Firewall
configuration
Edit /etc/rc.d/rc.local and add the following two lines so the firewall script is started at boot:
vi /etc/rc.d/rc.local
#Coming up firewall
/etc/rc.d/firewall.sh.ok
(On a systemd-based system like this one — it uses systemctl and firewalld — rc.local is only executed when it is itself executable; if it is not, run chmod +x /etc/rc.d/rc.local as well.)

Then create the script, make it executable and open it for editing:
touch /etc/rc.d/firewall.sh.ok
chmod 755 /etc/rc.d/firewall.sh.ok
vi /etc/rc.d/firewall.sh.ok
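#!/bin/bash
# Firewall for a two-interface router: WAN on enp3s0, LAN on enp5s0.
# Started from /etc/rc.d/rc.local at boot.
#
# Steps: stop firewalld (so it does not overwrite the rules below), flush
# every chain, set kernel networking parameters, set default-deny
# policies and then add the explicit allow rules.
#
# NOTE(review): "systemctl stop" is not persistent. If firewalld is still
# enabled it will start again on the next boot and replace this ruleset;
# `systemctl disable firewalld` is needed for the rules to survive reboots.

systemctl stop firewalld

INTERFAZ_WAN=enp3s0
WAN_IP=192.168.10.5
INTERFAZ_LAN=enp5s0
LAN_IP=192.168.1.5
LAN=192.168.1.0/24

# Flush all chains so the ruleset is rebuilt from scratch. Flushing does
# not reset chain policies; those are set explicitly further down.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle

# Kernel settings. Written straight to /proc, so they are not persistent
# by themselves; that is acceptable because this script runs at every boot.
# Enable IP forwarding between LAN and WAN.
echo "1" > /proc/sys/net/ipv4/ip_forward
# Enable SYN cookies (mitigates the common 'SYN flood' attack).
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Reverse-path source validation: drop packets whose source address is not
# reachable through the interface they arrived on (basic anti-spoofing).
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# NOTE(review): tcp_keepalive_intvl is the interval between keepalive
# probes; tcp_keepalive_time (idle time before the first probe) may have
# been intended here — confirm before relying on it.
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

# Connection-tracking helpers for FTP. Current kernels name these
# nf_conntrack_ftp / nf_nat_ftp; the legacy ip_conntrack_ftp / ip_nat_ftp
# names are not available, so the original modprobe failed silently.
/sbin/modprobe -a nf_conntrack_ftp nf_nat_ftp

# Default policies (iptables -P CHAIN TARGET): deny everything addressed to
# the firewall itself (INPUT) and everything routed through it (FORWARD)
# unless a rule below allows it. The original script only set INPUT to DROP
# while ip_forward was enabled, which left FORWARD at its default ACCEPT and
# routed all traffic between LAN and WAN unfiltered.
# To open the firewall temporarily while debugging, use: iptables -P INPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Loopback: match on the interface rather than on 127.0.0.1 so the whole
# 127.0.0.0/8 range is covered and traffic spoofing 127.0.0.1 on other
# interfaces is not accepted.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Replies to connections the firewall itself opened or already accepted
# (-m: load a match extension; here the connection-state match).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH to the WAN address of the firewall, rate limited with the 'recent'
# module: a source that opened an SSH connection within the last 60 s gets
# logged and dropped (the --update rule also refreshes its timestamp, so a
# source that keeps retrying stays blocked); otherwise the connection is
# accepted and the source is recorded.
# The original rules matched on "-i eth1", an interface that does not exist
# on this host (enp3s0/enp5s0), so they never matched and every SSH attempt
# from the WAN side was silently dropped by the INPUT policy.
iptables -A INPUT -i "$INTERFAZ_WAN" -d "$WAN_IP" -p tcp --dport 22 \
  -m recent --rcheck --seconds 60 --hitcount 1 --name SSH \
  -j LOG --log-level 7 --log-prefix "SSH: "
iptables -A INPUT -i "$INTERFAZ_WAN" -d "$WAN_IP" -p tcp --dport 22 \
  -m recent --update --seconds 60 --hitcount 1 --name SSH -j DROP
iptables -A INPUT -i "$INTERFAZ_WAN" -d "$WAN_IP" -p tcp --dport 22 \
  -m state --state NEW -m recent --set --name SSH -j ACCEPT

# Forwarding: LAN hosts may open connections towards the WAN, and only the
# replies to those connections are routed back. Unsolicited connections
# from the WAN into the LAN hit the FORWARD DROP policy.
# NOTE(review): no NAT rule is defined, so the upstream router on
# 192.168.10.0/24 must have a route back to $LAN, or a MASQUERADE rule in
# the nat table on $INTERFAZ_WAN is needed — confirm for your topology.
iptables -A FORWARD -i "$INTERFAZ_LAN" -s "$LAN" -o "$INTERFAZ_WAN" -j ACCEPT
iptables -A FORWARD -i "$INTERFAZ_WAN" -o "$INTERFAZ_LAN" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT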
Addresses used by the script: WAN 192.168.10.5 on enp3s0, LAN 192.168.1.5 on enp5s0 (LAN network 192.168.1.0/24).
Interface configuration: edit the two interface files
vi /etc/sysconfig/network-scripts/ifcfg-enp5s0
vi /etc/sysconfig/network-scripts/ifcfg-enp3s0
If the IP address is not displayed after editing a file, the interface has not been (re)activated with the new settings. Solution: bring it up explicitly, e.g.
ifup enp5s0
(and likewise ifup enp3s0 if the WAN interface shows the same symptom).