This iptables ruleset is intended for a system with FreePBX and fail2ban installed, especially when the host sits on a public network.
Edit /etc/sysconfig/iptables
iptables:
*filter
:INPUT DROP [636:118995]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45625:6667023]
:fail2ban-APACHE - [0:0]
:fail2ban-ASTERISK - [0:0]
:fail2ban-BadBots - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-VSFTPD - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-BadBots
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-VSFTPD
-A INPUT -p tcp -j fail2ban-APACHE
-A INPUT -j fail2ban-ASTERISK
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -i ! eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9022 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A fail2ban-APACHE -j RETURN
-A fail2ban-ASTERISK -j RETURN
-A fail2ban-BadBots -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-VSFTPD -j RETURN
COMMIT
# Completed on Tue Feb 8 11:35:49 2011
# Generated by iptables-save v1.3.5 on Tue Feb 8 11:35:49 2011
*mangle
:PREROUTING ACCEPT [59114:43092827]
:INPUT ACCEPT [58517:43020696]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45625:6667023]
:POSTROUTING ACCEPT [45627:6667307]
COMMIT
# Completed on Tue Feb 8 11:35:49 2011
# Generated by iptables-save v1.3.5 on Tue Feb 8 11:35:49 2011
*nat
:PREROUTING ACCEPT [1620:224741]
:POSTROUTING ACCEPT [3827:274034]
:OUTPUT ACCEPT [3827:274034]
COMMIT
# Completed on Tue Feb 8 11:35:49 2011
Restart iptables
service iptables stop
service iptables start
Tips:
port 113: remote authentication (ident) for mail services
port 4445: Flash Operator Panel
port 9001: webmin
port 9080: second web port
port 4569: IAX2
port 5038: Asterisk Manager Interface
port 123: NTP
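The ordering of the INPUT chain above matters: the jumps to the fail2ban-* chains sit before every ACCEPT rule, so a banned address is dropped before any port is opened to it; if an ACCEPT were placed ahead of them, fail2ban's bans would silently stop working for that port. The script below is an added audit helper, not part of the original post or of FreePBX/fail2ban. It parses the page's own filter table (embedded as the INPUT chain excerpt), confirms the default policy and the fail2ban-before-ACCEPT ordering, lists every (protocol, port) accepted from any source, and flags ACCEPT rules that match regardless of port, such as the `--tcp-flags ACK ACK` rule. The parsing is a deliberately small subset of iptables-save syntax (it only looks at `-p`, `-s`, `--sport`, `--dport` and the jump target), which is an assumption that holds for this ruleset but not for every one.

```python
import re

# Excerpt of the page's /etc/sysconfig/iptables filter table (INPUT chain and chain declarations).
RULESET = """*filter
:INPUT DROP [636:118995]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45625:6667023]
:fail2ban-APACHE - [0:0]
:fail2ban-ASTERISK - [0:0]
:fail2ban-BadBots - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-VSFTPD - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-BadBots
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-VSFTPD
-A INPUT -p tcp -j fail2ban-APACHE
-A INPUT -j fail2ban-ASTERISK
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -i ! eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9022 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
COMMIT
"""


def filter_lines(text):
    """Yield the non-empty lines of the *filter table only (other tables are skipped)."""
    in_filter = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if line == "COMMIT":
            in_filter = False
            continue
        if in_filter and line:
            yield line


def input_policy(text):
    """Default policy of the INPUT chain; a public host wants DROP here."""
    for line in filter_lines(text):
        m = re.match(r":INPUT (\S+)", line)
        if m:
            return m.group(1)
    return None


def input_rules(text):
    """The -A INPUT rules, in the order the kernel evaluates them."""
    return [l for l in filter_lines(text) if l.startswith("-A INPUT ")]


def fail2ban_before_accepts(rules):
    """True if every jump into a fail2ban-* chain precedes the first ACCEPT rule."""
    f2b = [i for i, r in enumerate(rules) if " -j fail2ban-" in r]
    accepts = [i for i, r in enumerate(rules) if r.endswith(" -j ACCEPT")]
    if not f2b or not accepts:
        return False
    return max(f2b) < min(accepts)


def exposed_ports(rules):
    """(proto, dport) pairs accepted from any source; reply-traffic (--sport) rules are skipped."""
    found = []
    for r in rules:
        if not r.endswith(" -j ACCEPT") or " -s " in r or " --sport " in r:
            continue
        m = re.search(r"-p (\w+) .*--dport (\S+)", r)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def wildcard_accepts(rules):
    """ACCEPT rules that match regardless of destination port or ICMP type (review these first)."""
    return [r for r in rules
            if r.endswith(" -j ACCEPT") and "--dport" not in r and "--icmp-type" not in r]


if __name__ == "__main__":
    rules = input_rules(RULESET)
    print("INPUT policy:", input_policy(RULESET))
    print("fail2ban chains consulted before ACCEPTs:", fail2ban_before_accepts(rules))
    for proto, port in exposed_ports(rules):
        print(f"open to any source: {proto}/{port}")
    for r in wildcard_accepts(rules):
        print("port-independent accept:", r)
```

Run it against a live host with `iptables-save | python3 audit.py` after changing `RULESET` to read from stdin; the port list it prints is the one to reconcile with the Tips above, and any port-independent ACCEPT it flags deserves a second look before the host goes public.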