:1;)
# content:"OR" is only a cheap prefilter; the pcre does the real check.
# (The pcre's closing quote belongs after the /i flag, not before it.)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - OR true"; flow:to_server,established; content:"OR"; nocase; pcre:"/(\d+|')\s*OR\s*[\d=]+/i"; classtype:web-application-attack; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"XSS Attempt"; flow:to_server,established; content:"<script>"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
```
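The three rules above are plain signature matches, and it is worth seeing exactly what they fire on and what they miss before deploying them. The Python script below is an added example, not code from the original page or from the Snort project: it re-implements the three signatures as predicates (approximating Snort's `content`/`nocase`/`within` semantics and reusing the page's pcre unchanged) and runs them over constructed request lines. The sample requests, the `match_rules`/`scan` helpers and the 30-byte window model are this example's assumptions.

```python
import re
from urllib.parse import unquote

# Approximation of the Snort semantics the page's rules rely on:
#   content:"X"; nocase;  -> case-insensitive substring search
#   within:30;            -> the next pattern must lie entirely in the 30 bytes
#                            that follow the end of the previous match
UNION_SELECT_WINDOW = 30
# The page's pcre, unchanged (Snort's /i flag corresponds to re.IGNORECASE).
OR_TRUE_RE = re.compile(r"(\d+|')\s*OR\s*[\d=]+", re.IGNORECASE)


def union_select(payload):
    """sid:1000001 - 'UNION' followed by 'SELECT' within 30 bytes."""
    low = payload.lower()
    start = 0
    while True:
        i = low.find("union", start)
        if i == -1:
            return False
        end = i + len("union")
        if "select" in low[end:end + UNION_SELECT_WINDOW]:
            return True
        start = i + 1  # try the next UNION occurrence, as Snort would


def or_true(payload):
    """sid:1000002 - cheap content:"OR" prefilter, then the pcre."""
    return "or" in payload.lower() and OR_TRUE_RE.search(payload) is not None


def xss(payload):
    """sid:1000003 - literal <script> tag, case-insensitive."""
    return "<script>" in payload.lower()


RULES = {1000001: union_select, 1000002: or_true, 1000003: xss}


def match_rules(payload, normalize=False):
    """Return the sids that fire on one request line.

    normalize=True percent-decodes first, which is what Snort's normalized
    http_uri buffer gives you; the rules as written match raw bytes."""
    buf = unquote(payload) if normalize else payload
    return [sid for sid, check in RULES.items() if check(buf)]


# Constructed request lines for the demo (not captured traffic).
SAMPLES = [
    "GET /products?id=42 HTTP/1.1",                                        # benign
    "GET /products?id=1 UNION SELECT username,email FROM users HTTP/1.1",  # sid 1000001
    "GET /login?user=admin' OR 1=1-- HTTP/1.1",                            # sid 1000002
    "GET /search?q=<script>alert(1)</script> HTTP/1.1",                    # sid 1000003
    "GET /search?q=chapter 2 or 3 HTTP/1.1",        # benign text that still trips sid 1000002
    "GET /products?id=1 %55NION SELECT name FROM t HTTP/1.1",  # only visible once the URI is decoded
]


def scan(samples=SAMPLES):
    """Map each sample to (sids on raw bytes, sids on the decoded URI)."""
    return {p: (match_rules(p), match_rules(p, normalize=True)) for p in samples}


if __name__ == "__main__":
    for payload, (raw, decoded) in scan().items():
        print(f"{payload}\n    raw={raw}  decoded={decoded}")
```

The last two samples carry the operational lessons: the "OR true" rule fires on ordinary text that happens to contain a digit, the word "or" and another digit, so expect to tune it against real traffic, and a keyword only matches in its decoded form when the rule inspects the normalized URI (add Snort's `http_uri` modifier after each `content`) rather than the raw stream.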
Fail2Ban
```ini
# /etc/fail2ban/jail.local (overrides jail.conf; findtime keeps its 10m default)
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

[nginx-botsearch]
enabled = true
filter = nginx-botsearch
logpath = /var/log/nginx/access.log
maxretry = 5
bantime = 86400
```
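To see what the [sshd] jail settings above do against real-looking input, here is an added Python simulation of the maxretry/findtime/bantime logic. It is not Fail2Ban's code and not from the original page: the auth.log lines are constructed, the `LINE_RE` pattern is a simplified stand-in for Fail2Ban's sshd filter, and the `Jail` class, its `feed`/`is_banned` methods and the 600-second findtime (Fail2Ban's default, which the page's jail does not override) are this example's assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for Fail2Ban's sshd filter: syslog prefix plus the
# "Failed password" message. Example regex only, not Fail2Ban's own.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>[\d.]+) port \d+"
)


def parse_ts(text):
    """Seconds since an arbitrary epoch; syslog timestamps carry no year."""
    return (datetime.strptime(text, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()


class Jail:
    """Sliding-window ban logic in the spirit of jail.local's [sshd] section."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # host -> timestamps of recent failures
        self.banned = {}                    # host -> time the ban expires
        self.actions = []                   # (host, "ban" | "unban", timestamp)

    def _expire(self, now):
        for host, until in list(self.banned.items()):
            if until <= now:
                del self.banned[host]
                self.actions.append((host, "unban", until))

    def feed(self, line):
        """Process one log line; returns None for lines the filter ignores."""
        m = LINE_RE.match(line)
        if not m:
            return None
        now, host = parse_ts(m["ts"]), m["host"]
        self._expire(now)
        if host in self.banned:
            return "banned"                 # the firewall already drops this host
        q = self.failures[host]
        q.append(now)
        while q and now - q[0] > self.findtime:
            q.popleft()                     # forget failures older than findtime
        if len(q) >= self.maxretry:
            self.banned[host] = now + self.bantime
            self.actions.append((host, "ban", now))
            q.clear()
            return "ban"
        return "counted"

    def is_banned(self, host):
        return host in self.banned


# Constructed auth.log excerpt (documentation-range addresses, not real hosts).
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:03 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar  1 10:00:04 web1 sshd[1203]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  1 10:00:06 web1 sshd[1204]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  1 10:00:09 web1 sshd[1205]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar  1 10:05:00 web1 sshd[1206]: Failed password for ops from 198.51.100.7 port 40023 ssh2
Mar  1 10:30:00 web1 sshd[1207]: Failed password for ops from 198.51.100.7 port 40024 ssh2
Mar  1 10:55:00 web1 sshd[1208]: Failed password for ops from 198.51.100.7 port 40025 ssh2
"""


def run(log=SAMPLE_AUTH_LOG, **jail_opts):
    """Feed every line through a fresh Jail; returns (jail, per-line verdicts)."""
    jail = Jail(**jail_opts)
    return jail, [jail.feed(line) for line in log.splitlines()]


if __name__ == "__main__":
    jail, verdicts = run()
    for line, verdict in zip(SAMPLE_AUTH_LOG.splitlines(), verdicts):
        print(f"{verdict!s:8} {line}")
    print("actions:", jail.actions)
```

Running it shows the two behaviours worth knowing when tuning a jail: the first host is banned on its third failure within the window and its later attempts are reported as already banned, while the second host, spacing its failures 25 minutes apart, never accumulates three inside findtime and is never banned. Lowering maxretry or raising findtime trades that gap against the risk of locking out users who mistype a password.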
Defense Layers
```
Internet → WAF (Layer 7, app-level)
                ↓
        Firewall (Layer 3/4, IP/port)
                ↓
        IDS/IPS (Layer 7, signatures + anomaly)
                ↓
        HIDS (host-level, file integrity)
```
Best Practices
- Defense in depth: never rely on single layer
- Default deny all inbound
- Log all blocked traffic
- Regular rule review (eliminate stale rules)
- Automate with IaC (Ansible, Terraform)
Key Points
- Understand the core concepts thoroughly
- Practice with hands-on code examples
- Apply knowledge to real-world problems
- Review and reinforce through exercises
Further Learning
- Official documentation
- Open source projects on GitHub
- Community forums and discussions
- Related courses and tutorials
Firewall: the Network's Gatekeeper
A firewall is the first line of defense in network security. It decides, according to its rules, which traffic is allowed through.
Firewall Types

| Type | Layer | Function |
|:----|:----|:----|
| Stateless | L3/L4 | Inspects packet headers only |
| Stateful | L3/L4 | Tracks connection state |
| NGFW (next-generation) | L7 | Application-layer filtering + IDS/IPS |

IDS vs IPS

| System | Response after detection |
|:----|:----------|
| IDS (Snort) | Raises an alert, does not block traffic |
| IPS (Suricata) | Automatically blocks malicious traffic |

Next Chapter Preview: VPN and Remote Access
Firewalls manage internal traffic. The VPN in the next chapter manages how external users connect securely into the internal network.