Build your own firewall with iptables using this simple script, part 2

[Image: Firewall (network)]

Hello everyone. Today I bring you the second part of this series of tutorials on firewalls and iptables, kept very simple so that you can copy and paste. I think that in the end this is what everyone wants, beginners and the very experienced alike: why should we reinvent the wheel 100 times, right?

This time we are going to focus on the most correct scenario, the one where we want our firewall to be aggressive, with an OUTPUT DROP policy. This post was also requested by a reader of these pages and of my posts. (Wiiiiiiiiiiiii, in my head.)

Let's talk a little about the "pros and cons" of setting DROP policies. The most I can tell you is that it makes the work harder and more laborious; the pro, however, is that at the network level you can be sure that, if you sat down to think, design and plan your policies properly, you will have a very secure server.

So as not to wander off topic, I will quickly explain with an example what your rules should look like, more or less.

iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A because we append a rule.
-o refers to outgoing traffic, followed by the interface; if no interface is given, the rule matches all of them.
--sport the source port. It plays an important role here because in many cases we do not know which port the other side will make the request from, so we match our own port; when we do know the remote port we can use --dport instead.
--dport the destination port, for when we know precisely in advance that an outgoing connection must go to one specific port only. It has to be something very specific, a remote mysql server for example.
-m state --state ESTABLISHED this is the piece that keeps already established connections working; we can go deeper into it in a future post.
-d to specify the destination, if it can be defined, for example ssh to a particular machine by its IP.

#!/bin/bash

# Flush the filter table and delete user-defined chains
iptables -F
iptables -X
# Same for the NAT table
iptables -t nat -F
iptables -t nat -X
# and for the mangle table (used for things like PPPoE, PPP and ATM)
iptables -t mangle -F
iptables -t mangle -X

# Policies. I think this is the best approach for beginners and it is
# not bad either: everything that goes out is spelled out explicitly, since
# those are the outbound connections; on input we drop everything; and no
# server should be forwarding.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Intranet, LAN
intranet=eth0
# Extranet, WAN
extranet=eth1

# Keep state: everything that is already connected (established) is left alone
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback device, input
iptables -A INPUT -i lo -j ACCEPT
# Loopback device, output
iptables -A OUTPUT -o lo -j ACCEPT

# http, https: we do not name the interface because
# we want the rule to apply to all of them
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Output
# http, https: again no interface, since we want it for all of them,
# but here we match the source port (our own web ports)
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT

# ssh (on port 7659) only internally and only from this range
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 7659 -j ACCEPT
# Output
# ssh only internally and only towards this IP range
iptables -A OUTPUT -p tcp -d 192.168.xx/24 -o $intranet --sport 7659 -j ACCEPT

# Monitoring, for example if you have zabbix or some other snmp-style service
iptables -A INPUT -p tcp -s 192.168.1.1 -i $intranet --dport 10050 -j ACCEPT
# Output
# monitoring, for example zabbix or some other snmp-style service
iptables -A OUTPUT -p tcp -d 192.168.1.1 -o $intranet --dport 10050 -j ACCEPT

# icmp, ping: well, that is your call
iptables -A INPUT -p icmp -s 192.168.xx/24 -i $intranet -j ACCEPT
# Output
# icmp, ping: your call
iptables -A OUTPUT -p icmp -d 192.168.xx/24 -o $intranet -j ACCEPT

# mysql (with postgres the port is 5432)
iptables -A INPUT -p tcp -s 192.168.xx --sport 3306 -i $intranet -j ACCEPT
# Output: a case a reader asked about, a web server that must reach one
# specific database server. web: 192.168.1.2  mysql: 192.168.1.3
# mysql (with postgres the port is 5432)
iptables -A OUTPUT -p tcp -s 192.168.1.2 -d 192.168.1.3 --dport 3306 -o $intranet -j ACCEPT

# sendmail: well, only if you want to send mail
#iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Anti-SPOOFING 09/07/2014
SERVER_IP="190.xxx"          # the real WAN IP of your server (fill it in)
LAN_RANGE="192.168.xx/21"    # the LAN range of your network or vlan
# Addresses that must never come in through the extranet. The logic is
# simple: if we have a WAN interface, LAN-type traffic should never enter
# through it.
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Default action, taken whenever one of the rules below matches
ACTION="DROP"

# Note: these rules are appended after the ACCEPT rules above, so a packet
# that an earlier rule already accepted never reaches them.
# Packets arriving on the WAN with my own server's IP as source
iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
iptables -A OUTPUT -o $extranet -s $SERVER_IP -j $ACTION

# Packets with the LAN range via the WAN. I leave it in case you have a
# specific network, but it is not needed together with the "for" loop below
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION

## None of the SPOOF networks is allowed via the WAN
for ip in $SPOOF_IPS
do
    iptables -A INPUT -i $extranet -s $ip -j $ACTION
    iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
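The script below is an added example of my own, not the post's script and not the author's code. It builds the same OUTPUT DROP ruleset but writes it in iptables-save format, so it can be checked with `iptables-restore --test` and loaded atomically in one step instead of being flushed and appended rule by rule while the box sits half-open. It also goes beyond the post in ways a practitioner will want: the anti-spoofing DROPs come first, so no earlier ACCEPT can bypass them; service rules match only NEW connections and leave replies to a single ESTABLISHED,RELATED rule; outbound DNS is allowed, because an OUTPUT DROP host with no rule for port 53 cannot resolve names; and what still gets dropped is logged at a limited rate so a missing rule is visible rather than silent. The interface names, the LAN range, the monitoring and database addresses, the WAN address 203.0.113.10 and the ssh port are all assumptions; replace them with your own.

```bash
#!/bin/bash
# Added example (not the post's own script): emit the OUTPUT DROP ruleset in
# iptables-save format, validate it with iptables-restore --test, then apply
# it atomically. Every address and interface below is an assumption.

intranet=eth0                 # LAN interface (assumed)
extranet=eth1                 # WAN interface (assumed)
SERVER_IP="203.0.113.10"      # this host's WAN address (assumed, documentation range)
LAN_RANGE="192.168.1.0/24"    # assumed LAN range
MONITOR_IP="192.168.1.1"      # assumed zabbix/monitoring host
MYSQL_SERVER="192.168.1.3"    # assumed database server
SSH_PORT=7659                 # non-default sshd port, as in the post
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the complete filter table. Order matters: iptables takes the first
# matching rule, so the anti-spoofing DROPs on the WAN side are emitted before
# any ACCEPT, and service rules match only NEW connections; reply traffic is
# handled once by the ESTABLISHED,RELATED rules.
build_ruleset() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT DROP [0:0]"
    # Anti-spoofing: private sources must never appear on the WAN interface,
    # in either direction, and nobody on the WAN may claim our own address.
    for ip in $SPOOF_IPS; do
        echo "-A INPUT -i $extranet -s $ip -j DROP"
        echo "-A OUTPUT -o $extranet -s $ip -j DROP"
    done
    echo "-A INPUT -i $extranet -s $SERVER_IP -j DROP"
    # Loopback and connection tracking.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Services this host offers: web to everyone, ssh, monitoring and ping
    # only from the LAN.
    for port in 80 443; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "-A INPUT -i $intranet -p tcp -s $LAN_RANGE --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A INPUT -i $intranet -p tcp -s $MONITOR_IP --dport 10050 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A INPUT -i $intranet -p icmp -s $LAN_RANGE --icmp-type echo-request -j ACCEPT"
    # Connections this host may open: the database, DNS, and ping to the LAN.
    echo "-A OUTPUT -o $intranet -p tcp -d $MYSQL_SERVER --dport 3306 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A OUTPUT -o $intranet -p icmp -d $LAN_RANGE --icmp-type echo-request -j ACCEPT"
    # Log what the DROP policy is about to discard, rate-limited.
    echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-in-drop: \""
    echo "-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-out-drop: \""
    echo "COMMIT"
}

# Number of rules in the generated table (sanity check when editing).
rule_count() { build_ruleset | grep -c '^-A '; }

# True when the very first rule is an anti-spoofing DROP on the WAN interface,
# i.e. no ACCEPT has been placed ahead of the spoofing checks.
antispoof_first() {
    build_ruleset | grep '^-A ' | head -n 1 | grep -q -- "-i $extranet .* -j DROP"
}

# Parse the table without touching the live rules, then load it in one
# atomic step. Needs root.
apply_ruleset() {
    local file
    file=$(mktemp)
    build_ruleset > "$file"
    iptables-restore --test "$file" && iptables-restore "$file"
    rm -f "$file"
}

# Review the generated table before applying it:
#   build_ruleset | less
# then, as root:
#   apply_ruleset
```

Keeping the generator separate from the loader means the ruleset can be reviewed (and diffed against `iptables-save` output) before it ever touches the live tables, and because `iptables-restore` swaps the whole table in one commit, there is no window in which the policy is DROP but the ESTABLISHED rule is not yet present, which is exactly the window that locks you out of an ssh session when a flush-then-append script fails halfway.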

In the next update we will build a port list and also set up policies organized by name, among other things... I look forward to your comments and requests.

