User Tools
сервис_firewall
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
сервис_firewall [2024/05/07 14:14] val [Debian/Ubuntu (iptables)] |
сервис_firewall [2025/10/21 11:24] (current) val [nftables] |
||
|---|---|---|---|
| Line 6: | Line 6: | ||
| ===== Конфигурация для рабочей станции ===== | ===== Конфигурация для рабочей станции ===== | ||
| - | ==== nftables ==== | ||
| - | * [[https://habr.com/ru/companies/ruvds/articles/580648/|Переход с iptables на nftables. Краткий справочник]] | ||
| - | * [[https://cryptoworld.su/kak-perejti-s-iptables-na-nftables-polnaya-istrukciya/|Как перейти с iptables на Nftables — полная инструкция]] | ||
| ==== Linux (iptables) ==== | ==== Linux (iptables) ==== | ||
| Line 82: | Line 79: | ||
| </code> | </code> | ||
| - | ==== CentOS ==== | + | ==== CentOS, AlmaLinux ==== |
| - | + | ||
| - | === CentOS 7, AlmaLinux 9 === | + | |
| * [[https://bozza.ru/art-259.html|Настройка firewalld CentOS 7 с примерами команд]] | * [[https://bozza.ru/art-259.html|Настройка firewalld CentOS 7 с примерами команд]] | ||
| Line 124: | Line 119: | ||
| или, возвращаем исходное состояние | или, возвращаем исходное состояние | ||
| # firewall-cmd --reload | # firewall-cmd --reload | ||
| + | |||
| + | # nft list ruleset | ||
| # systemctl stop firewalld | # systemctl stop firewalld | ||
| Line 172: | Line 169: | ||
| </code> | </code> | ||
| ===== Конфигурация для шлюза WAN - LAN ===== | ===== Конфигурация для шлюза WAN - LAN ===== | ||
| + | |||
| + | ==== nftables ==== | ||
| + | |||
| + | * [[https://habr.com/ru/companies/ruvds/articles/580648/|Переход с iptables на nftables. Краткий справочник]] | ||
| + | * [[https://cryptoworld.su/kak-perejti-s-iptables-na-nftables-polnaya-istrukciya/|Как перейти с iptables на Nftables — полная инструкция]] | ||
| + | * [[https://serveradmin.ru/bazovye-nastrojki-nftables-dlya-veb-servera-na-debian/|Набор правил nftables для веб сервера]] | ||
| + | |||
| + | <code> | ||
| + | root@openvpn2:~# systemctl enable nftables.service --now | ||
| + | |||
| + | root@openvpn2:~# cat /etc/nftables.conf | ||
| + | </code><code> | ||
| + | #!/usr/sbin/nft -f | ||
| + | |||
| + | flush ruleset | ||
| + | |||
| + | table inet filter { | ||
| + | chain input { | ||
| + | type filter hook input priority filter; | ||
| + | } | ||
| + | chain forward { | ||
| + | type filter hook forward priority filter; policy drop; | ||
| + | ct state established,related counter accept | ||
| + | # BMSTU DNS noc@bmstu.ru | ||
| + | ip daddr 195.19.32.2 udp dport 53 counter accept | ||
| + | # DMZ NETS noc@bmstu.ru | ||
| + | ip daddr { 195.19.40.0/24, 195.19.50.0/24 } counter accept | ||
| + | # EU eu@bmstu.ru | ||
| + | ip daddr 195.19.33.59 tcp dport { 80, 443 } counter accept | ||
| + | # CAS proxy noc@bmstu.ru | ||
| + | ip daddr 195.19.33.9 tcp dport 8443 counter accept | ||
| + | # lm.bmstu.ru | ||
| + | ip daddr 195.19.33.222 tcp dport 22 counter drop | ||
| + | ip daddr 195.19.33.222 counter accept | ||
| + | |||
| + | } | ||
| + | chain output { | ||
| + | type filter hook output priority filter; | ||
| + | } | ||
| + | } | ||
| + | </code><code> | ||
| + | root@openvpn2:~# systemctl reload nftables.service | ||
| + | |||
| + | root@openvpn2:~# nft list ruleset | ||
| + | </code> | ||
| ==== Debian/Ubuntu (iptables) ==== | ==== Debian/Ubuntu (iptables) ==== | ||
| Line 372: | Line 414: | ||
| root@gate:~# iptables-save > /etc/iptables.rules | root@gate:~# iptables-save > /etc/iptables.rules | ||
| + | или | ||
| + | root@gate:~# netfilter-persistent save | ||
| + | </code> | ||
| + | ==== Debian/Ubuntu (nftables) ==== | ||
| + | <code> | ||
| + | # cat /etc/nftables.conf | ||
| + | </code><code> | ||
| + | ... | ||
| + | table inet filter { | ||
| + | chain input { | ||
| + | type filter hook input priority filter; | ||
| + | } | ||
| + | chain forward { | ||
| + | type filter hook forward priority filter; | ||
| + | iifname "eth0" oifname "eth1" counter packets 0 bytes 0 accept | ||
| + | iifname "eth1" oifname "eth0" counter packets 0 bytes 0 accept | ||
| + | iifname "eth2" counter packets 0 bytes 0 accept | ||
| + | iifname "tun*" counter packets 0 bytes 0 accept | ||
| + | ct state established,related counter packets 0 bytes 0 accept | ||
| + | counter packets 0 bytes 0 drop | ||
| + | } | ||
| + | chain output { | ||
| + | type filter hook output priority filter; | ||
| + | ct state established,related counter packets 0 bytes 0 accept | ||
| + | oifname "eth2" counter packets 0 bytes 0 drop | ||
| + | } | ||
| + | } | ||
| </code> | </code> | ||
| - | |||
| ==== FreeBSD (pf) ==== | ==== FreeBSD (pf) ==== | ||
| <code> | <code> | ||
| Line 432: | Line 500: | ||
| ==== nftables ==== | ==== nftables ==== | ||
| + | |||
| + | === Блокировка абонентов, превысивших частоту подключений === | ||
| * [[https://access.redhat.com/documentation/ru-ru/red_hat_enterprise_linux/7/html/security_guide/sec-using_nftables_to_limit_the_amount_of_connections|Using nftables to limit the amount of connections]] | * [[https://access.redhat.com/documentation/ru-ru/red_hat_enterprise_linux/7/html/security_guide/sec-using_nftables_to_limit_the_amount_of_connections|Using nftables to limit the amount of connections]] | ||
| Line 453: | Line 523: | ||
| } | } | ||
| ... | ... | ||
| + | </code><code> | ||
| + | gate# nft list set inet filter denylist | ||
| + | |||
| + | gate# nft flush set inet filter denylist | ||
| </code> | </code> | ||
| ==== FreeBSD (pf) ==== | ==== FreeBSD (pf) ==== | ||
сервис_firewall.1715080467.txt.gz · Last modified: 2024/05/07 14:14 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
