сервис_firewall [2025/10/01 10:10] val [CentOS, AlmaLinux] |
сервис_firewall [2025/10/20 09:17] (current) val [Debian/Ubuntu (iptables)] |
Line 6: | Line 6: | ||
===== Конфигурация для рабочей станции ===== | ===== Конфигурация для рабочей станции ===== | ||
- | ==== nftables ==== | ||
- | * Сервис SalesPlatform Vtiger CRM Russian [[Сервис SalesPlatform Vtiger CRM Russian#Информация по установке в LXC]] | ||
- | |||
- | * [[https://habr.com/ru/companies/ruvds/articles/580648/|Переход с iptables на nftables. Краткий справочник]] | ||
- | * [[https://cryptoworld.su/kak-perejti-s-iptables-na-nftables-polnaya-istrukciya/|Как перейти с iptables на Nftables — полная инструкция]] | ||
- | * [[https://serveradmin.ru/bazovye-nastrojki-nftables-dlya-veb-servera-na-debian/|Набор правил nftables для веб сервера]] | ||
- | |||
- | <code> | ||
- | root@openvpn2:~# systemctl enable nftables.service --now | ||
- | |||
- | root@openvpn2:~# cat /etc/nftables.conf | ||
- | </code><code> | ||
- | #!/usr/sbin/nft -f | ||
- | |||
- | flush ruleset | ||
- | |||
- | table inet filter { | ||
- | chain input { | ||
- | type filter hook input priority filter; | ||
- | } | ||
- | chain forward { | ||
- | type filter hook forward priority filter; policy drop; | ||
- | ct state established,related counter accept | ||
- | # BMSTU DNS noc@bmstu.ru | ||
- | ip daddr 195.19.32.2 udp dport 53 counter accept | ||
- | # DMZ NETS noc@bmstu.ru | ||
- | ip daddr { 195.19.40.0/24, 195.19.50.0/24 } counter accept | ||
- | # EU eu@bmstu.ru | ||
- | ip daddr 195.19.33.59 tcp dport { 80, 443 } counter accept | ||
- | # CAS proxy noc@bmstu.ru | ||
- | ip daddr 195.19.33.9 tcp dport 8443 counter accept | ||
- | # lm.bmstu.ru | ||
- | ip daddr 195.19.33.222 tcp dport 22 counter drop | ||
- | ip daddr 195.19.33.222 counter accept | ||
- | |||
- | } | ||
- | chain output { | ||
- | type filter hook output priority filter; | ||
- | } | ||
- | } | ||
- | </code><code> | ||
- | root@openvpn2:~# systemctl reload nftables.service | ||
- | |||
- | root@openvpn2:~# nft list ruleset | ||
- | </code> | ||
==== Linux (iptables) ==== | ==== Linux (iptables) ==== | ||
Line 214: | Line 169: | ||
</code> | </code> | ||
===== Конфигурация для шлюза WAN - LAN ===== | ===== Конфигурация для шлюза WAN - LAN ===== | ||
+ | |||
+ | ==== nftables ==== | ||
+ | |||
+ | * [[https://habr.com/ru/companies/ruvds/articles/580648/|Переход с iptables на nftables. Краткий справочник]] | ||
+ | * [[https://cryptoworld.su/kak-perejti-s-iptables-na-nftables-polnaya-istrukciya/|Как перейти с iptables на Nftables — полная инструкция]] | ||
+ | * [[https://serveradmin.ru/bazovye-nastrojki-nftables-dlya-veb-servera-na-debian/|Набор правил nftables для веб сервера]] | ||
+ | |||
+ | <code> | ||
+ | root@openvpn2:~# systemctl enable nftables.service --now | ||
+ | |||
+ | root@openvpn2:~# cat /etc/nftables.conf | ||
+ | </code><code> | ||
+ | #!/usr/sbin/nft -f | ||
+ | |||
+ | flush ruleset | ||
+ | |||
+ | table inet filter { | ||
+ | chain input { | ||
+ | type filter hook input priority filter; | ||
+ | } | ||
+ | chain forward { | ||
+ | type filter hook forward priority filter; policy drop; | ||
+ | ct state established,related counter accept | ||
+ | # BMSTU DNS noc@bmstu.ru | ||
+ | ip daddr 195.19.32.2 udp dport 53 counter accept | ||
+ | # DMZ NETS noc@bmstu.ru | ||
+ | ip daddr { 195.19.40.0/24, 195.19.50.0/24 } counter accept | ||
+ | # EU eu@bmstu.ru | ||
+ | ip daddr 195.19.33.59 tcp dport { 80, 443 } counter accept | ||
+ | # CAS proxy noc@bmstu.ru | ||
+ | ip daddr 195.19.33.9 tcp dport 8443 counter accept | ||
+ | # lm.bmstu.ru | ||
+ | ip daddr 195.19.33.222 tcp dport 22 counter drop | ||
+ | ip daddr 195.19.33.222 counter accept | ||
+ | |||
+ | } | ||
+ | chain output { | ||
+ | type filter hook output priority filter; | ||
+ | } | ||
+ | } | ||
+ | </code><code> | ||
+ | root@openvpn2:~# systemctl reload nftables.service | ||
+ | |||
+ | root@openvpn2:~# nft list ruleset | ||
+ | </code> | ||
==== Debian/Ubuntu (iptables) ==== | ==== Debian/Ubuntu (iptables) ==== | ||
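Review bot: The ruleset placed under the gateway section leaves `input` and `output` with no `policy` and no rules (`chain input { type filter hook input priority filter; }`), and an nftables base chain without an explicit policy defaults to `policy accept` — so only transit traffic is filtered, while whatever listens on openvpn2 itself is reachable from every interface. If that is intended, state it in a comment above the chain; otherwise give `input` an explicit `policy drop;` together with `ct state established,related accept` and `iif lo accept`, plus the listener ports the gateway actually needs, which the page does not list. In `forward`, a `ct state invalid counter drop` placed before the `established,related` accept keeps out-of-state packets from being evaluated against the `ip daddr` whitelist, and the whitelist rules match only on destination, so the source interface or network the rules are meant for is presumably implied rather than enforced. `flush ruleset` at the top also discards rules installed by other tools on the host (container runtimes, fail2ban) on every `systemctl reload`, which deserves a one-line warning next to it.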
Line 417: | Line 417: | ||
root@gate:~# netfilter-persistent save | root@gate:~# netfilter-persistent save | ||
</code> | </code> | ||
+ | ==== Debian/Ubuntu (nftables) ==== | ||
+ | <code> | ||
+ | # cat /etc/nftables.conf | ||
+ | </code><code> | ||
+ | ... | ||
+ | table inet filter { | ||
+ | chain input { | ||
+ | type filter hook input priority filter; | ||
+ | } | ||
+ | chain forward { | ||
+ | type filter hook forward priority filter; | ||
+ | iifname "eth0" oifname "eth1" counter packets 0 bytes 0 accept | ||
+ | iifname "eth1" oifname "eth0" counter packets 0 bytes 0 accept | ||
+ | iifname "eth2" counter packets 0 bytes 0 accept | ||
+ | iifname "tun*" counter packets 0 bytes 0 accept | ||
+ | ct state established,related counter packets 0 bytes 0 accept | ||
+ | counter packets 0 bytes 0 drop | ||
+ | } | ||
+ | chain output { | ||
+ | type filter hook output priority filter; | ||
+ | ct state established,related counter packets 0 bytes 0 accept | ||
+ | oifname "eth2" counter packets 0 bytes 0 drop | ||
+ | } | ||
+ | } | ||
+ | </code> | ||
==== FreeBSD (pf) ==== | ==== FreeBSD (pf) ==== | ||
<code> | <code> |