Create your own firewall with iptables using this simple script, part 2


Hello everyone, today I bring you the second part of this series of tutorials on a firewall with iptables, kept very simple so you can copy and paste it. I think that, at the end of the day, that is what every beginner wants, and even the more experienced: why reinvent the wheel a hundred times, right?

This time I ask you to focus on the specific case where we want our firewall to be very aggressive, with an OUTPUT DROP policy. This post is also at the request of a reader of this site and of my posts. (Inside my mind: wiiiiiiiiiiiii)

Let's talk briefly about the "good and bad" of setting Output Drop policies. What I can tell you is that it makes the job more tedious and laborious, but what is certain is that at the network level you will have more security: if you sit down to think, design and plan the policies properly, you will end up with a much more secure server.

So as not to wander or stray from the topic, I will quickly explain with an example how fine-grained your rules should be:

iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A because we are adding (appending) a rule.
-o refers to outgoing traffic; after it the interface is given, and if it is not specified it is the same as saying "all of them".
--sport the source port. It plays an important role because in many cases we do not know which port the request will come from; when we do know it, we could use --dport instead.
--dport the destination port, for when we know exactly in advance that the outgoing connection must only go to one specific port. It should be something very specific, like a remote mysql server, for example.
-m state --state ESTABLISHED This is already a final refinement to keep established connections; we can go into it in a future post.
-d to state the destination, whenever it can be specified, for example ssh to a particular machine by its ip.

#!/bin/bash

# Flush the iptables tables
iptables -F
iptables -X
# Flush NAT
iptables -t nat -F
iptables -t nat -X
# mangle table, for things like PPPoE, PPP and ATM
iptables -t mangle -F
iptables -t mangle -X

# Policies
# I think this is the right way for beginners, and
# it is still not bad: I will spell out output (outgoing) in full because these are
# outgoing connections; input drops everything, and no server should forward.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Intranet LAN
intranet=eth0
# Extranet wan
extranet=eth1

# Keep state. Everything that is already connected (established) we leave as is
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loop device.
iptables -A INPUT -i lo -j ACCEPT
# loopback output
iptables -A OUTPUT -o lo -j ACCEPT

# http, https, we do not specify the interface because
# we want it to apply to all of them
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# output
# http, https, we do not specify the interface because
# we want it to apply to all of them, but we do define the outgoing (source) port
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT

# ssh only internal and only from this range of ip's
iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 7659 -j ACCEPT
# output
# ssh only internal and only towards this range of ip's
iptables -A OUTPUT -p tcp -d 192.168.x.x/24 -o $intranet --sport 7659 -j ACCEPT

# monitoring, for example if you have zabbix or some other snmp service
iptables -A INPUT -p tcp -s 192.168.1.1 -i $intranet --dport 10050 -j ACCEPT
# output
# monitoring, for example if you have zabbix or some other snmp service
iptables -A OUTPUT -p tcp -d 192.168.1.1 -o $intranet --sport 10050 -j ACCEPT

# icmp, ping: well, your call
iptables -A INPUT -p icmp -s 192.168.x.x/24 -i $intranet -j ACCEPT
# output
# icmp, ping: well, your call
iptables -A OUTPUT -p icmp -d 192.168.x.x/24 -o $intranet -j ACCEPT

# mysql; with postgres it is port 5432
# (here this box is the client: we accept the replies coming back from port 3306)
iptables -A INPUT -p tcp -s 192.168.x.x --sport 3306 -i $intranet -j ACCEPT
# output - a question a user also asked, to make a very specific rule
# server: 192.168.1.2   mysql: 192.168.1.3
# mysql; with postgres it is port 5432
iptables -A OUTPUT -p tcp -s 192.168.1.2 -d 192.168.1.3 --dport 3306 -o $intranet -j ACCEPT

# sendmail, bueeeh, if you want to send some mail
#iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Anti-SPOOFING 09/07/2014
SERVER_IP="190.x.x.x" # server IP - the real wan ip of your server (set it before running)
LAN_RANGE="192.168.x.x/21" # LAN range of your network or vlans
# IPs that should never come in through the extranet; to apply some logic,
# if we have a WAN interface, the LAN range on that interface
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Default action - executed when one of these rules matches
ACTION="DROP"
# Packets with the same ip as my server coming in through the wan
# (the OUTPUT line also matches the server's own wan traffic; replies still pass
# because the ESTABLISHED,RELATED rule was appended earlier and is checked first)
iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
iptables -A OUTPUT -o $extranet -s $SERVER_IP -j $ACTION

# Packets with the LAN range on the wan; I put it this way in case you have a
# specific network, but this is no longer needed with the next rule
# inside the "for" loop
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION

## All SPOOF networks are not allowed through the wan
for ip in $SPOOF_IPS
do
    iptables -A INPUT -i $extranet -s $ip -j $ACTION
    iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
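As an added example (not part of the original post or its script), here is the paired INPUT/OUTPUT pattern that the rule anatomy above and the script repeat by hand for every service, packaged as shell functions; IPT, allow_service, allow_client and drop_spoofed are names chosen here, and setting IPT=echo prints the rules instead of loading them so the set can be reviewed before it is applied with root privileges.

```shell
#!/bin/bash
# Helper functions for an OUTPUT DROP firewall (added example, not the post's script).
# IPT defaults to iptables; set IPT=echo for a dry run that only prints the rules.
IPT="${IPT:-iptables}"

# allow_service IFACE SRC_CIDR PROTO PORT
# Accept PROTO traffic to PORT arriving on IFACE from SRC_CIDR, plus the mirrored
# reply: leaving IFACE towards SRC_CIDR with PORT as the source port.
allow_service() {
    local iface="$1" src="$2" proto="$3" port="$4"
    "$IPT" -A INPUT -i "$iface" -p "$proto" -s "$src" --dport "$port" -j ACCEPT
    "$IPT" -A OUTPUT -o "$iface" -p "$proto" -d "$src" --sport "$port" -j ACCEPT
}

# allow_client IFACE SELF_IP DST_IP PROTO PORT
# This host is the client (the post's mysql case): a new outgoing connection to one
# specific server and port, plus the reply coming back from that port.
allow_client() {
    local iface="$1" self="$2" dst="$3" proto="$4" port="$5"
    "$IPT" -A OUTPUT -o "$iface" -p "$proto" -s "$self" -d "$dst" --dport "$port" -j ACCEPT
    "$IPT" -A INPUT -i "$iface" -p "$proto" -s "$dst" -d "$self" --sport "$port" -j ACCEPT
}

# drop_spoofed WAN_IFACE CIDR...
# Drop packets on the WAN interface whose source claims to be in any of the given
# networks, in both directions (the post's "for" loop over SPOOF_IPS).
drop_spoofed() {
    local wan="$1"
    shift
    local net
    for net in "$@"; do
        "$IPT" -A INPUT -i "$wan" -s "$net" -j DROP
        "$IPT" -A OUTPUT -o "$wan" -s "$net" -j DROP
    done
}

# Usage with the post's variables (intranet=eth0, extranet=eth1); review the
# output with IPT=echo first, then run as root to load the rules:
#   allow_service "$intranet" 192.168.x.x/24 tcp 7659
#   allow_client  "$intranet" 192.168.1.2 192.168.1.3 tcp 3306
#   drop_spoofed  "$extranet" 0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
```

The ESTABLISHED,RELATED rule from the script still has to be appended before these calls, otherwise the reply rules alone would not cover connections the kernel already tracks.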

In the next installment we will do a port range and also set up the policies ordered by name, among other things... I look forward to your comments and requests.

