I spent a while thinking about two things regarding these iptables tutorials: most of the people who ask for them are beginners, and second, most of them are looking for something simple that is already explained.
This example is for a web server, but you can easily add more rules and adapt it to your needs.
Where you see an "x", replace it with your own IPs.
#!/bin/bash
# Flush the tables
iptables -F
iptables -X
# Flush NAT
iptables -t nat -F
iptables -t nat -X
# mangle table for things like PPPoE, PPP, and ATM
iptables -t mangle -F
iptables -t mangle -X

# Policies. I think this is the best way for beginners, and for the
# not-so-new as well. I'll explain: OUTPUT is left open because those are
# outgoing connections, on INPUT we drop everything, and no server should
# be forwarding anything.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Intranet LAN
intranet=eth0
# Extranet WAN
extranet=eth1

# Keep state. Everything that is already connected (established) stays that way
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback device.
iptables -A INPUT -i lo -j ACCEPT

# http, https: we don't specify an interface because
# we want it on all of them
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# ssh, internal only and only from this range of IPs
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 7659 -j ACCEPT

# monitoring, for example if you have zabbix or some other snmp service
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 10050 -j ACCEPT

# icmp, ping: well, that's up to you
iptables -A INPUT -p icmp -s 192.168.xx/24 -i $intranet -j ACCEPT

# mysql; with postgres it's port 5432
iptables -A INPUT -p tcp -s 192.168.xx --sport 3306 -i $intranet -j ACCEPT

# sendmail, bueeeh, if you want to send some mail
#iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Anti-spoofing 09/07/2014
#
SERVER_IP="190.xxx"          # server IP - the WAN IP of your server
LAN_RANGE="192.168.xx/21"    # LAN range of your network or VLANs

# IPs that should never come in through the extranet. It's a bit of
# logic: if all we have is a WAN connection, LAN-type traffic should
# never enter through the outward-facing interface
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Default action - applied when a rule matches
ACTION="DROP"

# Packets with the same IP as my server arriving through the WAN
iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
#iptables -A OUTPUT -o $extranet -s $SERVER_IP -j $ACTION

# Packets with the LAN range through the WAN. I put it this way in case
# you have some particular network, but it isn't really needed given the
# rule below inside the "for" loop
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION

## None of the SPOOF networks are allowed through the WAN
for ip in $SPOOF_IPS
do
    iptables -A INPUT -i $extranet -s $ip -j $ACTION
    iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
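The same web-server policy, as an added example that is not part of the original post: it emits the ruleset in iptables-restore format so the whole set is syntax-checked and applied in one atomic step rather than one iptables call at a time. It differs from the script above in two deliberate ways: the anti-spoofing DROP rules are placed before the port 80/443 ACCEPT rules (iptables stops at the first matching rule, so in the order used above a packet with a 10.x source arriving on the WAN for port 80 is accepted before the anti-spoof rule is ever reached), and the newer conntrack match replaces the state match. Interface names, the LAN range, the server IP and the SSH port are parameters; the addresses in the usage comment are made-up test values.

```shell
#!/bin/sh
# Added example: build the post's web-server ruleset in iptables-restore
# format, with anti-spoofing rules ahead of the service ACCEPTs.
# The SPOOF list is the one from the post.
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# gen_rules INTRANET_IF EXTRANET_IF LAN_RANGE SERVER_IP [SSH_PORT]
gen_rules() {
    intranet="$1"; extranet="$2"; lan_range="$3"; server_ip="$4"; ssh_port="${5:-7659}"
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Anti-spoofing on the WAN side comes first, so no ACCEPT below can
    # match a packet carrying a private or our own address as its source.
    echo "-A INPUT -i $extranet -s $server_ip -j DROP"
    echo "-A INPUT -i $extranet -s $lan_range -j DROP"
    echo "-A OUTPUT -o $extranet -s $lan_range -j DROP"
    for ip in $SPOOF_IPS; do
        echo "-A INPUT -i $extranet -s $ip -j DROP"
        echo "-A OUTPUT -o $extranet -s $ip -j DROP"
    done
    # Public services, on every interface (as in the post).
    echo '-A INPUT -p tcp --dport 80 -j ACCEPT'
    echo '-A INPUT -p tcp --dport 443 -j ACCEPT'
    # Management only from the LAN range and only on the LAN interface.
    echo "-A INPUT -i $intranet -s $lan_range -p tcp --dport $ssh_port -j ACCEPT"
    echo "-A INPUT -i $intranet -s $lan_range -p tcp --dport 10050 -j ACCEPT"
    echo "-A INPUT -i $intranet -s $lan_range -p icmp -j ACCEPT"
    echo 'COMMIT'
}

# rule_line RULESET PATTERN -> line number of the first rule matching PATTERN.
# Lets a test (or a person) verify ordering, e.g. that a spoof DROP
# precedes the port-80 ACCEPT.
rule_line() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Typical use (root, iptables installed); 203.0.113.10 is a made-up WAN IP:
#   gen_rules eth0 eth1 192.168.1.0/24 203.0.113.10 > /etc/iptables/rules.v4
#   iptables-restore --test /etc/iptables/rules.v4   # parse only, applies nothing
#   iptables-restore /etc/iptables/rules.v4          # atomic apply
```

Because iptables-restore loads the table as a single transaction, a typo anywhere in the file rejects the whole set instead of leaving the host half-configured, which is what happens when a script of individual iptables calls fails part-way.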
As usual, I look forward to your comments. Keep an eye on this blog. Thanks!
It helps me keep learning; copied, with a small thank-you.
You're welcome, glad to help.
Excuse me, but I have two questions (and one more as a bonus :) ):
Could you put together a configuration so that Apache runs and everything except SSH is closed?
# Flush the tables
iptables -F
iptables -X
# Flush NAT
iptables -t nat -F
iptables -t nat -X
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# ssh only internally and from this range of ip's
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 7659 -j ACCEPT
Second question: is 7659 the port used for SSH in this example?
Third and last: which file should this be saved in?
Thank you very much for the tutorial. It's a shame to be such a newbie and not be able to take full advantage of it.
This is the rule you need for http from apache:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
But you have to declare the default drop policies (in the script):
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
And this one, because if you're remote, it will drop you:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Yes, 7659 is the ssh port in the example; by default it's 22, although I recommend changing it to a "not well-known" port.
Man, I don't know, whatever you prefer... firewall.sh, and put it in rc.local (sh firewall.sh) so it runs automatically. Depending on the system you have, there are files where you can put the rules directly.
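For the "if you're remote, it will drop you" case in the reply above, here is an added example (not from the original post or its author) of applying a firewall script with an automatic rollback: the current ruleset is saved with iptables-save, the script is run, and unless someone confirms within a timeout (by creating a confirmation file from a second session that still works), the saved ruleset is put back with iptables-restore. The function name, return codes and the confirmation-file path are assumptions of this example; the iptables-save and iptables-restore commands are taken from the IPT_SAVE and IPT_RESTORE variables so that a test can swap in stubs.

```shell
#!/bin/sh
# Added example: run a firewall script but revert to the previous ruleset
# unless the change is confirmed in time (protects against locking yourself
# out of a remote box). Requires root when used for real.
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"

# apply_with_rollback SCRIPT [TIMEOUT_SECONDS] [CONFIRM_FILE]
# return codes (chosen for this example):
#   0 = confirmed, new rules kept
#   1 = could not save old rules, or SCRIPT failed (old rules restored)
#   2 = no confirmation before the timeout (old rules restored)
apply_with_rollback() {
    script="$1"; timeout="${2:-60}"; confirm_file="${3:-/run/firewall-confirm}"
    backup=$(mktemp) || return 1
    if ! "$IPT_SAVE" > "$backup"; then
        echo "could not save the current rules" >&2
        rm -f "$backup"; return 1
    fi
    rm -f "$confirm_file"
    # The post suggests running the script as "sh firewall.sh"; same here.
    if ! sh "$script"; then
        echo "firewall script failed, restoring previous rules" >&2
        "$IPT_RESTORE" < "$backup"; rm -f "$backup"; return 1
    fi
    echo "rules applied; touch $confirm_file within ${timeout}s to keep them" >&2
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -e "$confirm_file" ]; then
            rm -f "$backup" "$confirm_file"
            echo "confirmed, keeping new rules" >&2
            return 0
        fi
        sleep 1; elapsed=$((elapsed + 1))
    done
    echo "no confirmation, restoring previous rules" >&2
    "$IPT_RESTORE" < "$backup"; rm -f "$backup"
    return 2
}

# Typical use from a remote shell (root):
#   apply_with_rollback /root/firewall.sh 60
#   # then, from a NEW ssh session, if the new rules let you in:
#   touch /run/firewall-confirm
```

The confirmation has to come from a new connection: the session that launched the script is already ESTABLISHED and would survive a bad ruleset, which is exactly the situation the reply warns about.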
Hey, your script is very good, I'm analyzing it... Do you know how I could block all requests from my users to a certain website?... but that website has many servers....
I suggest other ways:
1) You can create a null zone in your DNS...
2) You can put a proxy with an ACL
However,
with iptables you could do it like this... it's not always the best option (there are many ways):
iptables -A INPUT -s blog.desdelinux.net -j DROP
iptables -A OUTPUT -d blog.desdelinux.net -j DROP
Tell me if it works.
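An added example for the "many servers" part of the question, not part of the reply above: a hostname given to iptables with -s or -d is resolved once, when the rule is inserted, so the rule only covers the addresses DNS returned at that moment. A more robust way on a Linux gateway is to keep the resolved addresses in an ipset that a cron job refreshes, and match the set from a single rule. Two details the example also takes care of: traffic from LAN clients passing through the gateway traverses the FORWARD chain (the INPUT and OUTPUT rules above only affect the firewall host itself), and the set is rebuilt in a temporary set and swapped in, so there is no moment where it is empty. The set name, function names and sample addresses are assumptions of this example; the resolver uses getent, which is not called by the test.

```shell
#!/bin/sh
# Added example: block a multi-server site from a gateway with an ipset
# that is refreshed from DNS, instead of a hostname frozen into a rule.
SET_NAME="blocked_sites"   # assumed set name

# resolve_host NAME -> current IPv4 addresses of NAME, one per line.
# Needs working DNS; the test below feeds addresses in directly instead.
resolve_host() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# ipset_script ADDR... -> an "ipset restore" script that rebuilds the set
# in a temporary set and swaps it in atomically.
ipset_script() {
    echo "create $SET_NAME hash:ip -exist"
    echo "create ${SET_NAME}_tmp hash:ip -exist"
    echo "flush ${SET_NAME}_tmp"
    for a in "$@"; do
        echo "add ${SET_NAME}_tmp $a"
    done
    echo "swap ${SET_NAME}_tmp $SET_NAME"
    echo "destroy ${SET_NAME}_tmp"
}

# firewall_rules -> the two iptables rules (without the "iptables" word):
# FORWARD for clients behind the gateway, OUTPUT for the gateway itself.
# REJECT with an ICMP admin-prohibited message makes browsers fail fast;
# use -j DROP instead if you prefer the reply's behaviour.
firewall_rules() {
    echo "-A FORWARD -m set --match-set $SET_NAME dst -j REJECT --reject-with icmp-admin-prohibited"
    echo "-A OUTPUT -m set --match-set $SET_NAME dst -j REJECT --reject-with icmp-admin-prohibited"
}

# Typical use (root, ipset and iptables installed; blog.example.net is a
# placeholder for the site to block):
#   ipset_script $(resolve_host blog.example.net) | ipset restore   # from cron
#   firewall_rules | while read -r r; do iptables $r; done         # once
```

The refresh from cron must run often enough to track the site's DNS changes; the iptables rules themselves never need to change because they only reference the set.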
Thanks for the reply, everything is clear now. I asked about the port because it surprised me that you used 7659, since private ports start at 49152, and it might interfere with some service or other.
Again, thanks for everything, that's great!
Regards
BrodyDalle, how can I get in touch with you? I'm very interested in your script.
soulofmarionet_1@hotmail.com
Is the penultimate line "iptables -A OUTPUT -o $extranet -s $ip -j $ACTION" there to prevent your own machine from spoofing? Or could it be that some poisoned packet gets in and could go out again with the poisoned source, and that's why the rule is also included in OUTPUT?
Thank you very much for the explanation!!!
This is my iptables script, it's complete:
#!/bin/bash
# firewall.sh
# doc.iptables.airoso: iptables legacy and nft
#
# firewall ports
##########################
#
# clear the screen
clear
################################# start of /etc/f-iptables/default.cfg ||||
# leave an empty line
echo
# $yes expands to nothing, so a line prefixed with $yes runs;
# $no expands to ":" (the shell no-op builtin), so a line prefixed with $no
# does nothing. (A "#" coming from variable expansion is not a comment: the
# shell would try to run a command named "#".)
export yes="" no=":"
# variables you can change to allow access
##########################
export hayexcepciones="$no"
# hayexcepciones: $yes to allow individual ips and $no to disable
export hayping="$no"
# hayping: $yes to allow pings to third parties and $no to deny them
export haylogserver="$no"
# haylogserver: $yes to log on tcp, $no to not log on tcp
######
##########################
export exceptions="baldras.wesnoth.org"
# exceptions: allows one or several sites through the firewall, or no value
export logserver=discard,ipp,dict,ssh
# logserver: tcp server ports that are logged when packets come in
export redserver=0/0
# redserver: network for the server ports; choose the local network or several ips
export clientnet=0/0
# clientnet: network for the client ports; chosen for all networks
export servertcp=discard,ipp,dict,6771
# servertcp: tcp server ports
export serverudp=discard
# serverudp: udp server ports defined
export clientudp=domain,bootpc,bootps,ntp,20000:45000
# clientudp: udp client ports
export clienttcp=domain,http,https,ipp,git,dict,14999:15002
# clienttcp: tcp client ports defined
########################### end of /etc/f-iptables/default.cfg |||||
#############################
export firewall=$1 variables=$2
if [ -z "$variables" ]; then source /etc/f-iptables/default.cfg;
else source /etc/f-iptables/$2; fi
##############################################################################
##########################
if [ "$firewall" = "disconnected" ]; then echo FIREWALL DISCONNECTED;
export activateserver="$no" activateclient="$no" wet="$no";
elif [ "$firewall" = "client" ]; then echo FIREWALL CLIENT;
export activateserver="$no" activateclient="" wet="$no";
elif [ "$firewall" = "server" ]; then echo FIREWALL SERVER;
export activateserver="" activateclient="$no" wet="$no";
elif [ "$firewall" = "clientandserver" ]; then echo FIREWALL CLIENT AND SERVER;
export activateserver="" activateclient="" wet="$no";
elif [ "$firewall" = "permissive" ]; then echo PERMISSIVE FIREWALL;
export activateserver="$no" activateclient="$no" wet="";
else
echo iptables-legacy:
sudo iptables-legacy -v -L INPUT
sudo iptables-legacy -v -L OUTPUT
echo iptables-nft:
sudo iptables-nft -v -L INPUT
sudo iptables-nft -v -L OUTPUT
echo _____parameters____ $0 $1 $2
echo "Running without parameters lists the iptables."
echo "First parameter: disconnected or client or server or clientandserver or permissive."
echo "Second parameter (optional): configuration file .cfg; the default is /etc/f-iptables/default.cfg"
echo "Available configurations:" $(ls /etc/f-iptables/)
exit 0; fi
#################
echo
echo Run $0 with disconnected or client or server or clientandserver or permissive, or with no parameter to list the iptables.
echo The file $0 contains variables that can be edited inside it.
#####################
##############################
echo setting iptables variables
echo variables done
echo
###########################
echo Setting iptables-legacy
sudo /usr/sbin/iptables-legacy -t filter -F
sudo /usr/sbin/iptables-legacy -t nat -F
sudo /usr/sbin/iptables-legacy -t mangle -F
sudo /usr/sbin/ip6tables-legacy -t filter -F
sudo /usr/sbin/ip6tables-legacy -t nat -F
sudo /usr/sbin/ip6tables-legacy -t mangle -F
sudo /usr/sbin/ip6tables-legacy -A INPUT -j DROP
sudo /usr/sbin/ip6tables-legacy -A OUTPUT -j DROP
sudo /usr/sbin/ip6tables-legacy -A FORWARD -j DROP
sudo /usr/sbin/iptables-legacy -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
$haylogserver sudo /usr/sbin/iptables-legacy -A INPUT -p tcp -m multiport --dports $logserver -j LOG >/dev/null
$hayexcepciones sudo /usr/sbin/iptables-legacy -A INPUT -s $exceptions -j ACCEPT >/dev/null
$activateserver sudo /usr/sbin/iptables-legacy -A INPUT -p udp -m multiport --dports $serverudp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activateserver sudo /usr/sbin/iptables-legacy -A INPUT -p tcp -m multiport --dports $servertcp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activateclient sudo /usr/sbin/iptables-legacy -A INPUT -p udp -m multiport --sports $clientudp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT >/dev/null
$activateclient sudo /usr/sbin/iptables-legacy -A INPUT -p tcp -m multiport --sports $clienttcp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT >/dev/null
$hayping sudo /usr/sbin/iptables-legacy -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT >/dev/null
sudo /usr/sbin/iptables-legacy -A INPUT -j DROP >/dev/null
sudo /usr/sbin/iptables-legacy -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
$hayexcepciones sudo /usr/sbin/iptables-legacy -A OUTPUT -d $exceptions -j ACCEPT >/dev/null
$activateserver sudo /usr/sbin/iptables-legacy -A OUTPUT -p udp -m multiport --sports $serverudp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activateserver sudo /usr/sbin/iptables-legacy -A OUTPUT -p tcp -m multiport --sports $servertcp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activateclient sudo /usr/sbin/iptables-legacy -A OUTPUT -p udp -m multiport --dports $clientudp -s $clientnet -d $clientnet -j ACCEPT >/dev/null
$activateclient sudo /usr/sbin/iptables-legacy -A OUTPUT -p tcp -m multiport --dports $clienttcp -s $clientnet -d $clientnet -j ACCEPT >/dev/null
$hayping sudo /usr/sbin/iptables-legacy -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT >/dev/null
sudo /usr/sbin/iptables-legacy -A OUTPUT -j DROP
sudo /usr/sbin/iptables-legacy -A FORWARD -j DROP
echo iptables-legacy done
echo
echo Setting iptables-nft
sudo /usr/sbin/iptables-nft -t filter -F
sudo /usr/sbin/iptables-nft -t nat -F
sudo /usr/sbin/iptables-nft -t mangle -F
sudo /usr/sbin/ip6tables-nft -t filter -F
sudo /usr/sbin/ip6tables-nft -t nat -F
sudo /usr/sbin/ip6tables-nft -t mangle -F
sudo /usr/sbin/ip6tables-nft -A INPUT -j DROP
sudo /usr/sbin/ip6tables-nft -A OUTPUT -j DROP
sudo /usr/sbin/ip6tables-nft -A FORWARD -j DROP
sudo /usr/sbin/iptables-nft -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
$haylogserver sudo /usr/sbin/iptables-nft -A INPUT -p tcp -m multiport --dports $logserver -j LOG >/dev/null
$hayexcepciones sudo /usr/sbin/iptables-nft -A INPUT -s $exceptions -j ACCEPT >/dev/null
$activateserver sudo /usr/sbin/iptables-nft -A INPUT -p udp -m multiport --dports $serverudp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activateserver sudo /usr/sbin/iptables-nft -A INPUT -p tcp -m multiport --dports $servertcp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activateclient sudo /usr/sbin/iptables-nft -A INPUT -p udp -m multiport --sports $clientudp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT >/dev/null
$activateclient sudo /usr/sbin/iptables-nft -A INPUT -p tcp -m multiport --sports $clienttcp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT >/dev/null
$hayping sudo /usr/sbin/iptables-nft -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT >/dev/null
sudo /usr/sbin/iptables-nft -A INPUT -j DROP >/dev/null
sudo /usr/sbin/iptables-nft -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
$hayexcepciones sudo /usr/sbin/iptables-nft -A OUTPUT -d $exceptions -j ACCEPT >/dev/null
$activateserver sudo /usr/sbin/iptables-nft -A OUTPUT -p udp -m multiport --sports $serverudp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activateserver sudo /usr/sbin/iptables-nft -A OUTPUT -p tcp -m multiport --sports $servertcp -s $redserver -d $redserver -j ACCEPT >/dev/null
$activateclient sudo /usr/sbin/iptables-nft -A OUTPUT -p udp -m multiport --dports $clientudp -s $clientnet -d $clientnet -j ACCEPT >/dev/null
$activateclient sudo /usr/sbin/iptables-nft -A OUTPUT -p tcp -m multiport --dports $clienttcp -s $clientnet -d $clientnet -j ACCEPT >/dev/null
$hayping sudo /usr/sbin/iptables-nft -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT >/dev/null
sudo /usr/sbin/iptables-nft -A OUTPUT -j DROP
sudo /usr/sbin/iptables-nft -A FORWARD -j DROP
echo iptables-nft done
echo
# permissive mode ($wet set to "" above): flush and allow everything out,
# only loopback and established traffic in
$wet sudo /usr/sbin/iptables-legacy -F >/dev/null
$wet sudo /usr/sbin/iptables-legacy -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
$wet sudo /usr/sbin/iptables-legacy -A INPUT -m state --state ESTABLISHED -j ACCEPT >/dev/null
$wet sudo /usr/sbin/iptables-legacy -A INPUT -j DROP >/dev/null
$wet sudo /usr/sbin/iptables-legacy -A OUTPUT -j ACCEPT >/dev/null
$wet sudo /usr/sbin/iptables-legacy -A FORWARD -j DROP >/dev/null
$wet sudo /usr/sbin/iptables-nft -F >/dev/null
$wet sudo /usr/sbin/iptables-nft -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT >/dev/null
$wet sudo /usr/sbin/iptables-nft -A INPUT -m state --state ESTABLISHED -j ACCEPT >/dev/null
$wet sudo /usr/sbin/iptables-nft -A INPUT -j DROP >/dev/null
$wet sudo /usr/sbin/iptables-nft -A OUTPUT -j ACCEPT >/dev/null
$wet sudo /usr/sbin/iptables-nft -A FORWARD -j DROP >/dev/null
##########################
echo launched $0 $1 $2
# exit the script
exit 0
How could I add a rule so that this firewall works as my gateway and has squid inside the LAN???