====== Сервис Firewall ======
* [[http://ru.wikipedia.org/wiki/Межсетевой_экран]]
* [[http://www.xakep.ru/post/53653/]]
===== Конфигурация для рабочей станции =====
==== nftables ====
* [[https://habr.com/ru/companies/ruvds/articles/580648/|Переход с iptables на nftables. Краткий справочник]]
* [[https://cryptoworld.su/kak-perejti-s-iptables-na-nftables-polnaya-istrukciya/|Как перейти с iptables на Nftables — полная инструкция]]
==== Linux (iptables) ====
* [[https://help.ubuntu.com/community/IptablesHowTo|ubuntu.com community IptablesHowTo]]
* [[https://ru.wikibooks.org/wiki/Iptables|Материал из Викиучебника iptables — утилита командной строки]]
* [[https://ru.wikipedia.org/wiki/Netfilter|Материал из Википедии netfilter — межсетевой экран]]
=== Настройка фильтра ===
root@clientN:~# cat firewall.sh
# Workstation host firewall, IPv4 only (run as: sh firewall.sh).
# --flush empties every chain of the default (filter) table; chain policies
# and user-defined chains are left as they were.
iptables --flush
# loopback is always allowed
iptables -A INPUT -i lo -j ACCEPT
# replies and related packets for connections this host already tracks
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# everything else inbound is dropped; no rule above opens a service, so new
# inbound connections are refused. Only iptables is touched here: ip6tables
# (IPv6) is not configured by this script.
iptables -A INPUT -j DROP
root@clientN:~# sh firewall.sh
=== Просмотр правил фильтра ===
# iptables -t filter -n -L -v --line-numbers
или
# iptables -n -L -v --line-numbers
=== Удаление правил фильтра ===
iptables -t ТАБЛИЦА -D ЦЕПОЧКА НОМЕР_ПРАВИЛА
=== Работа с таблицей состояний ===
[[http://conntrack-tools.netfilter.org/conntrack.html]]
# apt install conntrack
# conntrack -L
=== Управление состоянием iptables ===
== Вариант 1 ==
== Сохранение состояния iptables ==
root@gate:~# iptables-save > /etc/iptables.rules
== Восстановление состояния iptables ==
root@gate:~# iptables-restore < /etc/iptables.rules
== Восстановление состояния iptables при загрузке ==
root@gate:~# cat /etc/network/interfaces
...
auto eth1
iface eth1 inet static
pre-up iptables-restore < /etc/iptables.rules
...
== Вариант 2 ==
# apt install iptables-persistent
# netfilter-persistent save
==== CentOS ====
=== CentOS 7, AlmaLinux 9 ===
* [[https://bozza.ru/art-259.html|Настройка firewalld CentOS 7 с примерами команд]]
* [[https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7|How To Set Up a Firewall Using FirewallD on CentOS 7]]
* [[https://www.linuxjournal.com/content/understanding-firewalld-multi-zone-configurations|Understanding Firewalld in Multi-Zone Configurations]]
# systemctl status firewalld
# firewall-cmd --get-zones | tr " " "\n"
# firewall-cmd --get-active-zones
!!! Даже если список пуст, похоже, в этом случае используется зона public
# firewall-cmd --get-zone-of-interface=enp0s3
no zone !!! Похоже, в этом случае используется зона public
# firewall-cmd --list-all
# firewall-cmd --change-interface=enp0s3 --zone=public
# firewall-cmd --get-services | tr " " "\n"
# less /usr/lib/firewalld/services/sip.xml
server# firewall-cmd --zone=public --add-service=http
server# firewall-cmd --zone=public --remove-service=http
gate# firewall-cmd --zone=public --add-port=2222/tcp
gate# firewall-cmd --zone=public --remove-port=2222/tcp
server# firewall-cmd --zone=internal --add-source 192.168.X.0/24
server# firewall-cmd --get-active-zones
server# firewall-cmd --zone=internal --list-all
server# firewall-cmd --zone=internal --add-service=smtp
# firewall-cmd --runtime-to-permanent
или, чтобы отбросить runtime-изменения и вернуть исходное состояние:
# firewall-cmd --reload
# systemctl stop firewalld
=== CentOS 6 ===
# service iptables save
# cat /etc/sysconfig/iptables
# service iptables stop
==== FreeBSD (PF) ====
* [[http://www.openbsd.org/faq/pf/|PF: The OpenBSD Packet Filter]]
