ok. я пользуюсь либо vi, либо far для редактирования post-xxx файлов. то есть сейчас мой post-firewall выглядит так
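#!/bin/sh
# post-firewall: extra INPUT / nat rules added after the stock firewall is built.
# The caller is assumed to pass the LAN bridge as $3 (the listing below shows the
# rules with "!br0"), so "br0" is only a fallback for a run without arguments.
lan_if=${3:-br0}
ssh_port=хххх   # author's placeholder for the real SSH port — replace before use
tmp_port=8080   # opened temporarily ("на всякий пожарный")

# Open the two ports. "-I" with no position inserts at the TOP of the chain, so
# every later "-I" lands above these lines; the DROP rule must therefore stay
# the last INPUT rule in this file to end up first in the chain (as in the
# "iptables -L -vn" output below). Reordering the lines would silently put the
# ACCEPT ahead of the DROP and disable the rate limit.
iptables -I INPUT -p tcp --dport "$ssh_port" -j ACCEPT
iptables -I INPUT -p tcp --dport "$tmp_port" -j ACCEPT

# Record every new connection to the SSH port that does not come from the LAN
# in the SSH_ATTACKER list (nat/PREROUTING sees only the first packet of a
# connection, which is all "--set" needs). The posted line had no space before
# "-m recent", which iptables rejects; fixed here.
# "-i ! IF" is the old negation syntax; newer iptables only accept "! -i IF".
iptables -t nat -I PREROUTING -i ! "$lan_if" -p tcp -m state --state NEW \
  --dport "$ssh_port" -m recent --set --name SSH_ATTACKER --rsource

# Drop the third and later new connection within 600 s from the same source.
# "--update" also refreshes the source's timestamp, so continued attempts keep
# the block alive until the source has been quiet for 600 s.
iptables -I INPUT -i ! "$lan_if" -p tcp -m state --state NEW \
  --dport "$ssh_port" -m recent --update --seconds 600 --hitcount 3 \
  --name SSH_ATTACKER --rsource -j DROP

logger '----iptables initialized----'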
---------------------------------
Примечание - ХХХХ это мой порт. 8080 тоже открыт временно (на всякий пожарный) :)
----------------------------
iptables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 200 DROP tcp -- !br0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:XXXX recent: UPDATE seconds: 600 hit_count: 3 name: SSH_ATTACKER side: source
211 22258 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
362 38177 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:XXXX
2 152 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
16208 1453K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1451 87060 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
4658 1610K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
441 159K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
88 20114 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 735 packets, 38292 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
519K 479M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- !br0 vlan1 0.0.0.0/0 0.0.0.0/0
70 5462 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
Chain OUTPUT (policy ACCEPT 22838 packets, 3255K bytes)
pkts bytes target prot opt in out source destination
Chain MACS (0 references)
pkts bytes target prot opt in out source destination
Chain SECURITY (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
----
iptables -L -vnt nat
Chain PREROUTING (policy ACCEPT 1358 packets, 157K bytes)
pkts bytes target prot opt in out source destination
4 200 tcp -- !br0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:XXXX recent: SET name: SSH_ATTACKER side: source
146 24959 VSERVER all -- * * 0.0.0.0/0 99.238.7.36
Chain POSTROUTING (policy ACCEPT 1576 packets, 96278 bytes)
pkts bytes target prot opt in out source destination
735 38292 MASQUERADE all -- * vlan1 !99.238.7.36 0.0.0.0/0
5 956 MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24
Chain OUTPUT (policy ACCEPT 1532 packets, 92894 bytes)
pkts bytes target prot opt in out source destination
Chain VSERVER (1 references)
pkts bytes target prot opt in out source destination
13 608 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6881 to:192.168.1.196:6881
36 3732 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:6881 to:192.168.1.196:6881
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:31220 to:192.168.1.1:4662
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:31220 to:192.168.1.1:4662