User Tools
сервис_firewall
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
сервис_firewall [2024/04/08 18:26] val [Linux (iptables)] |
сервис_firewall [2024/05/07 16:18] (current) val [Debian/Ubuntu (iptables)] |
||
|---|---|---|---|
| Line 84: | Line 84: | ||
| ==== CentOS ==== | ==== CentOS ==== | ||
| - | === CentOS 7 === | + | === CentOS 7, AlmaLinux 9 === |
| * [[https://bozza.ru/art-259.html|Настройка firewalld CentOS 7 с примерами команд]] | * [[https://bozza.ru/art-259.html|Настройка firewalld CentOS 7 с примерами команд]] | ||
| Line 372: | Line 372: | ||
| root@gate:~# iptables-save > /etc/iptables.rules | root@gate:~# iptables-save > /etc/iptables.rules | ||
| + | или | ||
| + | root@gate:~# netfilter-persistent save | ||
| </code> | </code> | ||
| Line 404: | Line 406: | ||
| ==== Debian/Ubuntu (iptables) ==== | ==== Debian/Ubuntu (iptables) ==== | ||
| + | |||
| + | === Ограничение частоты подключений === | ||
| <code> | <code> | ||
| root@gate:~# cat firewall.sh | root@gate:~# cat firewall.sh | ||
| Line 412: | Line 416: | ||
| iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP | iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP | ||
| iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --set | iptables -A FORWARD -p tcp --dport 80 -i eth1 -m conntrack --ctstate NEW -m recent --set | ||
| + | |||
| + | #iptables -A FORWARD -p tcp -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 1 --hitcount 10 -j LOG | ||
| + | #iptables -A FORWARD -p tcp -i eth1 -m conntrack --ctstate NEW -m recent --update --seconds 1 --hitcount 10 -j DROP | ||
| + | #iptables -A FORWARD -p tcp -i eth1 -m conntrack --ctstate NEW -m recent --set | ||
| ... | ... | ||
| </code><code> | </code><code> | ||
| root@gate:~# tail -f /var/log/syslog | root@gate:~# tail -f /var/log/syslog | ||
| + | root@gate:~# journalctl -f | ||
| root@gate:~# cat /proc/net/xt_recent/DEFAULT | root@gate:~# cat /proc/net/xt_recent/DEFAULT | ||
| + | root@gate:~# watch cat /proc/net/xt_recent/DEFAULT | ||
| root@gate:~# echo -10.5.7.1 >/proc/net/xt_recent/DEFAULT | root@gate:~# echo -10.5.7.1 >/proc/net/xt_recent/DEFAULT | ||
| Line 423: | Line 433: | ||
| </code> | </code> | ||
| + | ==== nftables ==== | ||
| + | |||
| + | === Блокировка абонентов, превысивших частоту подключений === | ||
| + | |||
| + | * [[https://access.redhat.com/documentation/ru-ru/red_hat_enterprise_linux/7/html/security_guide/sec-using_nftables_to_limit_the_amount_of_connections|Using nftables to limit the amount of connections]] | ||
| + | |||
| + | <code> | ||
| + | gate# cat /etc/nftables.conf | ||
| + | </code><code> | ||
| + | ... | ||
| + | table inet filter { | ||
| + | set denylist { | ||
| + | type ipv4_addr | ||
| + | size 65535 | ||
| + | flags dynamic,timeout | ||
| + | timeout 5m | ||
| + | } | ||
| + | ... | ||
| + | chain forward { | ||
| + | type filter hook forward priority filter; policy accept; | ||
| + | ip protocol tcp ct state new,untracked limit rate over 10/second add @denylist { ip saddr } | ||
| + | ip saddr @denylist drop | ||
| + | } | ||
| + | ... | ||
| + | </code> | ||
| ==== FreeBSD (pf) ==== | ==== FreeBSD (pf) ==== | ||
сервис_firewall.1712589963.txt.gz · Last modified: 2024/04/08 18:26 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
