Create your own firewall with iptables using this simple script

I spent a while thinking about two things regarding this fascinating subject: most of the people who look for these tutorials are beginners, and second, many had already asked for something simple that can then be extended.

This example is for a web server, but it is easy to add more rules and adapt it to your needs.

Wherever you see "x", replace it with your own IP addresses.


#!/bin/bash

# Flush the tables
iptables -F
iptables -X
# Flush NAT
iptables -t nat -F
iptables -t nat -X
# mangle table, for things like PPPoE, PPP and ATM
iptables -t mangle -F
iptables -t mangle -X
# Policies. I think this is the best approach for beginners and it is
# still not a bad one. I explain it: output (OUTPUT) accepts everything,
# because those are the connections we make ourselves; input (INPUT)
# drops everything, so no service stays exposed by default.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Intranet LAN
intranet=eth0
# Extranet WAN
extranet=eth1
# Keep state. Everything that is already connected (established) is left as it is:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loop device.
iptables -A INPUT -i lo -j ACCEPT
# http, https; we do not specify the interface because
# we want the rule to apply to all of them
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# ssh only internally and from this IP range
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 7659 -j ACCEPT
# monitoring, for example if you have zabbix or some other snmp service
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 10050 -j ACCEPT
# icmp, ping; well, that is up to you
iptables -A INPUT -p icmp -s 192.168.xx/24 -i $intranet -j ACCEPT
# mysql (with postgres the port is 5432)
iptables -A INPUT -p tcp -s 192.168.xx --sport 3306 -i $intranet -j ACCEPT
# sendmail, well... if you want to send some mail
#iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# Anti-SPOOFING 09/07/2014
SERVER_IP="190.xxx"       # server IP: the real WAN IP of your server (must be set, the rule below uses it)
LAN_RANGE="192.168.xx/21" # LAN range of your network or VLAN
# IPs that should never come in through the WAN. It is just a matter of logic:
# if we only have one WAN interface, LAN-type traffic should never
# arrive through that interface.
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Default action, taken whenever any of these rules matches
ACTION="DROP"
# Packets carrying the server's own IP coming in through the WAN
iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
# iptables -A OUTPUT -o $extranet -s $SERVER_IP -j $ACTION
# Packets with the LAN range on the WAN. I put it this way in case you have
# some specific network, but this is already covered by the following
# rule in the "for" loop
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION
## None of the SPOOF networks are allowed through the WAN
for ip in $SPOOF_IPS
do
    iptables -A INPUT -i $extranet -s $ip -j $ACTION
    iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
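An added example, not the post's own script: the same web-server policy emitted as an iptables-restore ruleset, so the whole filter table is loaded atomically instead of rule by rule (applying the rules one at a time from a remote session leaves a window where INPUT is already DROP but the ESTABLISHED rule does not exist yet). Interface names, the admin subnet 192.168.1.0/24 (standing in for the post's 192.168.xx/24) and the SSH port are assumed placeholder values.

```shell
#!/bin/bash
# Added example: generate the post's web-server policy in iptables-save
# syntax and load it with iptables-restore (one atomic table swap).
# Interface names, admin subnet and SSH port below are assumptions.
INTRANET=${INTRANET:-eth0}
EXTRANET=${EXTRANET:-eth1}
ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}   # the post's "192.168.xx/24"
SSH_PORT=${SSH_PORT:-7659}
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the ruleset. The ESTABLISHED,RELATED rule is part of the same
# table as the DROP policy, so there is never a moment without it.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
  # anti-spoofing: private and loopback sources never belong on the WAN side
  for ip in $SPOOF_IPS; do
    echo "-A INPUT -i $EXTRANET -s $ip -j DROP"
    echo "-A OUTPUT -o $EXTRANET -s $ip -j DROP"
  done
  cat <<EOF
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -i $INTRANET -s $ADMIN_NET -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -i $INTRANET -s $ADMIN_NET -p icmp -j ACCEPT
COMMIT
EOF
}

# Self-check: number of inbound anti-spoof DROP rules in the generated table.
count_spoof_rules() {
  gen_ruleset | grep -c -- "-i $EXTRANET -s .* -j DROP"
}

# With --apply the table is loaded (needs root); otherwise it is just printed
# so you can review it first.
if [ "${1:-}" = "--apply" ]; then
  gen_ruleset | iptables-restore
else
  gen_ruleset
fi
```

Review the printed table, then run the script with `--apply` as root; `iptables-restore` rejects the whole file on a syntax error instead of leaving a half-applied ruleset.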

As always, I look forward to your comments; stay tuned to this blog. Thank you.


12 comments


  1. HO2 Gi

    It helps me keep learning a bit more; thanks, copied.

    1. Rariya

      you're welcome, happy to be of help

  2. Javier

    I'm really sorry, but I have two questions (plus one more as a bonus 😉):

    Would this setup be enough to keep Apache running and close everything else except SSH?

    # We flush the tables
    iptables -F
    iptables -X

    # We flush NAT

    iptables -t nat -F
    iptables -t nat -X

    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    # ssh only internally and from this IP range

    iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 7659 -j ACCEPT

    Second question: is port 7659 used for SSH in this example?

    Third and last: in which file should this configuration go?

    Thanks a lot for the lesson; it's a pity to be a newbie and not be able to take full advantage of it.

    1. Rariya

      this is the rule you need for http from apache
      iptables -A INPUT -p tcp --dport 80 -j ACCEPT

      but you also need to declare the default policy rules (it is in the script)
      iptables -P INPUT DROP
      iptables -P OUTPUT ACCEPT
      iptables -P FORWARD DROP

      and this one, because if you are working remotely it will kick you out.
      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

      yes, 7659 is the ssh port in this example; by default it is 22, although I recommend changing it to a "not so well known" port
      man, I don't know, whatever you like... firewall.sh, and put it in rc.local (sh firewall.sh) so it starts automatically; depending on which OS you have, there are files where you can put the rules directly.

  3. jge

    Hey, your script is really good, I'm studying it.... Do you know how I could block all of my users' requests to a certain website?.... but that website has many servers....

    1. Rariya

      I suggest a few options:
      1) You can create a fake zone in your DNS...
      2) You can set up a proxy with ACLs
      without restrictions
      For iptables you could try this... it is not always the best option (there are more ways)
      iptables -A INPUT -s blog.desdelinux.net -j DROP
      iptables -A OUTPUT -d blog.desdelinux.net -j DROP

      Tell me if it worked

  4. Javier

    Thanks for the reply, everything is clear now. I asked about the port because the use of 7659 surprised me, since private ports start at 49152, and it could interfere with some other service or something.
    Again, thanks for everything, it's great!

    Thank you.

  5. sic

    BrodyDalle, how can I contact you? I'm very interested in your script.

  6. Carlos

    Is the last line "iptables -A OUTPUT -o $extranet -s $ip -j $ACTION" there to prevent your own machine from spoofing? Or could it be that some poisoned packet gets in and could leave with that poisoned source, and that is why the rule is included together with OUTPUT?
    Thanks a lot for the explanation!!!

  7. fran

    This script is my own; it is quite complete:

    # franes.iptables.airoso
    # doc.iptables.airoso: iptables for legacy and for nft
    #
    # port firewall
    ##############################
    #!/bin/bash
    #
    # clear the screen
    ################################ start of /etc/f-iptables/default.cfg |||||
    clear
    # leave an empty line
    echo
    # switch trick: a command prefixed with $yes runs, one prefixed with $no is only echoed
    export yes="" no="echo"
    # variables you can change to allow access
    ########################## switch variables, change them with $yes or $no
    export hasexceptions="$no"
    # hasexceptions: $yes to allow the exceptions and $no to disable them
    export hasping="$no"
    # hasping: $yes to allow pings from third parties and $no to deny them
    export haslogserver="$no"
    # haslogserver: $yes to log tcp, $no to not log tcp
    ######
    ############################## editable variables; add more with "," or with a range ":"
    export exceptions="baldras.wesnoth.org"
    # exceptions: allows one or several hosts through the firewall, or no value
    export logserver=discard,ipp,dict,ssh
    # logserver: tcp server ports that are logged when packets come in
    export servernet=0/0
    # servernet: network for the server ports; better the local network or a few ips
    export clientnet=0/0
    # clientnet: network for the client ports; better for all networks
    export servertcp=discard,ipp,dict,6771
    # servertcp: specific tcp server ports
    export serverudp=discard
    # serverudp: specific udp server ports
    export clientudp=domain,bootpc,bootps,ntp,20000:45000
    # clientudp: specific udp client ports
    export clienttcp=domain,http,https,ipp,git,dict,14999:15002
    # clienttcp: specific tcp client ports
    ############################### end of /etc/f-iptables/default.cfg ||||||
    ################################# the following is the end of the variables
    export firewall=$1 variables=$2
    if [ -z "$variables" ]; then source /etc/f-iptables/default.cfg;
    else source /etc/f-iptables/$2; fi
    ################################ or it will overwrite the variables with the .cfg file
    ###########################################################
    export firewall=$1 variables=$2
    ######################################### switch
    if [ "$firewall" = "disconnected" ]; then echo FIREWALL DISCONNECTED;
    export activateserver="$no" activateclient="$no" permissive="$no";
    elif [ "$firewall" = "client" ]; then echo FIREWALL CLIENT;
    export activateserver="$no" activateclient="" permissive="$no";
    elif [ "$firewall" = "server" ]; then echo FIREWALL SERVER;
    export activateserver="" activateclient="$no" permissive="$no";
    elif [ "$firewall" = "clientandserver" ]; then echo FIREWALL CLIENT AND SERVER;
    export activateserver=""; export activateclient=""; export permissive="$no";
    elif [ "$firewall" = "permissive" ]; then echo FIREWALL PERMISSIVE;
    export activateserver="$no" activateclient="$no" permissive="";
    else
    echo iptables-legacy:
    sudo iptables-legacy -v -L INPUT
    sudo iptables-legacy -v -L OUTPUT
    echo iptables-nft:
    sudo iptables-nft -v -L INPUT
    sudo iptables-nft -v -L OUTPUT
    echo _____parameters____ $0 $1 $2
    echo "$0 without parameters lists the iptables rules."
    echo "First parameter (activate iptables): disconnected or client or server or clientandserver or permissive."
    echo "Second parameter (optional): .cfg file, by default /etc/f-iptables/default.cfg"
    echo "Editable variables:" $(ls /etc/f-iptables/)
    exit 0; fi
    ##################
    echo
    echo Run $0 with disconnected or client or server or clientandserver or permissive, optionally followed by a variables file, or with no parameters to list iptables.
    echo The file $0 contains some variables that can be set inside it.
    ################################
    #############################
    echo setting the iptables variables
    echo activating the variables
    echo
    ############################
    echo Setting up iptables-legacy
    sudo /usr/sbin/iptables-legacy -t filter -F
    sudo /usr/sbin/iptables-legacy -t nat -F
    sudo /usr/sbin/iptables-legacy -t mangle -F
    sudo /usr/sbin/ip6tables-legacy -t filter -F
    sudo /usr/sbin/ip6tables-legacy -t nat -F
    sudo /usr/sbin/ip6tables-legacy -t mangle -F
    sudo /usr/sbin/ip6tables-legacy -A INPUT -j DROP
    sudo /usr/sbin/ip6tables-legacy -A OUTPUT -j DROP
    sudo /usr/sbin/ip6tables-legacy -A FORWARD -j DROP
    sudo /usr/sbin/iptables-legacy -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
    $haslogserver sudo /usr/sbin/iptables-legacy -A INPUT -p tcp -m multiport --dports $logserver -j LOG >/dev/null
    $hasexceptions sudo /usr/sbin/iptables-legacy -A INPUT -s $exceptions -j ACCEPT >/dev/null
    $activateserver sudo /usr/sbin/iptables-legacy -A INPUT -p udp -m multiport --dports $serverudp -s $servernet -d $servernet -j ACCEPT >/dev/null
    $activateserver sudo /usr/sbin/iptables-legacy -A INPUT -p tcp -m multiport --dports $servertcp -s $servernet -d $servernet -j ACCEPT >/dev/null
    $activateclient sudo /usr/sbin/iptables-legacy -A INPUT -p udp -m multiport --sports $clientudp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT >/dev/null
    $activateclient sudo /usr/sbin/iptables-legacy -A INPUT -p tcp -m multiport --sports $clienttcp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT >/dev/null
    $hasping sudo /usr/sbin/iptables-legacy -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT >/dev/null
    sudo /usr/sbin/iptables-legacy -A INPUT -j DROP >/dev/null
    sudo /usr/sbin/iptables-legacy -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
    $hasexceptions sudo /usr/sbin/iptables-legacy -A OUTPUT -d $exceptions -j ACCEPT >/dev/null
    $activateserver sudo /usr/sbin/iptables-legacy -A OUTPUT -p udp -m multiport --sports $serverudp -s $servernet -d $servernet -j ACCEPT >/dev/null
    $activateserver sudo /usr/sbin/iptables-legacy -A OUTPUT -p tcp -m multiport --sports $servertcp -s $servernet -d $servernet -j ACCEPT >/dev/null
    $activateclient sudo /usr/sbin/iptables-legacy -A OUTPUT -p udp -m multiport --dports $clientudp -s $clientnet -d $clientnet -j ACCEPT >/dev/null
    $activateclient sudo /usr/sbin/iptables-legacy -A OUTPUT -p tcp -m multiport --dports $clienttcp -s $clientnet -d $clientnet -j ACCEPT >/dev/null
    $hasping sudo /usr/sbin/iptables-legacy -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT >/dev/null
    sudo /usr/sbin/iptables-legacy -A OUTPUT -j DROP
    sudo /usr/sbin/iptables-legacy -A FORWARD -j DROP
    echo iptables-legacy activated
    echo
    echo Setting up iptables-nft
    sudo /usr/sbin/iptables-nft -t filter -F
    sudo /usr/sbin/iptables-nft -t nat -F
    sudo /usr/sbin/iptables-nft -t mangle -F
    sudo /usr/sbin/ip6tables-nft -t filter -F
    sudo /usr/sbin/ip6tables-nft -t nat -F
    sudo /usr/sbin/ip6tables-nft -t mangle -F
    sudo /usr/sbin/ip6tables-nft -A INPUT -j DROP
    sudo /usr/sbin/ip6tables-nft -A OUTPUT -j DROP
    sudo /usr/sbin/ip6tables-nft -A FORWARD -j DROP
    sudo /usr/sbin/iptables-nft -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
    $haslogserver sudo /usr/sbin/iptables-nft -A INPUT -p tcp -m multiport --dports $logserver -j LOG >/dev/null
    $hasexceptions sudo /usr/sbin/iptables-nft -A INPUT -s $exceptions -j ACCEPT >/dev/null
    $activateserver sudo /usr/sbin/iptables-nft -A INPUT -p udp -m multiport --dports $serverudp -s $servernet -d $servernet -j ACCEPT >/dev/null
    $activateserver sudo /usr/sbin/iptables-nft -A INPUT -p tcp -m multiport --dports $servertcp -s $servernet -d $servernet -j ACCEPT >/dev/null
    $activateclient sudo /usr/sbin/iptables-nft -A INPUT -p udp -m multiport --sports $clientudp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT >/dev/null
    $activateclient sudo /usr/sbin/iptables-nft -A INPUT -p tcp -m multiport --sports $clienttcp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT >/dev/null
    $hasping sudo /usr/sbin/iptables-nft -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT >/dev/null
    sudo /usr/sbin/iptables-nft -A INPUT -j DROP >/dev/null
    sudo /usr/sbin/iptables-nft -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
    $hasexceptions sudo /usr/sbin/iptables-nft -A OUTPUT -d $exceptions -j ACCEPT >/dev/null
    $activateserver sudo /usr/sbin/iptables-nft -A OUTPUT -p udp -m multiport --sports $serverudp -s $servernet -d $servernet -j ACCEPT >/dev/null
    $activateserver sudo /usr/sbin/iptables-nft -A OUTPUT -p tcp -m multiport --sports $servertcp -s $servernet -d $servernet -j ACCEPT >/dev/null
    $activateclient sudo /usr/sbin/iptables-nft -A OUTPUT -p udp -m multiport --dports $clientudp -s $clientnet -d $clientnet -j ACCEPT >/dev/null
    $activateclient sudo /usr/sbin/iptables-nft -A OUTPUT -p tcp -m multiport --dports $clienttcp -s $clientnet -d $clientnet -j ACCEPT >/dev/null
    $hasping sudo /usr/sbin/iptables-nft -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT >/dev/null
    sudo /usr/sbin/iptables-nft -A OUTPUT -j DROP
    sudo /usr/sbin/iptables-nft -A FORWARD -j DROP
    echo iptables-nft activated
    echo
    # permissive mode: flush everything again and leave only a minimal stateful set
    $permissive sudo /usr/sbin/iptables-legacy -F >/dev/null
    $permissive sudo /usr/sbin/iptables-legacy -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
    $permissive sudo /usr/sbin/iptables-legacy -A INPUT -m state --state ESTABLISHED -j ACCEPT >/dev/null
    $permissive sudo /usr/sbin/iptables-legacy -A INPUT -j DROP >/dev/null
    $permissive sudo /usr/sbin/iptables-legacy -A OUTPUT -j ACCEPT >/dev/null
    $permissive sudo /usr/sbin/iptables-legacy -A FORWARD -j DROP >/dev/null
    $permissive sudo /usr/sbin/iptables-nft -F >/dev/null
    $permissive sudo /usr/sbin/iptables-nft -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
    $permissive sudo /usr/sbin/iptables-nft -A INPUT -m state --state ESTABLISHED -j ACCEPT >/dev/null
    $permissive sudo /usr/sbin/iptables-nft -A INPUT -j DROP >/dev/null
    $permissive sudo /usr/sbin/iptables-nft -A OUTPUT -j ACCEPT >/dev/null
    $permissive sudo /usr/sbin/iptables-nft -A FORWARD -j DROP >/dev/null
    ############################
    echo you ran $0 $1 $2
    # exit the script
    exit 0

  8. louis duran

    How would I set up a rule if this firewall is used as my gateway and there is a squid in the LAN???