Build your own firewall with iptables using this simple script

I was thinking about a couple of things concerning iptables: most of the people looking for these tutorials are beginners, and, second, many of them want something fairly simple that is already explained.

This example is intended for a web server, but you can easily add more rules and adapt it to your needs.

Wherever you see "x", replace it with your own IP address.


#!/bin/bash

# Flush the tables
iptables -F
iptables -X
# Flush NAT
iptables -t nat -F
iptables -t nat -X
# mangle table, used for things like PPPoE, PPP and ATM
iptables -t mangle -F
iptables -t mangle -X
# Policies
# I think this is the best way to start without locking yourself out:
# OUTPUT we accept entirely because those are outgoing connections,
# INPUT we drop everything, and no FORWARD, since this is not a
# forwarding server.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Intranet LAN
intranet=eth0
# Extranet WAN
extranet=eth1
# Keep state. Anything already connected (ESTABLISHED) is left alone:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback device.
iptables -A INPUT -i lo -j ACCEPT
# http, https; we don't specify an interface because
# we want it on all of them
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# ssh only internal and only from this range of IPs
iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 7659 -j ACCEPT
# monitoring, for example if you have zabbix or some other snmp service
iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 10050 -j ACCEPT
# icmp, ping; well, that is up to you
iptables -A INPUT -p icmp -s 192.168.x.x/24 -i $intranet -j ACCEPT
# mysql (with postgres it is port 5432)
# Note: the ESTABLISHED,RELATED rule above already admits the replies to
# connections this server opens to the DB host; a bare --sport match on its
# own lets anything from that host in as long as it uses source port 3306.
iptables -A INPUT -p tcp -s 192.168.x.x --sport 3306 -i $intranet -j ACCEPT
# sendmail, buuut only if you want to send some mail
#iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
# Anti-SPOOFING 09/07/2014
SERVER_IP="190.x.x.x"        # server IP - the real WAN IP of your server
LAN_RANGE="192.168.x.x/21"   # LAN range of your network, or your network
# IPs that must never come in through the WAN interface; use a little
# logic here: if we have a proper WAN, LAN-type traffic must never
# arrive on it
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Default action - what to do when a packet matches any of these rules
ACTION="DROP"
# Packets carrying my own server's IP arriving over the WAN
iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
# iptables -A OUTPUT -o $extranet -s $SERVER_IP -j $ACTION
# Packets with the LAN range over the WAN; I put it like this in case you
# have some particular network, but it is unnecessary given the
# following rule inside the "for" loop
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION
## None of the SPOOF networks is allowed over the WAN
for ip in $SPOOF_IPS
do
    iptables -A INPUT -i $extranet -s $ip -j $ACTION
    iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
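The script above appends rules one at a time with separate iptables calls, so a typo halfway through, or a remote session that hits the window between `-P INPUT DROP` and the ESTABLISHED rule, can leave the box half-configured. Two things are also worth noticing in its rule order: iptables stops at the first matching rule, and the http/https accepts are appended before the anti-spoofing drops, so a packet with a spoofed private source aimed at port 80 is accepted before the drop is ever evaluated. The following is an added example, not code from the original post: it renders the same web-server policy (default DROP, stateful ESTABLISHED,RELATED, http/https on all interfaces, ssh and the monitoring agent only from the LAN, and the anti-spoofing block on the WAN, this time placed first) as an iptables-restore file, which the kernel commits atomically: either the whole ruleset applies or nothing changes. The interface names, the 192.168.0.0/21 LAN, the 203.0.113.10 WAN address and the 7659/10050 ports are placeholders; `-m conntrack --ctstate` is used in place of the older `-m state --state` (the form in the post still works as an alias). The `--sport 3306` rule is left out, since the ESTABLISHED rule already admits the database replies.

```shell
#!/bin/sh
# Added example, not code from the original post: emit the web-server
# policy in iptables-restore format so it can be syntax-checked and then
# loaded in one atomic commit instead of one iptables call at a time.
# Interface names, addresses and ports below are placeholders.

# Source ranges that must never be seen on the WAN link (same list as the post).
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# gen_ruleset INTRANET_IF EXTRANET_IF LAN_RANGE SERVER_WAN_IP
# Writes a complete filter-table ruleset to stdout.
gen_ruleset() {
    intranet=$1; extranet=$2; lan_range=$3; server_ip=$4
    printf '%s\n' '*filter'
    # Default policies: drop inbound and forwarded traffic, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Anti-spoofing first, so no accept rule below can match a spoofed source.
    printf '%s\n' "-A INPUT -i $extranet -s $server_ip -j DROP"
    printf '%s\n' "-A INPUT -i $extranet -s $lan_range -j DROP"
    printf '%s\n' "-A OUTPUT -o $extranet -s $lan_range -j DROP"
    for ip in $SPOOF_IPS; do
        printf '%s\n' "-A INPUT -i $extranet -s $ip -j DROP"
        printf '%s\n' "-A OUTPUT -o $extranet -s $ip -j DROP"
    done
    # Loopback and replies to connections this host already has open.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # The public web service, on every interface.
    printf '%s\n' '-A INPUT -p tcp --dport 80 -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --dport 443 -j ACCEPT'
    # ssh, monitoring agent and ping only from the LAN range on the LAN NIC.
    printf '%s\n' "-A INPUT -i $intranet -s $lan_range -p tcp --dport 7659 -j ACCEPT"
    printf '%s\n' "-A INPUT -i $intranet -s $lan_range -p tcp --dport 10050 -j ACCEPT"
    printf '%s\n' "-A INPUT -i $intranet -s $lan_range -p icmp -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# count_rules RULESET PATTERN: how many lines of RULESET match PATTERN.
count_rules() {
    printf '%s\n' "$1" | grep -c -- "$2" || true
}

# rule_line RULESET PATTERN: line number of the first match, for ordering checks.
rule_line() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Usage: write the file, test-parse it, then load it atomically.
#   gen_ruleset eth0 eth1 192.168.0.0/21 203.0.113.10 > /etc/iptables/rules.v4
#   iptables-restore --test < /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

`iptables-restore --test` (available on recent iptables releases) only parses the file, so a mistake is caught without touching the live rules; the real load then replaces the filter table in a single commit, and an existing ssh session from the LAN never sees a moment without the ESTABLISHED rule. The file path is the one Debian's iptables-persistent package reads at boot; on other distributions use whatever mechanism restores saved rules, since nothing loaded with iptables survives a reboot on its own.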

As always, I await your comments. Follow along here; thanks.



12 comments


  1.   HO2Gi said

    It helps me keep learning a little more; thanks, and copied.

    1.    brodydalle said

      You're welcome, glad to be of help.

  2.   Javier said

    I'm really sorry, but I have two questions (and one as a bonus 😉):

    Would this be the configuration for Apache to run and everything else to be closed except SSH?

    # We flush the tables
    iptables -F
    iptables -X

    # We flush NAT

    iptables -t nat -F
    iptables -t nat -X

    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    # ssh only internal and from this range of IPs

    iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 7659 -j ACCEPT

    Second question: is 7659 the port used for SSH in this example?

    And third and last: which file is this configuration saved in?

    Thank you very much for the tutorial; it's a shame to be a newbie and not be able to make better use of it.

    1.    brodydalle said

      this is the rule you need for http running on apache
      iptables -A INPUT -p tcp --dport 80 -j ACCEPT

      but you also need to state the drop in the default policies (it's in the script)
      iptables -P INPUT DROP
      iptables -P OUTPUT ACCEPT
      iptables -P FORWARD DROP

      and this one because if you are remote it will throw you out.
      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

      yes, 7659 is the ssh port in the example; by default it is 22, although I recommend changing it to a port that is "not so well known"
      man, I don't know, as you wish... firewall.sh, and you put it in rc.local (sh firewall.sh) so that it runs automatically; it depends on the operating system you use, there are files where you can load the rules automatically.

  3.   jge said

    Hey, very nice script; I'm analyzing it.... Do you know how I can deny all requests from my users to a certain site? But this site has many servers....

    1.    brodydalle said

      I recommend other options:
      1) You can create a fake zone in your dns...
      2) You can proxy with an acl block
      With iptables you can do it like this... it's not always the best option (there are many ways)
      iptables -A INPUT -s blogs.desdelinux.net -j DROP
      iptables -A OUTPUT -d blog.desdelinux.net -j DROP

      Tell me if it worked

  4.   Javier said

    Thanks for the answer, everything is clear now. I was asking about the port because the use of 7659 surprised me, since private ports start at 49152 and it could interfere with some service or something.
    Again, thanks for everything, that's great!

    Thanks.

  5.   ingula said

    BrodyDalle, how can I contact you? Your script is very interesting.

  6.   Carlos said

    Is the last line "iptables -A OUTPUT -o $extranet -s $ip -j $ACTION" there to prevent your own machine from spoofing? Or is it possible for a spoofed packet to come in and leave with that spoofed source, and that is why the rule is also added to OUTPUT?
    Thank you very much for the clarification!!!

  7.   fran said

    This is my iptables script, it's complete:

    #!/bin/bash
    # franes.iptable.airoso
    # doc.iptables.airoso: iptables legacy and nft
    #
    # firewall ports
    ##############################
    #
    # clear the screen
    ################################### start of /etc/f-iptables/default.cfg |||||
    clear
    # leave a blank line
    echo
    # $si in front of a command runs it; $no turns the line into a harmless echo
    export si="" no="echo off"
    # variables you can change to allow access
    ############ activation variables, change them to $si or $no
    export hayexcepciones="$no"
    # hayexcepciones: $si to allow the exceptional hosts and $no to block them
    export hayping="$no"
    # hayping: $si to allow pings to third parties and $no to deny them
    export haylogserver="$no"
    # haylogserver: $si to be able to log tcp, $no to not log tcp
    ######
    ############ modifiable variables; change them by adding "," or with ":"
    export excepciones="baldras.wesnoth.org"
    # excepciones: lets one or several hosts through the firewall, or nothing
    export logserver="discard,ipp,dict,ssh"
    # logserver: tcp server ports that are logged when packets come in
    export redserver="0/0"
    # redserver: network for the server ports, preferably a local network or a few IPs
    export clientnet="0/0"
    # clientnet: network for the client ports, preferably all networks
    export servidortcp="discard,ipp,dict,6771"
    # servidortcp: the specified tcp server ports
    export serverudp="discard"
    # serverudp: the specified udp server ports
    export clientudp="domain,bootpc,bootps,ntp,20000:45000"
    # clientudp: the specified udp client ports
    export clienttcp="domain,http,https,ipp,git,dict,14999:15002"
    # clienttcp: the specified tcp client ports
    ################################# end of /etc/f-iptables/default.cfg ||||||
    ################################# end of variables
    export firewall=$1 variables=$2
    if [ -z "$variables" ]; then source /etc/f-iptables/default.cfg;
    else source /etc/f-iptables/$2; fi
    #################################
    #####################################################################
    if [ "$firewall" = "cut" ]; then echo FIREWALL CUT;
    export activateserver="$no" activateclient="$no" permitted="$no";
    elif [ "$firewall" = "client" ]; then echo FIREWALL CLIENT;
    export activateserver="$no" activateclient="" permitted="$no";
    elif [ "$firewall" = "server" ]; then echo FIREWALL SERVER;
    export activateserver="" activateclient="$no" permitted="$no";
    elif [ "$firewall" = "clientandserver" ]; then echo FIREWALL CLIENT AND SERVER;
    export activateserver=""; export activateclient=""; export permitted="$no";
    elif [ "$firewall" = "permitted" ]; then echo FIREWALL PERMITTED;
    export activateserver="$no" activateclient="$no" permitted="";
    else
    echo iptables-legacy:
    sudo iptables-legacy -v -L INPUT
    sudo iptables-legacy -v -L OUTPUT
    echo iptables-nft:
    sudo iptables-nft -v -L INPUT
    sudo iptables-nft -v -L OUTPUT
    echo _____parameters____ $0 $1 $2
    echo "launch without parameters to list iptables."
    echo "First parameter (enable iptables): cut or client or server or clientandserver or permitted."
    echo "Second parameter (optional): the config file, by default /etc/f-iptables/default.cfg"
    echo "Modifiable config files:" $(ls /etc/f-iptables/)
    exit 0; fi
    ##################
    echo
    echo Launch $0 with cut or client or server or clientandserver or permitted, or without parameters to list iptables.
    echo The file $0 contains some variables that can be modified inside it.
    ##################################
    ###################################
    echo setting iptables variables
    echo active variables
    echo
    #############################
    echo Setting iptables-legacy
    sudo /usr/sbin/iptables-legacy -t filter -F
    sudo /usr/sbin/iptables-legacy -t nat -F
    sudo /usr/sbin/iptables-legacy -t mangle -F
    sudo /usr/sbin/ip6tables-legacy -t filter -F
    sudo /usr/sbin/ip6tables-legacy -t nat -F
    sudo /usr/sbin/ip6tables-legacy -t mangle -F
    sudo /usr/sbin/ip6tables-legacy -A INPUT -j DROP
    sudo /usr/sbin/ip6tables-legacy -A OUTPUT -j DROP
    sudo /usr/sbin/ip6tables-legacy -A FORWARD -j DROP
    sudo /usr/sbin/iptables-legacy -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT > /dev/null
    $haylogserver sudo /usr/sbin/iptables-legacy -A INPUT -p tcp -m multiport --dports $logserver -j LOG > /dev/null
    $hayexcepciones sudo /usr/sbin/iptables-legacy -A INPUT -s $excepciones -j ACCEPT > /dev/null
    $activateserver sudo /usr/sbin/iptables-legacy -A INPUT -p udp -m multiport --dports $serverudp -s $redserver -d $redserver -j ACCEPT > /dev/null
    $activateserver sudo /usr/sbin/iptables-legacy -A INPUT -p tcp -m multiport --dports $servidortcp -s $redserver -d $redserver -j ACCEPT > /dev/null
    $activateclient sudo /usr/sbin/iptables-legacy -A INPUT -p udp -m multiport --sports $clientudp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT > /dev/null
    $activateclient sudo /usr/sbin/iptables-legacy -A INPUT -p tcp -m multiport --sports $clienttcp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT > /dev/null
    $hayping sudo /usr/sbin/iptables-legacy -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT > /dev/null
    sudo /usr/sbin/iptables-legacy -A INPUT -j DROP > /dev/null
    sudo /usr/sbin/iptables-legacy -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT > /dev/null
    $hayexcepciones sudo /usr/sbin/iptables-legacy -A OUTPUT -d $excepciones -j ACCEPT > /dev/null
    $activateserver sudo /usr/sbin/iptables-legacy -A OUTPUT -p udp -m multiport --sports $serverudp -s $redserver -d $redserver -j ACCEPT > /dev/null
    $activateserver sudo /usr/sbin/iptables-legacy -A OUTPUT -p tcp -m multiport --sports $servidortcp -s $redserver -d $redserver -j ACCEPT > /dev/null
    $activateclient sudo /usr/sbin/iptables-legacy -A OUTPUT -p udp -m multiport --dports $clientudp -s $clientnet -d $clientnet -j ACCEPT > /dev/null
    $activateclient sudo /usr/sbin/iptables-legacy -A OUTPUT -p tcp -m multiport --dports $clienttcp -s $clientnet -d $clientnet -j ACCEPT > /dev/null
    $hayping sudo /usr/sbin/iptables-legacy -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT > /dev/null
    sudo /usr/sbin/iptables-legacy -A OUTPUT -j DROP
    sudo /usr/sbin/iptables-legacy -A FORWARD -j DROP
    echo iptables-legacy enabled
    echo
    echo Setting iptables-nft
    sudo /usr/sbin/iptables-nft -t filter -F
    sudo /usr/sbin/iptables-nft -t nat -F
    sudo /usr/sbin/iptables-nft -t mangle -F
    sudo /usr/sbin/ip6tables-nft -t filter -F
    sudo /usr/sbin/ip6tables-nft -t nat -F
    sudo /usr/sbin/ip6tables-nft -t mangle -F
    sudo /usr/sbin/ip6tables-nft -A INPUT -j DROP
    sudo /usr/sbin/ip6tables-nft -A OUTPUT -j DROP
    sudo /usr/sbin/ip6tables-nft -A FORWARD -j DROP
    sudo /usr/sbin/iptables-nft -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT > /dev/null
    $haylogserver sudo /usr/sbin/iptables-nft -A INPUT -p tcp -m multiport --dports $logserver -j LOG > /dev/null
    $hayexcepciones sudo /usr/sbin/iptables-nft -A INPUT -s $excepciones -j ACCEPT > /dev/null
    $activateserver sudo /usr/sbin/iptables-nft -A INPUT -p udp -m multiport --dports $serverudp -s $redserver -d $redserver -j ACCEPT > /dev/null
    $activateserver sudo /usr/sbin/iptables-nft -A INPUT -p tcp -m multiport --dports $servidortcp -s $redserver -d $redserver -j ACCEPT > /dev/null
    $activateclient sudo /usr/sbin/iptables-nft -A INPUT -p udp -m multiport --sports $clientudp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT > /dev/null
    $activateclient sudo /usr/sbin/iptables-nft -A INPUT -p tcp -m multiport --sports $clienttcp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT > /dev/null
    $hayping sudo /usr/sbin/iptables-nft -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT > /dev/null
    sudo /usr/sbin/iptables-nft -A INPUT -j DROP > /dev/null
    sudo /usr/sbin/iptables-nft -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT > /dev/null
    $hayexcepciones sudo /usr/sbin/iptables-nft -A OUTPUT -d $excepciones -j ACCEPT > /dev/null
    $activateserver sudo /usr/sbin/iptables-nft -A OUTPUT -p udp -m multiport --sports $serverudp -s $redserver -d $redserver -j ACCEPT > /dev/null
    $activateserver sudo /usr/sbin/iptables-nft -A OUTPUT -p tcp -m multiport --sports $servidortcp -s $redserver -d $redserver -j ACCEPT > /dev/null
    $activateclient sudo /usr/sbin/iptables-nft -A OUTPUT -p udp -m multiport --dports $clientudp -s $clientnet -d $clientnet -j ACCEPT > /dev/null
    $activateclient sudo /usr/sbin/iptables-nft -A OUTPUT -p tcp -m multiport --dports $clienttcp -s $clientnet -d $clientnet -j ACCEPT > /dev/null
    $hayping sudo /usr/sbin/iptables-nft -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT > /dev/null
    sudo /usr/sbin/iptables-nft -A OUTPUT -j DROP
    sudo /usr/sbin/iptables-nft -A FORWARD -j DROP
    echo iptables-nft enabled
    echo
    # "permitted" mode: flush and keep only a simple stateful ruleset
    $permitted sudo /usr/sbin/iptables-legacy -F > /dev/null
    $permitted sudo /usr/sbin/iptables-legacy -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT > /dev/null
    $permitted sudo /usr/sbin/iptables-legacy -A INPUT -m state --state ESTABLISHED -j ACCEPT > /dev/null
    $permitted sudo /usr/sbin/iptables-legacy -A INPUT -j DROP > /dev/null
    $permitted sudo /usr/sbin/iptables-legacy -A OUTPUT -j ACCEPT > /dev/null
    $permitted sudo /usr/sbin/iptables-legacy -A FORWARD -j DROP > /dev/null
    $permitted sudo /usr/sbin/iptables-nft -F > /dev/null
    $permitted sudo /usr/sbin/iptables-nft -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT > /dev/null
    $permitted sudo /usr/sbin/iptables-nft -A INPUT -m state --state ESTABLISHED -j ACCEPT > /dev/null
    $permitted sudo /usr/sbin/iptables-nft -A INPUT -j DROP > /dev/null
    $permitted sudo /usr/sbin/iptables-nft -A OUTPUT -j ACCEPT > /dev/null
    $permitted sudo /usr/sbin/iptables-nft -A FORWARD -j DROP > /dev/null
    ############################
    echo you launched $0 $1 $2
    # exit the script
    exit 0

  8.   louis duraan said

    How can I set up a rule if this firewall acts as my gateway and I have an internal LAN behind it???