\u0417\u0434\u0435\u0441\u044c \u044f \u043d\u0435 \u0441\u0442\u0430\u043d\u0443 \u0440\u0430\u0441\u0441\u043c\u0430\u0442\u0440\u0438\u0432\u0430\u0442\u044c \u043e\u0431\u0449\u0438\u0439 \u043f\u0440\u0438\u043d\u0446\u0438\u043f, \u0442.\u043a. \u044d\u0442\u043e \u0442\u0435\u043c\u0430 \u043e\u0447\u0435\u043d\u044c \u043e\u0431\u0448\u0438\u0440\u043d\u0430\u044f, \u0430 \u0432\u044b\u043b\u043e\u0436\u0443 \u043b\u0438\u0448\u044c \u0443\u0436\u0435 \u0433\u043e\u0442\u043e\u0432\u044b\u0435 \u0441\u043a\u0440\u0438\u043f\u0442\u044b \u0434\u043b\u044f \u0440\u0430\u0437\u043d\u044b\u0445 \u0441\u0438\u0442\u0443\u0430\u0446\u0438\u0439.<\/p>\n\n\n\n
\u0418 \u0442\u0430\u043a \u0434\u043b\u044f \u043d\u0430\u0447\u0430\u043b\u0430 \u0432\u0441\u0435 \u0442\u0430\u043a\u0438 \u0432\u043a\u043b\u044e\u0447\u0438\u043c \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u0444\u043e\u0440\u0432\u0430\u0434\u0438\u043d\u0433\u0430 \u0442\u0440\u0430\u0444\u0438\u043a\u0430 \u0447\u0435\u0440\u0435\u0437 \u043c\u0430\u0448\u0438\u043d\u043a\u0443 \u043d\u0430 linux:<\/p>\n\n\n\n
sudo sed -i \u2018\/#net.ipv4.ip_forward=1\/s\/#net.ipv4.ip_forward=1\/net.ipv4.ip_forward=1\/g\u2019 \/etc\/sysctl.conf<\/p>\n\n\n\n
\u043f\u043e\u0441\u043b\u0435 \u044d\u0442\u043e\u0433\u043e \u043d\u0443\u0436\u043d\u043e \u043f\u0435\u0440\u0435\u0437\u0430\u0433\u0440\u0443\u0437\u0438\u0442\u044c \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440.<\/p>\n\n\n\n
\u0421\u043a\u0440\u0438\u043f\u0442 \u043e\u0447\u0438\u0441\u0442\u043a\u0438 \u0444\u0430\u0439\u0435\u0440\u0432\u043e\u043b\u0430:<\/p>\n\n\n\n
!\/bin\/bash
# \u0423\u0434\u0430\u043b\u044f\u0435\u043c \u0432\u0441\u0435 \u043f\u0440\u0430\u0432\u0438\u043b\u0430
sudo iptables -F
sudo iptables —flush
sudo iptables —table nat —flush
sudo iptables —delete-chain
sudo iptables —table nat —delete-chain
# \u041e\u0442\u043a\u0440\u044b\u0432\u0430\u0435\u043c \u0432\u0441\u0435
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
# \u0412\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u043c \u0432 \u0430\u0432\u0442\u043e\u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0443
sudo echo «#! \/sbin\/iptables-restore» > \/etc\/network\/if-up.d\/iptables-rules
sudo iptables-save >> \/etc\/network\/if-up.d\/iptables-rules
sudo chmod +x \/etc\/network\/if-up.d\/iptables-rules<\/p>\n\n\n\n
\u0421\u043a\u0440\u0438\u043f\u0442 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0438 \u0444\u0430\u0439\u0435\u0440\u0432\u043e\u043b\u0430 \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0447\u0435\u0439 \u0441\u0442\u0430\u043d\u0446\u0438\u0438:<\/p>\n\n\n\n
!\/bin\/bash
# \u0423\u0434\u0430\u043b\u044f\u0435\u043c \u0432\u0441\u0435 \u043f\u0440\u0430\u0432\u0438\u043b\u0430
sudo iptables -F
sudo iptables —flush
sudo iptables —table nat —flush
sudo iptables —delete-chain
sudo iptables —table nat —delete-chain
