root@clientN:~# cat firewall.sh
# Host firewall for the client: allow loopback and the replies to connections
# this host opened itself, drop every other inbound packet.  Run as root with
# "sh firewall.sh"; the rule order matters because iptables stops at the first
# terminating match.
# --flush only removes the rules of the filter table; it does not change the
# chain policies (the script never calls -P), so the final "-j DROP" rule below
# is what actually closes the host, not the policy.
iptables --flush
# Loopback stays fully open: local services talk to each other over lo.
iptables -A INPUT -i lo -j ACCEPT
# Packets that belong to (or are related to) a connection already in the
# conntrack table are accepted - this is what lets outbound connections
# receive their replies.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Everything else inbound (new connections, ICMP echo requests, ...) is dropped
# silently; a client that is only a consumer of network services needs nothing more.
# NOTE(review): only IPv4 is filtered here - ip6tables is not touched by this script.
iptables -A INPUT -j DROP
root@clientN:~# sh firewall.sh
# iptables -t filter -n -L -v --line-numbers
или
# iptables -n -L -v --line-numbers
iptables -t ТАБЛИЦА -D ЦЕПОЧКА НОМЕР_ПРАВИЛА
http://conntrack-tools.netfilter.org/conntrack.html
# apt install conntrack
# conntrack -L
root@gate:~# iptables-save > /etc/iptables.rules
root@gate:~# iptables-restore < /etc/iptables.rules
root@gate:~# cat /etc/network/interfaces
...
auto eth1
iface eth1 inet static
    pre-up iptables-restore < /etc/iptables.rules
...
# apt install iptables-persistent
# netfilter-persistent save
# systemctl status firewalld
# firewall-cmd --get-zones | tr " " "\n"
# firewall-cmd --get-active-zones
!!! даже, если пусто, похоже, в этом случае используется public
# firewall-cmd --get-zone-of-interface=enp0s3
no zone
!!! похоже, в этом случае используется public
# firewall-cmd --list-all
# firewall-cmd --change-interface=enp0s3 --zone=public
# firewall-cmd --get-services | tr " " "\n"
# less /usr/lib/firewalld/services/sip.xml
server# firewall-cmd --zone=public --add-service=http
server# firewall-cmd --zone=public --remove-service=http
gate# firewall-cmd --zone=public --add-port=2222/tcp
gate# firewall-cmd --zone=public --remove-port=2222/tcp
server# firewall-cmd --zone=internal --add-source 192.168.X.0/24
server# firewall-cmd --get-active-zones
server# firewall-cmd --zone=internal --list-all
server# firewall-cmd --zone=internal --add-service=smtp
# firewall-cmd --runtime-to-permanent
или, возвращаем исходное состояние
# firewall-cmd --reload
# systemctl stop firewalld
# service iptables save
# cat /etc/sysconfig/iptables
# service iptables stop
[gate:~] # cat /etc/pf.conf
# Minimal stateful host policy: loopback is not filtered at all, every inbound
# packet is blocked, outbound connections are allowed and their replies come
# back in through the state table ("keep state") rather than through a rule.
set skip on lo0
block in all
pass out inet all keep state
[gate:~] # cat /etc/rc.conf
... pf_enable=yes
[gate:~] # /etc/rc.d/pf check
[gate:~] # /etc/rc.d/pf start
[gate:~] # /etc/rc.d/pf reload
[gate:~] # pfctl -s rules
[gate:~] # pfctl -vs rules
[gate:~] # pfctl -vs state
[gate:~] # pfctl -F state
root@gate:~# cat firewall.sh
# Forwarding policy of the gateway (run as root: sh firewall.sh).  Rules are
# evaluated top to bottom and the first terminating match wins, so the explicit
# ACCEPTs come first and the catch-all DROP last.  Only traffic arriving on eth1
# (the outside) towards 192.168.X.10 is filtered per port; the internal network
# on eth0 may open anything.
# --flush clears the rules of the filter table only; chain policies are untouched.
iptables --flush
# Services on 192.168.X.10 reachable from the outside: SSH and DNS (tcp+udp).
iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 22 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 53 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 53 -j ACCEPT
