 |
|
|
 |
 |
|
|
| | 1 | 2 | 3 | 4 | 5 |
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 | 31 | |
|
|
| |
|
 |
|
|
|
iptables ถึงเวลาต้องใช้ซะแล้ว
Thank you, Picture from => //linuxpoison.blogspot.com/2008/09/iptables-block-diagram.html
![](//1.bp.blogspot.com/_VN8zHqq8Ns8/SLepX1xMFkI/AAAAAAAABPM/V7-gN94R70U/s1600/fire_tables.png"<br)
อ่านเจอก็ดีเหมือนกัน
Credit //www.sns.ias.edu/~jns/files/iptables_ruleset
อีกที่ๆ ละเอียดดี //www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
ถ้าจะเปิดรับ รั่วๆ ไปเลย เอาไว้ทดสอบว่าถ้าไม่ผ่าน iptables แล้วมันใช้งานได้ไหม?
iptables -P INPUT ACCEPT
ต่อกันด้วยตัวอย่าง Firewall ที่มั่วเอง ลองดู
[root@pc ~]# cat /etc/Jenk_firewall
# iptables configuration file
# Flush all current rules from iptables
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
# Set default policies for INPUT, FORWARD and OUTPUT chains
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy FORWARD DROP
/sbin/iptables --policy OUTPUT ACCEPT
#Accept anything from myself
/sbin/iptables -A INPUT -i lo --jump ACCEPT
/sbin/iptables -A OUTPUT -o lo --jump ACCEPT
#Accept by Host/Network
/sbin/iptables -A INPUT -s 192.168.1.0/24 --jump ACCEPT
/sbin/iptables -A INPUT -s 11.22.33.44/32 --jump ACCEPT
#Block by Host/Network
/sbin/iptables -A INPUT -s 161.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 64.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 69.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 93.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 94.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 172.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 194.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 195.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 207.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 203.206.0.0/16 -j DROP
/sbin/iptables -A OUTPUT -d 161.0.0.0/8 -j DROP
/sbin/iptables -A OUTPUT -d 64.0.0.0/8 -j DROP
/sbin/iptables -A OUTPUT -d 69.0.0.0/8 -j DROP
/sbin/iptables -A OUTPUT -d 93.0.0.0/8 -j DROP
/sbin/iptables -A OUTPUT -d 94.0.0.0/8 -j DROP
/sbin/iptables -A OUTPUT -d 194.0.0.0/8 -j DROP
/sbin/iptables -A OUTPUT -d 195.0.0.0/8 -j DROP
/sbin/iptables -A OUTPUT -d 207.0.0.0/8 -j DROP
/sbin/iptables -A OUTPUT -d 203.206.0.0/16 -j DROP
/sbin/iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT -s 11.22.33.44/32 -p udp -m udp --dport 5060 -j ACCEPT
#Client from TRUE ADSL
/sbin/iptables -A INPUT -s 58.8.0.0/16 -p udp -m udp --dport 5060 -j ACCEPT
/sbin/iptables -A INPUT -s 58.9.0.0/16 -p udp -m udp --dport 5060 -j ACCEPT
# RTP - the media stream
/sbin/iptables -A INPUT -p udp -m udp --dport 6000:20000 -j ACCEPT
#Block UDP Port 1000-1600
/sbin/iptables -A INPUT -p udp --dport 1000:1600 -j DROP
# Allow myself to be a non-passive FTP client
#/sbin/iptables -A INPUT -p tcp --dport ftp-data --jump ACCEPT
# Do not allow a local user to connect to a remote Telnet
# server and thus give away login and password information:
/sbin/iptables -A OUTPUT -p tcp --dport telnet --jump DROP
/sbin/iptables -A INPUT -p tcp --dport 5099:9999 --jump DROP
/sbin/iptables -A OUTPUT -p tcp --dport 5099:9999 --jump DROP
# Accept packets belonging to established and related connections
#/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Protect DDOS
#/sbin/iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --syn -j DROP
#Protect Log Flood
/sbin/iptables -A INPUT -m limit --limit 10/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "Packet died: "
#TCP SSH port
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 203.11.22.0/24 --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 180.11.0.0/16 --dport 22 -j ACCEPT
#Protect SSH
/sbin/iptables -A INPUT -m recent --update --seconds 40 --hitcount 5 --name SSH --rsource -j DROP
/sbin/iptables -A INPUT -m recent --set --name SSH --rsource -j ACCEPT
#Service Mysql(Limit 3 IP)
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j DROP
/sbin/iptables -A OUTPUT -p tcp --dport mysql -j DROP
#ICMP(Ping) - Allow All IP
#/sbin/iptables -A INPUT -m state --state NEW -m tcp -p icmp --icmp-type any -j ACCEPT
# Drop 1,2,6,7,15 not match in tables packet(only RHEL)
#Accept all pinging client
/sbin/iptables -A INPUT -p ICMP --icmp-type any -j ACCEPT
# No Answer for all ICMP Error
/sbin/iptables -A INPUT -p ICMP --icmp-type 0 -j DROP
/sbin/iptables -A INPUT -p ICMP --icmp-type 3 -j DROP
/sbin/iptables -A INPUT -p ICMP --icmp-type 4 -j DROP
/sbin/iptables -A INPUT -p ICMP --icmp-type 5 -j DROP
/sbin/iptables -A INPUT -p ICMP --icmp-type 8 -j DROP
/sbin/iptables -A INPUT -p ICMP --icmp-type 9 -j DROP
/sbin/iptables -A INPUT -p ICMP --icmp-type 10 -j DROP
/sbin/iptables -A INPUT -p ICMP --icmp-type 11 -j DROP
/sbin/iptables -A INPUT -p ICMP --icmp-type 12 -j DROP
/sbin/iptables -A INPUT -p ICMP --icmp-type 13 -j DROP
/sbin/iptables -A INPUT -p ICMP --icmp-type 14 -j DROP
#Example Config
#/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
# Save settings with /sbin/service iptables save
# List iptables chains with 'iptables -L -v'
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/service iptables save
/sbin/iptables -L -v
[root@pc ~]#
ทดไว้เมื่อยามมีเวลา เดี๋ยวเวลารีบๆ จะได้หยิบฉวยทัน
** ยัง bug อยู่.. ค่อยๆ แก้ไป
| Create Date : 06 ธันวาคม 2552 |
| Last Update : 4 เมษายน 2554 9:58:10 น. |
|
0 comments
|
| Counter : 801 Pageviews. |
|
 |
|
|
|
|
|
| dokawa |
 |
|
|
|
|
![](http://1.bp.blogspot.com/_VN8zHqq8Ns8/SLepX1xMFkI/AAAAAAAABPM/V7-gN94R70U/s1600/fire_tables.png"<br)
ฝากข้อความหลังไมค์
Rss Feed
ผู้ติดตามบล็อก : 1 คน [