=== Настройка ===
[gate:~] # cat /etc/pf.conf
# Workstation pf ruleset. "block in" and "pass out" cover different
# directions, so they do not override each other.
# no filtering on loopback
set skip on lo0
# default: nothing inbound (both address families)
block in all
# outbound IPv4 is allowed and creates state, so the replies get back in.
# "inet" is IPv4 only: there is no inet6 keep-state rule here — presumably
# IPv6 is not used on this host; confirm before relying on the ruleset.
pass out inet all keep state
=== Включение ===
[gate:~] # cat /etc/rc.conf
...
pf_enable=yes
[gate:~] # /etc/rc.d/pf check
[gate:~] # /etc/rc.d/pf start
[gate:~] # /etc/rc.d/pf reload
[gate:~] # pfctl -s rules
[gate:~] # pfctl -vs rules
[gate:~] # pfctl -vs state
[gate:~] # pfctl -F state
===== Конфигурация для шлюза WAN - LAN =====
==== Debian/Ubuntu (iptables) ====
root@gate:~# cat firewall.sh
# WAN-LAN gateway firewall, filter table only (run as: sh firewall.sh).
# Interface roles as they appear from the rules: eth1 is the WAN side
# (inbound connections to the 192.168.X.10 server arrive on it) and eth0 the
# LAN side (192.168.X.0/24) — confirm against the host's addressing.
# "X" is the lab placeholder for the network number; 192.168.100+X is
# arithmetic, not a literal address.
iptables --flush
# Services on the internal server reachable from the WAN side: ssh, DNS
# (tcp+udp), http and 5222 (XMPP). ssh on 22 is open to anyone — see the
# brute-force section of this page for rate-limiting such exposed ports.
iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 22 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 53 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 53 -j ACCEPT
# mail (25/465/587/143) is prepared but switched off
#iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j REJECT
#iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j ACCEPT
#iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 465 -j ACCEPT
#iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 587 -j ACCEPT
#iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 143 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 5222 -j ACCEPT
# VoIP (SIP 5060, IAX 4569, RTP 10000-20000) — switched off
#iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 5060 -j ACCEPT
#iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 4569 -j ACCEPT
#iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 10000:20000 -j ACCEPT
# Optional outbound restrictions for the LAN (mail, web). iptables is
# first-match, so these only work while they stay above the general LAN
# ACCEPT rule below.
#iptables -A FORWARD -i eth0 -p tcp --dport 25 -j REJECT
#iptables -A FORWARD -s 192.168.100+X.0/24 -p tcp --dport 80 -j REJECT
#iptables -A FORWARD -s 192.168.100+X.0/24 -p tcp --dport 443 -j REJECT
# LAN may initiate anything, but only when the LAN source address arrives on
# the LAN interface (-i eth0 -s ...): a packet from the WAN side claiming a
# LAN address does not match. The commented alternative has no such check.
iptables -A FORWARD -i eth0 -s 192.168.X.0/24 -j ACCEPT
#iptables -A FORWARD -s 192.168.100+X.0/24 -j ACCEPT
# replies for tracked connections, then drop every other forwarded packet.
# INPUT/OUTPUT get no rules here, so traffic to and from the gateway itself
# is governed only by the chain policies (ACCEPT unless changed elsewhere).
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j DROP
# presumably flushes the connection-tracking table so that flows already
# open are re-evaluated against the new rules (needs the conntrack package,
# installed below)
conntrack -F
root@gate:~# apt install conntrack
root@gate:~# sh firewall.sh
root@gate:~# iptables-save > /etc/iptables.rules
root@gate:~# cat /etc/modules
...
nf_conntrack_ftp
==== CentOS ====
...
# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o eth1 -j ACCEPT
# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
...
