-
IT café
TP-Link WR1043ND - N450 router
Új hozzászólás Aktív témák
-
nimfas
addikt
Sziasztok!
Jelenleg így néz ki az "egyéni szabály", a kérdés az lenne, hogy a 2 brute force szabály nem üti egymást?
Goflex-en (192.168.2.166) fut az FTP szerver.# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
#########################################
iptables --table nat -I zone_wan_prerouting -p $PROTO --dport $PROTECTEDPORT -s 94.23.201.82 -j DNAT --to-destination $ROUTERIP:$BRUTEFORCE_DROPPORT
#########################################
BRUTEFORCE_PROTECTION_START=3
BRUTEFORCE_DROPPORT=55555
PROTO=tcp
ROUTERIP=$(uci get network.lan.ipaddr)
########################################
#SSH Brute Force protection on port 2222
PROTECTEDPORT=2222
SERVICEPORT=22
SERVICE=SSH
echo Enabling Brute Force protection for $SERVICE on port $PROTECTEDPORT
iptables --table nat -I zone_wan_prerouting -p $PROTO --dport $PROTECTEDPORT -m state --state NEW -m recent --set --name $SERVICE -j DNAT --to-destination $ROUTERIP:$SERVICEPORT
iptables --table nat -I zone_wan_prerouting -p $PROTO --dport $PROTECTEDPORT -m state --state NEW -m recent --update --seconds 86400 --hitcount $BRUTEFORCE_PROTECTION_START --name $SERVICE -j DNAT --to-destination $ROUTERIP:$BRUTEFORCE_DROPPORT
iptables --table nat -I zone_wan_prerouting -p $PROTO --dport $PROTECTEDPORT -m state --state NEW -m recent --rcheck --seconds 86400 --hitcount $BRUTEFORCE_PROTECTION_START --name $SERVICE -m limit --limit 1/min -j LOG --log-prefix "BruteForce-${SERVICE} "
#Betörések megakadályozása a 94.23.201.82 IP-ről
iptables --table nat -I zone_wan_prerouting -p $PROTO --dport $PROTECTEDPORT -s 94.23.201.82 -j DNAT --to-destination $ROUTERIP:$BRUTEFORCE_DROPPORT
########################################
########################################
#FTP Brute Force protection on port 2221
PROTECTEDPORT=2221
SERVICEPORT=21
SERVICE=FTP
echo Enabling Brute Force protection for $SERVICE on port $PROTECTEDPORT
iptables --table nat -I zone_wan_prerouting -p $PROTO --dport $PROTECTEDPORT -m state --state NEW -m recent --set --name $SERVICE -j DNAT --to-destination $ROUTERIP:$SERVICEPORT
iptables --table nat -I zone_wan_prerouting -p $PROTO --dport $PROTECTEDPORT -m state --state NEW -m recent --update --seconds 1800 --hitcount $BRUTEFORCE_PROTECTION_START --name $SERVICE -j DNAT --to-destination $ROUTERIP:$BRUTEFORCE_DROPPORT
iptables --table nat -I zone_wan_prerouting -p $PROTO --dport $PROTECTEDPORT -m state --state NEW -m recent --rcheck --seconds 1800 --hitcount $BRUTEFORCE_PROTECTION_START --name $SERVICE -j LOG --log-prefix "BruteForce-${SERVICE} "
########################################
########################################
#SSH Brute Force protection on port 1977
PROTECTEDPORT=1977
SERVICEPORT=22
SERVICE=SSH_GOFLEX
echo Enabling Brute Force protection for $SERVICE on port $PROTECTEDPORT
iptables --table nat -I zone_wan_prerouting -p $PROTO --dport $PROTECTEDPORT -m state --state NEW -m recent --set --name $SERVICE -j DNAT --to-destination 192.168.2.166:$SERVICEPORT
iptables --table nat -I zone_wan_prerouting -p $PROTO --dport $PROTECTEDPORT -m state --state NEW -m recent --update --seconds 60 --hitcount $BRUTEFORCE_PROTECTION_START --name $SERVICE -j DNAT --to-destination 192.168.2.1:$BRUTEFORCE_DROPPORT
iptables --table nat -I zone_wan_prerouting -p $PROTO --dport $PROTECTEDPORT -m state --state NEW -m recent --rcheck --seconds 60 --hitcount $BRUTEFORCE_PROTECTION_START --name $SERVICE -j LOG --log-prefix "BruteForce-${SERVICE} "
########################################
########################################
#FTP Brute Force protection on port 2221
PROTECTEDPORT=2221
SERVICEPORT=21
SERVICE=FTP_GOFLEX
echo Enabling Brute Force protection for $SERVICE on port $PROTECTEDPORT
iptables --table nat -I zone_wan_prerouting -p $PROTO --dport $PROTECTEDPORT -m state --state NEW -m recent --set --name $SERVICE -j DNAT --to-destination 192.168.2.166:$SERVICEPORT
iptables --table nat -I zone_wan_prerouting -p $PROTO --dport $PROTECTEDPORT -m state --state NEW -m recent --update --seconds 60 --hitcount $BRUTEFORCE_PROTECTION_START --name $SERVICE -j DNAT --to-destination 192.168.2.1:$BRUTEFORCE_DROPPORT
iptables --table nat -I zone_wan_prerouting -p $PROTO --dport $PROTECTEDPORT -m state --state NEW -m recent --rcheck --seconds 60 --hitcount $BRUTEFORCE_PROTECTION_START --name $SERVICE -j LOG --log-prefix "BruteForce-${SERVICE} "
