Ip-tables als Firewall auf Maschinenebene: Unterschied zwischen den Versionen

Aus Glaskugel
Zur Navigation springen Zur Suche springen
Keine Bearbeitungszusammenfassung
Keine Bearbeitungszusammenfassung
Zeile 13: Zeile 13:
:<code>cp /root/vorlage_iptables /etc/sysconfig/iptables</code>
:<code>cp /root/vorlage_iptables /etc/sysconfig/iptables</code>
:<code>service iptables start && service fail2ban start</code>
:<code>service iptables start && service fail2ban start</code>
==folgendes Regelwerk verwenden wir momentan (Stand 18.11.2019)==
<nowiki># Generated by iptables-save v1.4.21 on Wed Oct 23 09:41:57 2019</nowiki><br>
<nowiki>*nat</nowiki><br>
<nowiki>:PREROUTING ACCEPT [2152:124701]</nowiki><br>
<nowiki>:INPUT ACCEPT [1842:104693]</nowiki><br>
<nowiki>:OUTPUT ACCEPT [5477:335938]</nowiki><br>
<nowiki>:POSTROUTING ACCEPT [5477:335938]</nowiki><br>
COMMIT<br>
<nowiki># Completed on Wed Oct 23 09:41:57 2019</nowiki><br>
<nowiki># Generated by iptables-save v1.4.21 on Wed Oct 23 09:41:57 2019</nowiki><br>
<nowiki>*raw</nowiki><br>
<nowiki>:PREROUTING ACCEPT [129693:39002264]</nowiki><br>
<nowiki>:OUTPUT ACCEPT [122067:156550655]</nowiki><br>
COMMIT<br>
<nowiki># Completed on Wed Oct 23 09:41:57 2019</nowiki><br>
<nowiki># Generated by iptables-save v1.4.21 on Wed Oct 23 09:41:57 2019</nowiki><br>
<nowiki>*mangle</nowiki><br>
<nowiki>:PREROUTING ACCEPT [129693:39002264]</nowiki><br>
<nowiki>:INPUT ACCEPT [129693:39002264]</nowiki><br>
<nowiki>:FORWARD ACCEPT [0:0]</nowiki><br>
<nowiki>:OUTPUT ACCEPT [122067:156550655]</nowiki><br>
<nowiki>:POSTROUTING ACCEPT [122067:156550655]</nowiki><br>
COMMIT<br>
<nowiki># Completed on Wed Oct 23 09:41:57 2019</nowiki><br>
<nowiki># Generated by iptables-save v1.4.21 on Wed Oct 23 09:41:57 2019</nowiki><br>
<nowiki>*filter</nowiki><br>
<nowiki>:INPUT DROP [120:6624]</nowiki><br>
<nowiki>:FORWARD ACCEPT [0:0]</nowiki><br>
<nowiki>:OUTPUT ACCEPT [61788:68401442]</nowiki><br>
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Ping-Anfragen erlauben" -j ACCEPT<br>
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "bestehende Verbindungen" -j ACCEPT<br>
-A INPUT -s 127.0.0.1/32 -m comment --comment "localhost" -j ACCEPT<br>
-A INPUT -s 37.218.252.213/32 -m comment --comment "Eigene IP-Adresse" -j ACCEPT<br>
-A INPUT -s 89.22.107.170/32 -p tcp -m tcp --dport 10050 -m comment --comment "Zabbix-Server" -j ACCEPT<br>
-A INPUT -s 37.218.252.210/32 -p tcp -m tcp --dport 10050 -m comment --comment "Zabbix-Server" -j ACCEPT<br>
-A INPUT -s 195.110.43.163/32 -p tcp -m tcp --dport 4949 -m comment --comment "Munin-Server" -j ACCEPT<br>
-A INPUT -s 37.218.252.210/32 -p tcp -m tcp --dport 22 -m comment --comment "MGMT-SSH" -j ACCEPT<br>
-A INPUT -s 37.218.252.71/32 -p tcp -m tcp --dport 22 -m comment --comment "MGMT-SSH" -j ACCEPT<br>
-A INPUT -s 37.218.252.210/32 -p tcp -m multiport --dports 7080,7081 -m comment --comment "MGMT-Apache" -j ACCEPT<br>
-A INPUT -s 37.218.252.210/32 -p tcp -m tcp --dport 8447 -m comment --comment "Plesk-Installer" -j ACCEPT<br>
-A INPUT -p tcp -m multiport --dports 25,465,587,110,995,143,993 -m comment --comment "Mail-Services" -j ACCEPT<br>
-A INPUT -p tcp -m multiport --dports 80,443,8443 -m comment --comment "Web-Services" -j ACCEPT<br>
-A INPUT -p tcp -m multiport --dports 20,21,989,990,50000:50100 -m comment --comment "FTP-Services" -j ACCEPT<br>
-A INPUT -p tcp -m tcp --dport 3306 -m comment --comment "MySQL extern" -j ACCEPT<br>
COMMIT<br>
<nowiki># Completed on Wed Oct 23 09:41:57 2019</nowiki><br>
----

