User Tools
сервис_firewall
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
сервис_firewall [2024/05/07 14:14] val [Debian/Ubuntu (iptables)] |
сервис_firewall [2025/02/06 12:40] (current) val [nftables] |
||
|---|---|---|---|
| Line 10: | Line 10: | ||
| * [[https://habr.com/ru/companies/ruvds/articles/580648/|Переход с iptables на nftables. Краткий справочник]] | * [[https://habr.com/ru/companies/ruvds/articles/580648/|Переход с iptables на nftables. Краткий справочник]] | ||
| * [[https://cryptoworld.su/kak-perejti-s-iptables-na-nftables-polnaya-istrukciya/|Как перейти с iptables на Nftables — полная инструкция]] | * [[https://cryptoworld.su/kak-perejti-s-iptables-na-nftables-polnaya-istrukciya/|Как перейти с iptables на Nftables — полная инструкция]] | ||
| + | * [[https://serveradmin.ru/bazovye-nastrojki-nftables-dlya-veb-servera-na-debian/|Набор правил nftables для веб сервера]] | ||
| + | |||
| + | <code> | ||
| + | root@openvpn2:~# systemctl enable nftables.service --now | ||
| + | |||
| + | root@openvpn2:~# cat /etc/nftables.conf | ||
| + | </code><code> | ||
| + | #!/usr/sbin/nft -f | ||
| + | |||
| + | flush ruleset | ||
| + | |||
| + | table inet filter { | ||
| + | chain input { | ||
| + | type filter hook input priority filter; | ||
| + | } | ||
| + | chain forward { | ||
| + | type filter hook forward priority filter; policy drop; | ||
| + | ct state established,related counter accept | ||
| + | # BMSTU DNS noc@bmstu.ru | ||
| + | ip daddr 195.19.32.2 udp dport 53 counter accept | ||
| + | # DMZ NETS noc@bmstu.ru | ||
| + | ip daddr { 195.19.40.0/24, 195.19.50.0/24 } counter accept | ||
| + | # EU eu@bmstu.ru | ||
| + | ip daddr 195.19.33.59 tcp dport { 80, 443 } counter accept | ||
| + | # CAS proxy noc@bmstu.ru | ||
| + | ip daddr 195.19.33.9 tcp dport 8443 counter accept | ||
| + | # lm.bmstu.ru | ||
| + | ip daddr 195.19.33.222 tcp dport 22 counter drop | ||
| + | ip daddr 195.19.33.222 counter accept | ||
| + | |||
| + | } | ||
| + | chain output { | ||
| + | type filter hook output priority filter; | ||
| + | } | ||
| + | } | ||
| + | </code><code> | ||
| + | root@openvpn2:~# systemctl reload nftables.service | ||
| + | |||
| + | root@openvpn2:~# nft list ruleset | ||
| + | </code> | ||
| ==== Linux (iptables) ==== | ==== Linux (iptables) ==== | ||
| Line 372: | Line 412: | ||
| root@gate:~# iptables-save > /etc/iptables.rules | root@gate:~# iptables-save > /etc/iptables.rules | ||
| + | или | ||
| + | root@gate:~# netfilter-persistent save | ||
| </code> | </code> | ||
| Line 432: | Line 474: | ||
| ==== nftables ==== | ==== nftables ==== | ||
| + | |||
| + | === Блокировка абонентов, превысивших частоту подключений === | ||
| * [[https://access.redhat.com/documentation/ru-ru/red_hat_enterprise_linux/7/html/security_guide/sec-using_nftables_to_limit_the_amount_of_connections|Using nftables to limit the amount of connections]] | * [[https://access.redhat.com/documentation/ru-ru/red_hat_enterprise_linux/7/html/security_guide/sec-using_nftables_to_limit_the_amount_of_connections|Using nftables to limit the amount of connections]] | ||
сервис_firewall.1715080467.txt.gz · Last modified: 2024/05/07 14:14 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