==== FreeBSD (pf) ====
[gate:~] # cat /etc/pf.conf
# WAN-LAN gateway pf ruleset. pf evaluates the whole ruleset and the last
# matching rule wins (no "quick" is used on the active rules), so the
# specific "pass in" rules below override "block in all".
# "X" is the lab placeholder for the network number; 192.168.100+X is
# arithmetic, not a literal address.
corp_net="192.168.X/24"
#pppoe_corp_net="192.168.100+X/24"
# every published service lives on the same internal host
ssh_server="192.168.X.10"
dns_server="192.168.X.10"
www_server="192.168.X.10"
mail_server="192.168.X.10"
asterisk_server="192.168.X.10"
# no filtering on loopback
set skip on lo0
# default: nothing inbound
block in all
# optional: refuse SMTP to the mail server / from the LAN to the outside
#block return in quick inet proto tcp from any to $mail_server port 25
#block return out quick inet proto tcp from $corp_net to !$corp_net port 25
# anything addressed to the gateway's own interface addresses is passed, any
# protocol — this exposes every service running on the gateway itself;
# presumably acceptable in the lab, confirm for a real deployment.
pass in inet from any to {em0,em1}
# the LAN may initiate anything
pass in inet from $corp_net to any
#pass in inet from $dns_server to any
#pass in inet from $pppoe_corp_net to any
# outbound IPv4 creates state, so replies are accepted on the way back
pass out inet all keep state
# published services on the internal host, reachable from anywhere (no "on"
# interface restriction). Unlike the iptables variant on this page, SMTP (25)
# and IMAP (143) are enabled here; on current pf versions "pass" keeps state
# by default, so the replies to these connections are matched by state.
pass in inet proto tcp from any to $ssh_server port 22
pass in inet proto tcp from any to $mail_server port 25
pass in inet proto {udp,tcp} from any to $dns_server port 53
pass in inet proto tcp from any to $www_server port 80
pass in inet proto tcp from any to $mail_server port 143
# VoIP (asterisk) — switched off
#pass in inet proto udp from any to $asterisk_server port 5006
#pass in inet proto udp from any to $asterisk_server port 10000:20000
#pass in inet proto udp from any to $asterisk_server port 4569
[gate:~] # /etc/rc.d/pf check
[gate:~] # /etc/rc.d/pf reload
==== FreeBSD (ipfw stateful) ====
# cat /etc/ipfw.rules
# FreeBSD ipfw, stateful variant (the file is executed as a shell script).
# Rules are numbered in order of addition and matched first-match; a packet
# matching nothing falls to the kernel's default rule (deny, unless the
# kernel was built to accept by default).
ipfw -q -f flush
# match packets against the dynamic (state) table before any static rule
ipfw -q add check-state
# drop IP fragments outright
ipfw -q add deny all from any to any frag
# a TCP packet with ACK/RST set ("established") that matched no state above
# does not belong to a known session — drop it, so forged packets with ACK
# set cannot slip through the allow rules below
ipfw -q add deny tcp from any to any established
# the LAN may initiate outbound: TCP only via SYN ("setup"), udp/icmp
# freely; keep-state lets the replies in through check-state
ipfw -q add allow tcp from 192.168.X.0/24 to any setup keep-state
ipfw -q add allow udp from 192.168.X.0/24 to any keep-state