# Mail (SMTP 25/465/587, IMAP 143): REJECT answers the client with an error at
# once, ACCEPT opens the port - enable one of the two 25 lines, not both.
#iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j REJECT
#iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 25 -j ACCEPT
#iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 465 -j ACCEPT
#iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 587 -j ACCEPT
#iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 143 -j ACCEPT
# HTTP and 5222 (XMPP client port).
iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -d 192.168.X.10 --dport 5222 -j ACCEPT
# Asterisk: SIP signalling, IAX2 and the RTP media range - off until needed.
#iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 5060 -j ACCEPT
#iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 4569 -j ACCEPT
#iptables -A FORWARD -i eth1 -p udp -d 192.168.X.10 --dport 10000:20000 -j ACCEPT
# Outbound restrictions for the internal networks (currently disabled): no
# direct SMTP from the LAN, no web from the 192.168.100+X.0/24 network.
#iptables -A FORWARD -i eth0 -p tcp --dport 25 -j REJECT
#iptables -A FORWARD -s 192.168.100+X.0/24 -p tcp --dport 80 -j REJECT
#iptables -A FORWARD -s 192.168.100+X.0/24 -p tcp --dport 443 -j REJECT
# The internal LAN may initiate anything.  The -s match also means a packet that
# enters on eth0 with a foreign source address falls through to the final DROP.
iptables -A FORWARD -i eth0 -s 192.168.X.0/24 -j ACCEPT
#iptables -A FORWARD -s 192.168.100+X.0/24 -j ACCEPT
# Replies and related packets (e.g. FTP data, cf. nf_conntrack_ftp in
# /etc/modules) of every accepted flow.
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Default: drop.  This is a rule, not a chain policy, so --flush removes it too.
iptables -A FORWARD -j DROP
# Empty the conntrack table so flows that were accepted under the previous
# rules are re-evaluated instead of slipping through via RELATED,ESTABLISHED.
conntrack -F
root@gate:~# apt install conntrack
root@gate:~# sh firewall.sh
root@gate:~# iptables-save > /etc/iptables.rules
root@gate:~# cat /etc/modules
... nf_conntrack_ftp
...
# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o eth1 -j ACCEPT
# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
...
[gate:~] # cat /etc/pf.conf
# Gateway ruleset.  Macros come first; pf evaluates filter rules top to bottom
# and the LAST matching rule wins (unless it says "quick"), so the specific
# "pass in" lines at the bottom override the "block in all" above them.
corp_net="192.168.X/24"
#pppoe_corp_net="192.168.100+X/24"
# All services live on the same host, hence identical values.
ssh_server="192.168.X.10"
dns_server="192.168.X.10"
www_server="192.168.X.10"
mail_server="192.168.X.10"
asterisk_server="192.168.X.10"
