I spent a while thinking about two things regarding this post: most of the people who look for these tutorials are beginners, and second, many have already asked for something simple that can be extended later.
This example is for a web server, but it is easy to add more rules and adapt it to your needs.
Wherever you see "x", replace it with your own IPs.
```bash
#!/bin/bash
# Flush the filter table
iptables -F
iptables -X
# Flush the NAT table
iptables -t nat -F
iptables -t nat -X
# mangle table, for things like PPPoE, PPP and ATM
iptables -t mangle -F
iptables -t mangle -X

# Policies. I think this is the best approach for beginners and it is
# still not a bad one. I'll explain: OUTPUT is ACCEPT because those are
# connections made by us; INPUT drops everything; and FORWARD drops too,
# since this server does not forward traffic.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Intranet LAN
intranet=eth0
# Extranet WAN
extranet=eth1

# Keep state. Anything already connected (ESTABLISHED) is left as it is:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback device.
iptables -A INPUT -i lo -j ACCEPT

# http, https: we do not specify the interface because we want them
# reachable from everywhere
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# ssh only from inside, and only from this range of IPs
iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 7659 -j ACCEPT

# Monitoring, for example if you have zabbix or some snmp service
iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 10050 -j ACCEPT

# icmp, ping: whether to allow it is up to you
iptables -A INPUT -p icmp -s 192.168.x.x/24 -i $intranet -j ACCEPT

# mysql; with postgres it is port 5432
iptables -A INPUT -p tcp -s 192.168.x.x --sport 3306 -i $intranet -j ACCEPT

# sendmail, well... only if you want to send some mail
#iptables -A INPUT -p tcp --dport 25 -j ACCEPT

# Anti-SPOOFING 09/07/2014
SERVER_IP="190.x.x.x"        # server IP: the real WAN IP of your server
LAN_RANGE="192.168.x.x/21"   # LAN range of your network or VLAN
# IPs that should never come in through the WAN. This only makes sense if
# we have a WAN-only setup; the LAN must not be routed through this interface
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Default action to take when any of these rules matches
ACTION="DROP"

# Packets arriving via the WAN with the same IP as the server
iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
#iptables -A OUTPUT -o $extranet -s $SERVER_IP -j $ACTION

# Packets with the LAN range on the WAN. I put it like this in case you have
# some special network, but it is already covered by the following rules
# in the "for" loop
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION

## None of the SPOOF networks are allowed on the WAN
for ip in $SPOOF_IPS
do
  iptables -A INPUT -i $extranet -s $ip -j $ACTION
  iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
```
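The anti-spoofing loop is the part of the script most worth checking before it goes live, and the post's own advice (replace every "x"; a policy change can lock a remote session out) suggests two checks. The following is an added example written for this edit, not the post's script: a wrapper that generates the same anti-spoofing rules in dry-run mode, refuses any address that still contains the "x" placeholder, and a rollback timer that restores the previous rule set if you lose access. The function names (`ipt`, `valid_cidr`, `antispoof_rules`, `rollback_timer`, `confirm_rules`), the `IPT_DRY_RUN` variable and the /tmp snapshot path are assumptions of this example; the addresses in the usage line at the bottom are constructed.

```shell
#!/bin/bash
# Added example (not the post's script). IPT_DRY_RUN=1 prints the rules
# instead of applying them, so the logic can be checked without root.
IPT_DRY_RUN="${IPT_DRY_RUN:-1}"

# Run an iptables command, or print it when in dry-run mode.
ipt() {
  if [ "$IPT_DRY_RUN" = "1" ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# Return 0 if $1 is a dotted-quad address with an optional /prefix, 1 if it
# still contains the tutorial's "x" placeholder or is otherwise malformed.
valid_cidr() {
  case "$1" in *[xX]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
  local addr="${1%%/*}" prefix="${1#*/}" octet
  if [ "$prefix" != "$1" ] && [ "$prefix" -gt 32 ]; then return 1; fi
  for octet in $(printf '%s' "$addr" | tr . ' '); do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Emit the anti-spoofing rules from the post for one WAN interface.
# Usage: antispoof_rules <wan_if> <server_ip> <lan_range> [action]
antispoof_rules() {
  local wan="$1" server_ip="$2" lan_range="$3" action="${4:-DROP}" ip
  local spoof_ips="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
  # Refuse to emit anything if a placeholder or bad address slipped through
  for ip in "$server_ip" "$lan_range" $spoof_ips; do
    valid_cidr "$ip" || { echo "bad address: $ip" >&2; return 1; }
  done
  # Packets arriving on the WAN that claim the server's own address
  ipt -A INPUT -i "$wan" -s "$server_ip" -j "$action"
  # Packets with the LAN range arriving on, or leaving via, the WAN
  ipt -A INPUT -i "$wan" -s "$lan_range" -j "$action"
  ipt -A OUTPUT -o "$wan" -s "$lan_range" -j "$action"
  # Private and reserved ranges are never legitimate on the WAN side
  for ip in $spoof_ips; do
    ipt -A INPUT -i "$wan" -s "$ip" -j "$action"
    ipt -A OUTPUT -o "$wan" -s "$ip" -j "$action"
  done
}

# Lockout guard for remote sessions: snapshot the live rules and restore
# them after $1 seconds unless confirm_rules is called first.
rollback_timer() {
  local secs="${1:-90}" snap=/tmp/iptables.rollback
  if [ "$IPT_DRY_RUN" = "1" ]; then
    echo "dry run: would arm ${secs}s rollback"
    return 0
  fi
  iptables-save > "$snap" || return 1
  ( sleep "$secs" && iptables-restore < "$snap" ) &
  echo $! > "$snap.pid"
  echo "rollback armed: old rules return in ${secs}s unless confirm_rules runs" >&2
}

# Cancel the pending rollback once the new rule set is known to be good.
confirm_rules() {
  local snap=/tmp/iptables.rollback
  [ -f "$snap.pid" ] && kill "$(cat "$snap.pid")" 2>/dev/null
  rm -f "$snap" "$snap.pid"
}

# Usage with constructed sample values; only runs in dry-run mode.
if [ "$IPT_DRY_RUN" = "1" ]; then
  antispoof_rules eth1 190.1.2.3 192.168.0.0/21
fi
```

With the default dry run the usage line prints the 13 rules it would insert (3 explicit ones plus 2 per reserved range); leaving an "x" in any address makes it refuse and print `bad address` instead. On a remote box, set `IPT_DRY_RUN=0`, call `rollback_timer 90` before applying, then open a fresh session and run `confirm_rules` only once you have verified that session works.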
As always I look forward to your comments; stay tuned to this site, thanks.
12 comments
It helps me keep learning a bit more, thanks, copied.
You're welcome, glad to be of help.
I'm really sorry, but I have two questions (and one more as a bonus 😉):
Could this configuration be reduced to having Apache running and closing everything else except SSH?
```bash
# Flush the table
iptables -F
iptables -X
# Flush NAT
iptables -t nat -F
iptables -t nat -X
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# ssh only from inside and from this range of IPs
iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 7659 -j ACCEPT
```
Second question: is port 7659 the one used for SSH in this example?
Third and last: in which file should this configuration go?
Thanks a lot for the tutorial; it's a shame to be a newbie and not be able to take full advantage of it.
this is the rule you need for http from apache
```bash
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
```
but you also need to declare the default policies (it's in the script)
```bash
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
```
and this one, because if you are remote it will kick you out.
```bash
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
yes, 7659 is the ssh port in this example; by default it is 22, although I recommend changing it to a "not well-known" port
man, I don't know, whatever you want... firewall.sh, and put it in rc.local (sh firewall.sh) so it starts automatically; it depends on which operating system you have, there are files where you can put the rules directly.
Hey, your script is very good, I'm studying it.... Do you know how I could block all my users' requests to a certain website?.... but that website has many servers....
I suggest a few options:
1) You can create a fake zone in your DNS...
2) You can put a proxy with an ACL
without restrictions
With iptables you could try this... it's not always the best option (there are more ways)
```bash
iptables -A INPUT -s blog.desdelinux.net -j DROP
iptables -A OUTPUT -d blog.desdelinux.net -j DROP
```
Let me know if it worked
Thanks for the reply, everything is clear. I asked about the port because I was surprised by the use of 7659, since private ports start at 49152, and it might interfere with some other service or something.
Again, thanks for everything, it's great!
Thank you.
BrodyDalle, how can I contact you? Very interested in your script.
soulofmarionet_1@hotmail.com
Is the last line "iptables -A OUTPUT -o $extranet -s $ip -j $ACTION" there to stop your machine from spoofing? Or is it possible that some poisoned packet got in and could leave with that poisoned source, and that is why the rule is combined with OUTPUT?
Thanks a lot for the explanation!!!
This is my own script, it's quite complete:
```bash
#!/bin/bash
# franes.iptables.airoso
# doc.iptables.airoso: iptables for legacy and for nft
#
# portable firewall
##############################
#
# clear screen
################################ start of /etc/f-iptables/default.cfg |||||
clear
# leave a blank line
echo
# Toggle trick: a command prefixed with "$si" runs normally (the variable is
# empty), a command prefixed with "$no" is only echoed (the variable is "echo")
export si="" no="echo"
# variables you can change to allow access
########################## variables to change with $si or $no
export hayexcepciones="$no"
# hayexcepciones: $si to allow the exceptions, $no to disable them
export hayping="$no"
# hayping: $si to allow pings from third parties, $no to deny them
export haylogserver="$no"
# haylogserver: $si to log tcp, $no not to log tcp
######
############################## variables to change, adding with "," or with a range of ":"
export excepciones="baldras.wesnoth.org"
# excepciones: allow one or several hosts through the firewall, or no value
export logserver=discard,ipp,dict,ssh
# logserver: tcp server ports that get logged when packets come in
export redserver=0/0
# redserver: network for the server ports, preferably the local network or several ips
export redcliente=0/0
# redcliente: network for the client ports, preferably all networks
export servidortcp=discard,ipp,dict,6771
# servidortcp: specific tcp server ports
export servidorudp=discard
# servidorudp: specific udp server ports
export clienteudp=domain,bootpc,bootps,ntp,20000:45000
# clienteudp: specific udp client ports
export clientetcp=domain,http,https,ipp,git,dict,14999:15002
# clientetcp: specific tcp client ports
############################### end of /etc/f-iptables/default.cfg ||||||
################################# the following is the end of the variables
export firewall=$1 variables=$2
if [ "$variables" = "$NULL" ]; then source /etc/f-iptables/default.cfg;
else source /etc/f-iptables/$2; fi
################################ or it will overwrite the variables with the .cfg file
#########################################################
export firewall=$1 variables=$2
######################################### switch
if [ "$firewall" = "disconnected" ]; then echo FIREWALL DISCONNECTED;
export activarservidor="$no" activarcliente="$no" wet="$no";
elif [ "$firewall" = "client" ]; then echo FIREWALL CLIENT;
export activarservidor="$no" activarcliente="" wet="$no";
elif [ "$firewall" = "server" ]; then echo FIREWALL SERVER;
export activarservidor="" activarcliente="$no" wet="$no";
elif [ "$firewall" = "clientandserver" ]; then echo FIREWALL CLIENT AND SERVER;
export activarservidor=""; export activarcliente=""; export wet="$no";
elif [ "$firewall" = "permissive" ]; then echo FIREWALL PERMISSIVE;
export activarservidor="$no" activarcliente="$no" wet="";
else
echo iptables-legacy:
sudo iptables-legacy -v -L INPUT
sudo iptables-legacy -v -L OUTPUT
echo iptables-nft:
sudo iptables-nft -v -L INPUT
sudo iptables-nft -v -L OUTPUT
echo _____parameters____ $0 $1 $2
echo "Running without parameters lists the iptables in use."
echo "First parameter (activate iptables): disconnected or client or server or clientandserver or permissive."
echo "Second parameter (optional): the default .cfg file is /etc/f-iptables/default.cfg"
echo "Selectable variable files:" $(ls /etc/f-iptables/)
exit 0; fi
##################
echo
echo You ran $0 disconnected or client or server or clientandserver or permissive, or with a variables file, or with no parameter to list the iptables.
echo The file $0 contains some variables that can be adjusted inside it.
################################
#############################
echo setting iptables variables
echo activating variables
echo
############################
echo Setting iptables-legacy
sudo /usr/sbin/iptables-legacy -t filter -F
sudo /usr/sbin/iptables-legacy -t nat -F
sudo /usr/sbin/iptables-legacy -t mangle -F
sudo /usr/sbin/ip6tables-legacy -t filter -F
sudo /usr/sbin/ip6tables-legacy -t nat -F
sudo /usr/sbin/ip6tables-legacy -t mangle -F
sudo /usr/sbin/ip6tables-legacy -A INPUT -j DROP
sudo /usr/sbin/ip6tables-legacy -A OUTPUT -j DROP
sudo /usr/sbin/ip6tables-legacy -A FORWARD -j DROP
sudo /usr/sbin/iptables-legacy -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
$haylogserver sudo /usr/sbin/iptables-legacy -A INPUT -p tcp -m multiport --dports $logserver -j LOG >/dev/null
$hayexcepciones sudo /usr/sbin/iptables-legacy -A INPUT -s $excepciones -j ACCEPT >/dev/null
$activarservidor sudo /usr/sbin/iptables-legacy -A INPUT -p udp -m multiport --dports $servidorudp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activarservidor sudo /usr/sbin/iptables-legacy -A INPUT -p tcp -m multiport --dports $servidortcp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activarcliente sudo /usr/sbin/iptables-legacy -A INPUT -p udp -m multiport --sports $clienteudp -m state --state ESTABLISHED -s $redcliente -d $redcliente -j ACCEPT >/dev/null
$activarcliente sudo /usr/sbin/iptables-legacy -A INPUT -p tcp -m multiport --sports $clientetcp -m state --state ESTABLISHED -s $redcliente -d $redcliente -j ACCEPT >/dev/null
$hayping sudo /usr/sbin/iptables-legacy -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT >/dev/null
sudo /usr/sbin/iptables-legacy -A INPUT -j DROP >/dev/null
sudo /usr/sbin/iptables-legacy -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
$hayexcepciones sudo /usr/sbin/iptables-legacy -A OUTPUT -d $excepciones -j ACCEPT >/dev/null
$activarservidor sudo /usr/sbin/iptables-legacy -A OUTPUT -p udp -m multiport --sports $servidorudp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activarservidor sudo /usr/sbin/iptables-legacy -A OUTPUT -p tcp -m multiport --sports $servidortcp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activarcliente sudo /usr/sbin/iptables-legacy -A OUTPUT -p udp -m multiport --dports $clienteudp -s $redcliente -d $redcliente -j ACCEPT >/dev/null
$activarcliente sudo /usr/sbin/iptables-legacy -A OUTPUT -p tcp -m multiport --dports $clientetcp -s $redcliente -d $redcliente -j ACCEPT >/dev/null
$hayping sudo /usr/sbin/iptables-legacy -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT >/dev/null
sudo /usr/sbin/iptables-legacy -A OUTPUT -j DROP
sudo /usr/sbin/iptables-legacy -A FORWARD -j DROP
echo iptables-legacy activated
echo
echo Setting iptables-nft
sudo /usr/sbin/iptables-nft -t filter -F
sudo /usr/sbin/iptables-nft -t nat -F
sudo /usr/sbin/iptables-nft -t mangle -F
sudo /usr/sbin/ip6tables-nft -t filter -F
sudo /usr/sbin/ip6tables-nft -t nat -F
sudo /usr/sbin/ip6tables-nft -t mangle -F
sudo /usr/sbin/ip6tables-nft -A INPUT -j DROP
sudo /usr/sbin/ip6tables-nft -A OUTPUT -j DROP
sudo /usr/sbin/ip6tables-nft -A FORWARD -j DROP
sudo /usr/sbin/iptables-nft -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
$haylogserver sudo /usr/sbin/iptables-nft -A INPUT -p tcp -m multiport --dports $logserver -j LOG >/dev/null
$hayexcepciones sudo /usr/sbin/iptables-nft -A INPUT -s $excepciones -j ACCEPT >/dev/null
$activarservidor sudo /usr/sbin/iptables-nft -A INPUT -p udp -m multiport --dports $servidorudp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activarservidor sudo /usr/sbin/iptables-nft -A INPUT -p tcp -m multiport --dports $servidortcp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activarcliente sudo /usr/sbin/iptables-nft -A INPUT -p udp -m multiport --sports $clienteudp -m state --state ESTABLISHED -s $redcliente -d $redcliente -j ACCEPT >/dev/null
$activarcliente sudo /usr/sbin/iptables-nft -A INPUT -p tcp -m multiport --sports $clientetcp -m state --state ESTABLISHED -s $redcliente -d $redcliente -j ACCEPT >/dev/null
$hayping sudo /usr/sbin/iptables-nft -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT >/dev/null
sudo /usr/sbin/iptables-nft -A INPUT -j DROP >/dev/null
sudo /usr/sbin/iptables-nft -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
$hayexcepciones sudo /usr/sbin/iptables-nft -A OUTPUT -d $excepciones -j ACCEPT >/dev/null
$activarservidor sudo /usr/sbin/iptables-nft -A OUTPUT -p udp -m multiport --sports $servidorudp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activarservidor sudo /usr/sbin/iptables-nft -A OUTPUT -p tcp -m multiport --sports $servidortcp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activarcliente sudo /usr/sbin/iptables-nft -A OUTPUT -p udp -m multiport --dports $clienteudp -s $redcliente -d $redcliente -j ACCEPT >/dev/null
$activarcliente sudo /usr/sbin/iptables-nft -A OUTPUT -p tcp -m multiport --dports $clientetcp -s $redcliente -d $redcliente -j ACCEPT >/dev/null
$hayping sudo /usr/sbin/iptables-nft -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT >/dev/null
sudo /usr/sbin/iptables-nft -A OUTPUT -j DROP
sudo /usr/sbin/iptables-nft -A FORWARD -j DROP
echo iptables-nft activated
echo
# permissive mode: flush the filter table and allow everything established
$wet sudo /usr/sbin/iptables-legacy -F >/dev/null
$wet sudo /usr/sbin/iptables-legacy -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
$wet sudo /usr/sbin/iptables-legacy -A INPUT -m state --state ESTABLISHED -j ACCEPT >/dev/null
$wet sudo /usr/sbin/iptables-legacy -A INPUT -j DROP >/dev/null
$wet sudo /usr/sbin/iptables-legacy -A OUTPUT -j ACCEPT >/dev/null
$wet sudo /usr/sbin/iptables-legacy -A FORWARD -j DROP >/dev/null
$wet sudo /usr/sbin/iptables-nft -F >/dev/null
$wet sudo /usr/sbin/iptables-nft -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
$wet sudo /usr/sbin/iptables-nft -A INPUT -m state --state ESTABLISHED -j ACCEPT >/dev/null
$wet sudo /usr/sbin/iptables-nft -A INPUT -j DROP >/dev/null
$wet sudo /usr/sbin/iptables-nft -A OUTPUT -j ACCEPT >/dev/null
$wet sudo /usr/sbin/iptables-nft -A FORWARD -j DROP >/dev/null
############################
echo You ran $0 $1 $2
# exit the script
exit 0
```
How would I set up a rule if this firewall is used for my gateway and there is squid on the LAN???