сервис_firewall
сервис_firewall [2018/10/23 09:01]
val [CentOS]
сервис_firewall [2020/11/12 11:35]
val [Debian/Ubuntu (iptables)]
Line 14: Line 14:
 === Настройка фильтра === === Настройка фильтра ===
 <​code>​ <​code>​
-root@gate:~# cat firewall.sh+root@clientN:~# cat firewall.sh
 </​code><​code>​ </​code><​code>​
 iptables --flush iptables --flush
Line 21: Line 21:
 iptables -A INPUT -j DROP iptables -A INPUT -j DROP
 </​code><​code>​ </​code><​code>​
-root@gate:~# sh firewall.sh+root@clientN:~# sh firewall.sh
 </​code>​ </​code>​
  
 === Просмотр правил фильтра === === Просмотр правил фильтра ===
 <​code>​ <​code>​
-root@gate:~# iptables -t filter -n -L -v --line-numbers+# iptables -t filter -n -L -v --line-numbers
 или или
-root@gate:~# iptables -n -L -v --line-numbers+# iptables -n -L -v --line-numbers
 </​code>​ </​code>​
  
Line 36: Line 36:
  
 <​code>​ <​code>​
-# cat /​proc/​net/​ip_conntrack 
- 
 # apt install conntrack # apt install conntrack
  
Line 45: Line 43:
 === Сохранение состояния iptables === === Сохранение состояния iptables ===
 <​code>​ <​code>​
-root@gate:~# iptables-save > /​etc/​iptables.rules+# iptables-save > /​etc/​iptables.rules
 </​code>​ </​code>​
  
 === Восстановление состояния iptables === === Восстановление состояния iptables ===
 <​code>​ <​code>​
-root@gate:~# iptables-restore < /​etc/​iptables.rules+# iptables-restore < /​etc/​iptables.rules
 </​code>​ </​code>​
  
Line 57: Line 55:
 == Debian/​Ubuntu == == Debian/​Ubuntu ==
 <​code>​ <​code>​
-root@gate:~# cat /​etc/​network/​interfaces+# cat /​etc/​network/​interfaces
 </​code><​code>​ </​code><​code>​
 ... ...
Line 72: Line 70:
   * [[https://​bozza.ru/​art-259.html|Настройка firewalld CentOS 7 с примерами команд]]   * [[https://​bozza.ru/​art-259.html|Настройка firewalld CentOS 7 с примерами команд]]
   * [[https://​www.digitalocean.com/​community/​tutorials/​how-to-set-up-a-firewall-using-firewalld-on-centos-7|How To Set Up a Firewall Using FirewallD on CentOS 7]]   * [[https://​www.digitalocean.com/​community/​tutorials/​how-to-set-up-a-firewall-using-firewalld-on-centos-7|How To Set Up a Firewall Using FirewallD on CentOS 7]]
 +  * [[https://​www.linuxjournal.com/​content/​understanding-firewalld-multi-zone-configurations|Understanding Firewalld in Multi-Zone Configurations]]
  
 <​code>​ <​code>​
Line 79: Line 78:
  
 # firewall-cmd --get-active-zones # firewall-cmd --get-active-zones
 +!!! даже, если пусто, похоже,​ в этом случае используется public
  
-# firewall-cmd --zone=public ​--list-all+# firewall-cmd --get-zone-of-interface=enp0s3 
 +no zone   ​!!!похоже,​ в этом случае используется public
  
-# # firewall-cmd --change-interface=enp0s3 --zone=drop+firewall-cmd --list-all 
 + 
 +# firewall-cmd --change-interface=enp0s3 --zone=public
  
 # firewall-cmd --get-services | tr " " "​\n"​ # firewall-cmd --get-services | tr " " "​\n"​
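Review bot: The added annotation `no zone   !!!похоже, в этом случае используется public` records a guess where a check would do: an interface with no explicit binding falls under firewalld's default zone, which is public only until someone changes it, so the right follow-up after `--get-zone-of-interface=enp0s3` is `# firewall-cmd --get-default-zone` and the comment can state the fact instead of "похоже". The new `firewall-cmd --list-all` line likewise reports the default zone when no `--zone=` is given, which is worth saying in a short comment next to it. Also worth a comment: `--change-interface=enp0s3 --zone=public` without `--permanent` is a runtime change that a later `--reload` discards, so the reader should know it must be followed by `--runtime-to-permanent` to survive.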
Line 88: Line 91:
 # less /​usr/​lib/​firewalld/​services/​sip.xml # less /​usr/​lib/​firewalld/​services/​sip.xml
  
-# firewall-cmd --zone=public --add-service=http+server# firewall-cmd --zone=public --add-service=http 
 +server# firewall-cmd --zone=public --remove-service=http
  
-# firewall-cmd --zone=public --remove-service=http+gate# firewall-cmd --zone=public --add-port=2222/​tcp 
 +gate# firewall-cmd --zone=public --remove-port=2222/tcp
  
-# firewall-cmd --zone=public ​--add-port=2222/tcp+server# firewall-cmd --zone=internal ​--add-source 192.168.X.0/24 
 +server# firewall-cmd --get-active-zones 
 +server# firewall-cmd --zone=internal --list-all
  
-# firewall-cmd --zone=public --remove-port=2222/​tcp +server# firewall-cmd --zone=internal --add-service=smtp
- +
-# firewall-cmd --zone=internal --add-source 192.168.X.0/​24 +
-# firewall-cmd --get-active-zones +
-# firewall-cmd --zone=internal --list-all +
- +
-# firewall-cmd --zone=internal --add-service=smtp+
  
 # firewall-cmd --runtime-to-permanent # firewall-cmd --runtime-to-permanent
-  или+  или, возвращаем исходное состояние
 # firewall-cmd --reload # firewall-cmd --reload
  
Line 117: Line 118:
 # service iptables stop # service iptables stop
 </​code>​ </​code>​
- 
 ==== FreeBSD (PF) ==== ==== FreeBSD (PF) ====
  
Line 165: Line 165:
 iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 53 -j ACCEPT iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 53 -j ACCEPT
 #iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j REJECT #iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j REJECT
-iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j ACCEPT +#iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j ACCEPT 
-iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport ​80 -j ACCEPT+iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport ​465 -j ACCEPT 
 +iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 587 -j ACCEPT
 iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 143 -j ACCEPT iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 143 -j ACCEPT
-#iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport ​5006 -j ACCEPT+iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 80 -j ACCEPT 
 +iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 5222 -j ACCEPT 
 + 
 +#iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport ​5060 -j ACCEPT
 #iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 4569 -j ACCEPT #iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 4569 -j ACCEPT
 #iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 10000:20000 -j ACCEPT #iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 10000:20000 -j ACCEPT
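Review bot: The new forwarding lines for 465, 587, 80 and 5222 carry no comment saying what is being exposed, and a rule list that opens ports to a LAN host is exactly the place a reader needs that; I would annotate each line, e.g. `# 465/587 — SMTP submission (SMTPS / STARTTLS)`, `# 143 — IMAP`, `# 5222 — XMPP client-to-server`, and `# 5060 — SIP (was mistyped as 5006)` on the fixed-but-still-commented UDP line. The hunk also leaves both the REJECT and the ACCEPT for `--dport 25` commented out, so inbound SMTP to 192.168.X.10 is no longer forwarded by anything visible here — if that is intentional a one-line comment should say so, since a mail server behind this gateway would otherwise silently stop receiving mail (assuming no rule outside the hunk covers it). The firewall.sh script these lines belong to starts and ends outside the hunk.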
Line 289: Line 293:
 </​code><​code>​ </​code><​code>​
 ... ...
-iptables -A FORWARD ​-j LOG --log-prefix "​iptables denied: " --log-level 7 +iptables -A ... -j LOG --log-prefix "​iptables denied: " --log-level 7 
- +iptables -A ... -j DROP
-iptables -A FORWARD ​-j DROP+
 </​code><​code>​ </​code><​code>​
 root@gate:​~#​ sh firewall.sh root@gate:​~#​ sh firewall.sh
Line 385: Line 388:
 </​code><​code>​ </​code><​code>​
 iptables --flush iptables --flush
- 
-#### for brute force #### 
-iptables -I FORWARD -p tcp --dport 22 -i eth1 -m conntrack --ctstate NEW -m recent --set 
-iptables -I FORWARD -p tcp --dport 22 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP 
 ... ...
 +iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j LOG
 +iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
 +iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --set
 +...
 +</​code><​code>​
 +root@gate:​~#​ tail -f /​var/​log/​syslog
 +
 +root@gate:​~#​ cat /​proc/​net/​xt_recent/​DEFAULT
 +
 +root@gate:​~#​ echo -10.5.7.1 >/​proc/​net/​xt_recent/​DEFAULT
 +
 +root@gate:​~#​ echo / >/​proc/​net/​xt_recent/​DEFAULT
 </​code>​ </​code>​
 +
 ==== FreeBSD (pf) ==== ==== FreeBSD (pf) ====
  
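Review bot: The three port-80 rules reuse the `--seconds 60 --hitcount 4` threshold from the removed SSH brute-force rules, but a browser routinely opens more than four new TCP connections to a web server within a minute, so this will log and then drop ordinary visitors rather than only abusive ones; either raise `--hitcount` substantially or comment the lines as a deliberately low demo threshold so nobody copies them into production. The LOG rule also has no `--log-prefix`, so its lines in `/var/log/syslog` cannot be told apart from the generic denied-traffic log shown elsewhere on the page; I would change it to `... -m recent --update --seconds 60 --hitcount 4 -j LOG --log-prefix "http limit: "`. The `/proc/net/xt_recent/DEFAULT` lines are correct because no `--name` is given, which deserves a comment (`# list name is DEFAULT because --name was not set`), and the script around these rules starts and ends outside the hunk.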
Line 428: Line 440:
 [gate:~] # pfctl -vs state [gate:~] # pfctl -vs state
  
-[gate:~] # pkg_add ​-r pftop+[gate:~] # pfctl -F states
  
-[gate:~] # rehash+[gate:~] # pkg install pftop
  
 [gate:~] # pftop [gate:~] # pftop
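Review bot: `pfctl -F states` is added without any note that it flushes the whole state table: every connection currently tracked by pf loses its state and, with the usual stateful pass rules, its remaining packets are dropped — which presumably includes the administrator's own session to the gateway if it passes through a stateful rule. A comment such as `# flushes ALL tracked connections, not just a stale one — expect sessions through the firewall to reset` would stop a reader from running it casually on a live box. The following `pkg install pftop` line is a straightforward replacement of the old pkg_add and needs nothing.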