I spent some time thinking about two things regarding this iptables article: most of the people who look for these tutorials are beginners, and second, most of them are looking for something simple and explained.
This example is for a web server, but you can easily add more rules and adapt it to what you need.
Where you see "x", change it to your own IPs.
#!/bin/bash
# Clean the tables
iptables -F
iptables -X
# Clean NAT
iptables -t nat -F
iptables -t nat -X
# mangle table, for things like PPPoE, PPP and ATM
iptables -t mangle -F
iptables -t mangle -X
# Policies. I think this is the best way for those who are starting out,
# and it's still not bad. To explain: I leave output (OUTPUT) open because those are
# outgoing connections, on input we drop everything, and no server should forward.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Intranet LAN
intranet=eth0
# Extranet WAN
extranet=eth1
# Keep state. Everything that is already connected (established) stays that way:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback device.
iptables -A INPUT -i lo -j ACCEPT
# http, https; we don't specify an interface because
# we want it on all of them
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# ssh only internal and only from this range of IPs
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 7659 -j ACCEPT
# monitoring, for example if you have zabbix or some other snmp service
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 10050 -j ACCEPT
# icmp, ping; well, that's up to you
iptables -A INPUT -p icmp -s 192.168.xx/24 -i $intranet -j ACCEPT
# mysql; with postgres it's port 5432
# (--sport matches the source port of the incoming packet; a server that listens on 3306 would match --dport 3306)
iptables -A INPUT -p tcp -s 192.168.xx --sport 3306 -i $intranet -j ACCEPT
# sendmail, well... if you want to send mail
# iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
# Anti-SPOOFING 09/07/2014
SERVER_IP="190.xxx" # server IP - the real WAN IP of your server
LAN_RANGE="192.168.xx/21" # LAN range of your network or VLAN
# IPs that should never come in through the extranet; use a bit of
# logic: if we have a WAN interface, LAN-type traffic should never
# come in through that interface
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Default action - executed when any of the rules below matches
ACTION="DROP"
# Packets with the same IP as my server coming in through the WAN
iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
# iptables -A OUTPUT -o $extranet -s $SERVER_IP -j $ACTION
# Packets with the LAN range coming through the WAN; I put it like this in case you
# have some particular network, but this is redundant with the following
# rule inside the "for"
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION
## None of the SPOOF networks are allowed through the WAN
for ip in $SPOOF_IPS
do
    iptables -A INPUT -i $extranet -s $ip -j $ACTION
    iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
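Once a script like the one above has been loaded, the useful check is not the script text but the ruleset the kernel actually holds. The audit below is an added example, not part of the article: it reads an `iptables-save` dump and verifies the properties the article's script is built around (INPUT and FORWARD policy DROP, an ESTABLISHED/RELATED accept rule, SSH accepted only on the LAN interface, and a DROP for every SPOOF_IPS network on the WAN interface). The dump, the interface names eth0/eth1 and the SSH port 7659 are constructed for the example; on a real host you would feed it `sudo iptables-save` output instead.

```shell
#!/bin/bash
# Added example: audit an iptables-save dump for the properties the
# article's firewall script aims at. All input here is constructed.

# Networks the article's SPOOF_IPS list drops on the WAN interface.
SPOOF_NETS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Constructed iptables-save output (not captured from a real host), written
# in the field order iptables-save emits: -s, then -i, then -p, then -m/--dport.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 7659 -j ACCEPT
-A INPUT -s 0.0.0.0/8 -i eth1 -j DROP
-A INPUT -s 127.0.0.0/8 -i eth1 -j DROP
-A INPUT -s 10.0.0.0/8 -i eth1 -j DROP
-A INPUT -s 172.16.0.0/12 -i eth1 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth1 -j DROP
COMMIT'

# The same dump with two mistakes introduced on purpose: the SSH rule lost
# its interface restriction and one anti-spoof network is missing.
WEAK_DUMP=$(printf '%s\n' "$SAMPLE_DUMP" | grep -v '172.16.0.0/12' |
    sed 's/ -i eth0 -p tcp -m tcp --dport 7659/ -p tcp -m tcp --dport 7659/')

# Each check prints a FAIL line and returns 1 when the property is missing.
check_policy() {  # args: dump chain expected-policy
    printf '%s\n' "$1" | grep -q "^:$2 $3 " && return 0
    echo "FAIL: chain $2 policy is not $3"; return 1
}

check_state_rule() {  # arg: dump
    printf '%s\n' "$1" | grep -q -- '^-A INPUT .*--state [A-Z,]*ESTABLISHED.* -j ACCEPT' && return 0
    echo "FAIL: no ESTABLISHED/RELATED accept rule in INPUT"; return 1
}

check_ssh_lan_only() {  # args: dump ssh-port lan-if
    # Any INPUT accept for the SSH port that is not tied to the LAN interface is exposure.
    printf '%s\n' "$1" | grep -- "^-A INPUT .*--dport $2 .*-j ACCEPT" |
        grep -qv -- "-i $3 " && { echo "FAIL: port $2 accepted on an interface other than $3"; return 1; }
    return 0
}

check_antispoof() {  # args: dump wan-if
    local net rc=0
    for net in $SPOOF_NETS; do
        printf '%s\n' "$1" | grep -qF -- "-A INPUT -s $net -i $2 -j DROP" ||
            { echo "FAIL: no anti-spoof DROP for $net on $2"; rc=1; }
    done
    return $rc
}

# audit_dump DUMP WAN-IF LAN-IF SSH-PORT: returns the number of failed checks.
audit_dump() {
    local fails=0
    check_policy "$1" INPUT DROP        || fails=$((fails + 1))
    check_policy "$1" FORWARD DROP      || fails=$((fails + 1))
    check_state_rule "$1"               || fails=$((fails + 1))
    check_ssh_lan_only "$1" "$4" "$3"   || fails=$((fails + 1))
    check_antispoof "$1" "$2"           || fails=$((fails + 1))
    return $fails
}

echo "== complete ruleset =="
audit_dump "$SAMPLE_DUMP" eth1 eth0 7659 && echo "OK: all checks passed"
echo "== weakened ruleset =="
audit_dump "$WEAK_DUMP" eth1 eth0 7659 || echo "$? check(s) failed"
```

To run it against a live host, replace `SAMPLE_DUMP` with `$(sudo iptables-save)` and pass your own WAN and LAN interface names and SSH port; a non-zero return is the number of properties that are missing.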
As always, I await your comments; keep an eye on this blog. Thanks.
It helps me keep learning a little; thanks, I'll keep following.
You're welcome, glad to help.
Sorry, but I have two questions (and one more as a bonus 😉):
How would you set this configuration up so that Apache keeps running and everything else is blocked except SSH?
# Clean the tables
iptables -F
iptables -X
# Clean NAT
iptables -t nat -F
iptables -t nat -X
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# ssh only internal and only from this range of IPs
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 7659 -j ACCEPT
Second question: is 7659 the port used for SSH in this example?
And the third and last one: how is this file supposed to be saved?
Thank you very much for the tutorial; it's a shame to be such a newbie and not be able to take full advantage of it.
This is the rule you need for http from Apache:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
but you also need to declare the default DROP policies (they are in the article):
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
and this one, because if you are working remotely it will drop you (lock you out):
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Yes, 7659 is the ssh port in the example; by default it is 22, although I recommend changing it to a "non-standard" port.
Man, I don't know, as you like... firewall.sh, and you put it in rc.local (sh firewall.sh) so it runs by itself; depending on which operating system you use, there are files where you can put the rules directly.
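The reply above lists the pieces (the http rule, the three policies, the state rule, the LAN-only ssh rule, saving it as firewall.sh) but not the order in which to load them from a remote session. The script below is an added example, not the article's or the commenter's code: it puts the same rules in a single list that can be printed for review (`IPT=echo`) before being applied, and loads the accept rules before the DROP policy so a remote admin session is not cut off between the policy change and the ESTABLISHED rule. The LAN interface eth0, LAN range 192.168.1.0/24 and SSH port 7659 are assumed values and can be overridden through the environment.

```shell
#!/bin/bash
# Added example: Apache reachable everywhere, SSH only from the LAN,
# everything else dropped. Assumed values, overridable from the environment.
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SSH_PORT=${SSH_PORT:-7659}
IPT=${IPT:-iptables}   # set IPT=echo to see the commands without running them

# One iptables argument list per line. Order matters: the accept rules go
# in first and the INPUT DROP policy last, so an existing remote session
# keeps working while the rules are loaded.
apache_ssh_rules() {
    cat <<EOF
-F
-X
-t nat -F
-t nat -X
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -s $LAN_NET -i $LAN_IF --dport $SSH_PORT -j ACCEPT
-P OUTPUT ACCEPT
-P FORWARD DROP
-P INPUT DROP
EOF
}

# Feed each line to $IPT; stop at the first rule iptables rejects.
apply_rules() {
    apache_ssh_rules | while read -r line; do
        # word-splitting $line into separate arguments is intended
        $IPT $line || exit 1
    done
}

# Number of rules in the list (used to sanity-check the generated set).
count_rules() { apache_ssh_rules | wc -l | tr -d ' '; }

# Stand-alone: print the commands; pass --apply to load them for real.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    IPT=echo apply_rules
fi
```

Save it as firewall.sh, run `sh firewall.sh` once to read the generated commands, then `sudo sh firewall.sh --apply` (or call it that way from rc.local) to load them.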
Hey, your article is very good, I'm going through it.... Do you know how I could deny all requests from my users to a specific website?.... but this website has many servers....
I'd suggest a few options:
1) You can create a fake zone in your DNS...
2) You can set up a proxy with ACLs
Or, with iptables, you might want something like this... it's not always the best option (there are other ways):
iptables -A INPUT -s blog.desdelinux.net -j DROP
iptables -A OUTPUT -d blog.desdelinux.net -j DROP
Let me know if it worked.
Thanks for the reply, everything is clear now. I asked about the port because I was surprised by the use of 7659, since the private ports start at 49152, and it could conflict with another service or something.
Again, thanks for everything, it's great!
Thanks.
BrodyDalle, how can I get in touch with you? Your script is very interesting.
soulofmarionet_1@hotmail.com
Is the last line before "iptables -A OUTPUT -o $extranet -s $ip -j $ACTION" meant to protect your own machine from spoofing? Or is it possible that a poisoned packet gets in and could leave with that spoofed source, and that's why the rule is also included for OUTPUT?
Thanks a lot for the clarification!!!
This is my own iptables script, it's quite complete:
#!/bin/bash
# franes.iptables.airoso
# doc.iptables.airoso: iptables legacy and nft
#
# firewall ports
#############
#
# clear the screen
##############
clear
# leave a blank line
echo
# A switch set to "" lets the command it prefixes run; set to "echo no" it
# turns that command into a harmless print. This is how the variables
# below enable or disable whole groups of rules.
export yes="" no="echo no"
# variables you can change to allow access
###############################
export hasexceptions="$no"
# hasexceptions: $yes to allow the exceptional hosts, $no to disable them
export hasping="$no"
# hasping: $yes to allow pings to third parties, $no to deny them
export haslogserver="$no"
# haslogserver: $yes to log tcp, $no to not log tcp
######
#############################
export exceptions=""
# exceptions: one or more hosts allowed through the firewall, or empty if not needed
export logserver=discard,ipp,dict,ssh
# logserver: tcp server ports that are logged when packets arrive
export servernet=0/0
# servernet: the network the server ports are offered to, either the local network or several ips
export clientnet=0/0
# clientnet: the network the client ports are needed for, for every network
export servertcp=discard,ipp,dict,6771
# servertcp: the tcp server ports
export serverudp=discard
# serverudp: the udp server ports
export clientudp=domain,bootpc,bootps,ntp,20000:45000
# clientudp: the udp client ports
export clienttcp=domain,http,https,ipp,git,dict,14999:15002
# clienttcp: the tcp client ports
#############
########################
export firewall=$1 variables=$2
if [ -z "$variables" ]; then source /etc/f-iptables/default.cfg;
else source /etc/f-iptables/$2; fi
#####################################
###########################################################
if [ "$firewall" = "disabled" ]; then echo FIREWALL DISABLED;
export activateserver="$no" activateclient="$no" permissive="$no";
elif [ "$firewall" = "client" ]; then echo FIREWALL CLIENT;
export activateserver="$no" activateclient="" permissive="$no";
elif [ "$firewall" = "server" ]; then echo FIREWALL SERVER;
export activateserver="" activateclient="$no" permissive="$no";
elif [ "$firewall" = "clientandserver" ]; then echo FIREWALL CLIENT AND SERVER;
export activateserver="" activateclient="" permissive="$no";
elif [ "$firewall" = "permissive" ]; then echo FIREWALL PERMISSIVE;
export activateserver="$no" activateclient="$no" permissive="";
else
echo iptables-legacy:
sudo iptables-legacy -v -L INPUT
sudo iptables-legacy -v -L OUTPUT
echo iptables-nft:
sudo iptables-nft -v -L INPUT
sudo iptables-nft -v -L OUTPUT
echo _____parameters____ $0 $1 $2
echo "Launched without parameters it lists iptables."
echo "First parameter (enables iptables): disabled or client or server or clientandserver or permissive."
echo "Second parameter (optional): the configuration file; default.cfg selects /etc/f-iptables/default.cfg"
echo "Configured variable files:" $(ls /etc/f-iptables/)
exit 0; fi
############
echo
echo Launch $0 with disabled or client or server or clientandserver or permissive, or with no parameter to list iptables.
echo The $0 file has more configurable variables inside.
###############################
echo setting iptables variables
echo hardened variables
echo
#################################
# The same rules are loaded into both backends, iptables-legacy and
# iptables-nft, so the result is the same whichever one the system uses.
for backend in legacy nft; do
    IPT=/usr/sbin/iptables-$backend
    IP6T=/usr/sbin/ip6tables-$backend
    echo Setting up iptables-$backend
    # flush the IPv4 and IPv6 tables
    sudo $IPT -t filter -F
    sudo $IPT -t nat -F
    sudo $IPT -t mangle -F
    sudo $IP6T -t filter -F
    sudo $IP6T -t nat -F
    sudo $IP6T -t mangle -F
    # IPv6 is dropped entirely
    sudo $IP6T -A INPUT -j DROP
    sudo $IP6T -A OUTPUT -j DROP
    sudo $IP6T -A FORWARD -j DROP
    # INPUT: loopback, optional logging, exceptions, server ports,
    # replies to client ports, ping replies, then drop the rest
    sudo $IPT -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
    $haslogserver sudo $IPT -A INPUT -p tcp -m multiport --dports $logserver -j LOG >/dev/null
    $hasexceptions sudo $IPT -A INPUT -s $exceptions -j ACCEPT >/dev/null
    $activateserver sudo $IPT -A INPUT -p udp -m multiport --dports $serverudp -s $servernet -d $servernet -j ACCEPT >/dev/null
    $activateserver sudo $IPT -A INPUT -p tcp -m multiport --dports $servertcp -s $servernet -d $servernet -j ACCEPT >/dev/null
    $activateclient sudo $IPT -A INPUT -p udp -m multiport --sports $clientudp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT >/dev/null
    $activateclient sudo $IPT -A INPUT -p tcp -m multiport --sports $clienttcp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT >/dev/null
    $hasping sudo $IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT >/dev/null
    sudo $IPT -A INPUT -j DROP >/dev/null
    # OUTPUT: loopback, exceptions, server replies, client ports,
    # ping requests, then drop the rest (appended, so the accepts above stay effective)
    sudo $IPT -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
    $hasexceptions sudo $IPT -A OUTPUT -d $exceptions -j ACCEPT >/dev/null
    $activateserver sudo $IPT -A OUTPUT -p udp -m multiport --sports $serverudp -s $servernet -d $servernet -j ACCEPT >/dev/null
    $activateserver sudo $IPT -A OUTPUT -p tcp -m multiport --sports $servertcp -s $servernet -d $servernet -j ACCEPT >/dev/null
    $activateclient sudo $IPT -A OUTPUT -p udp -m multiport --dports $clientudp -s $clientnet -d $clientnet -j ACCEPT >/dev/null
    $activateclient sudo $IPT -A OUTPUT -p tcp -m multiport --dports $clienttcp -s $clientnet -d $clientnet -j ACCEPT >/dev/null
    $hasping sudo $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT >/dev/null
    sudo $IPT -A OUTPUT -j DROP
    sudo $IPT -A FORWARD -j DROP
    echo iptables-$backend enabled
    echo
done
# Permissive mode replaces the above: loopback and established traffic in,
# everything out, nothing forwarded.
for backend in legacy nft; do
    IPT=/usr/sbin/iptables-$backend
    $permissive sudo $IPT -F >/dev/null
    $permissive sudo $IPT -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
    $permissive sudo $IPT -A INPUT -m state --state ESTABLISHED -j ACCEPT >/dev/null
    $permissive sudo $IPT -A INPUT -j DROP >/dev/null
    $permissive sudo $IPT -A OUTPUT -j ACCEPT >/dev/null
    $permissive sudo $IPT -A FORWARD -j DROP >/dev/null
done
####################
echo you launched $0 $1 $2
# script exits
exit 0
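The script above builds every rule from comma-separated port lists handed to `-m multiport`, and the lists come from a config file that is sourced without any check. The following is an added example, not part of that script: it validates such a list before it reaches iptables, rejecting entries that are neither a port number, a numeric low:high range nor a service name, and enforcing the multiport limit of 15 ports, where a range counts as two. The port lists fed to it are the ones from the script above plus two constructed bad ones.

```shell
#!/bin/bash
# Added example: validate a multiport port list before passing it to
# `-m multiport --dports`/`--sports`.

MULTIPORT_MAX=15   # limit documented for the multiport match; a range uses two slots

# is_port NUM: true if NUM is an integer between 1 and 65535
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_service NAME: true if NAME has the shape of a service name (letter first,
# then letters, digits or '-'); resolution against /etc/services is left to iptables
is_service() {
    case $1 in
        [a-z]*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *[!a-z0-9-]*) return 1 ;;
    esac
    return 0
}

# validate_multiport LIST: prints the number of port slots used and returns 0,
# or prints the reason and returns 1
validate_multiport() {
    local list=$1 entry slots=0 lo hi
    [ -n "$list" ] || { echo "empty port list"; return 1; }
    IFS=,; set -- $list; unset IFS
    for entry in "$@"; do
        case $entry in
            *:*)
                lo=${entry%%:*}; hi=${entry#*:}
                if ! is_port "$lo" || ! is_port "$hi" || [ "$lo" -gt "$hi" ]; then
                    echo "bad range: $entry"; return 1
                fi
                slots=$((slots + 2)) ;;
            *)
                if ! is_port "$entry" && ! is_service "$entry"; then
                    echo "bad port: $entry"; return 1
                fi
                slots=$((slots + 1)) ;;
        esac
    done
    if [ "$slots" -gt "$MULTIPORT_MAX" ]; then
        echo "too many ports: $slots slots, limit $MULTIPORT_MAX"; return 1
    fi
    echo "$slots"
}

# Lists from the script above, plus two constructed bad ones.
for list in "discard,ipp,dict,6771" "domain,bootpc,bootps,ntp,20000:45000" \
            "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16" "ssh,70000"; do
    printf '%-45s -> ' "$list"
    validate_multiport "$list" || true
done
```

Running `validate_multiport "$servertcp"` and friends right after the config file is sourced, and exiting on failure, keeps a typo in the config from aborting the rule load halfway through, which with the script's design leaves the chains in whatever partial state they had reached.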
How would I write a rule if this firewall were used on my gateway and there was a squid proxy inside the LAN???