среда, 22 мая 2019 г.

Сервер strongswan ipsec + клиенты на Win10 и Ubuntu ч. 2: Настройка iptables на сервере

1. Перед настройкой IPtables запланировать перезагрузку через 10 минут, чтобы не потерять доступ, если что-то пойдет не так:

shutdown -t 10 -r

Отменить перезагрузку:
shutdown -c

2. Создаем скрипт для iptables (не забываем chmod 0740)
nano /usr/local/firewall/firewall_static.sh

3. Правила:
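#!/bin/sh
#
# IPv4 firewall for a strongSwan IPsec gateway.
#
# All chains default to DROP.  Accepted traffic is limited to: loopback,
# ESTABLISHED/RELATED flows, SSH from ALLOW_SSH, IKE/ESP/AH from ALLOW_VPN,
# all outgoing traffic on WAN, and forwarding of IPsec-protected packets
# from IPSEC_NET, which are masqueraded out of WAN.
#
# Must run as root.  Replace the <placeholders> before use.
# Re-running is safe: every table the script writes to is flushed first.

PATH='/sbin'                   # iptables binaries; nothing else is needed
ALLOW_SSH='<ip_addresses>'     # source address(es) allowed to reach sshd on WAN
ALLOW_VPN='<ip_addresses>'     # source address(es) allowed to initiate IKE/IPsec
WAN='<int_name>'               # internet-facing interface
IPSEC_NET='<network>'          # virtual IP pool assigned to VPN clients

# Flush previous rules, delete user chains and reset counters.
# The mangle table is flushed as well: the MSS clamping rules below are
# added with -I and would otherwise be duplicated on every run.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t mangle -F

# Default policies: anything not matched by a rule is dropped
iptables -P FORWARD DROP
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP

# Kernel settings: routing on for the VPN clients, basic IPv4 hardening.
# printf is used instead of 'echo -n', which is not portable under /bin/sh.
printf '1' > /proc/sys/net/ipv4/ip_forward
printf '0' > /proc/sys/net/ipv4/conf/all/accept_source_route
printf '0' > /proc/sys/net/ipv4/conf/all/accept_redirects
printf '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
printf '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Loopback traffic
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Stateful rules: from here on only NEW connections need explicit rules
iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop packets in an invalid conntrack state
iptables -A INPUT   -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT  -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

# SSH management, only from ALLOW_SSH
iptables -A INPUT -i "$WAN" -s "$ALLOW_SSH" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# All outgoing traffic to the internet
iptables -A OUTPUT -o "$WAN" -d 0.0.0.0/0 -j ACCEPT

# Incoming IKE (UDP 500), NAT-T (UDP 4500), ESP and AH, only from ALLOW_VPN.
# NOTE(review): the --sport match requires the client's source port to be
# 500/4500 too; a client behind a NAT that rewrites source ports would not
# match — confirm against the deployed clients before tightening further.
iptables -A INPUT -i "$WAN" -p esp -s "$ALLOW_VPN" -j ACCEPT
iptables -A INPUT -i "$WAN" -p ah  -s "$ALLOW_VPN" -j ACCEPT
iptables -A INPUT -i "$WAN" -p udp -m udp --sport 500  --dport 500  -s "$ALLOW_VPN" -j ACCEPT
iptables -A INPUT -i "$WAN" -p udp -m udp --sport 4500 --dport 4500 -s "$ALLOW_VPN" -j ACCEPT

# Clamp TCP MSS on SYNs crossing the tunnel so the ESP overhead does not
# cause fragmentation (1360 is the value chosen by the author of this setup)
iptables -t mangle -I FORWARD -p tcp -m policy --pol ipsec --dir in  --syn -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t mangle -I FORWARD -p tcp -m policy --pol ipsec --dir out --syn -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

# Forwarding for VPN clients: only packets that are IPsec-protected (ESP)
# and belong to the SA with reqid 1 are routed.
# NOTE(review): --reqid 1 ties these rules to a single connection
# configuration in strongSwan — verify it matches the configured reqid.
iptables -A FORWARD -s "$IPSEC_NET" -d 0.0.0.0/0 -i "$WAN" -m policy --dir in  --pol ipsec --reqid 1 --proto esp -j ACCEPT
iptables -A FORWARD -s "$IPSEC_NET" -d 0.0.0.0/0 -o "$WAN" -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT

# NAT for VPN users: traffic that will be IPsec-encapsulated on the way out
# is left untouched (ACCEPT), everything else from the pool is masqueraded.
iptables -t nat -A POSTROUTING -s "$IPSEC_NET" -o "$WAN" -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s "$IPSEC_NET" -o "$WAN" -j MASQUERADE

## LOGGING to /var/log/messages (uncomment to log everything that falls
## through to the DROP policies)
#iptables -A INPUT   -j LOG --log-level debug --log-prefix '[FW INPUT]:    '
#iptables -A OUTPUT  -j LOG --log-level debug --log-prefix '[FW OUTPUT]:   '
#iptables -A FORWARD -j LOG --log-level debug --log-prefix '[FW FORWARD ]: '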


4. Создаем также правила для ipv6 в файле /usr/local/firewall/ipv6_firewall.sh
(не забываем chmod 0740)
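#!/bin/sh
#
# IPv6 firewall for the same gateway.
#
# INPUT and FORWARD default to DROP; OUTPUT is left open.  Only loopback,
# ESTABLISHED/RELATED flows and ICMPv6 are accepted inbound.  Written to
# match the IPv4 script: same flush sequence and the conntrack match.
#
# Must run as root.  Re-running is safe: the filter table is flushed first.

PATH='/sbin'

# Flush previous rules, delete user chains and reset counters
ip6tables -F
ip6tables -X
ip6tables -Z

# Default policies
ip6tables -P INPUT   DROP    # anything not matched by a rule is dropped
ip6tables -P FORWARD DROP    # no routing of IPv6
ip6tables -P OUTPUT  ACCEPT  # outgoing traffic is not filtered

# Loopback and stateful rules
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP

# ICMPv6 is required for neighbour discovery and path MTU discovery.
# NOTE(review): this accepts every ICMPv6 type, not just the ones needed
# for NDP/PMTUD — consider restricting to the required types.
ip6tables -A INPUT -p icmpv6 -j ACCEPT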

5. Добавляем . /usr/local/firewall/firewall_static.sh и . /usr/local/firewall/ipv6_firewall.sh
в /etc/rc.local перед exit 0

6. Проверяем счетчики iptables
iptables -vL
iptables -t nat -L -n -v

7. Смотрим загрузку интерфейсов
iftop