########################################
########################################
#Block URL on certain time for specified IP
#
#URL_STRING=facebook.com
#LOCAL_IP=192.168.1.188
#TIME_START=10:00
#TIME_END=16:00
#
#echo Blocking $URL_STRING from $LOCAL_IP at time interval $TIME_START - $TIME_END
#iptables -I FORWARD -s $LOCAL_IP -m string --string $URL_STRING --algo bm -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart $TIME_START --timestop $TIME_END -j DROP
########################################Firewall config:
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '9094'
option dest_port '21'
option name 'FTP-Forward'
option enabled '0'
option dest_ip '192.168.2.1'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '9095'
option dest_port '22'
option name 'SSH-Forward'
option dest_ip '192.168.2.1'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option dest_ip '192.168.2.166'
option src_dport '1977'
option name 'Goflex SSH-Forward'
option dest_port '22'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '2221'
option dest_ip '192.168.2.166'
option dest_port '21'
option name 'Goflex FTP-Forward'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '22'
option dest_port '22'
option name 'Tp-link SSH'
option dest_ip '192.168.2.1'
config redirect
option _name 'GOFlexNet TransmissionWeb'
option src 'wan'
option proto 'tcpudp'
option src_dport '9091'
option target 'DNAT'
option dest 'lan'
option dest_ip '192.168.2.166'
config redirect
option _name 'GoFlex Net Transmission'
option src 'wan'
option proto 'tcpudp'
option src_dport '21234'
option dest_ip '192.168.2.166'
option target 'DNAT'
option dest 'lan'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option dest_ip '192.168.2.134'
option dest_port '80'
option name 'Emeleti-Beltéri-80port'
option src_ip '46.251.11.217'
option src_dport '80'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option dest_ip '192.168.2.134'
option dest_port '21'
option name 'Emeleti-Beltéri-21port'
option src_ip '46.251.11.217'
option src_port '21'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option dest_ip '192.168.2.134'
option dest_port '23'
option src_ip '46.251.11.217'
option src_port '23'
option name 'Emeleti-Beltéri-23port'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option name 'FSZ'
option dest_ip '192.168.2.134'
option enabled '0'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wwan wan1 wan2'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option src 'lan'
option name 'Block-Internet-Access'
option src_ip '192.168.1.110'
option target 'DROP'
option dest 'wan'
option extra '-m time --localtz --weekdays Mon,Tue,Wed,Thu,Fri --timestart 10:00 --timestop 22:00'
option enabled '0'
config rule
option target 'ACCEPT'
option name 'Transmission-web'
option family 'ipv4'
option dest_port '9091'
option proto 'tcp'
option src '*'
option enabled '0'
config rule
option target 'ACCEPT'
option name 'Transmission'
option family 'ipv4'
option dest_port '21234'
option src 'wan'
config rule
option target 'ACCEPT'
option proto 'tcp'
option dest_port '443'
option family 'ipv4'
option name 'Luci-HTTPS'
option src 'wan'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '50000-50100'
option name 'FTP-WAN-Passive-Ports'
option family 'ipv4'
option enabled '0'
config rule
option name 'ssh_goflex_wan'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option dest_ip '192.168.2.166'
option dest_port '22'
option target 'ACCEPT'
config rule
option name 'ssh_goflex'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option dest_ip '192.168.2.166'
option dest_port '21'
option target 'ACCEPT'
config rule
option enabled '1'
option target 'ACCEPT'
option src 'lan'
option dest 'wan'
option name 'Huawei'
option dest_ip '192.168.1.1'Előre is köszönöm!
Új hozzászólás Aktív témák
- Marvel Snap
- Kerti grill és bográcsozó házilag (BBQ, tervek, ötletek, receptek)
- AMD K6-III, és minden ami RETRO - Oldschool tuning
- Azonnali informatikai kérdések órája
- Ukrajnai háború
- Intel Core i5 / i7 / i9 "Alder Lake-Raptor Lake/Refresh" (LGA1700)
- Tudományos Pandémia Klub
- Politika
- Samsung LCD és LED TV-k
- Bluetooth hangszórók
- További aktív témák...
Állásajánlatok
Cég: Ozeki Kft.
Város: Debrecen