ipfw -q add allow icmp from 192.168.X.0/24 to any keep-state
# inbound to the internal server: the active rule opens the whole 22-80
# range (23 telnet, 25 smtp, 53, 79 ... included), not just ssh and http —
# the commented single-port form is the tighter choice
#ipfw -q add allow tcp from any to 192.168.X.10 22 keep-state
ipfw -q add allow tcp from any to 192.168.X.10 22-80 keep-state
#ipfw -q add allow udp from any to 192.168.X.10 53 keep-state
#ipfw -q add allow ip from any to 192.168.X.10 keep-state
==== FreeBSD (ipfw stateless) ====
# cat /etc/ipfw.rules
# FreeBSD ipfw, stateless variant: no connection tracking, so return traffic
# has to be described by packet shape and cannot be tied to a session.
ipfw -q -f flush
# the LAN may send anything
ipfw -q add allow ip from 192.168.X.0/24 to any
# "return" TCP traffic: any packet with ACK or RST set ("established").
# Without state, a forged packet with ACK set passes whether or not a
# session exists — this is the price of being stateless.
ipfw -q add allow tcp from any to 192.168.X.0/24 established
# "return" UDP: unprivileged source and destination ports, plus DNS answers
# from port 53 — in practice anything on high ports gets through
ipfw -q add allow udp from any 1024-65535 to any 1024-65535
ipfw -q add allow udp from any 53 to any 1024-65535
ipfw -q add allow icmp from any to any
# published services on the internal host: tcp 22-23 (ssh, telnet), udp 53
ipfw -q add allow tcp from any to 192.168.X.10 22-23
ipfw -q add allow udp from any to 192.168.X.10 53
===== Протоколирование отброшенных пакетов =====
==== Debian/Ubuntu (iptables) ====
root@gate:~# cat firewall.sh
...
iptables -A ... -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A ... -j DROP
root@gate:~# sh firewall.sh
root@gate:~# iptables-save > /etc/iptables.rules
root@gate:~# tail -f /var/log/syslog
==== FreeBSD (pf) ====
[gate:~] # cat /etc/rc.conf
...
pflog_enable="YES"
[gate:~] # /etc/rc.d/pflog start
[gate:~] # ifconfig
[gate:~] # cat /etc/pf.conf
...
block in log all
[gate:~] # /etc/rc.d/pf check
[gate:~] # /etc/rc.d/pf reload
[gate:~] # tcpdump -n -i pflog0
[gate:~] # tcpdump -n -r /var/log/pflog
===== Конфигурация для шлюза WAN - LAN - DMZ =====
==== Debian/Ubuntu (iptables) ====
root@gate:~# cat firewall.sh
# WAN-LAN-DMZ gateway firewall, filter table only (run as: sh firewall.sh).
# Interface roles are not stated on the page; from the rules they appear to
# be: eth1 WAN, eth0 DMZ (passes freely to and from the WAN), eth2 LAN (may
# initiate anywhere, nothing may initiate towards it) — compare dmz_net /
# lan_net in the pf variant below. Confirm against the host's addressing.
iptables --flush
# DMZ <-> WAN in both directions
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# the LAN may open connections to anything (WAN, DMZ, VPN)
iptables -A FORWARD -i eth2 -j ACCEPT
#### for openvpn ####
# tun+ matches every tun interface; VPN clients may reach everything,
# including the LAN (the pf variant limits them to $lan_net)
iptables -A FORWARD -i tun+ -j ACCEPT
# replies for tracked connections. The OUTPUT rule is presumably there so
# that the gateway's own replies to LAN-initiated connections still pass the
# OUTPUT DROP at the end.
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# nothing else is forwarded: in particular neither the WAN nor the DMZ can