# \u0421\u043d\u0430\u0447\u0430\u043b\u0430 \u0432\u0441\u0435 \u0437\u0430\u043a\u0440\u044b\u0432\u0430\u0435\u043c
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP
# \u0440\u0430\u0437\u0440\u0435\u0448\u0438\u043c \u043f\u0435\u0440\u0435\u0434\u0430\u0447\u0443 \u043f\u0430\u043a\u0435\u0442\u043e\u0432 \u0447\u0435\u0440\u0435\u0437 \u0432\u0445\u043e\u0434\u044f\u0449\u0438\u0439 \u043f\u0435\u0442\u043b\u0435\u0432\u043e\u0439 \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441 \u0438 \u0438\u0441\u0445\u043e\u0434\u044f\u0449\u0438\u0439 \u043f\u0435\u0442\u043b\u0435\u0432\u043e\u0439 \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441 \u0432 \u0442\u0430\u0431\u043b\u0438\u0446\u0430\u0445 INPUT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
# \u0440\u0430\u0437\u0440\u0435\u0448\u0438\u0442\u044c \u0440\u0430\u0431\u043e\u0442\u0443 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0430 ICMP
sudo iptables -A INPUT -p icmp —icmp-type 0 -j ACCEPT
sudo iptables -A INPUT -p icmp —icmp-type 8 -j ACCEPT
sudo iptables -A OUTPUT -p icmp -j ACCEPT
# \u0440\u0430\u0437\u0440\u0435\u0448\u0430\u044e\u0449\u0435\u0439 \u0432\u0441\u0435 \u0438\u0441\u0445\u043e\u043b\u044f\u0449\u0438\u0435 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u044f
sudo iptables -P OUTPUT ACCEPT
# \u0440\u0430\u0437\u0440\u0435\u0448\u0438\u0442\u044c \u043f\u043e\u043f\u0430\u0434\u0430\u043d\u0438\u0435 \u043d\u0430 \u043d\u0430\u0448 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440 \u0442\u043e\u043b\u044c\u043a\u043e \u0442\u0435\u0445 TCP- \u0438 UDP-\u043f\u0430\u043a\u0435\u0442\u043e\u0432, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0431\u044b\u043b\u0438 \u0437\u0430\u043f\u0440\u043e\u0448\u0435\u043d\u044b \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u044b\u043c\u0438 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438
sudo iptables -A INPUT -p TCP -m state —state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p UDP -m state —state ESTABLISHED,RELATED -j ACCEPT
# \u041c\u043e\u0434\u0443\u043b\u0438 iptables MicrosoftVPN \u043d\u0443\u0436\u043d\u044b \u0434\u043b\u044f \u0437\u0430\u043f\u0443\u0441\u043a\u0430 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0430 gre, \u0430 \u0442\u0430\u043a \u0436\u0435 \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_gre
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp
# \u0422\u0435\u043f\u0435\u0440\u044c \u043e\u0442\u043a\u0440\u044b\u0432\u0430\u0435\u043c \u043f\u043e\u0440\u0442\u044b \u0434\u043b\u044f \u043d\u0430\u0448\u0438\u0445 \u0441\u0435\u0440\u0432\u0435\u0440\u043d\u044b\u0445 \u0444\u0443\u043d\u043a\u0446\u0438\u0439, \u043f\u0440\u0438\u0447\u0435\u043c \u0441 \u0437\u0430\u0449\u0438\u0442\u043e\u0439 \u043e\u0442 \u043f\u0435\u0440\u0435\u0431\u043e\u0440\u0430
# \u0414\u043b\u044f DNS, \u0435\u0441\u043b\u0438 \u043d\u0443\u0436\u043d\u043e
# \u0437\u0434\u0435\u0441\u044c \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u044f \u0441\u0435\u0442\u044c \u043a\u043e\u043c\u043f\u0430\u043d\u0438\u0438 192.168.1.0\/24
# sudo iptables -A INPUT —protocol udp —dport 53 —match state —state NEW —match string —algo kmp —hex-string «|00 00 02 00 01|» —from 40 —to 45 —match recent —name DNST —update —seconds 600 —jump DROP
# sudo iptables -A INPUT —protocol udp —dport 53 —match state —state NEW —match string —algo kmp —hex-string «|00 00 02 00 01|» —from 40 —to 45 —match recent —name DNST —set —jump ACCEPT
# sudo iptables -A INPUT -p udp —dport 53 -j ACCEPT
# sudo iptables -A OUTPUT -p udp —sport 53 -j ACCEPT
# \u0414\u043b\u044f \u043d\u0430\u0448\u0435\u0433\u043e RDP
sudo iptables -N RDP
sudo iptables -A INPUT -p tcp —dport 4319 -j RDP
sudo iptables -A OUTPUT -p tcp —sport 4319 -j RDP
sudo iptables -A RDP -m state —state NEW -m recent —set —name RDPH —rsource
# sudo iptables -A RDP -m recent —update —seconds 300 —hitcount 2 —name RDPH —rsource -j LOG —log-prefix «Anti RDPH-Bruteforce: » —log-level 6
sudo iptables -A RDP -m recent —update —seconds 60 —hitcount 2 —name RDPH —rsource -j DROP
sudo iptables -A RDP -j ACCEPT
# \u0414\u043b\u044f \u043d\u0430\u0448\u0435\u0433\u043e SSH
sudo iptables -N SSH
sudo iptables -A INPUT -p tcp —dport 4318 -j SSH
sudo iptables -A OUTPUT -p tcp —sport 4318 -j SSH
sudo iptables -A SSH -m state —state NEW -m recent —set —name SSHH —rsource
# sudo iptables -A SSH -m recent —update —seconds 300 —hitcount 2 —name SSHH —rsource -j LOG —log-prefix «Anti SSHH-Bruteforce: » —log-level 6
sudo iptables -A SSH -m recent —update —seconds 60 —hitcount 2 —name SSHH —rsource -j DROP
sudo iptables -A SSH -j ACCEPT
# \u0414\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u043f\u043e\u0447\u0442\u044b \u043e\u0442\u043a\u0440\u044b\u0442\u044c \u043f\u043e\u0440\u0442\u044b
# SMTP
# sudo iptables -A INPUT -p tcp —dport 25 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 25 -j ACCEPT
# SSMTP
# sudo iptables -A INPUT -p tcp —dport 465 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 465 -j ACCEPT
# SMTP Submission
# sudo iptables -A INPUT -p tcp —dport 587 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 587 -j ACCEPT
# POP3
# sudo iptables -A INPUT -p tcp —dport 110 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 110 -j ACCEPT
# SPOP3
# sudo iptables -A INPUT -p tcp —dport 995 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 995 -j ACCEPT
# IMAP
# sudo iptables -A INPUT -p tcp —dport 143 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 143 -j ACCEPT
# SIMAP
# sudo iptables -A INPUT -p tcp —dport 993 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 993 -j ACCEPT
# HTTP
# sudo iptables -A INPUT -p tcp —dport 80 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 80 -j ACCEPT
# sudo iptables -A INPUT -p tcp —dport 8800 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 8800 -j ACCEPTT
# SHTTP
# sudo iptables -A INPUT -p tcp —dport 443 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 443 -j ACCEPT