set skip on lo0
block in all
# SMTP blocking (disabled): the first line refuses delivery to the mail server,
# the second stops corp hosts from sending mail directly to the outside.
# "quick" ends evaluation at that rule, "return" sends a TCP RST instead of
# silently dropping.
#block return in quick inet proto tcp from any to $mail_server port 25
#block return out quick inet proto tcp from $corp_net to !$corp_net port 25
# NOTE(review): an interface name in the address position expands to that
# interface's own addresses, so this admits ANY inbound packet addressed to the
# gateway itself on em0/em1 - the gate host is not protected by this ruleset.
pass in inet from any to {em0,em1}
# The corporate network may go anywhere.
pass in inet from $corp_net to any
#pass in inet from $dns_server to any
#pass in inet from $pppoe_corp_net to any
pass out inet all keep state
# Services on 192.168.X.10 reachable from anywhere.
pass in inet proto tcp from any to $ssh_server port 22
pass in inet proto tcp from any to $mail_server port 25
pass in inet proto {udp,tcp} from any to $dns_server port 53
pass in inet proto tcp from any to $www_server port 80
pass in inet proto tcp from any to $mail_server port 143
# Asterisk (SIP, RTP media range, IAX2) - commented out until needed.
# NOTE(review): "5006" here vs "5060" in the iptables firewall.sh above - looks
# like a transposition (SIP is 5060); confirm before enabling.
#pass in inet proto udp from any to $asterisk_server port 5006
#pass in inet proto udp from any to $asterisk_server port 10000:20000
#pass in inet proto udp from any to $asterisk_server port 4569
[gate:~] # /etc/rc.d/pf check
[gate:~] # /etc/rc.d/pf reload
# cat /etc/ipfw.rules
# Stateful ipfw ruleset.  Rules get numbers in the order they are added and the
# first match wins: consult the dynamic state table first, let the
# 192.168.X.0/24 LAN open anything (keep-state records the flow), then publish
# a few ports on 192.168.X.10.
ipfw -q -f flush
# Packets matching an existing dynamic rule are handled here and never reach
# the static rules below.
ipfw -q add check-state
# Fragments are dropped outright.
ipfw -q add deny all from any to any frag
# A TCP segment with ACK/RST set that did not match a dynamic rule belongs to
# no accepted connection: without state, "established" alone proves nothing.
ipfw -q add deny tcp from any to any established
# LAN-initiated traffic: "setup" restricts the TCP rule to connection openers
# (SYN without ACK); keep-state creates the dynamic rule for the replies.
ipfw -q add allow tcp from 192.168.X.0/24 to any setup keep-state
ipfw -q add allow udp from 192.168.X.0/24 to any keep-state
ipfw -q add allow icmp from 192.168.X.0/24 to any keep-state
#ipfw -q add allow tcp from any to 192.168.X.10 22 keep-state
# NOTE(review): "22-80" is a port RANGE (22 through 80 inclusive), not
# "22 and 80" - every port in between is exposed as well.
ipfw -q add allow tcp from any to 192.168.X.10 22-80 keep-state
#ipfw -q add allow udp from any to 192.168.X.10 53 keep-state
#ipfw -q add allow ip from any to 192.168.X.10 keep-state
# cat /etc/ipfw.rules
# Stateless variant of the ruleset: no keep-state anywhere, so every reply has
# to be admitted by a static rule, which is necessarily broader than the
# stateful version above.
ipfw -q -f flush
# The LAN may send anything.
ipfw -q add allow ip from 192.168.X.0/24 to any
# TCP replies: only segments with ACK (or RST) set - "established" - come back in.
ipfw -q add allow tcp from any to 192.168.X.0/24 established
# UDP has no "established"; replies are approximated by port ranges.  This
# also admits any unsolicited UDP packet between two unprivileged ports.
ipfw -q add allow udp from any 1024-65535 to any 1024-65535
# DNS answers from port 53 to a client port.
ipfw -q add allow udp from any 53 to any 1024-65535
ipfw -q add allow icmp from any to any
# Published services on 192.168.X.10: ports 22 through 23 (range) and DNS.
ipfw -q add allow tcp from any to 192.168.X.10 22-23
ipfw -q add allow udp from any to 192.168.X.10 53
root@gate:~# cat firewall.sh
# Log-then-drop pattern.  LOG is a non-terminating target: the packet continues
# down the chain after being logged, so the same chain and match ("..." stands
# for them) must be repeated on a following DROP rule.  --log-level 7 is debug;
# the prefix is what to grep for in /var/log/syslog.
# NOTE(review): there is no "-m limit" on the LOG rule, so a flood of dropped
# packets is logged at full rate.
...
iptables -A ... -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A ... -j DROP
root@gate:~# sh firewall.sh
root@gate:~# iptables-save > /etc/iptables.rules
root@gate:~# tail -f /var/log/syslog
[gate:~] # cat /etc/rc.conf
... pflog_enable="YES"
[gate:~] # /etc/rc.d/pflog start
[gate:~] # ifconfig
[gate:~] # cat /etc/pf.conf
... block in log all
[gate:~] # /etc/rc.d/pf check
[gate:~] # /etc/rc.d/pf reload
[gate:~] # tcpdump -n -i pflog0
[gate:~] # tcpdump -n -r /var/log/pflog
root@gate:~# cat firewall.sh
# Three-legged gateway with an OpenVPN tunnel (run as root: sh firewall.sh).
# Forwarding between eth0 and eth1 is open in both directions with no port
# filtering, anything entering on eth2 or on a tun* interface may be forwarded,
# everything else forwarded is dropped.
# eth2 is presumably the LAN (compare "block out from any to $lan_net" in the
# pf variant of this setup) - confirm against the lab topology.
iptables --flush
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# No -o restriction: traffic entering on eth2 may leave through any interface.
iptables -A FORWARD -i eth2 -j ACCEPT
#### for openvpn ####
# "tun+" is an interface wildcard: tun0, tun1, ... all match.
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The gateway's own replies (including those leaving via eth2) are allowed ...
