Basic iptables for use together with fail2ban


    Revision as of 04:38, 27 Dec 2024




    This iptables ruleset is meant for a system that already has FreePBX and fail2ban installed, in particular when the host sits on a public network.

    for CentOS

    Edit /etc/sysconfig/iptables

    iptables:

    # Generated by iptables-save v1.3.5 on Tue Feb  8 11:35:49 2011
    *filter
    # Default policy: anything inbound that no rule below accepts is dropped.
    :INPUT DROP [636:118995]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [45625:6667023]
    # Chains managed by fail2ban. The file was captured with iptables-save while
    # fail2ban was running, which is why they appear here; fail2ban inserts DROP
    # rules for banned addresses into them at runtime.
    :fail2ban-APACHE - [0:0]
    :fail2ban-ASTERISK - [0:0]
    :fail2ban-BadBots - [0:0]
    :fail2ban-SSH - [0:0]
    :fail2ban-VSFTPD - [0:0]
    # Jumps into the fail2ban chains come first, so a banned source is dropped
    # before any ACCEPT rule further down can match it.
    -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-BadBots
    -A INPUT -p tcp -m tcp --dport 21 -j fail2ban-VSFTPD
    -A INPUT -p tcp -j fail2ban-APACHE
    -A INPUT -j fail2ban-ASTERISK
    -A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
    # Everything that does not arrive on the public interface (eth0) is trusted:
    # loopback and the internal LAN. Newer iptables writes this as "! -i eth0".
    -A INPUT -i ! eth0 -j ACCEPT
    # Pre-conntrack "ACK means established" rule. It is redundant with the
    # ESTABLISHED rule below and lets any TCP segment with the ACK bit set
    # (an nmap -sA scan, a forged packet) past the port filter. Safe to delete.
    -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    # Stateful: replies to connections this host opened, and related traffic.
    -A INPUT -m state --state ESTABLISHED -j ACCEPT
    -A INPUT -m state --state RELATED -j ACCEPT
    # DNS replies. ESTABLISHED already covers them; as written, any UDP datagram
    # that claims source port 53 reaches every port from 1024 up.
    -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
    # ICMP: echo reply (0), destination unreachable (3), source quench (4),
    # time exceeded (11), parameter problem (12). Echo request (8) is not
    # accepted, so the host does not answer ping on eth0.
    -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
    # Services reachable from the public interface: SSH (22), ident (113),
    # HTTP/HTTPS (80, 443), FTP control (21); 9001 and 9080 are not identified
    # on this page.
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
    # Telephony: IAX2 (4569/udp), SIP signalling (5000-5082/udp, which includes
    # 5060), RTP media (10000-20000/udp), Flash Operator Panel (4445/tcp) and
    # the Asterisk Manager Interface (5038/tcp, plaintext login).
    -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
    -A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT
    -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
    # NTP (123/udp), TFTP phone provisioning (69/udp), 9022/tcp (not identified
    # on this page), mDNS (5353/udp).
    -A INPUT -p udp -m udp --dport 123 -j ACCEPT
    -A INPUT -p udp -m udp --dport 69 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 9022 -j ACCEPT
    -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
    # Each fail2ban chain ends in RETURN so traffic that is not banned
    # continues down INPUT.
    -A fail2ban-APACHE -j RETURN
    -A fail2ban-ASTERISK -j RETURN
    -A fail2ban-BadBots -j RETURN
    -A fail2ban-SSH -j RETURN
    -A fail2ban-VSFTPD -j RETURN
    COMMIT
    # Completed on Tue Feb  8 11:35:49 2011
    # Generated by iptables-save v1.3.5 on Tue Feb  8 11:35:49 2011
    *mangle
    :PREROUTING ACCEPT [59114:43092827]
    :INPUT ACCEPT [58517:43020696]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [45625:6667023]
    :POSTROUTING ACCEPT [45627:6667307]
    COMMIT
    # Completed on Tue Feb  8 11:35:49 2011
    # Generated by iptables-save v1.3.5 on Tue Feb  8 11:35:49 2011
    *nat
    :PREROUTING ACCEPT [1620:224741]
    :POSTROUTING ACCEPT [3827:274034]
    :OUTPUT ACCEPT [3827:274034]
    COMMIT
    # Completed on Tue Feb  8 11:35:49 2011


    Restart iptables

    service iptables stop
    service iptables start 

    (service iptables restart does the same.) Stopping iptables flushes every chain, including the DROP entries fail2ban had inserted for banned addresses, so restart fail2ban afterwards (service fail2ban restart) so that it re-populates its chains.
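
The following POSIX shell script is an added example, not code from the original page or from the FreePBX or fail2ban projects. It audits a file in the iptables-save format shown above, listing the ports the INPUT chain accepts without an interface or state restriction and flagging the rules that weaken the filter (the ACK-accept rule, the source-port-53 rule, AMI and TFTP on the public interface), and then loads a new ruleset with an automatic rollback so a mistake on a remote host does not lock you out. The function names, the keep-file convention and the sample ruleset are my own; the sample is a constructed excerpt of the page's file, not the complete file.

```shell
#!/bin/sh
# Added example (not from the original page): audit an /etc/sysconfig/iptables
# style ruleset and load a new one with a rollback timer. Function names and
# the keep-file convention are assumptions made for this example.

# Constructed excerpt of the page's ruleset, used for offline testing.
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -i ! eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
COMMIT
EOF
}

# Print "proto/port" for every INPUT rule that ACCEPTs a destination port
# without an interface (-i) or connection-state restriction, i.e. the ports
# that are reachable from the public interface.
exposed_ports() {   # usage: exposed_ports <rules-file>
    awk '/^-A INPUT / && / -j ACCEPT/ && !/ -i / && !/--state/ {
             proto = "any"; port = ""
             for (i = 1; i <= NF; i++) {
                 if ($i == "-p") proto = $(i + 1)
                 if ($i == "--dport" || $i == "--dports") port = $(i + 1)
             }
             if (port != "") print proto "/" port
         }' "$1"
}

# Flag the rules in this ruleset that weaken the port filter or expose
# services that should not face the public network.
risky_rules() {   # usage: risky_rules <rules-file>
    awk '/^-A INPUT / && / -j ACCEPT/ {
             if ($0 ~ /--tcp-flags ACK ACK/)
                 print "ack-accept: any TCP segment with ACK set skips the port filter"
             if ($0 ~ /--sport 53 /)
                 print "sport-53-accept: UDP from source port 53 reaches every high port"
             if ($0 ~ / --dport 5038 /)
                 print "ami-public: Asterisk Manager Interface (5038/tcp) open to the public interface"
             if ($0 ~ / --dport 69 /)
                 print "tftp-public: TFTP provisioning (69/udp) open to the public interface"
         }' "$1"
}

# Load a new ruleset and revert to the current one after $2 seconds (default
# 60) unless the admin confirms by creating the keep-file. Needs root and
# iptables; not exercised by the offline test.
reload_with_rollback() {   # usage: reload_with_rollback <rules-file> [seconds]
    new=$1; secs=${2:-60}
    backup=$(mktemp) || return 1
    keep="$backup.keep"
    iptables-save > "$backup" || return 1
    # iptables-restore commits a table only after parsing it completely, so a
    # syntax error aborts before the running rules are replaced.
    iptables-restore < "$new" || { echo "load failed, old rules still active" >&2; return 1; }
    ( sleep "$secs"; [ -e "$keep" ] || iptables-restore < "$backup" ) &
    echo "new rules active; run 'touch $keep' within ${secs}s to keep them"
}

# Audit a real file directly: sh audit.sh /etc/sysconfig/iptables
if [ -n "$1" ] && [ -r "$1" ]; then
    echo "== exposed ports =="; exposed_ports "$1"
    echo "== risky rules =="; risky_rules "$1"
fi
```

Run the audit against the page's file before loading it; on the ruleset above it reports the ACK-accept and source-port-53 rules together with AMI and TFTP on the public interface. Once the edited file is in place, reload_with_rollback keeps an SSH session alive through a bad edit: if the new rules cut you off, the old ones return on their own after the timeout.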
    

    TIPs:

    port 113 is ident (auth), not POP3 (POP3 is port 110). Nothing listens on it here; accepting it lets the kernel answer ident lookups from mail and IRC servers with an immediate RST instead of leaving them to time out against the DROP policy.

    port 4445 Flash Operator Panel

    port 5038 is the Asterisk Manager Interface (AMI). Its login is plaintext, so do not leave it open to the whole public interface: restrict that rule with -s <trusted address>, or remove it and reach AMI through an SSH tunnel.

    The --tcp-flags ACK ACK -j ACCEPT rule predates connection tracking. With the ESTABLISHED rule in place, all it does is let any TCP segment that carries the ACK bit (an nmap -sA scan, a forged packet) past the port filter; remove it. The --sport 53 rule is likewise covered by ESTABLISHED and otherwise lets anything that sets source port 53 reach every UDP port from 1024 up.

    After restarting both services, check iptables -S INPUT: each fail2ban chain should be reached by exactly one jump from INPUT, and fail2ban-client status should list all five jails. fail2ban 0.9 and later name their chains f2b-<jail> rather than fail2ban-<jail>; use the names the installed version creates.