# sudo iptables -A INPUT -p tcp —dport 8843 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 8843 -j ACCEPT
# \u0414\u043b\u044f VPN
# OpenVPN
# sudo iptables -A INPUT -p udp —dport 1194 -j ACCEPT
# sudo iptables -A OUTPUT -p udp —sport 1194 -j ACCEPT
# KerioVPN
# sudo iptables -A INPUT -p tcp —dport 4090 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 4090 -j ACCEPT
# sudo iptables -A INPUT -p udp —dport 4090 -j ACCEPT
# sudo iptables -A OUTPUT -p udp —sport 4090 -j ACCEPT
# Microsoft VPN
# sudo iptables -A INPUT -p tcp —dport 1723 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 1723 -j ACCEPT
# sudo iptables -A INPUT -p tcp —dport 3522 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 3522 -j ACCEPT
# sudo iptables -A INPUT -p 41 -j ACCEPT
# sudo iptables -A INPUT -p gre -j ACCEPT
# \u043e\u0442\u043a\u0440\u044b\u0442\u044c \u043f\u043e\u0440\u0442 \u0434\u043b\u044f SQL
# sudo iptables -A INPUT -p tcp —dport 1433 -j ACCEPT
# sudo iptables -A OUTPUT -p tcp —sport 1433 -j ACCEPT
# \u0412\u043a\u043b\u044e\u0447\u0430\u0435\u043c \u0437\u0430\u0449\u0438\u0442\u0443 \u043e\u0442 \u043f\u0435\u0440\u0435\u0431\u043e\u0440\u0430 \u043e\u0442\u043a\u0440\u044b\u0442\u044b\u0445 \u043f\u043e\u0440\u0442\u043e\u0432
# sudo iptables -A INPUT -p tcp -m tcp -j DROP
# \u0412\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u043c \u0432 \u0430\u0432\u0442\u043e\u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0443
sudo echo «#! \/sbin\/iptables-restore» > \/etc\/network\/if-up.d\/iptables-rules
sudo iptables-save >> \/etc\/network\/if-up.d\/iptables-rules
sudo chmod +x \/etc\/network\/if-up.d\/iptables-rules<\/p>\n\n\n\n
\u0412 \u044d\u0442\u043e\u043c \u0441\u043a\u0440\u0438\u043f\u0442\u0435 \u043c\u043d\u043e\u0433\u043e \u043f\u0440\u043e \u0437\u0430\u043f\u0430\u0441, \u0447\u0442\u043e \u0431\u044b \u0440\u0430\u0431\u043e\u0442\u0430\u043b\u0438 \u0438 \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0441\u0435\u0440\u0432\u0435\u0440\u043d\u044b\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u0438, \u0435\u0441\u043b\u0438 \u044d\u0442\u043e \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e, \u0442\u043e \u043d\u0443\u0436\u043d\u043e \u0440\u0430\u0441\u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u043d\u0443\u0436\u043d\u043e\u0435. \u0417\u0430\u043f\u0443\u0441\u043a\u0430\u0442\u044c \u043b\u0443\u0447\u0448\u0435 \u0432\u0441\u0435-\u0442\u0430\u043a \u043e\u0442 root-\u0430.<\/p>\n\n\n\n
\u0421\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439 \u0441\u043a\u0440\u0438\u043f\u0442 \u0434\u043b\u044f \u0440\u0430\u0437\u0434\u0430\u0447\u0438 \u0438\u043d\u0442\u0435\u0440\u043d\u0435\u0442\u0430 \u0432 \u0441\u0435\u0442\u0438:<\/p>\n\n\n\n
!\/bin\/bash