Version vom 18. November 2019, 15:36 Uhr

Das Regelwerk für die iptables ist bereits als Vorlage auf jedem Shared-Server angelegt.
(Ansonsten wie folgt aus unserem hauseigenen "Repo" zu beziehen: wget --user=Shopbenutzer12 --password='9k2aS2s' -P /root/ https://www.estugo.de/files/scripts/vorlage_iptables)

Um die Regeln nun auf einem anderen Server auszurollen, muss die Vorlage auf dem Zielsystem angepasst werden in (aktuell) Zeile 23
-A INPUT -s 37.218.252.213/32 -m comment --comment "Eigene IP-Adresse" -j ACCEPT
Hier muss selbstverständlich die korrekte IP-Adresse eingetragen werden.
mcedit /root/vorlage_iptables
Danach habe ich Folgende 4 Befehle nach einander durchgeführt, um die Regeln zu aktivieren
service fail2ban stop && service iptables stop
iptables -F
cp /root/vorlage_iptables /etc/sysconfig/iptables
service iptables start && service fail2ban start

folgendes Regelwerk verwenden wir momentan (Stand 18.11.2019)

# Generated by iptables-save v1.4.21 on Wed Oct 23 09:41:57 2019
*nat
:PREROUTING ACCEPT [2152:124701]
:INPUT ACCEPT [1842:104693]
:OUTPUT ACCEPT [5477:335938]
:POSTROUTING ACCEPT [5477:335938]
COMMIT
# Completed on Wed Oct 23 09:41:57 2019
# Generated by iptables-save v1.4.21 on Wed Oct 23 09:41:57 2019
*raw
:PREROUTING ACCEPT [129693:39002264]
:OUTPUT ACCEPT [122067:156550655]
COMMIT
# Completed on Wed Oct 23 09:41:57 2019
# Generated by iptables-save v1.4.21 on Wed Oct 23 09:41:57 2019
*mangle
:PREROUTING ACCEPT [129693:39002264]
:INPUT ACCEPT [129693:39002264]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [122067:156550655]
:POSTROUTING ACCEPT [122067:156550655]
COMMIT
# Completed on Wed Oct 23 09:41:57 2019
# Generated by iptables-save v1.4.21 on Wed Oct 23 09:41:57 2019
*filter
:INPUT DROP [120:6624]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [61788:68401442]
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Ping-Anfragen erlauben" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "bestehende Verbindungen" -j ACCEPT
-A INPUT -s 127.0.0.1/32 -m comment --comment "localhost" -j ACCEPT
-A INPUT -s 37.218.252.213/32 -m comment --comment "Eigene IP-Adresse" -j ACCEPT
-A INPUT -s 89.22.107.170/32 -p tcp -m tcp --dport 10050 -m comment --comment "Zabbix-Server" -j ACCEPT
-A INPUT -s 37.218.252.210/32 -p tcp -m tcp --dport 10050 -m comment --comment "Zabbix-Server" -j ACCEPT
-A INPUT -s 195.110.43.163/32 -p tcp -m tcp --dport 4949 -m comment --comment "Munin-Server" -j ACCEPT
-A INPUT -s 37.218.252.210/32 -p tcp -m tcp --dport 22 -m comment --comment "MGMT-SSH" -j ACCEPT
-A INPUT -s 37.218.252.71/32 -p tcp -m tcp --dport 22 -m comment --comment "MGMT-SSH" -j ACCEPT
-A INPUT -s 37.218.252.210/32 -p tcp -m multiport --dports 7080,7081 -m comment --comment "MGMT-Apache" -j ACCEPT
-A INPUT -s 37.218.252.210/32 -p tcp -m tcp --dport 8447 -m comment --comment "Plesk-Installer" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587,110,995,143,993 -m comment --comment "Mail-Services" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,8443 -m comment --comment "Web-Services" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,989,990,50000:50100 -m comment --comment "FTP-Services" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -m comment --comment "MySQL extern" -j ACCEPT
COMMIT
# Completed on Wed Oct 23 09:41:57 2019

Abgerufen von „https://wissen.hostingprimus.com/index.php?title=Ip-tables_als_Firewall_auf_Maschinenebene&oldid=1028