



Сервис Firewall

Конфигурация для рабочей станции

nftables

Linux (iptables)

Настройка фильтра

root@clientN:~# cat firewall.sh
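#!/bin/sh
# firewall.sh — host firewall for a workstation (IPv4 filter table only).
# Policy: allow loopback and replies to connections the host itself opened;
# drop everything else that arrives on INPUT.  Invoke as: sh firewall.sh
#
# -e: stop at the first failing iptables call.  Without it, a failure of the
#     conntrack rule (e.g. the module cannot be loaded) would still be followed
#     by the final DROP, cutting off replies to the host's own connections.
# -u: an unset variable is an error (none are used here; harmless).
set -eu

# Start from an empty filter table.  Only the rules go; chain policies are
# not touched by --flush.
iptables --flush

# Local processes talking to each other over the loopback interface.
iptables -A INPUT -i lo -j ACCEPT

# Replies to, and helper-related flows of, connections opened from this host.
# ICMP errors tied to an existing flow also pass here as RELATED.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Everything else is silently dropped; unsolicited ICMP (e.g. echo requests)
# is included in that.
iptables -A INPUT -j DROP

# NOTE(review): only the IPv4 tables are programmed; ip6tables is left as it
# was.  Apply a matching policy there if the host has IPv6 connectivity.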
root@clientN:~# sh firewall.sh

Просмотр правил фильтра

# iptables -t filter -n -L -v --line-numbers
или
# iptables -n -L -v --line-numbers

Удаление правил фильтра

iptables -t ТАБЛИЦА -D ЦЕПОЧКА НОМЕР_ПРАВИЛА

Работа с таблицей состояний

http://conntrack-tools.netfilter.org/conntrack.html

# apt install conntrack

# conntrack -L

Управление состоянием iptables

Вариант 1
Сохранение состояния iptables
root@gate:~# iptables-save > /etc/iptables.rules
Восстановление состояния iptables
root@gate:~# iptables-restore < /etc/iptables.rules
Восстановление состояния iptables при загрузке
root@gate:~# cat /etc/network/interfaces
...
auto eth1
iface eth1 inet static
  pre-up iptables-restore < /etc/iptables.rules
...
Вариант 2
# apt install iptables-persistent

# netfilter-persistent save

CentOS

CentOS 7, AlmaLinux 9

# systemctl status firewalld

# firewall-cmd --get-zones | tr " " "\n"

# firewall-cmd --get-active-zones
!!! даже если пусто, похоже, в этом случае используется зона public

# firewall-cmd --get-zone-of-interface=enp0s3
no zone   !!! похоже, в этом случае используется зона public

# firewall-cmd --list-all

# firewall-cmd --change-interface=enp0s3 --zone=public

# firewall-cmd --get-services | tr " " "\n"

# less /usr/lib/firewalld/services/sip.xml

server# firewall-cmd --zone=public --add-service=http
server# firewall-cmd --zone=public --remove-service=http

gate# firewall-cmd --zone=public --add-port=2222/tcp
gate# firewall-cmd --zone=public --remove-port=2222/tcp

server# firewall-cmd --zone=internal --add-source 192.168.X.0/24
server# firewall-cmd --get-active-zones
server# firewall-cmd --zone=internal --list-all

server# firewall-cmd --zone=internal --add-service=smtp

# firewall-cmd --runtime-to-permanent
  или возвращаем исходное состояние:
# firewall-cmd --reload

# systemctl stop firewalld

CentOS 6

# service iptables save

# cat /etc/sysconfig/iptables

# service iptables stop

FreeBSD (PF)

Настройка

[gate:~] # cat /etc/pf.conf
# Workstation ruleset: leave loopback unfiltered, drop every unsolicited
# inbound packet, let everything outbound through and keep state for it.
set skip on lo0

# Default deny for packets coming in on any interface.
block in all
# IPv4 out is allowed; "keep state" creates the entry that lets the replies
# back in past "block in all".  "inet" covers IPv4 only — IPv6 replies would
# still hit the block above.
pass out inet all keep state

Включение

[gate:~] # cat /etc/rc.conf
...
pf_enable=yes
[gate:~] # /etc/rc.d/pf check

[gate:~] # /etc/rc.d/pf start

[gate:~] # /etc/rc.d/pf reload

[gate:~] # pfctl -s rules

[gate:~] # pfctl -vs rules

[gate:~] # pfctl -vs state

[gate:~] # pfctl -F state

Конфигурация для шлюза WAN - LAN

Debian/Ubuntu (iptables)

root@gate:~# cat firewall.sh
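#!/bin/sh
# firewall.sh — FORWARD policy of a WAN (eth1) / LAN (eth0) gateway, IPv4 only.
# Invoke as: sh firewall.sh
#
# -e: stop at the first failing command, so a mistyped ACCEPT rule is not
#     silently followed by the final DROP.  -u: unset variable is an error.
set -eu

wan_if=eth1              # interface facing the Internet
lan_if=eth0              # interface facing the local network
lan_net=192.168.X.0/24   # X = workplace number (course placeholder)
srv=192.168.X.10         # LAN host whose services are published to the WAN

# Flush the filter table only (nat/mangle untouched; chain policies are kept).
iptables --flush

# Services on the LAN server that may be reached from the WAN.
iptables -A FORWARD -i "$wan_if" -p tcp -d "$srv" --dport 22 -j ACCEPT     # ssh
iptables -A FORWARD -i "$wan_if" -p tcp -d "$srv" --dport 53 -j ACCEPT     # dns
iptables -A FORWARD -i "$wan_if" -p udp -d "$srv" --dport 53 -j ACCEPT     # dns
#iptables -A FORWARD -i "$wan_if" -p tcp -d "$srv" --dport 25 -j REJECT    # smtp, refuse with an error instead of dropping
#iptables -A FORWARD -i "$wan_if" -p tcp -d "$srv" --dport 25 -j ACCEPT    # smtp
#iptables -A FORWARD -i "$wan_if" -p tcp -d "$srv" --dport 465 -j ACCEPT   # smtps
#iptables -A FORWARD -i "$wan_if" -p tcp -d "$srv" --dport 587 -j ACCEPT   # submission
#iptables -A FORWARD -i "$wan_if" -p tcp -d "$srv" --dport 143 -j ACCEPT   # imap
iptables -A FORWARD -i "$wan_if" -p tcp -d "$srv" --dport 80 -j ACCEPT     # http
iptables -A FORWARD -i "$wan_if" -p tcp -d "$srv" --dport 5222 -j ACCEPT   # xmpp client

# VoIP ports (SIP 5060, IAX 4569, RTP range) — presumably for an Asterisk on
# the same server; enable when it is published.
#iptables -A FORWARD -i "$wan_if" -p udp -d "$srv" --dport 5060 -j ACCEPT
#iptables -A FORWARD -i "$wan_if" -p udp -d "$srv" --dport 4569 -j ACCEPT
#iptables -A FORWARD -i "$wan_if" -p udp -d "$srv" --dport 10000:20000 -j ACCEPT

# Optional outbound restrictions for LAN clients.
#iptables -A FORWARD -i "$lan_if" -p tcp --dport 25 -j REJECT
#iptables -A FORWARD -s 192.168.100+X.0/24 -p tcp --dport 80 -j REJECT
#iptables -A FORWARD -s 192.168.100+X.0/24 -p tcp --dport 443 -j REJECT

# LAN hosts may open connections anywhere.  The -s match limits this to our
# own prefix, so a packet with a foreign source address on eth0 is not
# forwarded (cheap anti-spoofing).
iptables -A FORWARD -i "$lan_if" -s "$lan_net" -j ACCEPT
#iptables -A FORWARD -s 192.168.100+X.0/24 -j ACCEPT

# Replies and helper-related flows (e.g. ftp-data) of the connections above.
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Anything not matched above is dropped.
iptables -A FORWARD -j DROP

# Drop the connection-tracking table so flows admitted by the previous rule
# set do not keep passing as ESTABLISHED.  Requires the conntrack package;
# under -e a missing binary makes the script exit non-zero here.
conntrack -F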
root@gate:~# apt install conntrack

root@gate:~# sh firewall.sh

root@gate:~# iptables-save > /etc/iptables.rules
root@gate:~# cat /etc/modules
...
nf_conntrack_ftp

CentOS

...
# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o eth1 -j ACCEPT
# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
...

FreeBSD (pf)

[gate:~] # cat /etc/pf.conf
# WAN/LAN gateway ruleset.  "X" is the course placeholder for the workplace number.
corp_net="192.168.X/24"
#pppoe_corp_net="192.168.100+X/24"

# All published services live on one host inside the corporate network.
ssh_server="192.168.X.10"
dns_server="192.168.X.10"
www_server="192.168.X.10"
mail_server="192.168.X.10"
asterisk_server="192.168.X.10"

set skip on lo0

# Default deny for inbound packets on every interface; the rules below open
# holes in it.  pf uses last-match-wins unless a rule says "quick".
block in all

# Optional: refuse SMTP towards the mail server, and SMTP from the LAN to the
# outside, with an RST/ICMP error instead of a silent drop.
#block return in quick inet proto tcp from any to $mail_server port 25
#block return out quick inet proto tcp from $corp_net to !$corp_net port 25

# Packets addressed to the gateway's own interface addresses are accepted from
# anywhere, WAN included, with no port restriction — every service listening
# on the gateway itself is exposed by this line.
pass in inet from any to {em0,em1}

# Hosts of the corporate network may open connections anywhere.
# NOTE(review): there is no "on <interface>" and no antispoof, so a packet
# arriving on the WAN side with a spoofed $corp_net source matches too.
pass in inet from $corp_net to any
#pass in inet from $dns_server to any
#pass in inet from $pppoe_corp_net to any

pass out inet all keep state

# Services on the internal server reachable from anywhere (forwarded through
# the gateway).  Modern pf applies "keep state" to pass rules by default.
pass in inet proto tcp from any to $ssh_server port 22
pass in inet proto tcp from any to $mail_server port 25
pass in inet proto {udp,tcp} from any to $dns_server port 53
pass in inet proto tcp from any to $www_server port 80
pass in inet proto tcp from any to $mail_server port 143

# VoIP towards Asterisk (SIP signalling, RTP range, IAX) — disabled.
#pass in inet proto udp from any to $asterisk_server port 5006
#pass in inet proto udp from any to $asterisk_server port 10000:20000
#pass in inet proto udp from any to $asterisk_server port 4569
[gate:~] # /etc/rc.d/pf check

[gate:~] # /etc/rc.d/pf reload

FreeBSD (ipfw stateful)

# cat /etc/ipfw.rules
# Stateful ipfw ruleset (presumably run as firewall_script from rc.conf, i.e.
# sourced by /bin/sh).  -q: quiet; -f flush: remove current rules without asking.
ipfw -q -f flush
# Packets that belong to an existing dynamic (keep-state) session pass here.
ipfw -q add check-state
# Drop all IP fragments.
ipfw -q add deny all from any to any frag
# TCP that is not a session start and had no dynamic state (it got past
# check-state) is refused — every session must be created via keep-state.
ipfw -q add deny tcp from any to any established

# Outbound from the LAN: TCP only as a session start ("setup"), all with state.
ipfw -q add allow tcp from 192.168.X.0/24 to any setup keep-state
ipfw -q add allow udp from 192.168.X.0/24 to any keep-state
ipfw -q add allow icmp from 192.168.X.0/24 to any keep-state

# Inbound to the server.
# NOTE(review): "22-80" is a port *range* (22 through 80), not a list; if only
# ssh and http are meant, the spelling is "22,80".
#ipfw -q add allow tcp from any to 192.168.X.10 22 keep-state
ipfw -q add allow tcp from any to 192.168.X.10 22-80 keep-state
#ipfw -q add allow udp from any to 192.168.X.10 53 keep-state
#ipfw -q add allow ip from any to 192.168.X.10 keep-state
# Everything else falls through to the default rule 65535 (deny, unless the
# kernel was built to default-accept).

FreeBSD (ipfw stateless)

# cat /etc/ipfw.rules
# Stateless ipfw ruleset: no dynamic rules, so return traffic has to be
# recognised by TCP flags and by port ranges.
ipfw -q -f flush

# Anything from the LAN may go out.
ipfw -q add allow ip from 192.168.X.0/24 to any
# Return TCP traffic: segments with ACK/RST set, i.e. not a connection start.
ipfw -q add allow tcp from any to 192.168.X.0/24 established
# UDP "replies": unprivileged port to unprivileged port.  This also admits
# unsolicited datagrams from outside to any service listening on 1024-65535.
ipfw -q add allow udp from any 1024-65535 to any 1024-65535
# DNS answers.
ipfw -q add allow udp from any 53 to any 1024-65535
ipfw -q add allow icmp from any to any

# Published services on the server: TCP 22-23 (ssh, telnet) and DNS.
ipfw -q add allow tcp from any to 192.168.X.10 22-23
ipfw -q add allow udp from any to 192.168.X.10 53

Протоколирование отброшенных пакетов

Debian/Ubuntu (iptables)

root@gate:~# cat firewall.sh
...
iptables -A ... -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A ... -j DROP
root@gate:~# sh firewall.sh

root@gate:~# iptables-save > /etc/iptables.rules

root@gate:~# tail -f /var/log/syslog

FreeBSD (pf)

[gate:~] # cat /etc/rc.conf
...
pflog_enable="YES"
[gate:~] # /etc/rc.d/pflog start

[gate:~] # ifconfig

[gate:~] # cat /etc/pf.conf
...
block in log all
[gate:~] # /etc/rc.d/pf check

[gate:~] # /etc/rc.d/pf reload

[gate:~] # tcpdump -n -i pflog0

[gate:~] # tcpdump -n -r /var/log/pflog

Конфигурация для шлюза WAN - LAN - DMZ

Debian/Ubuntu (iptables)

root@gate:~# cat firewall.sh
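#!/bin/sh
# firewall.sh — gateway with three interfaces, IPv4 filter table only.
#   eth0, eth1: the two open segments (WAN and DMZ; which is which is not
#               fixed by this script) — forwarded freely in both directions.
#   eth2:       the protected segment — may open connections anywhere, but
#               nothing, not even the gateway itself, may open one into it.
#   tun+:       OpenVPN tunnels — forwarded anywhere, eth2 included.
# Invoke as: sh firewall.sh
#
# -e: stop at the first failing iptables call so the final DROP rules are not
#     installed on top of an incomplete ACCEPT set.  -u: unset var is an error.
set -eu

# Empty the filter table; chain policies are not touched by --flush.
iptables --flush

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth2 -j ACCEPT

#### for openvpn ####
# VPN clients are admitted into every segment, including the protected one.
iptables -A FORWARD -i tun+ -j ACCEPT

# Replies to connections admitted above — for forwarded traffic and for the
# gateway's own traffic (needed so the OUTPUT DROP below does not cut replies).
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -j DROP
# The gateway's own processes may not initiate anything towards eth2.
iptables -A OUTPUT -o eth2 -j DROP

# NOTE(review): the INPUT chain is not filtered by this script; services on
# the gateway itself stay reachable from all segments.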
root@gate:~# sh firewall.sh

root@gate:~# iptables-save > /etc/iptables.rules
  или
root@gate:~# netfilter-persistent save

FreeBSD (pf)

[gate:~] # cat /etc/pf.conf
lan_net="192.168.100+X/24"                          # protected network
dmz_net="192.168.X/24"                              # segment with the public servers
vpn_nets="{ 192.168.200+X/24, 192.168.100+Y/24}"   # remote networks that reach the LAN over VPN

# Hide the LAN behind the address of em1 (the WAN-side interface).
nat on em1 from $lan_net to any -> (em1)

block in all
pass out inet all keep state

# No packet without state may leave the gateway towards the LAN; this also
# covers connections the gateway itself opens.  Last match wins, so the
# "pass out" for VPN below would override it once uncommented.
block out from any to $lan_net
#pass out from $vpn_nets to $lan_net

# The gateway's own interface addresses are reachable from anywhere, with no
# port restriction.
pass in inet from any to {em0,em1,em2}

# Anyone may reach the DMZ ...
pass in inet from any to $dmz_net
# ... but the DMZ may not open connections into the LAN.
pass in inet from $dmz_net to !$lan_net

pass in inet from $lan_net to any

# VPN networks may open connections into the LAN.
# NOTE(review): whether these forwarded packets then get past "block out"
# depends on the state policy (floating vs if-bound) — confirm with
# pfctl -vs rules / pfctl -vs state.
pass in inet from $vpn_nets to $lan_net

Конфигурация для защиты от bruteforce

Debian/Ubuntu (iptables)

Ограничение частоты подключений

root@gate:~# cat firewall.sh
iptables --flush
...
# Rate-limit new HTTP connections per source with xt_recent (list "DEFAULT").
# "--update --seconds 60 --hitcount 4" matches when the source already has at
# least 4 hits in the last 60 s, and the match refreshes the timestamp, so a
# source that keeps trying stays blocked.  LOG first, then DROP.
# NOTE(review): the LOG rule has no --limit and no --log-prefix; under a flood
# it writes one line per packet — confirm that is acceptable.
iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j LOG
iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
# Record the source (first hit and every later one that got through).
iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --set

# Same pattern for all TCP ports: more than 10 new connections in one second.
#iptables -A FORWARD -p tcp -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 1 --hitcount 10 -j LOG
#iptables -A FORWARD -p tcp -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 1 --hitcount 10 -j DROP
#iptables -A FORWARD -p tcp -i eth1 -m conntrack --ctstate NEW -m recent --set
...
root@gate:~# tail -f /var/log/syslog
root@gate:~# journalctl -f

root@gate:~# cat /proc/net/xt_recent/DEFAULT
root@gate:~# watch cat /proc/net/xt_recent/DEFAULT

root@gate:~# echo -10.5.7.1 >/proc/net/xt_recent/DEFAULT

root@gate:~# echo / >/proc/net/xt_recent/DEFAULT

nftables

Блокировка абонентов, превысивших частоту подключений

gate# cat /etc/nftables.conf
...
table inet filter {
        # Sources blocked after exceeding the rate limit in the forward chain.
        # "dynamic": rules may add elements; "timeout": each entry expires on
        # its own (5 minutes), so blocks lift without manual cleanup.
        set denylist {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                timeout 5m
        }
...
        chain forward {
                type filter hook forward priority filter; policy accept;
                # NOTE(review): "limit rate" here is a single counter for the
                # whole rule, not per source.  Once new TCP across all sources
                # exceeds 10/s, whichever saddr sent the excess packet lands in
                # @denylist.  For a per-source threshold the rate has to be part
                # of a dynamic set element, e.g. "{ ip saddr limit rate over 10/second }".
                ip protocol tcp ct state new,untracked limit rate over 10/second add @denylist { ip saddr }
                # Anything from a listed source is dropped until its entry expires.
                ip saddr @denylist drop
        }
...

FreeBSD (pf)

http://www.opennet.ru/base/sec/bruteforce_pf.txt.html

gate# cat /etc/pf.conf
# Sources that exceeded the SSH connection rate.  "persist" keeps the table
# even while it is empty, so it can be managed with pfctl -t.
table <fail2ban> persist
# "quick": no further rule is evaluated for a listed source.
block in quick from <fail2ban>

# New SSH sessions arriving on em1 (flags S/SA: SYN without ACK).  More than
# 4 new connections from one source within 60 s adds that source to
# <fail2ban>, and "flush" kills the states this rule had created for it.
pass in on em1 proto tcp to \
     port 22 flags S/SA keep state \
     (max-src-conn-rate 4/60, overload <fail2ban> flush)
# pfctl -t fail2ban -T show

# pfctl -t fail2ban -T delete 172.16.1.254

# pfctl -t fail2ban -T add 172.16.1.254
# pfctl -k 172.16.1.254

# pfctl -t fail2ban -T flush

Мониторинг соединений

Debian/Ubuntu (iptables)

root@gate:~# conntrack -L

root@gate:~# iptstate

root@gate:~# conntrack -F

FreeBSD (pf)

[gate:~] # pfctl -vs state

[gate:~] # pfctl -k 0.0.0.0/0 -k 172.16.1.254

[gate:~] # pfctl -F states

[gate:~] # pkg install pftop

[gate:~] # pftop

Transparent Firewall

NetFilter

Дополнительные материалы

FreeBSD ipfilter

# touch /etc/ipf.rules

# cat /etc/rc.conf
...
ipfilter_enable=yes
# service ipfilter start

# ipfstat -hio

Пример пользовательского интерфейса для управления pf