# \u041f\u0443\u0441\u0442\u044c eth1 (192.168.1.1\/24) \u044d\u0442\u043e \u0441\u0435\u0442\u044c \u0438\u043d\u0442\u0435\u0440\u043d\u0435\u0442\u0430, eth0 (10.41.0.1\/24) \u044d\u0442\u043e \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u0430\u044f \u0441\u0435\u0442\u044c
# \u0423\u0434\u0430\u043b\u044f\u0435\u043c \u0432\u0441\u0435 \u043f\u0440\u0430\u0432\u0438\u043b\u0430
sudo iptables -F
sudo iptables —flush
sudo iptables —table nat —flush
sudo iptables —delete-chain
sudo iptables —table nat —delete-chain
# \u0421\u043d\u0430\u0447\u0430\u043b\u0430 \u0432\u0441\u0435 \u0437\u0430\u043a\u0440\u044b\u0432\u0430\u0435\u043c
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP
# \u0440\u0430\u0437\u0440\u0435\u0448\u0438\u043c \u043f\u0435\u0440\u0435\u0434\u0430\u0447\u0443 \u043f\u0430\u043a\u0435\u0442\u043e\u0432 \u0447\u0435\u0440\u0435\u0437 \u0432\u0445\u043e\u0434\u044f\u0449\u0438\u0439 \u043f\u0435\u0442\u043b\u0435\u0432\u043e\u0439 \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441 \u0438 \u0438\u0441\u0445\u043e\u0434\u044f\u0449\u0438\u0439 \u043f\u0435\u0442\u043b\u0435\u0432\u043e\u0439 \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441 \u0432 \u0442\u0430\u0431\u043b\u0438\u0446\u0430\u0445 INPUT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
# \u0440\u0430\u0437\u0440\u0435\u0448\u0438\u0442\u044c \u0440\u0430\u0431\u043e\u0442\u0443 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0430 ICMP
sudo iptables -A INPUT -p icmp —icmp-type 0 -j ACCEPT
sudo iptables -A INPUT -p icmp —icmp-type 8 -j ACCEPT
sudo iptables -A OUTPUT -p icmp -j ACCEPT
# \u0440\u0430\u0437\u0440\u0435\u0448\u0430\u044e\u0449\u0435\u0439 \u0432\u0441\u0435 \u0438\u0441\u0445\u043e\u043b\u044f\u0449\u0438\u0435 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u044f
sudo iptables -P OUTPUT ACCEPT
# \u0440\u0430\u0437\u0440\u0435\u0448\u0438\u0442\u044c \u043f\u043e\u043f\u0430\u0434\u0430\u043d\u0438\u0435 \u043d\u0430 \u043d\u0430\u0448 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440 \u0442\u043e\u043b\u044c\u043a\u043e \u0442\u0435\u0445 TCP- \u0438 UDP-\u043f\u0430\u043a\u0435\u0442\u043e\u0432, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0431\u044b\u043b\u0438 \u0437\u0430\u043f\u0440\u043e\u0448\u0435\u043d\u044b \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u044b\u043c\u0438 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438
sudo iptables -A INPUT -p TCP -m state —state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p UDP -m state —state ESTABLISHED,RELATED -j ACCEPT
# \u0422\u0435\u043f\u0435\u0440\u044c \u043e\u0442\u043a\u0440\u044b\u0432\u0430\u0435\u043c \u043f\u043e\u0440\u0442\u044b \u0434\u043b\u044f \u043d\u0430\u0448\u0438\u0445 \u0441\u0435\u0440\u0432\u0435\u0440\u043d\u044b\u0445 \u0444\u0443\u043d\u043a\u0446\u0438\u0439, \u043f\u0440\u0438\u0447\u0435\u043c \u0441 \u0437\u0430\u0449\u0438\u0442\u043e\u0439 \u043e\u0442 \u043f\u0435\u0440\u0435\u0431\u043e\u0440\u0430
# \u0414\u043b\u044f DNS, \u0435\u0441\u043b\u0438 \u043d\u0443\u0436\u043d\u043e
# sudo iptables -A INPUT —protocol udp —dport 53 —match state —state NEW —match string —algo kmp —hex-string «|00 00 02 00 01|» —from 40 —to 45 —match recent —name DNST —update —seconds 600 —jump DROP
# sudo iptables -A INPUT —protocol udp —dport 53 —match state —state NEW —match string —algo kmp —hex-string «|00 00 02 00 01|» —from 40 —to 45 —match recent —name DNST —set —jump ACCEPT
# sudo iptables -A INPUT -p udp —dport 53 -j ACCEPT
# sudo iptables -A OUTPUT -p udp —sport 53 -j ACCEPT
# \u0414\u043b\u044f \u043c\u043e\u0435\u0433\u043e RDP
sudo iptables -N RDP
sudo iptables -A INPUT -p tcp —dport 4319 -j RDP
sudo iptables -A OUTPUT -p tcp —sport 4319 -j RDP
sudo iptables -A RDP -m state —state NEW -m recent —set —name RDPH —rsource
# sudo iptables -A RDP -m recent —update —seconds 300 —hitcount 2 —name RDPH —rsource -j LOG —log-prefix «Anti RDPH-Bruteforce: » —log-level 6
sudo iptables -A RDP -m recent —update —seconds 60 —hitcount 2 —name RDPH —rsource -j DROP
sudo iptables -A RDP -j ACCEPT
# \u0414\u043b\u044f \u043c\u043e\u0435\u0433\u043e SSH
sudo iptables -N SSH
sudo iptables -A INPUT -p tcp —dport 4318 -j SSH
sudo iptables -A OUTPUT -p tcp —sport 4318 -j SSH
sudo iptables -A SSH -m state —state NEW -m recent —set —name SSHH —rsource
# sudo iptables -A SSH -m recent —update —seconds 300 —hitcount 2 —name SSHH —rsource -j LOG —log-prefix «Anti SSHH-Bruteforce: » —log-level 6
sudo iptables -A SSH -m recent —update —seconds 60 —hitcount 2 —name SSHH —rsource -j DROP
sudo iptables -A SSH -j ACCEPT
# \u041c\u043e\u0434\u0443\u043b\u0438 iptables MicrosoftVPN \u043d\u0443\u0436\u043d\u044b \u0434\u043b\u044f \u0437\u0430\u043f\u0443\u0441\u043a\u0430 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0430 gre, \u0430 \u0442\u0430\u043a \u0436\u0435 \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_gre
modprobe ip_conntrack_pptp
modprobe ip_nat_pptp
# \u0412\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435 NAT
# \u0440\u0430\u0437\u0440\u0435\u0448\u0430\u0435\u043c \u0443\u0436\u0435 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044b\u0435 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u044f \u0432 \u0446\u0435\u043f\u043e\u0447\u043a\u0435 FORWARD, \u0442\u0430\u0431\u043b\u0438\u0446\u0435 filter
sudo iptables -A FORWARD -m conntrack —ctstate ESTABLISHED,RELATED -j ACCEPT
# \u0440\u0430\u0437\u0440\u0435\u0448\u0430\u0435\u043c \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0442\u044c \u043d\u043e\u0432\u044b\u0435 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u044f \u0432 \u0446\u0435\u043f\u043e\u0447\u043a\u0435 FORWARD, \u0442\u0430\u0431\u043b\u0438\u0446\u0435 filter
sudo iptables -A FORWARD -m conntrack —ctstate NEW -i eth0 -j ACCEPT
# \u0412\u0441\u0435 \u043e\u0441\u0442\u0430\u043b\u044c\u043d\u044b\u0435 \u043f\u0430\u043a\u0435\u0442\u044b, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043f\u0440\u043e\u0445\u043e\u0434\u044f\u0442 \u0447\u0435\u0440\u0435\u0437 \u0446\u0435\u043f\u043e\u0447\u043a\u0443 FORWARD — \u043e\u0442\u0431\u0440\u0430\u0441\u044b\u0432\u0430\u0442\u044c
sudo iptables -P FORWARD DROP
