
iptables rules for a router - archlinux

EviL
MW Moderator
25 June 2014, 01:02:08
Hi,

With the switch to the 500 Mb subscription at RDS I had to replace the router, because the old one, a MikroTik, could not keep up (hardware), so I opted for a custom solution based on x86_64 hardware - pcengines - http://www.pcengines.ch/apu1c.htm . Initially I put pfSense on it (a FreeBSD-based distribution), but I could not get very good results (download speed only reached about ~300 Mbps), so I installed ArchLinux on it, with which I managed to reach the maximum speed of the subscription.

I would need suggestions from you (if you have any) regarding the firewall rules; I mention that for this I use iptables/ip6tables, ppp0 being the PPPoE WAN connection on the wan0 interface, br0 being a bridge over the lan0, lan1 and wlan0 interfaces (via hostap), and the services used are: UPNP, openVPN, HTTP, SMTP, SSH.

Below you can find the current firewall rules.

IPTABLES

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow traffic on already established/related connections"
-A INPUT -s 127.0.0.0/8 -i ppp0 -j DROP -m comment --comment "Drop Private/LAN on WAN"
-A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP -m comment --comment "Drop Private/LAN on WAN"
-A INPUT -s 172.16.0.0/12 -i ppp0 -j DROP -m comment --comment "Drop Private/LAN on WAN"
-A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP -m comment --comment "Drop Private/LAN on WAN"
-A INPUT -i ppp0 -p tcp --syn --dport 22 -m connlimit --connlimit-above 5 -j REJECT -m comment --comment "Allow 5 ssh connections per client on WAN"
-A INPUT -i ppp0 -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 --connlimit-mask 24 -j DROP -m comment --comment "Allow 50 http connections per client on WAN"
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT -m comment --comment "Limit ICMP/PING 1/s"
-A INPUT -p icmp -j REJECT --reject-with icmp-host-prohibited -m comment --comment "DROP ICMP/PING flood"
-A INPUT -m comment --comment "Allow INPUT interface chain" -j interfaces
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j open  -m comment --comment "Allow INPUT custom chain"
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Forward traffic on already established/related connections"
-A FORWARD -j fw-interfaces  -m comment --comment "Allow FORWARD interface chain"
-A FORWARD -j fw-open  -m comment --comment "Allow FORWARD custom chain"
-A FORWARD -i ppp0 ! -o ppp0 -j fw-open-upnp  -m comment --comment "UPNP FORWARD chain"
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A fw-interfaces -i br0 -j ACCEPT  -m comment --comment "Allow LAN traffic FORWARD"
-A fw-open -i tun+ -o ppp0 -j ACCEPT  -m comment --comment "Allow OPENVPN internet connection share"
-A interfaces -i lo -j ACCEPT  -m comment --comment "Allow loopback traffic"
-A interfaces -i tun+ -j ACCEPT  -m comment --comment "Allow VPN traffic INPUT"
-A interfaces -i br0 -j ACCEPT  -m comment --comment "Allow LAN INPUT traffic"
-A interfaces -i br0 -j fw-interfaces
-A open -i ppp0 -p tcp -m tcp --dport 25 -m state --state NEW -m comment --comment "WAN SMTP Access" -j ACCEPT
-A open -i ppp0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "WAN HTTP Access" -j ACCEPT
-A open -i ppp0 -p tcp -m tcp --dport 443 -m state --state NEW -m comment --comment "WAN OPENVPN Access" -j ACCEPT
-A open -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "WAN SSH Access" -j ACCEPT
-A open -i ppp0 -p tcp -m tcp --dport 6080 -m state --state NEW -m comment --comment "WAN DEV WEB Access" -j ACCEPT
-A PREROUTING -i ppp0 -j pre-nat-upnp -m comment --comment "PREROUTE UPNP connections"
-A POSTROUTING -s 172.16.0.0/12 -o ppp0 -j MASQUERADE  -m comment --comment "ICS MASQUERADE LAN"
-A POSTROUTING -s 10.10.10.0/24 -o ppp0 -j MASQUERADE  -m comment --comment "ICS MASQUERADE OPENVPN"
IP6TABLES

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  -m comment --comment "Allow traffic on already established/related connections"
-A INPUT -p ipv6-icmp -m limit --limit 1/sec -j ACCEPT  -m comment --comment "Limit ICMP/PING 1/s"
-A INPUT -p ipv6-icmp -j REJECT --reject-with icmp6-adm-prohibited  -m comment --comment "DROP ICMP/PING flood"
-A INPUT -i lo -j ACCEPT -m comment --comment "Allow INPUT interface chain"
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -j open -m comment --comment "Allow INPUT custom chain"
-A INPUT -p tcp -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Forward traffic on already established/related connections"
-A FORWARD -j fw-interfaces  -m comment --comment "Allow FORWARD interface chain"
-A FORWARD -j fw-open  -m comment --comment "Allow FORWARD custom chain"
-A FORWARD -i ppp0 ! -o ppp0 -j fw-open-upnp  -m comment --comment "UPNP FORWARD chain"
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
-A fw-interfaces -i br0 -j ACCEPT  -m comment --comment "Allow LAN traffic FORWARD"
-A fw-open -i tun+ -o ppp0 -j ACCEPT  -m comment --comment "Allow OPENVPN internet connection share"
-A interfaces -i lo -j ACCEPT  -m comment --comment "Allow loopback traffic"
-A interfaces -i br0 -j ACCEPT  -m comment --comment "Allow LAN INPUT traffic"
-A interfaces -i br0 -j fw-interfaces
-A open -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT -m comment --comment "WAN SMTP Access"
-A open -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT -m comment --comment "WAN HTTP Access"
-A open -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT -m comment --comment "WAN OPENVPN Access"
-A open -i ppp0 -p udp -m udp --sport 547 --dport 546 -s fe80::/64 -d fe80::/64 -m state --state NEW -j ACCEPT -m comment --comment "Allow dhcp6c to acquire an IPv6 /64 block"
-A open -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT -m comment --comment "WAN SSH Access"
-A open -i ppp0 -p tcp -m tcp --dport 6080 -m state --state NEW -m comment --comment "WAN DEV WEB Access" -j ACCEPT
-A POSTROUTING -s fd67:6efe:918d:9396::/64 -o ppp0 -m comment --comment "ICS MASQUERADE IPv6 OPENVPN" -j MASQUERADE
Thanks,
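An added check, not part of the post above, that parses rules in this iptables-save syntax and flags two things a reviewer would look for in the listing: rules that can never match because an earlier blanket "-p tcp -j REJECT" in the same chain already terminates the protocol, and ACCEPT rules in the "open" chain that name no input interface. The sample rules are a constructed subset of the ones in the post; the function and variable names are assumptions of this example.

```python
import shlex

# Constructed sample in iptables-save syntax (subset of the post's rules); names are mine.
SAMPLE_RULES = """
-A INPUT -j open -m comment --comment "Allow INPUT custom chain"
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A open -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A open -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
"""

def parse_rules(text):
    """Split each line into chain/proto/iface/target plus the leftover match tokens."""
    keys = {"-A": "chain", "-p": "proto", "-i": "iface", "-j": "target"}
    rules = []
    for line in text.strip().splitlines():
        tok, i = shlex.split(line), 0
        r = {"chain": None, "proto": None, "iface": None, "target": None,
             "extra": [], "line": line.strip()}
        while i < len(tok):
            if tok[i] in keys:
                r[keys[tok[i]]] = tok[i + 1]
                i += 2
            elif tok[i] == "--reject-with":            # target option, not a match
                i += 2
            elif tok[i:i + 2] == ["-m", "comment"]:    # -m comment --comment "text"
                i += 4
            else:                                      # anything else narrows the match
                r["extra"].append(tok[i])
                i += 1
        rules.append(r)
    return rules

def shadowed_rules(rules):
    """Rules made unreachable by an earlier blanket '-p X -j REJECT/DROP' in the same chain."""
    blanket, out = {}, []
    for r in rules:
        blocked = blanket.setdefault(r["chain"], set())
        if r["proto"] in blocked:
            out.append(r["line"])
        elif (r["target"] in ("DROP", "REJECT") and r["proto"]
              and not r["extra"] and r["iface"] is None):
            blocked.add(r["proto"])
    return out

def accepts_without_iface(rules, chain="open"):
    """ACCEPT rules in the WAN-facing chain that name no input interface."""
    return [r["line"] for r in rules if r["chain"] == chain
            and r["target"] == "ACCEPT" and r["iface"] is None]
```

Run against the full listing from the post, the first check reports the tcp DROP rules that follow "-A INPUT -p tcp -j REJECT --reject-with tcp-reset", and the second reports the ip6tables "open" rules that lack "-i ppp0".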