I spent some time thinking about two things regarding these iptables tutorials: most of the people looking for them are beginners, and second, many of them just want something simple and yet detailed.
This example is for a web server, but you can easily add more rules and adapt them to your needs.
Where you see an "x", replace it with your own IPs.
#!/bin/bash
# We clean the tables
iptables -F
iptables -X
# We clean the NAT table
iptables -t nat -F
iptables -t nat -X
# mangle table, for things like PPPoE, PPP and ATM
iptables -t mangle -F
iptables -t mangle -X
# Policies. I think this is the best way for beginners and it is
# still not bad; I'll explain: OUTPUT (outgoing) accepts everything because those are
# outgoing connections, INPUT drops everything, and a server should not forward anything.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Intranet LAN
intranet=eth0
# Extranet WAN
extranet=eth1
# Keep state. Everything that is already connected (established) is left like this:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loop device.
iptables -A INPUT -i lo -j ACCEPT
# http, https; we don't specify the interface because
# we want it to apply to all of them
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# ssh only from inside and from this range of IPs
iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 7659 -j ACCEPT
# Monitoring example, if you have zabbix or some other snmp service
iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 10050 -j ACCEPT
# icmp, ping; well, that's up to you
iptables -A INPUT -p icmp -s 192.168.x.x/24 -i $intranet -j ACCEPT
# mysql (with postgres it is port 5432). Inbound connections to the database
# arrive on destination port 3306, so this is --dport, not --sport.
iptables -A INPUT -p tcp -s 192.168.x.x -i $intranet --dport 3306 -j ACCEPT
# sendmail, bueeeh, if you want to send some mail
# iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
# Anti-SPOOFING 09/07/2014
SERVER_IP="190.x.x.x"        # server IP: the real WAN IP of your server
LAN_RANGE="192.168.x.x/21"   # LAN range of your network or VLANs
# IPs that should never come in through the extranet. With a little
# logic: if we have a WAN interface, LAN-type traffic should never come in
# through that interface
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Default action, applied when any of these rules matches
ACTION="DROP"
# Packets arriving on the WAN with my own server's IP as source
iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
# (the matching OUTPUT rule stays commented: it would drop the server's own outgoing traffic)
# iptables -A OUTPUT -o $extranet -s $SERVER_IP -j $ACTION
# Packets with the LAN range on the WAN. I put it like this in case you have
# some particular network, but it is no longer needed with the following rules
# inside the "for" loop
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION
## None of the SPOOF networks is allowed through the WAN
for ip in $SPOOF_IPS
do
    iptables -A INPUT -i $extranet -s $ip -j $ACTION
    iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
As usual, I look forward to your comments; keep watching this blog. Thanks.
It helps me keep learning, thanks a lot, copied.
You're welcome, glad to be of help.
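The post's script flushes the tables and then appends rules one by one, so for a moment the box runs with half a ruleset and a typo in rule 17 leaves rules 1 to 16 loaded. The following is an added example (not the post's own script) that emits the same web-server policy in iptables-restore format and loads it in one atomic step, after validating it with `iptables-restore --test`. It assumes eth1 is the WAN, eth0 the LAN, 192.168.1.0/24 the LAN range and 7659 the SSH port; the monitoring and database rules are left out, ICMP is narrowed to echo-request, and the newer `conntrack` match replaces `state`.

```bash
#!/bin/bash
# Added example: atomic load of the post's web-server policy via iptables-restore.
# Interface names, LAN range and SSH port below are assumptions; edit them.
set -eu

# build_ruleset WAN_IF LAN_IF LAN_RANGE SSH_PORT
# Prints an iptables-restore file for the filter table to stdout.
build_ruleset() {
    local wan=$1 lan=$2 lan_range=$3 ssh_port=$4
    # Source ranges that must never arrive on the WAN side (same list as the post).
    local spoof="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
    local net
    echo '*filter'
    # Default policies: drop in, drop forward, accept out (as in the post).
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Anti-spoofing first: no private/loopback/unspecified source on the WAN interface.
    for net in $spoof; do
        echo "-A INPUT -i $wan -s $net -j DROP"
    done
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -p tcp --dport 80 -j ACCEPT'
    echo '-A INPUT -p tcp --dport 443 -j ACCEPT'
    # Management only from the LAN interface and the LAN range.
    echo "-A INPUT -i $lan -s $lan_range -p tcp --dport $ssh_port -j ACCEPT"
    echo "-A INPUT -i $lan -s $lan_range -p icmp --icmp-type echo-request -j ACCEPT"
    echo 'COMMIT'
}

# count_rules RULESET CHAIN: number of "-A CHAIN" rules in the emitted text.
count_rules() {
    printf '%s\n' "$1" | grep -c "^-A $2 " || true
}

# Apply only when asked explicitly and running as root; otherwise print the file.
main() {
    local rules
    rules=$(build_ruleset "${WAN_IF:-eth1}" "${LAN_IF:-eth0}" \
                          "${LAN_RANGE:-192.168.1.0/24}" "${SSH_PORT:-7659}")
    if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ]; then
        # --test parses the whole file first; a syntax error leaves the live rules untouched.
        printf '%s\n' "$rules" | iptables-restore --test
        printf '%s\n' "$rules" | iptables-restore
        echo "ruleset loaded"
    else
        printf '%s\n' "$rules"
    fi
}

main "$@"
```

Run it without arguments to review the generated file; `sudo ./fw.sh --apply` loads it. Because iptables-restore commits the file as a unit, the policies and the ESTABLISHED rule become active together, which is the usual cause of lock-outs when rules are appended one at a time over SSH.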
I'm really sorry, but I have two questions (and one more as a bonus :) ):
Would this configuration be enough for Apache to work and to close everything else except SSH?
# We clean the tables
iptables -F
iptables -X
# We clean NAT
iptables -t nat -F
iptables -t nat -X
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# ssh only from inside and from this range of IPs
intranet=eth0
iptables -A INPUT -p tcp -s 192.168.x.x/24 -i $intranet --dport 7659 -j ACCEPT
Second question: is 7659 the port used for SSH in this example?
Third and last: in which file should this configuration be saved?
Thank you very much for the tutorial; it's a shame to be such a newbie and not be able to help properly.
this is the rule that apache needs for http
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
but you also need to declare the default drop policies (in the script)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
and this one, because if you are remote it will cut you off:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
yes, 7659 is the port for that ssh in the example; by default it is 22, although I recommend changing it to a "not well known" port
man, I don't know, as you like ... firewall.sh and then put it in rc.local (sh firewall.sh) so it runs automatically; depending on which OS you have, there are files where you can put the rules directly.
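The reply above warns that loading a ruleset over a remote session can cut you off. An added example (not the author's code) of the usual safeguard: snapshot the live rules, load the new file atomically, and restore the snapshot unless the operator confirms within a timeout. It assumes `iptables-save`/`iptables-restore` are present and that the rule file is in their format; `DRY_RUN=1` prints the privileged commands instead of running them so the control flow can be exercised without root.

```bash
#!/bin/bash
# Added example: lockout-safe loading of an iptables-restore file with auto-rollback.
# Assumes iptables-save/iptables-restore; DRY_RUN=1 substitutes printing for the real calls.
set -u
DRY_RUN=${DRY_RUN:-0}

# Snapshot of the live ruleset to stdout (a fixed marker line in dry-run mode).
fw_snapshot() {
    if [ "$DRY_RUN" = 1 ]; then echo "# dry-run snapshot"; else iptables-save; fi
}

# Load a ruleset file atomically; iptables-restore rejects the whole file on any error.
fw_load() {
    if [ "$DRY_RUN" = 1 ]; then echo "DRY: iptables-restore < $1"; else iptables-restore < "$1"; fi
}

# apply_with_rollback RULEFILE [SECONDS]
# Returns 0 if the operator confirmed within SECONDS, 1 if the previous rules were
# restored (no answer, e.g. the SSH session died), 2 on errors (live rules unchanged).
apply_with_rollback() {
    local rules=$1 wait=${2:-30} backup answer
    [ -r "$rules" ] || { echo "cannot read $rules" >&2; return 2; }
    backup=$(mktemp) || return 2
    fw_snapshot > "$backup" || { rm -f "$backup"; return 2; }
    if ! fw_load "$rules"; then
        echo "load failed, live rules unchanged" >&2
        rm -f "$backup"
        return 2
    fi
    printf 'New rules active. Type y within %ss to keep them: ' "$wait"
    if read -r -t "$wait" answer && [ "$answer" = y ]; then
        echo "kept"
        rm -f "$backup"
        return 0
    fi
    echo
    echo "no confirmation, restoring previous rules"
    fw_load "$backup"
    rm -f "$backup"
    return 1
}

# Usage: sudo ./fw-apply.sh /etc/iptables/rules.v4 30
if [ $# -ge 1 ]; then
    apply_with_rollback "$@"
fi
```

If the new rules block the session you are typing in, the `read` never receives the `y`, the timeout expires and the previous ruleset comes back on its own; if they are fine, confirming keeps them. Save the confirmed file wherever your distribution restores rules at boot, which is the persistence question asked above.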
Hey, your script is very good, I'm working through it... Do you know how I could deny all my users' requests to a certain website?... but this website has many servers....
I recommend other options:
1) You can create a fake zone in your DNS ...
2) You can set up a proxy with an ACL
however,
for iptables you could do it like this ... it's not always a good option (there are many ways)
iptables -A INPUT -s blog.desdelinux.net -j DROP
iptables -A OUTPUT -d blog.desdelinux.net -j DROP
Let me know if it worked
Thanks for the reply, everything is clear. I asked about the port because I was surprised by the use of 7659, since the private ports start at 49152 and it could interfere with some service or something.
Anyway, thanks for everything, it's great!
Greetings
BrodyDalle, how can I get in touch with you? Your script is very interesting.
soulofmarionet_1@hotmail.com
Is the penultimate line "iptables -A OUTPUT -o $extranet -s $ip -j $ACTION" there to protect your machine from being spoofed? Or is it possible that some poisoned packet comes in and then goes out with that poisoned source, and that's why the rule is also put on OUTPUT?
Thank you very much for the clarification!!!
this is my iptables script, it's very complete:
#!/bin/bash
# franes.iptables.airoso
# doc.iptables.airoso: iptables legacy and nft
#
# firewall ports
#######################
#
# clear the screen
#######################################
clear
# leave an empty line
echo
# A rule line prefixed with "$yes" (empty) runs; prefixed with "$no" it is
# handed to the no-op function below and therefore skipped.
export yes="" no="disabled"
disabled() { :; }
# variables you can change to allow access
#######################################
export hasexceptions="$no"
# hasexceptions: $yes to allow the exception hosts, $no to disable them
export hasping="$no"
# hasping: $yes to allow ping, $no to deny it
export haslogserver="$no"
# haslogserver: $yes to log incoming tcp on the logserver ports, $no to not log it
######
#######################################
export exceptions="baldras.wesnoth.org"
# exceptions: one or more hosts allowed through the firewall, or none
export logserver=discard,ipp,dict,ssh
# logserver: tcp server ports that are logged when packets come in
export servernet=0/0
# servernet: network for the server ports; the chosen local network or several ips
export clientnet=0/0
# clientnet: network for the client ports; all of them chosen
export servertcp=discard,ipp,dict,6771
# servertcp: the tcp server ports specified
export serverudp=discard
# serverudp: the udp server ports specified
export clientudp=domain,bootpc,bootps,ntp,20000:45000
# clientudp: the udp client ports specified
export clienttcp=domain,http,https,ipp,git,dict,14999:15002
# clienttcp: the tcp client ports specified
############################ end of /etc/f-iptables/default.cfg |||||
#######################################
export firewall=$1 variables=$2
# the values above are the built-in defaults; a config file, if present, overrides them
if [ -z "$variables" ]; then cfg=/etc/f-iptables/default.cfg;
else cfg=/etc/f-iptables/$2; fi
[ -r "$cfg" ] && source "$cfg"
#######################################
if [ "$firewall" = "cut" ]; then echo FIREWALL CUT;
export activateserver="$no" activateclient="$no" wet="$no";
elif [ "$firewall" = "client" ]; then echo FIREWALL CLIENT;
export activateserver="$no" activateclient="" wet="$no";
elif [ "$firewall" = "server" ]; then echo FIREWALL SERVER;
export activateserver="" activateclient="$no" wet="$no";
elif [ "$firewall" = "clientandserver" ]; then echo FIREWALL CLIENT AND SERVER;
export activateserver=""; export activateclient=""; export wet="$no";
elif [ "$firewall" = "permissive" ]; then echo FIREWALL PERMISSIVE;
export activateserver="$no" activateclient="$no" wet="";
else
echo iptables-legacy:
sudo iptables-legacy -v -L INPUT
sudo iptables-legacy -v -L OUTPUT
echo iptables-nft:
sudo iptables-nft -v -L INPUT
sudo iptables-nft -v -L OUTPUT
echo _____parameters____ $0 $1 $2
echo "run without parameters to list the iptables."
echo "First parameter (enable iptables): cut or client or server or clientandserver or permissive."
echo "Second parameter (optional): variables file; default.cfg chooses /etc/f-iptables/default.cfg"
echo "variable settings:" $(ls /etc/f-iptables/)
exit 0; fi
#################
echo
echo run $0 with cut or client or server or clientandserver or permissive or a variables file, or without parameters to list the iptables.
echo The file $0 contains the variables set inside it.
#######################################
echo setting the iptables variables
echo variables set
echo
#######################################
# The same rule set is loaded into both backends; the legacy and nft blocks
# are identical apart from the binary name, so they are done in one loop.
for backend in legacy nft; do
IPT=/usr/sbin/iptables-$backend
IP6T=/usr/sbin/ip6tables-$backend
echo Setting iptables-$backend
sudo $IPT -t filter -F
sudo $IPT -t nat -F
sudo $IPT -t mangle -F
sudo $IP6T -t filter -F
sudo $IP6T -t nat -F
sudo $IP6T -t mangle -F
# all IPv6 traffic is dropped
sudo $IP6T -A INPUT -j DROP
sudo $IP6T -A OUTPUT -j DROP
sudo $IP6T -A FORWARD -j DROP
sudo $IPT -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$haslogserver sudo $IPT -A INPUT -p tcp -m multiport --dports $logserver -j LOG
$hasexceptions sudo $IPT -A INPUT -s $exceptions -j ACCEPT
$activateserver sudo $IPT -A INPUT -p udp -m multiport --dports $serverudp -s $servernet -d $servernet -j ACCEPT
$activateserver sudo $IPT -A INPUT -p tcp -m multiport --dports $servertcp -s $servernet -d $servernet -j ACCEPT
$activateclient sudo $IPT -A INPUT -p udp -m multiport --sports $clientudp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT
$activateclient sudo $IPT -A INPUT -p tcp -m multiport --sports $clienttcp -m state --state ESTABLISHED -s $clientnet -d $clientnet -j ACCEPT
$hasping sudo $IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
sudo $IPT -A INPUT -j DROP
sudo $IPT -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$hasexceptions sudo $IPT -A OUTPUT -d $exceptions -j ACCEPT
$activateserver sudo $IPT -A OUTPUT -p udp -m multiport --sports $serverudp -s $servernet -d $servernet -j ACCEPT
$activateserver sudo $IPT -A OUTPUT -p tcp -m multiport --sports $servertcp -s $servernet -d $servernet -j ACCEPT
$activateclient sudo $IPT -A OUTPUT -p udp -m multiport --dports $clientudp -s $clientnet -d $clientnet -j ACCEPT
$activateclient sudo $IPT -A OUTPUT -p tcp -m multiport --dports $clienttcp -s $clientnet -d $clientnet -j ACCEPT
$hasping sudo $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
sudo $IPT -A OUTPUT -j DROP
sudo $IPT -A FORWARD -j DROP
echo iptables-$backend enabled
echo
# permissive mode ("wet"): replace the above with accept-all-outbound, established-only inbound
$wet sudo $IPT -F
$wet sudo $IPT -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$wet sudo $IPT -A INPUT -m state --state ESTABLISHED -j ACCEPT
$wet sudo $IPT -A INPUT -j DROP
$wet sudo $IPT -A OUTPUT -j ACCEPT
$wet sudo $IPT -A FORWARD -j DROP
done
########################
echo $0 $1 $2 done
# exit the script
exit 0
How could I write the rule if this firewall acts as my gateway and has squid inside the LAN???