Make your own firewall with iptables using this simple script, part 2

Image: Firewall (networking)

Hello everyone, today I bring you the second part of this series of tutorials on firewalls with iptables, very simple so that you can follow it and apply it. I think that at the end of the day that is what beginners, and even people with experience, are looking for; why should we reinvent the wheel a hundred times, right?

This time I propose that we try to focus on one specific topic: we want our firewall to be aggressive, with an OUTPUT DROP policy. This post is also at the request of a reader of this site and of my previous post. (In my head: wiiiiiiiiiiiii)

Let's talk a bit about the "pros and cons" of setting an Output Drop policy. What I can tell you above all is that it makes the work more tedious and tiring; however, the idea is that at the network level you will be more secure, and if you sit down to think, design and plan the rules well, you will have a much more secure server.

So that you don't get lost or give up on the tutorial, I'm going to quickly explain with an example what your rules could look like, more or less:

iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

-A because we are appending a rule.
-o means outgoing traffic, followed by the interface; if none is given, the rule applies to all of them.
--sport is the source port; it plays an important role because in many cases we don't know from which port the request will be made, and otherwise we could use dport.
--dport is the destination port, for when we know beforehand that the outgoing connection must only go to one specific port. It should be reserved for something very specific, such as a remote mysql server, for example.
-m state --state ESTABLISHED is a gem for keeping connections that are already established; we can go deeper into it in a future post.
-d is the destination address, when it can be specified, for example ssh to another machine by ip.

#!/bin/bash

# We flush the filter, NAT and mangle tables (mangle is for things like PPPoE, PPP and ATM)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Policies. I think this is the best way for beginners and it isn't bad at all.
# I'll explain: output we open case by case because those are outgoing connections,
# input we drop everything, and no server should be forwarding.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

intranet=eth0  # Intranet LAN
extranet=eth1  # Extranet wan

# Keep state. Everything that is already connected (established) we leave as is
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loop device, input and output
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# output
# http, https: we don't specify the interface because we want it for all of them,
# but we do specify the output port (the destination port of the outgoing connection;
# as a source port the rule would only match replies from a local web server, which
# the ESTABLISHED rule above already covers)
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

# ssh only internally and from this range of ip's
iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 7659 -j ACCEPT
# output: ssh only internally and to this range of ip's
iptables -A OUTPUT -p tcp -d 192.168.x.x/24 -o $intranet --sport 7659 -j ACCEPT

# monitoring, for example if you have zabbix or some other snmp service
iptables -A INPUT -p tcp -s 192.168.1.1 -i $intranet --dport 10050 -j ACCEPT
# output: monitoring, same case
iptables -A OUTPUT -p tcp -d 192.168.1.1 -o $intranet --dport 10050 -j ACCEPT

# icmp, ping; well, that's your choice
iptables -A INPUT -p icmp -s 192.168.x.x/24 -i $intranet -j ACCEPT
# output: icmp, ping, same case
iptables -A OUTPUT -p icmp -d 192.168.x.x/24 -o $intranet -j ACCEPT

# mysql; with postgres it's port 5432
iptables -A INPUT -p tcp -s 192.168.x.x --sport 3306 -i $intranet -j ACCEPT
# output - a question a user also asked: how to make the rule exact
# server: 192.168.1.2  mysql: 192.168.1.3
iptables -A OUTPUT -p tcp -s 192.168.1.2 -d 192.168.1.3 --dport 3306 -o $intranet -j ACCEPT

# sendmail, bueeeh, in case you want to send some mail
#iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Anti-SPOOFING 09/07/2014
SERVER_IP="190.x.x.x"        # server IP - the real wan ip of your server
LAN_RANGE="192.168.x.x/21"   # your LAN range or vlan
# IPs that should never come in through the extranet; it's to apply a bit of logic
# if we only have one WAN interface: LAN-type traffic must not enter through it
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Default action - executed when any of these rules matches
ACTION="DROP"
# Note: these rules are appended after the ESTABLISHED,RELATED rule, so they only
# see packets that conntrack does not already associate with a known connection.
# Packets with the same ip as my server coming in through the wan
iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
# (mirroring this rule on OUTPUT with -o $extranet -s $SERVER_IP would drop every
# packet the server itself sends out the wan, so it is deliberately not added)

# Packets with the LAN range coming in through the wan; I put it like this in case you
# have a specific network, but it is redundant with the next rule inside the "for" loop
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION

## None of the SPOOF networks are allowed through the wan
for ip in $SPOOF_IPS
do
  iptables -A INPUT -i $extranet -s $ip -j $ACTION
  iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
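As an added example (not part of the post or its script), a small first-match evaluator in Python that encodes the script's INPUT and OUTPUT rules and walks them the way a chain walk does; it assumes the LAN is 192.168.1.0/24, leaves out the anti-spoofing block, and uses constructed addresses, and it makes visible what the OUTPUT DROP policy does to a flow the rules never mention, such as a DNS query.

```python
from ipaddress import ip_address, ip_network

INTRANET = "eth0"        # $intranet in the script
LAN = "192.168.1.0/24"   # assumed value for the script's 192.168.x.x/24

def rule(chain, proto=None, iface=None, src=None, dst=None, sport=None, dport=None, state=None):
    # every rule in the script jumps to ACCEPT; anything unmatched falls to the DROP policy
    return dict(chain=chain, proto=proto, iface=iface, src=src, dst=dst,
                sport=sport, dport=dport, state=state)

RULES = [  # same order as the script (anti-spoofing block left out)
    rule("INPUT", state={"ESTABLISHED", "RELATED"}),
    rule("OUTPUT", state={"ESTABLISHED", "RELATED"}),
    rule("INPUT", iface="lo"),
    rule("OUTPUT", iface="lo"),
    rule("OUTPUT", proto="tcp", dport=80),
    rule("OUTPUT", proto="tcp", dport=443),
    rule("INPUT", proto="tcp", src=LAN, iface=INTRANET, dport=7659),
    rule("OUTPUT", proto="tcp", dst=LAN, iface=INTRANET, sport=7659),
    rule("INPUT", proto="tcp", src="192.168.1.1", iface=INTRANET, dport=10050),
    rule("OUTPUT", proto="tcp", dst="192.168.1.1", iface=INTRANET, dport=10050),
    rule("INPUT", proto="icmp", src=LAN, iface=INTRANET),
    rule("OUTPUT", proto="icmp", dst=LAN, iface=INTRANET),
    rule("INPUT", proto="tcp", src=LAN, sport=3306, iface=INTRANET),
    rule("OUTPUT", proto="tcp", src="192.168.1.2", dst="192.168.1.3", dport=3306, iface=INTRANET),
]

def matches(r, pkt):
    for key in ("proto", "iface", "sport", "dport"):
        if r[key] is not None and r[key] != pkt[key]:
            return False
    for key in ("src", "dst"):  # -s / -d match a host address against the rule's network
        if r[key] is not None and ip_address(pkt[key]) not in ip_network(r[key]):
            return False
    return r["state"] is None or pkt["state"] in r["state"]

def verdict(chain, pkt):
    """First matching rule wins; with no match the chain policy (DROP) applies."""
    for r in RULES:
        if r["chain"] == chain and matches(r, pkt):
            return "ACCEPT"
    return "DROP"

def packet(proto, iface, src, dst, sport=None, dport=None, state="NEW"):
    return dict(proto=proto, iface=iface, src=src, dst=dst, sport=sport, dport=dport, state=state)

if __name__ == "__main__":
    # constructed flows: 198.51.100.5 is the server's wan address, 203.0.113.x remote hosts
    print(verdict("OUTPUT", packet("tcp", "eth1", "198.51.100.5", "203.0.113.10", 40000, 443)))  # ACCEPT
    print(verdict("OUTPUT", packet("udp", "eth1", "198.51.100.5", "203.0.113.53", 40001, 53)))   # DROP
    print(verdict("INPUT", packet("tcp", "eth1", "192.168.1.50", "198.51.100.5", 50000, 7659)))  # DROP
```

The second flow is the classic surprise of an OUTPUT DROP policy: nothing in the script opens udp/53 (or ntp), so name resolution from the server fails until a rule for it is added.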

In the next tutorial we will do a bit of the same, but setting up the rules organized by name, among other things... I'm waiting for your comments and requests.