# \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u043c \u043c\u0430\u0441\u043a\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 (\u043f\u043e\u0434\u043c\u0435\u043d\u0443 \u0430\u0434\u0440\u0435\u0441\u0430 \u043e\u0442\u043f\u0440\u0430\u0432\u0438\u0442\u0435\u043b\u044f \u043f\u0430\u043a\u0435\u0442\u0430 \u0432 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430\u0445) \u0432\u0441\u0435\u0445 \u043f\u0430\u043a\u0435\u0442\u043e\u0432, \u0438\u0441\u0445\u043e\u0434\u044f\u0449\u0438\u0445 \u0441 \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 eth0
sudo iptables -t nat -A POSTROUTING -o eth1 -s 10.41.0.0\/24 -j MASQUERADE
# \u0417\u0430\u043f\u0440\u0435\u0449\u0430\u0435\u043c \u0434\u043e\u0441\u0442\u0443\u043f \u0441\u043d\u0430\u0440\u0443\u0436\u0438 \u0432\u043e \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u044e\u044e \u0441\u0435\u0442\u044c
iptables -A FORWARD -i eth1 -o eth1 -j REJECT
# \u041f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u043c DNS
sudo iptables -t nat -A PREROUTING -p udp —in-interface eth1 —dport 53 -j DNAT —to-destination 10.41.0.13
sudo iptables -t nat -A POSTROUTING -p udp —dst 10.41.0.13 —dport 53 -j SNAT —to-source 192.168.1.1
sudo iptables -A FORWARD -i eth1 -p udp -d 10.41.0.13 —dport 53 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp —in-interface eth1 —dport 53 -j DNAT —to-destination 10.41.0.13
sudo iptables -t nat -A POSTROUTING -p tcp —dst 10.41.0.13 —dport 53 -j SNAT —to-source 192.168.1.1
sudo iptables -A FORWARD -i eth1 -p tcp -d 10.41.0.13 —dport 53 -j ACCEPT
# \u0414\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u043f\u043e\u0447\u0442\u044b \u043e\u0442\u043a\u0440\u044b\u0442\u044c \u043f\u043e\u0440\u0442\u044b
# SMTP
sudo iptables -t nat -A PREROUTING -p tcp —in-interface eth1 —dport 25 -j DNAT —to-destination 10.41.0.2
sudo iptables -t nat -A POSTROUTING -p tcp —dst 10.41.0.2 —dport 25 -j SNAT —to-source 192.168.1.1
sudo iptables -A FORWARD -i eth1 -p tcp -d 10.41.0.2 —dport 25 -j ACCEPT
# SSMTP
sudo iptables -t nat -A PREROUTING -p tcp —in-interface eth1 —dport 465 -j DNAT —to-destination 10.41.0.2
sudo iptables -t nat -A POSTROUTING -p tcp —dst 10.41.0.2 —dport 465 -j SNAT —to-source 192.168.1.1
sudo iptables -A FORWARD -i eth1 -p tcp -d 10.41.0.2 —dport 465 -j ACCEPT
# SMTP Submission
sudo iptables -t nat -A PREROUTING -p tcp —in-interface eth1 —dport 587 -j DNAT —to-destination 10.41.0.2
sudo iptables -t nat -A POSTROUTING -p tcp —dst 10.41.0.2 —dport 587 -j SNAT —to-source 192.168.1.1
sudo iptables -A FORWARD -i eth1 -p tcp -d 10.41.0.2 —dport 587 -j ACCEPT
# POP3
sudo iptables -t nat -A PREROUTING -p tcp —in-interface eth1 —dport 110 -j DNAT —to-destination 10.41.0.2
sudo iptables -t nat -A POSTROUTING -p tcp —dst 10.41.0.2 —dport 110 -j SNAT —to-source 192.168.1.1
sudo iptables -A FORWARD -i eth1 -p tcp -d 10.41.0.2 —dport 110 -j ACCEPT
