
История изменений

Исправление mrmilesprower, (текущая версия) :

Не работает разметка для спойлера, поэтому выложил на pastebin. https://pastebin.com/Ezfe70X6

Исправление mrmilesprower, :

# Generated by iptables-save v1.6.1 on Thu Dec 9 18:36:40 2021

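# nat table: source-NAT (masquerade) for the VPN client subnet when it leaves
# through the public interface ens3. Restored to one entry per line with the
# original counters; the page had the whole table collapsed onto a single line,
# which iptables-restore would reject.
*nat
:PREROUTING ACCEPT [80373:4180330]
:INPUT ACCEPT [33878:1967818]
:OUTPUT ACCEPT [9376:687201]
:POSTROUTING ACCEPT [9376:687201]
# 10.8.0.0/24 is presumably the tun0 client subnet (not shown on this page) —
# confirm against the VPN server config. Only that source is masqueraded, so
# nothing else behind the host is NATed out of ens3.
-A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
COMMIT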

# Completed on Thu Dec 9 18:36:40 2021

# Generated by iptables-save v1.6.1 on Thu Dec 9 18:36:40 2021

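# filter table, ufw-managed layout plus a few hand-placed rules at the top of
# INPUT and FORWARD. Restored from the forum rendering: option dashes had been
# turned into en-dashes ("–dport") and the comment quotes into « », and all
# rules were collapsed onto a few lines — none of which iptables-restore loads.
*filter
:INPUT DROP [3793:185501]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:120]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
# The next two INPUT rules sit in front of every ufw chain, so they are not
# subject to ufw's conntrack/INVALID handling or logging. The tun0 rule accepts
# *everything* from VPN clients, including services that are not opened below.
# NOTE(review): these are not in ufw's own layout — presumably added by hand or
# by the VPN setup; confirm they survive `ufw reload`.
-A INPUT -i ens3 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
# FORWARD: tun0->ens3 is the expected VPN egress path. The ens3->tun0 rule is
# evaluated before ufw-before-forward's RELATED,ESTABLISHED rule, so it forwards
# any packet arriving on ens3 toward the tunnel, not only replies. If VPN clients
# should not be reachable from outside, add `-m conntrack --ctstate RELATED,ESTABLISHED`
# to that rule (or drop it and rely on ufw-before-forward).
-A FORWARD -i tun0 -o ens3 -j ACCEPT
-A FORWARD -i ens3 -o tun0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
# ufw-after-input: quietly apply the chain policy (DROP, see ufw-skip-to-policy-input)
# to NetBIOS/SMB, DHCP and broadcast noise so it does not flood the log.
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
# Rate-limited logging of whatever falls through to the DROP policies.
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
# ufw-before-input: loopback, established/related, INVALID -> log+drop, basic
# ICMP, DHCP replies, multicast mDNS/SSDP, then the user rules.
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
# ufw-user-input: every rule below accepts from ANY source (no -s). The entries
# with an app-profile comment are the intended public services; the ones without
# a comment (6379, 5432, 9980, 3443) look like raw `ufw allow <port>` additions.
# NOTE(review): 6379 and 5432 are the conventional Redis and PostgreSQL ports —
# if those services are meant for local/VPN clients only, restrict them with
# `-s 10.8.0.0/24` (or bind them to localhost/tun0) instead of exposing them
# on ens3. The UDP twins of TCP-only services (5432, 9980, 3443, 9100, 3000-4000)
# presumably come from `ufw allow <port>` defaulting to both protocols.
-A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "'dapp_OpenSSH'" -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 80,443 -m comment --comment "'dapp_apache2'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 6379 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 3478,3479,5349,5350,49152:65535 -m comment --comment "'dapp_Turnserver'" -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 3478,3479,5349,5350,49152:65535 -m comment --comment "'dapp_Turnserver'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 5432 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 5432 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 3000,3001,4000 -m comment --comment "'dapp_NodeJS'" -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 3000,3001,4000 -m comment --comment "'dapp_NodeJS'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 9100 -m comment --comment "'dapp_TorServer'" -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9100 -m comment --comment "'dapp_TorServer'" -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 1883,5222,5269,5280,5443 -m comment --comment "'dapp_ejabberd'" -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 1883,5222,5269,5280,5443 -m comment --comment "'dapp_ejabberd'" -j ACCEPT
# udp/1194 is already accepted by the hand-placed INPUT rule above; this pair is redundant but harmless.
-A ufw-user-input -p tcp -m tcp --dport 1194 -m comment --comment "'dapp_ovpn'" -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 1194 -m comment --comment "'dapp_ovpn'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 9980 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9980 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 3443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 3443 -j ACCEPT
# ufw-user-limit / ufw-user-limit-accept are declared but nothing jumps to them
# (no `ufw limit` rule is present), so the rate-limit path is currently unused.
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT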

# Completed on Thu Dec 9 18:36:40 2021

Исходная версия mrmilesprower, :

[cut]

# Generated by iptables-save v1.6.1 on Thu Dec 9 18:36:40 2021

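# nat table: source-NAT (masquerade) for the VPN client subnet when it leaves
# through the public interface ens3. Restored to one entry per line with the
# original counters; the page had the whole table collapsed onto a single line,
# which iptables-restore would reject.
*nat
:PREROUTING ACCEPT [80373:4180330]
:INPUT ACCEPT [33878:1967818]
:OUTPUT ACCEPT [9376:687201]
:POSTROUTING ACCEPT [9376:687201]
# 10.8.0.0/24 is presumably the tun0 client subnet (not shown on this page) —
# confirm against the VPN server config. Only that source is masqueraded, so
# nothing else behind the host is NATed out of ens3.
-A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
COMMIT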

# Completed on Thu Dec 9 18:36:40 2021

# Generated by iptables-save v1.6.1 on Thu Dec 9 18:36:40 2021

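# filter table, ufw-managed layout plus a few hand-placed rules at the top of
# INPUT and FORWARD. Restored from the forum rendering: option dashes had been
# turned into en-dashes ("–dport") and the comment quotes into « », and all
# rules were collapsed onto a few lines — none of which iptables-restore loads.
*filter
:INPUT DROP [3793:185501]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:120]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
# The next two INPUT rules sit in front of every ufw chain, so they are not
# subject to ufw's conntrack/INVALID handling or logging. The tun0 rule accepts
# *everything* from VPN clients, including services that are not opened below.
# NOTE(review): these are not in ufw's own layout — presumably added by hand or
# by the VPN setup; confirm they survive `ufw reload`.
-A INPUT -i ens3 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
# FORWARD: tun0->ens3 is the expected VPN egress path. The ens3->tun0 rule is
# evaluated before ufw-before-forward's RELATED,ESTABLISHED rule, so it forwards
# any packet arriving on ens3 toward the tunnel, not only replies. If VPN clients
# should not be reachable from outside, add `-m conntrack --ctstate RELATED,ESTABLISHED`
# to that rule (or drop it and rely on ufw-before-forward).
-A FORWARD -i tun0 -o ens3 -j ACCEPT
-A FORWARD -i ens3 -o tun0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
# ufw-after-input: quietly apply the chain policy (DROP, see ufw-skip-to-policy-input)
# to NetBIOS/SMB, DHCP and broadcast noise so it does not flood the log.
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
# Rate-limited logging of whatever falls through to the DROP policies.
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
# ufw-before-input: loopback, established/related, INVALID -> log+drop, basic
# ICMP, DHCP replies, multicast mDNS/SSDP, then the user rules.
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
# ufw-user-input: every rule below accepts from ANY source (no -s). The entries
# with an app-profile comment are the intended public services; the ones without
# a comment (6379, 5432, 9980, 3443) look like raw `ufw allow <port>` additions.
# NOTE(review): 6379 and 5432 are the conventional Redis and PostgreSQL ports —
# if those services are meant for local/VPN clients only, restrict them with
# `-s 10.8.0.0/24` (or bind them to localhost/tun0) instead of exposing them
# on ens3. The UDP twins of TCP-only services (5432, 9980, 3443, 9100, 3000-4000)
# presumably come from `ufw allow <port>` defaulting to both protocols.
-A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "'dapp_OpenSSH'" -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 80,443 -m comment --comment "'dapp_apache2'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 6379 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 3478,3479,5349,5350,49152:65535 -m comment --comment "'dapp_Turnserver'" -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 3478,3479,5349,5350,49152:65535 -m comment --comment "'dapp_Turnserver'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 5432 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 5432 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 3000,3001,4000 -m comment --comment "'dapp_NodeJS'" -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 3000,3001,4000 -m comment --comment "'dapp_NodeJS'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 9100 -m comment --comment "'dapp_TorServer'" -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9100 -m comment --comment "'dapp_TorServer'" -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 1883,5222,5269,5280,5443 -m comment --comment "'dapp_ejabberd'" -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 1883,5222,5269,5280,5443 -m comment --comment "'dapp_ejabberd'" -j ACCEPT
# udp/1194 is already accepted by the hand-placed INPUT rule above; this pair is redundant but harmless.
-A ufw-user-input -p tcp -m tcp --dport 1194 -m comment --comment "'dapp_ovpn'" -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 1194 -m comment --comment "'dapp_ovpn'" -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 9980 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 9980 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 3443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 3443 -j ACCEPT
# ufw-user-limit / ufw-user-limit-accept are declared but nothing jumps to them
# (no `ufw limit` rule is present), so the rate-limit path is currently unused.
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT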

# Completed on Thu Dec 9 18:36:40 2021

[/cut]