# initiate connections towards the LAN (eth2)
iptables -A FORWARD -j DROP
# the gateway itself does not initiate connections into the LAN (same intent
# as "block out from any to $lan_net" in the pf variant)
iptables -A OUTPUT -o eth2 -j DROP
root@gate:~# sh firewall.sh
root@gate:~# iptables-save > /etc/iptables.rules
или
root@gate:~# netfilter-persistent save
==== FreeBSD (pf) ====
[gate:~] # cat /etc/pf.conf
# WAN-LAN-DMZ gateway pf ruleset. Last matching rule wins (no "quick").
# "X"/"Y" are lab placeholders; 192.168.100+X etc. are arithmetic, not
# literal addresses. em1 appears to be the WAN side (it carries the NAT).
lan_net="192.168.100+X/24"
dmz_net="192.168.X/24"
vpn_nets="{ 192.168.200+X/24, 192.168.100+Y/24}"
# only the LAN is NATed on the way out; the DMZ is not — presumably it is
# routed or NATed elsewhere, confirm
nat on em1 from $lan_net to any -> (em1)
# default: nothing inbound
block in all
# outbound IPv4 creates state, so replies come back in
pass out inet all keep state
# nobody reaches into the LAN. With pf's default floating states, flows
# already admitted by a "pass in" rule below are matched by their state and
# not re-evaluated here, so in practice this restricts connections the
# gateway itself originates towards the LAN — the same intent as
# "OUTPUT -o eth2 DROP" in the iptables variant; confirm on the target pf.
block out from any to $lan_net
#pass out from $vpn_nets to $lan_net
# anything addressed to the gateway's own interfaces is passed, any protocol
# — every service on the gateway itself is exposed; confirm this is intended
pass in inet from any to {em0,em1,em2}
# DMZ hosts are reachable from anywhere and may talk to anything except the
# LAN; the LAN may initiate anything; VPN clients reach the LAN only
pass in inet from any to $dmz_net
pass in inet from $dmz_net to !$lan_net
pass in inet from $lan_net to any
pass in inet from $vpn_nets to $lan_net
===== Конфигурация для защиты от bruteforce =====
==== Debian/Ubuntu (iptables) ====
=== Ограничение частоты подключений ===
root@gate:~# cat firewall.sh
iptables --flush
...
iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j LOG
iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --set
#iptables -A FORWARD -p tcp -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 1 --hitcount 10 -j LOG
#iptables -A FORWARD -p tcp -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 1 --hitcount 10 -j DROP
#iptables -A FORWARD -p tcp -i eth1 -m conntrack --ctstate NEW -m recent --set
...
root@gate:~# tail -f /var/log/syslog
root@gate:~# journalctl -f
root@gate:~# cat /proc/net/xt_recent/DEFAULT
root@gate:~# watch cat /proc/net/xt_recent/DEFAULT
root@gate:~# echo -10.5.7.1 >/proc/net/xt_recent/DEFAULT
root@gate:~# echo / >/proc/net/xt_recent/DEFAULT
==== nftables ====
=== Блокировка абонентов, превысивших частоту подключений ===
* [[https://access.redhat.com/documentation/ru-ru/red_hat_enterprise_linux/7/html/security_guide/sec-using_nftables_to_limit_the_amount_of_connections|Using nftables to limit the amount of connections]]
gate# cat /etc/nftables.conf
...
table inet filter {
set denylist {
type ipv4_addr
size 65535
flags dynamic,timeout
timeout 5m
}
...
chain forward {
type filter hook forward priority filter; policy accept;
ip protocol tcp ct state new,untracked limit rate over 10/second add @denylist { ip saddr }
ip saddr @denylist drop
}
...
==== FreeBSD (pf) ====
[[http://www.opennet.ru/base/sec/bruteforce_pf.txt.html]]
gate# cat /etc/pf.conf
table <fail2ban> persist
block in quick from <fail2ban>
pass in on em1 proto tcp to \
port 22 flags S/SA keep state \
(max-src-conn-rate 4/60, overload <fail2ban> flush)
# pfctl -t fail2ban -T show
# pfctl -t fail2ban -T delete 172.16.1.254
# pfctl -t fail2ban -T add 172.16.1.254
# pfctl -k 172.16.1.254
# pfctl -t fail2ban -T flush
===== Мониторинг соединений =====
==== Debian/Ubuntu (iptables) ====
root@gate:~# conntrack -L
root@gate:~# iptstate
root@gate:~# conntrack -F
==== FreeBSD (pf) ====
[gate:~] # pfctl -vs state
[gate:~] # pfctl -k 0.0.0.0/0 -k 172.16.1.254
[gate:~] # pfctl -F states
[gate:~] # pkg install pftop
[gate:~] # pftop
===== Transparent Firewall =====
==== NetFilter ====
[[http://bwachter.lart.info/linux/bridges.html]]
===== Дополнительные материалы =====
==== FreeBSD ipfilter ====
* [[https://www.freebsd.org/doc/handbook/firewalls-ipf.html]]
# touch /etc/ipf.rules
# cat /etc/rc.conf
...
ipfilter_enable=yes
# service ipfilter start
# ipfstat -hio
==== Пример пользовательского интерфейса для управления pf ====
[[Средства программирования shell#Использование программы dialog]]