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j DROP
# ... but the gateway itself may not open new connections towards eth2.
# Note that only OUTPUT on eth2 is restricted; INPUT is not touched by this script.
iptables -A OUTPUT -o eth2 -j DROP
root@gate:~# sh firewall.sh
root@gate:~# iptables-save > /etc/iptables.rules
[gate:~] # cat /etc/pf.conf
# Three-network gateway: LAN (NATed behind em1), DMZ and the VPN networks.
# Last matching rule wins unless "quick" is used.
lan_net="192.168.100+X/24"
dmz_net="192.168.X/24"
vpn_nets="{ 192.168.200+X/24, 192.168.100+Y/24}"
# Hide the LAN behind em1's address; "(em1)" is re-read when the address
# changes.  On FreeBSD's pf, translation rules have to precede filter rules.
nat on em1 from $lan_net to any -> (em1)
block in all
pass out inet all keep state
# Overrides "pass out inet all" for packets leaving towards the LAN (last match
# wins); the commented line would re-open that direction for the VPN networks.
block out from any to $lan_net
#pass out from $vpn_nets to $lan_net
# NOTE(review): interface names here expand to the gateway's own addresses, so
# any inbound packet addressed to the gate itself passes - the host is unfiltered.
pass in inet from any to {em0,em1,em2}
# Anyone may reach the DMZ; the DMZ may reach anything except the LAN;
# the LAN is unrestricted; the VPN networks are explicitly allowed into the LAN.
pass in inet from any to $dmz_net
pass in inet from $dmz_net to !$lan_net
pass in inet from $lan_net to any
pass in inet from $vpn_nets to $lan_net
root@gate:~# cat firewall.sh
# Rate limiting of new HTTP connections from the outside (eth1) with the
# "recent" match (list DEFAULT, visible in /proc/net/xt_recent/DEFAULT).
# The three rules must stay in this order: the two --update rules only fire
# for a source that already has 4 or more hits within the last 60 s; the --set
# rule then records the current packet for every new connection that got past
# them.  "..." stands for the rest of the rule set.
iptables --flush
...
# 4th and later new connection within 60 s from the same source: log it ...
iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j LOG
# ... and drop it.  --update also refreshes the "last seen" timestamp on a
# match, so a client that keeps retrying keeps the block alive until it has
# been quiet for 60 s.
iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
# Record the source address of every new connection that was not dropped above.
iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --set
...
root@gate:~# tail -f /var/log/syslog
root@gate:~# cat /proc/net/xt_recent/DEFAULT
root@gate:~# echo -10.5.7.1 >/proc/net/xt_recent/DEFAULT
root@gate:~# echo / >/proc/net/xt_recent/DEFAULT
http://www.opennet.ru/base/sec/bruteforce_pf.txt.html
gate# cat /etc/pf.conf
# SSH brute-force protection: a source that opens more than 4 connections to
# port 22 within 60 s is put into the <fail2ban> table and all of its existing
# states are flushed.  "quick" on the block makes the table check final, so a
# listed address never reaches the pass rule.  "persist" keeps the table even
# while it is empty.  Entries are not aged out by this ruleset - remove them
# with pfctl -t fail2ban -T delete / -T flush.
table <fail2ban> persist
block in quick from <fail2ban>
pass in on em1 proto tcp to \
    port 22 flags S/SA keep state \
    (max-src-conn-rate 4/60, overload <fail2ban> flush)
# pfctl -t fail2ban -T show
# pfctl -t fail2ban -T delete 172.16.1.254
# pfctl -t fail2ban -T add 172.16.1.254
# pfctl -k 172.16.1.254
# pfctl -t fail2ban -T flush
root@gate:~# conntrack -L
root@gate:~# iptstate
root@gate:~# conntrack -F
[gate:~] # pfctl -vs state
[gate:~] # pfctl -k 0.0.0.0/0 -k 172.16.1.254
[gate:~] # pfctl -F states
[gate:~] # pkg install pftop
[gate:~] # pftop
# touch /etc/ipf.rules
# cat /etc/rc.conf
... ipfilter_enable=yes
# service ipfilter start
# ipfstat -hio