Create your firewall with iptables using this simple script

I spent some time thinking about two things regarding iptables: most of the people who look for these tutorials are beginners, and secondly, many of them just want something simple that is already explained.

This example is for a web server, but you can easily add other rules and adapt them to your needs.

Where you see an "x", change it to your own IPs.


#!/bin/bash

# Flush the tables
iptables -F
iptables -X
# Flush NAT
iptables -t nat -F
iptables -t nat -X
# The mangle table, for things like PPPoE, PPP and ATM
iptables -t mangle -F
iptables -t mangle -X

# Policies. I think this is a good approach for beginners and
# still not bad: I accept all output because those are outgoing
# connections, input drops everything, and no server should forward.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Intranet LAN
intranet=eth0
# Extranet WAN
extranet=eth1

# Keep state. Everything that is already connected (established) is left as it is:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loop device.
iptables -A INPUT -i lo -j ACCEPT

# http, https; we do not specify an interface because
# we want it on all of them
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# ssh only internally and from this range of IPs
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 7659 -j ACCEPT

# Monitoring example, if you have zabbix or another snmp service
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 10050 -j ACCEPT

# icmp, ping; well, that is up to you
iptables -A INPUT -p icmp -s 192.168.xx/24 -i $intranet -j ACCEPT

# mysql; with postgres the port is 5432
iptables -A INPUT -p tcp -s 192.168.xx --sport 3306 -i $intranet -j ACCEPT

# sendmail, well, if you want to send some mail
# iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Anti-SPOOFING 09/07/2014
SERVER_IP="190.xxx"        # server IP, the real WAN IP of your server
LAN_RANGE="192.168.xx/21"  # the LAN range of your network or VLANs

# IPs that should never come in through the extranet; with a bit of
# logic, if we have a WAN interface, LAN-type traffic should never
# enter through that interface
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Default action, taken when any of these rules matches
ACTION="DROP"

# Packets with my server's own IP arriving through the WAN
iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
# iptables -A OUTPUT -o $extranet -s $SERVER_IP -j $ACTION

# Packets with the LAN range through the WAN; I put it like this in case you
# have some specific network, but this is no longer needed because of the
# rules that follow inside the "for" loop
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION

## None of the SPOOF networks are allowed through the WAN
for ip in $SPOOF_IPS
do
    iptables -A INPUT -i $extranet -s $ip -j $ACTION
    iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
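The script above applies its rules one iptables call at a time, so between `-P INPUT DROP` and the ESTABLISHED,RELATED rule an open SSH session can be cut. As an added example (not the post's script), the anti-spoofing part is emitted below as an iptables-restore ruleset, which you can review as text and then load in one atomic step; the interface name and SPOOF_IPS list are the post's, the server and LAN addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the post's script: emit the post's anti-spoofing rules as
# an iptables-restore ruleset (text) instead of calling iptables once per rule.
# Review the output, then load it with `iptables-restore < rules.v4`; the whole
# table is swapped in one step, so there is never a moment where INPUT is
# already DROP but the ESTABLISHED,RELATED rule has not been added yet.

# Placeholders (assumptions, replace before use). The WAN interface name and
# the SPOOF_IPS list are the post's; the addresses are constructed TEST-NET values.
EXTRANET="eth1"
SERVER_IP="203.0.113.10"
LAN_RANGE="192.168.0.0/21"
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print a filter table: same policies as the post, state and loopback rules
# first, then one INPUT and one OUTPUT drop per source that must never be
# seen on the WAN side (server's own IP, LAN range, reserved/private blocks).
antispoof_ruleset() {
    wan="$1"; server_ip="$2"; lan_range="$3"; spoof_ips="$4"
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -i lo -j ACCEPT"
    for src in $server_ip $lan_range $spoof_ips; do
        echo "-A INPUT -i $wan -s $src -j DROP"
        echo "-A OUTPUT -o $wan -s $src -j DROP"
    done
    echo "COMMIT"
}

# Count the spoof-drop rules in a ruleset read from stdin.
count_spoof_rules() {
    grep -c -- '-s .* -j DROP'
}

# Exit 0 when the ESTABLISHED,RELATED accept precedes the first DROP rule in
# the ruleset read from stdin (an open SSH session survives the reload).
state_rule_first() {
    awk '/-j DROP/ && !seen { exit 1 }
         /ESTABLISHED,RELATED -j ACCEPT/ { seen = 1 }
         END { exit !seen }'
}

antispoof_ruleset "$EXTRANET" "$SERVER_IP" "$LAN_RANGE" "$SPOOF_IPS"
```

Redirect the output to a file, check it with `state_rule_first`, and only then hand it to `iptables-restore`.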

As usual, I look forward to your comments. Keep following this blog, thank you.