Thread: Remote ssh access

  #11

    ok. I use either vi or far to edit the post-xxx files, so right now my post-firewall looks like this:

    Code:
    #!/bin/sh
    # $3 is the LAN interface (br0 in the listing below); XXXX is the SSH port
    iptables -I INPUT -p tcp --dport XXXX -j ACCEPT
    iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
    # record the source of every new connection to the SSH port arriving from outside the LAN
    iptables -t nat -I PREROUTING -i ! $3 -p tcp -m state --state NEW --dport XXXX -m recent --set --name SSH_ATTACKER --rsource
    # drop the source once it has opened 3 new connections within 600 seconds
    iptables -I INPUT -i ! $3 -p tcp -m state --state NEW --dport XXXX -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP
    logger '----iptables initialized----'

    ---------------------------------
    Note: XXXX is my port. 8080 is also open temporarily (just in case).
    ----------------------------

    iptables -L -vn
    Code:
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        4   200 DROP       tcp  --  !br0   *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:XXXX recent: UPDATE seconds: 600 hit_count: 3 name: SSH_ATTACKER side: source 
      211 22258 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:8080 
      362 38177 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:XXXX 
        2   152 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID 
    16208 1453K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
     1451 87060 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          state NEW 
     4658 1610K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          state NEW 
      441  159K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68 
       88 20114 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    
    Chain FORWARD (policy ACCEPT 735 packets, 38292 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0          
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID 
     519K  479M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
        0     0 DROP       all  --  !br0   vlan1   0.0.0.0/0            0.0.0.0/0          
       70  5462 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          ctstate DNAT 
    
    Chain OUTPUT (policy ACCEPT 22838 packets, 3255K bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain MACS (0 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain SECURITY (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02 limit: avg 1/sec burst 5 
        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x17/0x04 limit: avg 1/sec burst 5 
        0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 5/sec burst 5 
        0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          limit: avg 5/sec burst 5 
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    
    Chain logaccept (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW LOG flags 7 level 4 prefix `ACCEPT ' 
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    
    Chain logdrop (0 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW LOG flags 7 level 4 prefix `DROP ' 
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    ----

    iptables -L -vnt nat
    Code:
    Chain PREROUTING (policy ACCEPT 1358 packets, 157K bytes)
     pkts bytes target     prot opt in     out     source               destination         
        4   200            tcp  --  !br0   *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:XXXX recent: SET name: SSH_ATTACKER side: source 
      146 24959 VSERVER    all  --  *      *       0.0.0.0/0            99.238.7.36        
    
    Chain POSTROUTING (policy ACCEPT 1576 packets, 96278 bytes)
     pkts bytes target     prot opt in     out     source               destination         
      735 38292 MASQUERADE  all  --  *      vlan1  !99.238.7.36          0.0.0.0/0          
        5   956 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24     
    
    Chain OUTPUT (policy ACCEPT 1532 packets, 92894 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain VSERVER (1 references)
     pkts bytes target     prot opt in     out     source               destination         
       13   608 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:6881 to:192.168.1.196:6881 
       36  3732 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:6881 to:192.168.1.196:6881 
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:31220 to:192.168.1.1:4662 
        0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:31220 to:192.168.1.1:4662
    Last edited by Mam(O)n; 14-11-2007 at 03:10. Reason: [code][/code] makes it easier to read
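An added example, not from the post or the router firmware: a small Python parser for the `iptables -L -vn` listing format shown above that checks the SSH throttle DROP is evaluated before the ACCEPT for the same port and reports how many packets it has dropped. The sample listing is constructed from the post's INPUT chain, with the placeholder port 2222 standing in for XXXX.

```python
import re

# Constructed sample in the `iptables -L -vn` layout shown in the post; the real
# port XXXX is replaced by the placeholder 2222 and the counters are made up.
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   200 DROP       tcp  --  !br0   *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:2222 recent: UPDATE seconds: 600 hit_count: 3 name: SSH_ATTACKER side: source
  211 22258 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:8080
  362 38177 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:2222
16208 1453K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
   88 20114 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
# One filter-table rule line (nat-table lines with an empty target column are not handled).
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst", "match")

def parse_counter(s):
    """iptables -v abbreviates large counters as 1453K / 479M."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_chain(listing):
    """Return the rules of one chain as dicts, in the order iptables evaluates them."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)          # 'Chain' and header lines do not start with a number
        if m:
            r = dict(zip(FIELDS, m.groups()))
            r["pkts"], r["bytes"] = parse_counter(r["pkts"]), parse_counter(r["bytes"])
            r["match"] = r["match"].strip()
            rules.append(r)
    return rules

def has_dport(rule, port):
    return re.search(rf"\bdpt:{port}\b", rule["match"]) is not None

def throttle_precedes_accept(rules, port):
    """True if the recent-module DROP for the port sits above its ACCEPT (-I puts the last post-firewall line on top)."""
    first = {}
    for i, r in enumerate(rules):
        if has_dport(r, port) and (r["target"] == "ACCEPT" or "recent:" in r["match"]):
            first.setdefault(r["target"], i)
    return "DROP" in first and "ACCEPT" in first and first["DROP"] < first["ACCEPT"]

def throttled_attempts(rules, port):
    """Packets the throttle has dropped: a cheap brute-force indicator to track over time."""
    return sum(r["pkts"] for r in rules
               if r["target"] == "DROP" and "recent:" in r["match"] and has_dport(r, port))
```

Feed it the output of `iptables -L INPUT -vn` captured from the router; a throttle counter that keeps climbing between checks is worth a look in the logs.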
