Set up your firewall with iptables using a simple script, part 2


Hi everyone, today I bring you the second part of the tutorial on firewalls with iptables, simple enough that you can copy and paste it. I think that at the end of the day this is what beginners look for, and even many experienced people: why reinvent the wheel a hundred times, right?

This time I'm going to ask you to think a bit harder, because we want our firewall to be much more aggressive, with an OUTPUT DROP policy. This was also requested by a reader of these pages and my posts (inside my head: wiiiiiii).

Let's talk a little about the "pros and cons" of setting an OUTPUT DROP policy. What I can tell you is that it makes the job more tedious and boring; the reward is that the machine is far better protected on the network than if you just sat back, because a process that gets compromised can no longer open connections anywhere it likes. Think the rules through, build them carefully and tune them, and you will have a much more secure server.

So as not to confuse anyone or stray from the topic, here is a brief explanation of what your rules should look like:

iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

-A appends the rule to the chain (here OUTPUT).
-o is the outgoing interface; if it is not specified the rule matches every interface.
--sport is the source port. It matters here because most of the time we do not know which (ephemeral) port the client is using, so we match our own end of the connection instead of using --dport.
--dport is the destination port, for when we know in advance that an outgoing connection must go to a specific port. It should be something well defined, a remote MySQL server for example.
-m state --state ESTABLISHED is the classic match for connections that are already set up; we can extend it later (ESTABLISHED,RELATED, or the newer -m conntrack --ctstate, which takes the same state names).
-d is the destination address, when it can be specified, for example SSH to a particular machine by its IP.

One thing to check before copying a rule like this: an OUTPUT ACCEPT that matches only on --sport, with no state match, lets any root process bind that port and reach any host, which is exactly what an OUTPUT DROP policy is meant to prevent. In the script below the ESTABLISHED,RELATED rule comes first, so replies are already accepted by the time the --sport rules are reached; what those rules add is only new outbound connections sourced from ports 80/443. Either give them a state match, as in the rule above, or leave them out.
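As an added example (not code from the original post), here is a small check you can run against a live ruleset: it feeds an `iptables-save` dump through awk and reports every OUTPUT ACCEPT rule that matches on --sport without a state or conntrack match. The dump embedded in the block is constructed for the example; the rule on port 80 is the weak one, the 443 rule carries a state match and the MySQL rule uses --dport, so exactly one line is reported.

```shell
#!/bin/sh
# Added example, not from the original post: flag OUTPUT ACCEPT rules that
# rely on --sport alone. Such a rule lets any process that can bind the
# privileged port (root, or a compromised daemon running as root) talk to
# any host, which defeats an OUTPUT DROP policy.
# Live use:  iptables-save | lint_sport_egress

lint_sport_egress() {
    # Prints one line per offending rule; exit status 1 if any were found.
    awk '
        /^-A OUTPUT / && /-j ACCEPT/ && /--sport/ && !/--state/ && !/--ctstate/ {
            print "weak egress: " $0
            bad++
        }
        END { exit (bad > 0) }
    '
}

# Constructed iptables-save dump for the example (not from a real host).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.1.3/32 -o eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT'

count_weak_egress() {
    # Number of weak rules in the sample dump (1: the bare --sport 80 rule).
    printf '%s\n' "$SAMPLE_RULES" | lint_sport_egress | wc -l | tr -d ' '
}

count_weak_egress
```

On a real box pipe `iptables-save` into `lint_sport_egress`; a non-zero exit makes it easy to wire into a deploy check.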

#!/bin/bash

# Flush the default (filter) table
iptables -F
iptables -X
# Flush the NAT table
iptables -t nat -F
iptables -t nat -X
# The mangle table, used for things like PPPoE, PPP and ATM
iptables -t mangle -F
iptables -t mangle -X

# Policies. I think this is the best approach for beginners, and it is
# not bad at all: we declare every outgoing connection explicitly
# (OUTPUT), we drop everything incoming by default (INPUT), and no
# server should be forwarding (FORWARD).
# Note: from here until the state rules below are loaded an SSH session
# to the box gets no replies, and if your SSH port is not the one allowed
# below you lock yourself out; run this locally or from a console.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Intranet (LAN)
intranet=eth0
# Extranet (WAN)
extranet=eth1

# Keep state. Anything already connected (established) is left alone
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback device
iptables -A INPUT -i lo -j ACCEPT
# Loopback output
iptables -A OUTPUT -o lo -j ACCEPT

# http, https: we do not specify the interface because
# we want it reachable from everywhere
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# output
# http, https: again no interface, we want it open to everyone,
# but we do specify the source port (the state rule above already
# accepts the replies, so these only add new outbound connections
# sourced from 80/443; see the note on --sport earlier)
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT

# ssh, only on the inside and from this range (xx is a placeholder)
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 7659 -j ACCEPT
# output
# ssh, only on the inside and towards these IPs
iptables -A OUTPUT -p tcp -d 192.168.xx/24 -o $intranet --sport 7659 -j ACCEPT

# monitoring, for example if you have zabbix or some other snmp tool
iptables -A INPUT -p tcp -s 192.168.1.1 -i $intranet --dport 10050 -j ACCEPT
# output
iptables -A OUTPUT -p tcp -d 192.168.1.1 -o $intranet --sport 10050 -j ACCEPT

# icmp, ping; well, that is your decision
iptables -A INPUT -p icmp -s 192.168.xx/24 -i $intranet -j ACCEPT
# output
iptables -A OUTPUT -p icmp -d 192.168.xx/24 -o $intranet -j ACCEPT

# mysql (with postgres it is port 5432)
iptables -A INPUT -p tcp -s 192.168.xx --sport 3306 -i $intranet -j ACCEPT
# output. A question also raised by a user: a dedicated database server,
# web: 192.168.1.2  mysql: 192.168.1.3
iptables -A OUTPUT -p tcp -s 192.168.1.2 -d 192.168.1.3 --dport 3306 -o $intranet -j ACCEPT

# sendmail, bueeeh, if you want to send mail
# iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

# ANTI-SPOOFING 09/07/2014
SERVER_IP="190.xxx"          # the real WAN IP of your server (placeholder)
LAN_RANGE="192.168.xx/21"    # the LAN range of your network or VLANs
# IPs that must never come in from the extranet. It is a matter of logic:
# if we only have one WAN interface, LAN-type traffic should never arrive
# through it
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Action taken whenever one of the rules below matches
ACTION="DROP"

# Packets arriving from the WAN that claim my server's own IP
iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
# The matching OUTPUT rule would drop every packet the server itself sends
# on the WAN (they all carry $SERVER_IP as source), so it stays disabled:
# iptables -A OUTPUT -o $extranet -s $SERVER_IP -j $ACTION

# Packets with the LAN range on the WAN. I put it like this in case you
# have some particular network, but the "for" loop below covers it too
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION

## None of the SPOOF networks is allowed on the WAN
for ip in $SPOOF_IPS
do
    iptables -A INPUT -i $extranet -s $ip -j $ACTION
    iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
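The script above applies its rules one iptables call at a time, so a typo halfway through leaves the box in a half-built state, and with INPUT and OUTPUT DROP policies that can mean losing the SSH session you ran it from. As an added example, not part of the original post, the following bash writes the same kind of policy as a single file for iptables-restore, checks it with --test, loads it atomically and restores the previous ruleset after a grace period unless you confirm. The interface names, LAN range, SSH port, database address and state directory are assumptions in the script; change them to match your hosts. It uses -m conntrack --ctstate, the current replacement for -m state, and puts the ESTABLISHED,RELATED rules first so that every other ACCEPT only has to admit NEW connections and no --sport rules are needed.

```shell
#!/bin/bash
# Added example, not the post's script. Builds the policy as one
# iptables-restore file and applies it atomically with a rollback timer.
# Assumed values (change them to match your hosts):
INTRANET=${INTRANET:-eth0}             # LAN interface
EXTRANET=${EXTRANET:-eth1}             # WAN interface
LAN_RANGE=${LAN_RANGE:-192.168.1.0/24} # where admins and monitoring live
SSH_PORT=${SSH_PORT:-7659}
DB_HOST=${DB_HOST:-192.168.1.3}        # remote MySQL this box may connect to
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
STATE_DIR=${STATE_DIR:-/tmp/fw}        # old ruleset and watchdog pid go here

build_rules() {
    # The ESTABLISHED,RELATED rules come first, so every ACCEPT after them
    # only has to admit the first packet (NEW) of a flow; replies need no
    # --sport rules at all.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
EOF
    # anti-spoofing: private and bogon sources never arrive on the WAN side
    for ip in $SPOOF_IPS; do
        echo "-A INPUT -i $EXTRANET -s $ip -j DROP"
    done
    cat <<EOF
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $INTRANET -s $LAN_RANGE -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $INTRANET -s $LAN_RANGE -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o $INTRANET -d $DB_HOST -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

apply_with_rollback() {
    # usage (as root): apply_with_rollback [grace_seconds]
    local grace=${1:-60}
    mkdir -p "$STATE_DIR" && rm -f "$STATE_DIR/confirmed"
    build_rules > "$STATE_DIR/rules.new"
    iptables-save > "$STATE_DIR/rules.old" || return 1
    # parse only, nothing is loaded yet: catches typos before they bite
    iptables-restore --test < "$STATE_DIR/rules.new" || return 1
    iptables-restore < "$STATE_DIR/rules.new" || return 1
    # watchdog: unless confirm_rules runs in time, put the old rules back
    ( sleep "$grace"
      [ -e "$STATE_DIR/confirmed" ] || iptables-restore < "$STATE_DIR/rules.old" ) &
    echo $! > "$STATE_DIR/timer.pid"
    echo "new rules loaded; run confirm_rules within ${grace}s to keep them"
}

confirm_rules() {
    touch "$STATE_DIR/confirmed"
    kill "$(cat "$STATE_DIR/timer.pid" 2>/dev/null)" 2>/dev/null
}
```

Run apply_with_rollback 60 as root from the SSH session you want to keep, then confirm_rules from that session or a fresh one; if the new rules cut you off, the old ones are back after 60 seconds. build_rules needs no privileges, so the generated ruleset can be reviewed or diffed before it is applied.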

In the next part we will look at ports and at policies defined by name, among other things. I look forward to your comments and requests.

