This shows you the differences between two versions of the page.
сервис_firewall [2020/09/03 08:43] val [Debian/Ubuntu (iptables)] |
сервис_firewall [2021/12/23 16:34] val |
Line 8: | Line 8: | ||
==== Linux (iptables) ==== | ==== Linux (iptables) ==== | ||
- | * [[https://help.ubuntu.com/community/IptablesHowTo]] | + | * [[https://cryptoworld.su/kak-perejti-s-iptables-na-nftables-polnaya-istrukciya/|Как перейти с iptables на Nftables — полная инструкция]] |
- | * [[http://ru.wikibooks.org/wiki/Iptables]] | + | * [[https://help.ubuntu.com/community/IptablesHowTo|ubuntu.com community IptablesHowTo]] |
- | * [[https://ru.wikipedia.org/wiki/Netfilter]] | + | * [[https://ru.wikibooks.org/wiki/Iptables|Материал из Викиучебника iptables — утилита командной строки]] |
+ | * [[https://ru.wikipedia.org/wiki/Netfilter|Материал из Википедии netfilter — межсетевой экран]] | ||
=== Настройка фильтра === | === Настройка фильтра === | ||
<code> | <code> | ||
- | root@gate:~# cat firewall.sh | + | root@clientN:~# cat firewall.sh |
</code><code> | </code><code> | ||
iptables --flush | iptables --flush | ||
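Review bot: the reference list now opens with an iptables-to-nftables migration guide while the heading at the top of this hunk still reads `==== Linux (iptables) ====` and every command below it uses `iptables`; either mention nftables in the heading or mark that first link as further reading so the reader does not expect nft syntax in the examples that follow. Giving the remaining links descriptive titles instead of bare URLs is a clear improvement.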
Line 21: | Line 22: | ||
iptables -A INPUT -j DROP | iptables -A INPUT -j DROP | ||
</code><code> | </code><code> | ||
- | root@gate:~# sh firewall.sh | + | root@clientN:~# sh firewall.sh |
</code> | </code> | ||
=== Просмотр правил фильтра === | === Просмотр правил фильтра === | ||
<code> | <code> | ||
- | root@gate:~# iptables -t filter -n -L -v --line-numbers | + | # iptables -t filter -n -L -v --line-numbers |
или | или | ||
- | root@gate:~# iptables -n -L -v --line-numbers | + | # iptables -n -L -v --line-numbers |
+ | </code> | ||
+ | === Удаление правил фильтра === | ||
+ | <code> | ||
+ | iptables -t ТАБЛИЦА -D ЦЕПОЧКА НОМЕР_ПРАВИЛА | ||
</code> | </code> | ||
- | |||
=== Работа с таблицей состояний === | === Работа с таблицей состояний === | ||
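Review bot: the new `iptables -t ТАБЛИЦА -D ЦЕПОЧКА НОМЕР_ПРАВИЛА` template does not say where the rule number comes from or give a concrete case; state that it is the index printed by the `--line-numbers` listing immediately above (for example `iptables -t filter -D INPUT 3`), and that the remaining rules are renumbered after each deletion, so either re-list between deletions or delete from the highest number down. The `-D` form that repeats the full rule specification avoids the renumbering problem entirely and is worth mentioning as the alternative.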
Line 43: | Line 47: | ||
=== Сохранение состояния iptables === | === Сохранение состояния iptables === | ||
<code> | <code> | ||
- | root@gate:~# iptables-save > /etc/iptables.rules | + | # iptables-save > /etc/iptables.rules |
</code> | </code> | ||
=== Восстановление состояния iptables === | === Восстановление состояния iptables === | ||
<code> | <code> | ||
- | root@gate:~# iptables-restore < /etc/iptables.rules | + | # iptables-restore < /etc/iptables.rules |
</code> | </code> | ||
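Review bot: replacing the `root@gate:~#` prompt with a bare `#` in the save and restore commands loses the information about which machine the commands run on, and the filter section earlier in this diff now uses `root@clientN:~#`; since the page covers both a gate and clientN, keep the hostname in the prompt (or state it once above the block) so a reader does not restore the client rule set onto the gate from the same `/etc/iptables.rules` path, or vice versa.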
Line 55: | Line 59: | ||
== Debian/Ubuntu == | == Debian/Ubuntu == | ||
<code> | <code> | ||
- | root@gate:~# cat /etc/network/interfaces | + | # cat /etc/network/interfaces |
</code><code> | </code><code> | ||
... | ... | ||
Line 166: | Line 170: | ||
#iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j REJECT | #iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j REJECT | ||
#iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j ACCEPT | #iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j ACCEPT | ||
- | iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 465 -j ACCEPT | + | #iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 465 -j ACCEPT |
- | iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 587 -j ACCEPT | + | #iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 587 -j ACCEPT |
+ | #iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 143 -j ACCEPT | ||
iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 80 -j ACCEPT | iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 80 -j ACCEPT | ||
- | iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 143 -j ACCEPT | + | iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 5222 -j ACCEPT |
#iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 5060 -j ACCEPT | #iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 5060 -j ACCEPT | ||
#iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 4569 -j ACCEPT | #iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 4569 -j ACCEPT | ||
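Review bot: this hunk enables a new forwarded port (`--dport 5222` to 192.168.X.10) as an active ACCEPT while the 465, 587 and 143 rules are commented out, and the FORWARD block carries no comments saying which service each port belongs to; add a short comment above the 5222 line naming the service that listens there (5222 is the conventional XMPP client-to-server port) and confirming that host actually runs it, because every uncommented ACCEPT in this block widens what eth1 clients can reach on 192.168.X.10. Keeping the disabled mail rules as commented lines is fine, but a note on why they were turned off would help the next editor.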
Line 187: | Line 193: | ||
conntrack -F | conntrack -F | ||
</code><code> | </code><code> | ||
+ | root@gate:~# apt install conntrack | ||
+ | |||
root@gate:~# sh firewall.sh | root@gate:~# sh firewall.sh | ||
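Review bot: the added `apt install conntrack` correctly precedes the first `sh firewall.sh`, which the script needs because it ends with `conntrack -F`, but the blank line between the two commands hides that dependency; add a one-line comment that the package is a prerequisite of the script. Worth noting as well that `conntrack -F` discards every tracked state on each run, so existing sessions through the gate are re-evaluated as new traffic against the freshly loaded rules; the script should not be re-run casually on a live gateway.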
Line 420: | Line 428: | ||
# pfctl -t fail2ban -T add 172.16.1.254 | # pfctl -t fail2ban -T add 172.16.1.254 | ||
+ | # pfctl -k 172.16.1.254 | ||
# pfctl -t fail2ban -T flush | # pfctl -t fail2ban -T flush | ||
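Review bot: the added `pfctl -k 172.16.1.254` is the right complement to the table insert, since adding an address to the fail2ban table only affects packets evaluated from then on and already established states keep passing; document that the single `-k host` form kills only states originating from that host, while states towards it need the two-argument form `pfctl -k 0.0.0.0/0 -k 172.16.1.254` that appears later in this diff. Also make clear that the `-T flush` on the next line empties the whole table, so the three lines are separate examples rather than a sequence to run in order.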
Line 437: | Line 446: | ||
<code> | <code> | ||
[gate:~] # pfctl -vs state | [gate:~] # pfctl -vs state | ||
+ | |||
+ | [gate:~] # pfctl -k 0.0.0.0/0 -k 172.16.1.254 | ||
[gate:~] # pfctl -F states | [gate:~] # pfctl -F states |
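Review bot: `pfctl -k 0.0.0.0/0 -k 172.16.1.254` kills the states whose destination is 172.16.1.254 (any source to that host), the opposite direction from the single-argument `pfctl -k 172.16.1.254` added in the fail2ban section above; a one-line comment saying which direction each form covers, and that both are needed to clear every state involving the host, would stop a reader from assuming the two commands are equivalent. Placing it between `pfctl -vs state` and `pfctl -F states` reads well: list, kill the targeted states, then the full flush as the blunt alternative.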