сервис_firewall [2018/10/23 09:01] val [CentOS] |
сервис_firewall [2020/11/12 11:35] val [Debian/Ubuntu (iptables)] |
Line 14: | Line 14: | ||
=== Настройка фильтра === | === Настройка фильтра === | ||
<code> | <code> | ||
- | root@gate:~# cat firewall.sh | + | root@clientN:~# cat firewall.sh |
</code><code> | </code><code> | ||
iptables --flush | iptables --flush | ||
Line 21: | Line 21: | ||
iptables -A INPUT -j DROP | iptables -A INPUT -j DROP | ||
</code><code> | </code><code> | ||
- | root@gate:~# sh firewall.sh | + | root@clientN:~# sh firewall.sh |
</code> | </code> | ||
=== Просмотр правил фильтра === | === Просмотр правил фильтра === | ||
<code> | <code> | ||
- | root@gate:~# iptables -t filter -n -L -v --line-numbers | + | # iptables -t filter -n -L -v --line-numbers |
или | или | ||
- | root@gate:~# iptables -n -L -v --line-numbers | + | # iptables -n -L -v --line-numbers |
</code> | </code> | ||
Line 36: | Line 36: | ||
<code> | <code> | ||
- | # cat /proc/net/ip_conntrack | ||
- | |||
# apt install conntrack | # apt install conntrack | ||
Line 45: | Line 43: | ||
=== Сохранение состояния iptables === | === Сохранение состояния iptables === | ||
<code> | <code> | ||
- | root@gate:~# iptables-save > /etc/iptables.rules | + | # iptables-save > /etc/iptables.rules |
</code> | </code> | ||
=== Восстановление состояния iptables === | === Восстановление состояния iptables === | ||
<code> | <code> | ||
- | root@gate:~# iptables-restore < /etc/iptables.rules | + | # iptables-restore < /etc/iptables.rules |
</code> | </code> | ||
Line 57: | Line 55: | ||
== Debian/Ubuntu == | == Debian/Ubuntu == | ||
<code> | <code> | ||
- | root@gate:~# cat /etc/network/interfaces | + | # cat /etc/network/interfaces |
</code><code> | </code><code> | ||
... | ... | ||
Line 72: | Line 70: | ||
* [[https://bozza.ru/art-259.html|Настройка firewalld CentOS 7 с примерами команд]] | * [[https://bozza.ru/art-259.html|Настройка firewalld CentOS 7 с примерами команд]] | ||
* [[https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7|How To Set Up a Firewall Using FirewallD on CentOS 7]] | * [[https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7|How To Set Up a Firewall Using FirewallD on CentOS 7]] | ||
+ | * [[https://www.linuxjournal.com/content/understanding-firewalld-multi-zone-configurations|Understanding Firewalld in Multi-Zone Configurations]] | ||
<code> | <code> | ||
Line 79: | Line 78: | ||
# firewall-cmd --get-active-zones | # firewall-cmd --get-active-zones | ||
+ | !!! даже, если пусто, похоже, в этом случае используется public | ||
- | # firewall-cmd --zone=public --list-all | + | # firewall-cmd --get-zone-of-interface=enp0s3 |
+ | no zone !!!похоже, в этом случае используется public | ||
- | # # firewall-cmd --change-interface=enp0s3 --zone=drop | + | # firewall-cmd --list-all |
+ | |||
+ | # firewall-cmd --change-interface=enp0s3 --zone=public | ||
# firewall-cmd --get-services | tr " " "\n" | # firewall-cmd --get-services | tr " " "\n" | ||
Line 88: | Line 91: | ||
# less /usr/lib/firewalld/services/sip.xml | # less /usr/lib/firewalld/services/sip.xml | ||
- | # firewall-cmd --zone=public --add-service=http | + | server# firewall-cmd --zone=public --add-service=http |
+ | server# firewall-cmd --zone=public --remove-service=http | ||
- | # firewall-cmd --zone=public --remove-service=http | + | gate# firewall-cmd --zone=public --add-port=2222/tcp |
+ | gate# firewall-cmd --zone=public --remove-port=2222/tcp | ||
- | # firewall-cmd --zone=public --add-port=2222/tcp | + | server# firewall-cmd --zone=internal --add-source 192.168.X.0/24 |
+ | server# firewall-cmd --get-active-zones | ||
+ | server# firewall-cmd --zone=internal --list-all | ||
- | # firewall-cmd --zone=public --remove-port=2222/tcp | + | server# firewall-cmd --zone=internal --add-service=smtp |
- | + | ||
- | # firewall-cmd --zone=internal --add-source 192.168.X.0/24 | + | |
- | # firewall-cmd --get-active-zones | + | |
- | # firewall-cmd --zone=internal --list-all | + | |
- | + | ||
- | # firewall-cmd --zone=internal --add-service=smtp | + | |
# firewall-cmd --runtime-to-permanent | # firewall-cmd --runtime-to-permanent | ||
- | или | + | или, возвращаем исходное состояние |
# firewall-cmd --reload | # firewall-cmd --reload | ||
Line 117: | Line 118: | ||
# service iptables stop | # service iptables stop | ||
</code> | </code> | ||
- | |||
==== FreeBSD (PF) ==== | ==== FreeBSD (PF) ==== | ||
Line 165: | Line 165: | ||
iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 53 -j ACCEPT | iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 53 -j ACCEPT | ||
#iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j REJECT | #iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j REJECT | ||
- | iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j ACCEPT | + | #iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j ACCEPT |
- | iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 80 -j ACCEPT | + | iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 465 -j ACCEPT |
+ | iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 587 -j ACCEPT | ||
iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 143 -j ACCEPT | iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 143 -j ACCEPT | ||
- | #iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 5006 -j ACCEPT | + | iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 80 -j ACCEPT |
+ | iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 5222 -j ACCEPT | ||
+ | |||
+ | #iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 5060 -j ACCEPT | ||
#iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 4569 -j ACCEPT | #iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 4569 -j ACCEPT | ||
#iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 10000:20000 -j ACCEPT | #iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 10000:20000 -j ACCEPT | ||
Line 289: | Line 293: | ||
</code><code> | </code><code> | ||
... | ... | ||
- | iptables -A FORWARD -j LOG --log-prefix "iptables denied: " --log-level 7 | + | iptables -A ... -j LOG --log-prefix "iptables denied: " --log-level 7 |
- | + | iptables -A ... -j DROP | |
- | iptables -A FORWARD -j DROP | + | |
</code><code> | </code><code> | ||
root@gate:~# sh firewall.sh | root@gate:~# sh firewall.sh | ||
Line 385: | Line 388: | ||
</code><code> | </code><code> | ||
iptables --flush | iptables --flush | ||
- | |||
- | #### for brute force #### | ||
- | iptables -I FORWARD -p tcp --dport 22 -i eth1 -m conntrack --ctstate NEW -m recent --set | ||
- | iptables -I FORWARD -p tcp --dport 22 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP | ||
... | ... | ||
+ | iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j LOG | ||
+ | iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP | ||
+ | iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --set | ||
+ | ... | ||
+ | </code><code> | ||
+ | root@gate:~# tail -f /var/log/syslog | ||
+ | |||
+ | root@gate:~# cat /proc/net/xt_recent/DEFAULT | ||
+ | |||
+ | root@gate:~# echo -10.5.7.1 >/proc/net/xt_recent/DEFAULT | ||
+ | |||
+ | root@gate:~# echo / >/proc/net/xt_recent/DEFAULT | ||
</code> | </code> | ||
+ | |||
==== FreeBSD (pf) ==== | ==== FreeBSD (pf) ==== | ||
Line 428: | Line 440: | ||
[gate:~] # pfctl -vs state | [gate:~] # pfctl -vs state | ||
- | [gate:~] # pkg_add -r pftop | + | [gate:~] # pfctl -F states |
- | [gate:~] # rehash | + | [gate:~] # pkg install pftop |
[gate:~] # pftop | [gate:~] # pftop |
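Review bot: In the Line 385 hunk the new port-80 `-m recent` rules apply `--hitcount 4` within `--seconds 60` to every `--ctstate NEW` connection, a threshold an ordinary browser can exceed on a single page load (several parallel TCP connections to the same host), so legitimate clients would be logged and dropped; the removed lines applied the same threshold to port 22, where it is realistic, and the surrounding firewall.sh block continues outside the hunk. If HTTP flood protection is the intent the threshold needs to be much higher, otherwise the rules belong on administrative ports. The `-j LOG` rule in that hunk, like the `iptables -A ... -j LOG` line in the Line 289 hunk, has no rate limit, so a flood fills /var/log/syslog (which the new `tail -f /var/log/syslog` step then shows); I would write it as `iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -m limit --limit 5/min -j LOG`. Note also that `--update` in the DROP rule refreshes the source's last-seen timestamp on every hit, so a client that keeps retrying stays blocked indefinitely rather than for 60 seconds; `--rcheck` gives a fixed window if that is what the lab expects.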