I have been thinking for a while about two things regarding iptables: first, most of the people who ask for these tutorials are just starting out, and second, many of them are looking for something simple that is already explained.
This example is for a web server, but you can easily add other rules and adapt it to your own needs.
Wherever you see "x", replace it with your own IP.
#!/bin/bash
# Flush the default (filter) table
iptables -F
iptables -X
# Flush the NAT table
iptables -t nat -F
iptables -t nat -X
# Flush the mangle table (used for things like PPPoE, PPP and ATM)
iptables -t mangle -F
iptables -t mangle -X
# Policies. I think this is the best approach for beginners and it is not
# bad at all: by default we drop everything, and a server should never forward.
# Note: between "-P INPUT DROP" and the ESTABLISHED rule further down there is
# no rule accepting an existing ssh session, so run this from the console (or
# load it with iptables-restore, which swaps the whole ruleset in one step).
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Intranet, LAN
intranet=eth0
# Extranet, WAN
extranet=eth1
# Keep state. Anything already connected (established) stays as it is:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback device
iptables -A INPUT -i lo -j ACCEPT
# http, https: no interface is given because we want them on all interfaces
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# ssh only internally and only from this ip range
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 7659 -j ACCEPT
# Monitoring, for example if you have zabbix or some other snmp agent
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 10050 -j ACCEPT
# icmp; whether you allow ping is up to you
iptables -A INPUT -p icmp -s 192.168.xx/24 -i $intranet -j ACCEPT
# mysql replies (with postgres the port is 5432); the ESTABLISHED rule above
# already covers replies to connections this server opened itself
iptables -A INPUT -p tcp -s 192.168.xx --sport 3306 -i $intranet -j ACCEPT
# sendmail, bueeeh, if you want to send mail (not needed with OUTPUT ACCEPT)
#iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Anti-SPOOFING 09/07/2014
# SERVER_IP="190.xxx"   # server IP: the real WAN ip of your server (set it to enable the rule below)
LAN_RANGE="192.168.xx/21"   # LAN range of your network or vlan
# IPs that must never come in via the extranet. It is simple logic: if we
# have a WAN interface, LAN-type traffic should never arrive through it.
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Action to take when one of the rules below matches
ACTION="DROP"
# Packets arriving on the wan that claim to come from my own server's ip.
# INPUT only: the same rule on OUTPUT would drop all of the server's own
# outgoing traffic on the wan.
if [ -n "$SERVER_IP" ]; then
    iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
fi
# Packets with the LAN range on the wan. I put it like this in case you have
# some particular network, but it is already covered by the rules in the
# "for" loop below.
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION
## None of the SPOOF networks are allowed on the wan
for ip in $SPOOF_IPS
do
    iptables -A INPUT -i $extranet -s $ip -j $ACTION
    iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
As always, I look forward to your comments; keep an eye on this blog. Thanks.
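As an added example, not part of the original post: the same web-server ruleset (default DROP policies, the stateful rule first, http/https from anywhere, ssh and monitoring only from the LAN interface, anti-spoofing on the WAN interface) written out in iptables-save format and loaded with iptables-restore, which parses the whole file before swapping it in, so a typo cannot leave the box half-configured and the ESTABLISHED rule is never missing while the policy is DROP. Interface names, the 192.168.1.0/24 range and port 7659 stand in for the post's "x" placeholders and are assumptions; the conntrack match is the current spelling of the post's "-m state".

```bash
#!/bin/bash
# Added example: the post's web-server rules as an atomic iptables-restore file.
# Interface names, address ranges and ports below are assumptions taken from
# the post's placeholders; override them through the environment.
set -u

INTRANET="${INTRANET:-eth0}"
EXTRANET="${EXTRANET:-eth1}"
LAN_RANGE="${LAN_RANGE:-192.168.1.0/24}"      # assumed value for the post's 192.168.xx/24
ADMIN_RANGE="${ADMIN_RANGE:-192.168.1.0/24}"  # where ssh/monitoring may come from
SSH_PORT="${SSH_PORT:-7659}"
ZABBIX_PORT="${ZABBIX_PORT:-10050}"
SERVER_IP="${SERVER_IP:-}"                    # real WAN address; empty = rule omitted
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the ruleset in iptables-save format. The anti-spoofing chain is hit
# first for WAN traffic, then loopback and the stateful rule, then services.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ANTISPOOF - [0:0]
EOF
    # A packet on the WAN interface can never legitimately carry a private,
    # loopback or LAN source address, in either direction.
    local net
    for net in $LAN_RANGE $SPOOF_IPS; do
        echo "-A ANTISPOOF -s $net -j DROP"
    done
    # Our own address arriving from the WAN is spoofed too (INPUT only: on
    # OUTPUT it would block all of the server's own traffic).
    [ -n "$SERVER_IP" ] && echo "-A INPUT -i $EXTRANET -s $SERVER_IP -j DROP"
    cat <<EOF
-A INPUT -i $EXTRANET -j ANTISPOOF
-A OUTPUT -o $EXTRANET -j ANTISPOOF
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -i $INTRANET -s $ADMIN_RANGE -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -i $INTRANET -s $ADMIN_RANGE -p tcp --dport $ZABBIX_PORT -j ACCEPT
-A INPUT -i $INTRANET -s $ADMIN_RANGE -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Offline sanity check: every line is a table header, a chain declaration,
# a rule or COMMIT, and the file ends with COMMIT. Returns 1 otherwise.
check_ruleset() {
    local last="" line
    while IFS= read -r line; do
        case "$line" in
            '*'*|':'*|-A*|COMMIT) ;;
            *) return 1 ;;
        esac
        last="$line"
    done
    [ "$last" = "COMMIT" ]
}

# Load atomically: iptables-restore --test parses without committing, so a
# rejected file leaves the running rules untouched.
apply_ruleset() {
    local tmp
    tmp=$(mktemp) || return 1
    build_ruleset >"$tmp"
    if check_ruleset <"$tmp" && iptables-restore --test "$tmp"; then
        iptables-restore "$tmp"
    else
        echo "ruleset rejected, nothing changed" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

case "${1:-}" in
    apply) apply_ruleset ;;      # needs root
    *)     build_ruleset ;;      # default: just print the file for review
esac
```

Run it without arguments to review the generated file (and diff it against `iptables-save` on the host); `apply` loads it. Because the chain declarations set the policies in the same transaction as the rules, there is no moment where INPUT is DROP without the ESTABLISHED,RELATED accept.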
12 comments, leave yours
It helps me keep learning, thank you very much for sharing.
You're welcome, happy to have been of help.
Sorry, I have two questions (and one more as a bonus 😉):
Could it be adjusted like this, so that Apache is left open and everything else is closed except SSH?
# Flush the tables
iptables -F
iptables -X
# Flush NAT
iptables -t nat -F
iptables -t nat -X
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# ssh only internally and from this ip range
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 7659 -j ACCEPT
Second question: is 7659 the port used for SSH in this example?
And the third and last one: which file should the rules be saved in?
Thanks a lot for the tutorial; it's a shame to be a newbie and not be able to make good use of it.
This is the rule you want for http from apache:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
but you also have to declare the default policies (they are in the script):
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
and this one, because if you are connected remotely it will kick you out:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Yes, 7659 is the ssh port in the example; by default it is 22, although I recommend changing it to a "non-standard" port.
Man, I don't know, whatever you like... firewall.sh, and you put it in rc.local (sh firewall.sh) so it runs on its own; it depends on the distro you have, there are files where you can put the rules directly.
Hey, your posts are very good, I'm analysing them.... Do you know how I could deny all requests from users to a certain website?.... but that website has many servers....
I suggest a couple of things you could do:
1) You can create a fake zone in your DNS...
2) You can set up a proxy with ACLs
sinbar
With iptables you could do it like this... it's not always the best option (there are many ways):
iptables -A INPUT -s blog.fromlinux.net -j DROP
iptables -A OUTPUT -d blog.fromlinux.net -j DROP
Let me know if it worked.
Thanks for the reply, everything is sorted out. I asked about the port because I was surprised by the use of 7659, since private ports start at 49152, and it could clash with some other service or something.
Again, thanks for everything, it's great!
Thanks.
BrodyDalle, how can I get in touch with you? Your contribution is very interesting.
soulofmarionet_1@hotmail.com
Is the last line, "iptables -A OUTPUT -o $extranet -s $ip -j $ACTION", there to protect your machine from being compromised? Or is it possible that a poisoned packet gets in and could leave carrying that poison, and that is why this rule is also included for OUTPUT?
Thanks a lot for the explanation!!!
This is my iptables script, it is complete:
#!/bin/bash
#alirezatalischioriginal
# doc.iptables.airoso: iptables for legacy and for nft
#
# firewall ports
#####################
#
# clear the screen
#####################
clear
# leave a blank line
echo
# Every optional rule below is prefixed with one of these two variables:
# "$yes" expands to nothing, so the command runs; "$no" expands to "skip",
# a no-op function, so the command is silently skipped.
skip() { :; }
export yes="" no="skip"
# variables to change in order to allow access
#####################
export has_exceptions="$no"
# has_exceptions: $yes allows the exception hosts, $no blocks them
export has_ping="$no"
# has_ping: $yes allows some pings, $no denies them
export has_logserver="$no"
# has_logserver: $yes logs incoming tcp, $no does not log tcp
######
#####################
export exceptions="baldras.wesnoth.org"
# exceptions: one or more hosts exempted from the firewall
export logserver="discard,ipp,dict,ssh"
# logserver: tcp server ports whose incoming packets are logged
export servernet=0/0
# servernet: network for the server ports, preferably one network or a few ips
export clientnet=0/0
# clientnet: network for the client ports, preferably all networks
export servertcp="discard,ipp,domain,6771"
# servertcp: tcp server ports
export serverudp="discard"
# serverudp: udp server ports
export clientudp="domain,bootpc,bootps,ntp,20000:45000"
# clientudp: udp client ports
export clienttcp="domain,http,https,ipp,git,dict,14999:15002"
# clienttcp: tcp client ports
#####################
#####################
export firewall="$1" variables="$2"
if [ -z "$variables" ]; then source /etc/f-iptables/default.cfg;
else source "/etc/f-iptables/$2"; fi
#####################
# set again in case the .cfg file overwrote them
export firewall="$1" variables="$2"
#####################
if [ "$firewall" = "disabled" ]; then echo FIREWALL DISABLED;
export enable_server="$no" enable_client="$no" permissive="$no";
elif [ "$firewall" = "client" ]; then echo FIREWALL CLIENT;
export enable_server="$no" enable_client="$yes" permissive="$no";
elif [ "$firewall" = "server" ]; then echo FIREWALL SERVER;
export enable_server="$yes" enable_client="$no" permissive="$no";
elif [ "$firewall" = "clientandserver" ]; then echo FIREWALL CLIENT AND SERVER;
export enable_server="$yes"; export enable_client="$yes"; export permissive="$no";
elif [ "$firewall" = "permissive" ]; then echo FIREWALL PERMISSIVE;
export enable_server="$no" enable_client="$no" permissive="$yes";
else
echo iptables-legacy:
sudo iptables-legacy -v -L INPUT
sudo iptables-legacy -v -L OUTPUT
echo iptables-nft:
sudo iptables-nft -v -L INPUT
sudo iptables-nft -v -L OUTPUT
echo _____parameters____ $0 $1 $2
echo "launched without parameters it lists the iptables rules."
echo "first parameter (activate iptables): disabled or client or server or clientandserver or permissive."
echo "second parameter (optional): .cfg file to use instead of /etc/f-iptables/default.cfg"
echo "alternative variable files:" $(ls /etc/f-iptables/)
exit 0; fi
#####################
echo
echo Launch $0 with disabled or client or server or clientandserver or permissive, or with a variables file, or without parameters to list iptables.
echo $0 this file has some variables inside.
#####################
#####################
echo setting iptables variables
echo variables set
echo
########################### iptables rules
# The same rule set is loaded into both back ends; $1 is the iptables binary,
# $2 the matching ip6tables binary.
apply_rules() {
    local ipt="$1" ip6t="$2"
    sudo "$ipt" -t filter -F
    sudo "$ipt" -t nat -F
    sudo "$ipt" -t mangle -F
    sudo "$ip6t" -t filter -F
    sudo "$ip6t" -t nat -F
    sudo "$ip6t" -t mangle -F
    # IPv6 is dropped entirely, loopback included
    sudo "$ip6t" -A INPUT -j DROP
    sudo "$ip6t" -A OUTPUT -j DROP
    sudo "$ip6t" -A FORWARD -j DROP
    # IPv4 INPUT: loopback, optional log, optional exceptions, server ports,
    # client replies, optional ping replies, then drop the rest
    sudo "$ipt" -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
    $has_logserver sudo "$ipt" -A INPUT -p tcp -m multiport --dports "$logserver" -j LOG >/dev/null
    $has_exceptions sudo "$ipt" -A INPUT -s "$exceptions" -j ACCEPT >/dev/null
    $enable_server sudo "$ipt" -A INPUT -p udp -m multiport --dports "$serverudp" -s "$servernet" -d "$servernet" -j ACCEPT >/dev/null
    $enable_server sudo "$ipt" -A INPUT -p tcp -m multiport --dports "$servertcp" -s "$servernet" -d "$servernet" -j ACCEPT >/dev/null
    $enable_client sudo "$ipt" -A INPUT -p udp -m multiport --sports "$clientudp" -m state --state ESTABLISHED -s "$clientnet" -d "$clientnet" -j ACCEPT >/dev/null
    $enable_client sudo "$ipt" -A INPUT -p tcp -m multiport --sports "$clienttcp" -m state --state ESTABLISHED -s "$clientnet" -d "$clientnet" -j ACCEPT >/dev/null
    $has_ping sudo "$ipt" -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT >/dev/null
    sudo "$ipt" -A INPUT -j DROP >/dev/null
    # IPv4 OUTPUT: the mirror image of INPUT
    sudo "$ipt" -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
    $has_exceptions sudo "$ipt" -A OUTPUT -d "$exceptions" -j ACCEPT >/dev/null
    $enable_server sudo "$ipt" -A OUTPUT -p udp -m multiport --sports "$serverudp" -s "$servernet" -d "$servernet" -j ACCEPT >/dev/null
    $enable_server sudo "$ipt" -A OUTPUT -p tcp -m multiport --sports "$servertcp" -s "$servernet" -d "$servernet" -j ACCEPT >/dev/null
    $enable_client sudo "$ipt" -A OUTPUT -p udp -m multiport --dports "$clientudp" -s "$clientnet" -d "$clientnet" -j ACCEPT >/dev/null
    $enable_client sudo "$ipt" -A OUTPUT -p tcp -m multiport --dports "$clienttcp" -s "$clientnet" -d "$clientnet" -j ACCEPT >/dev/null
    $has_ping sudo "$ipt" -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT >/dev/null
    sudo "$ipt" -A OUTPUT -j DROP
    sudo "$ipt" -A FORWARD -j DROP
}
# Permissive mode: everything out, only established traffic in
apply_permissive() {
    local ipt="$1"
    sudo "$ipt" -F >/dev/null
    sudo "$ipt" -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
    sudo "$ipt" -A INPUT -m state --state ESTABLISHED -j ACCEPT >/dev/null
    sudo "$ipt" -A INPUT -j DROP >/dev/null
    sudo "$ipt" -A OUTPUT -j ACCEPT >/dev/null
    sudo "$ipt" -A FORWARD -j DROP >/dev/null
}
echo Setting iptables-legacy
apply_rules /usr/sbin/iptables-legacy /usr/sbin/ip6tables-legacy
echo iptables-legacy enabled
echo
echo Setting iptables-nft
apply_rules /usr/sbin/iptables-nft /usr/sbin/ip6tables-nft
echo iptables-nft enabled
echo
$permissive apply_permissive /usr/sbin/iptables-legacy
$permissive apply_permissive /usr/sbin/iptables-nft
#####################
echo launched $0 $1 $2
# exiting the script
exit 0
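An added example, not part of the commenter's script above: that script programs iptables-legacy and iptables-nft in parallel. On a kernel where both back ends have rules loaded, both rule sets sit on the netfilter hooks and both are traversed, so a DROP in either one wins, and `iptables -L` only ever shows you the set belonging to whichever front end `iptables` currently points at. The audit below classifies the active front end from `iptables -V` and reports whether rules exist in both `iptables-legacy-save` and `iptables-nft-save` output; the two sample dumps are constructed for the offline run, and the function names are this example's own.

```bash
#!/bin/bash
# Added example: audit which xtables back end is in use and whether both
# legacy and nft hold rules. Sample dumps are constructed, not from a real host.

# Classify the output of `iptables -V`, e.g. "iptables v1.8.7 (nf_tables)".
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;   # iptables 1.6 and older print no tag
    esac
}

# Count rules (-A lines) in an iptables-save style dump read from stdin;
# a dump that only declares chains counts as empty.
count_rules() {
    grep -c '^-A ' || true
}

# Compare two dumps (legacy, nft). Returns 0 when exactly one back end holds
# rules, 1 when both do (the state to fix), 2 when neither does.
audit_backends() {
    local legacy_rules nft_rules
    legacy_rules=$(printf '%s\n' "$1" | count_rules)
    nft_rules=$(printf '%s\n' "$2" | count_rules)
    if [ "$legacy_rules" -gt 0 ] && [ "$nft_rules" -gt 0 ]; then
        echo "WARNING: both back ends have rules (legacy=$legacy_rules nft=$nft_rules); both are enforced"
        return 1
    elif [ "$legacy_rules" -eq 0 ] && [ "$nft_rules" -eq 0 ]; then
        echo "no rules in either back end"
        return 2
    fi
    echo "single back end in use (legacy=$legacy_rules nft=$nft_rules)"
}

# Constructed sample dumps for the offline run.
SAMPLE_LEGACY='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
SAMPLE_NFT='# Generated by iptables-nft-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -j DROP
COMMIT'

main() {
    if command -v iptables-legacy-save >/dev/null 2>&1 \
       && command -v iptables-nft-save >/dev/null 2>&1 \
       && [ "$(id -u)" -eq 0 ]; then
        echo "iptables front end: $(backend_of "$(iptables -V 2>/dev/null)")"
        audit_backends "$(iptables-legacy-save 2>/dev/null)" "$(iptables-nft-save 2>/dev/null)"
    else
        echo "(tools unavailable or not root: auditing the constructed samples)"
        audit_backends "$SAMPLE_LEGACY" "$SAMPLE_NFT"
    fi
}
if main; then status=0; else status=$?; fi
echo "audit exit status: $status"
```

If the audit reports rules in both back ends, flush the one you do not intend to use (`iptables-legacy -F` or `iptables-nft -F`, plus the same for ip6tables) and drive only the front end that `update-alternatives --display iptables` (on Debian-style systems) says is active, rather than loading the same set twice.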
How would I set up a rule if the firewall is used as the gateway and I have squid inside the LAN???