# SPOP3
sudo iptables -t nat -A PREROUTING -p tcp —in-interface eth1 —dport 995 -j DNAT —to-destination 10.41.0.2
sudo iptables -t nat -A POSTROUTING -p tcp —dst 10.41.0.2 —dport 995 -j SNAT —to-source 192.168.1.1
sudo iptables -A FORWARD -i eth1 -p tcp -d 10.41.0.2 —dport 995 -j ACCEPT
# IMAP
sudo iptables -t nat -A PREROUTING -p tcp —in-interface eth1 —dport 143 -j DNAT —to-destination 10.41.0.2
sudo iptables -t nat -A POSTROUTING -p tcp —dst 10.41.0.2 —dport 143 -j SNAT —to-source 192.168.1.1
sudo iptables -A FORWARD -i eth1 -p tcp -d 10.41.0.2 —dport 143 -j ACCEPT
# SIMAP
sudo iptables -t nat -A PREROUTING -p tcp —in-interface eth1 —dport 993 -j DNAT —to-destination 10.41.0.2
sudo iptables -t nat -A POSTROUTING -p tcp —dst 10.41.0.2 —dport 993 -j SNAT —to-source 192.168.1.1
sudo iptables -A FORWARD -i eth1 -p tcp -d 10.41.0.2 —dport 993 -j ACCEPT
# HTTP
sudo iptables -t nat -A PREROUTING -p tcp —in-interface eth1 —dport 80 -j DNAT —to-destination 10.41.0.2
sudo iptables -t nat -A POSTROUTING -p tcp —dst 10.41.0.2 —dport 80 -j SNAT —to-source 192.168.1.1
sudo iptables -A FORWARD -i eth1 -p tcp -d 10.41.0.2 —dport 80 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp —in-interface eth1 —dport 8800 -j DNAT —to-destination 10.41.0.2
sudo iptables -t nat -A POSTROUTING -p tcp —dst 10.41.0.2 —dport 8800j SNAT —to-source 192.168.1.1
sudo iptables -A FORWARD -i eth1 -p tcp -d 10.41.0.2 —dport 8800 -j ACCEPT
# SHTTP
sudo iptables -t nat -A PREROUTING -p tcp —in-interface eth1 —dport 443 -j DNAT —to-destination 10.41.0.2
sudo iptables -t nat -A POSTROUTING -p tcp —dst 10.41.0.2 —dport 443 -j SNAT —to-source 192.168.1.1
sudo iptables -A FORWARD -i eth1 -p tcp -d 10.41.0.2 —dport 443 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp —in-interface eth1 —dport 8843 -j DNAT —to-destination 10.41.0.2
sudo iptables -t nat -A POSTROUTING -p tcp —dst 10.41.0.2 —dport 8843 -j SNAT —to-source 192.168.1.1
sudo iptables -A FORWARD -i eth1 -p tcp -d 10.41.0.2 —dport 8843 -j ACCEPT
# \u0414\u043b\u044f VPN
# OpenVPN
sudo iptables -N OpenVPN
sudo iptables -t nat -A PREROUTING -p udp —in-interface eth1 —dport 1194 -j DNAT —to-destination 10.41.0.2
sudo iptables -A FORWARD -i eth1 -p udp -d 10.41.0.2 —dport 1194 -j OpenVPN
sudo iptables -A OpenVPN -m recent —set —name OpenVPNH —rsource
# sudo iptables -A OpenVPN -m recent —update —seconds 60 —hitcount 2 —name OpenVPNH —rsource -j LOG —log-prefix «Anti OpenVPNH-Bruteforce: » —log-level 6
sudo iptables -A OpenVPN -m recent —update —seconds 300 —hitcount 2 —name OpenVPNH —rsource -j DROP
sudo iptables -A OpenVPN -j ACCEPT
# Microsoft VPN
sudo iptables -A FORWARD -p gre -j ACCEPT
sudo iptables -t nat -A PREROUTING —dst 192.168.1.1 -p tcp —dport 1723 -j DNAT —to-destination 10.41.0.2
sudo iptables -t nat -A POSTROUTING —dst 10.41.0.2 -p tcp —dport 1723 -j SNAT —to-source 10.41.0.11
sudo iptables -t nat -A OUTPUT —dst 185.97.115.98 -p tcp —dport 1723 -j DNAT —to-destination 10.41.0.2
sudo iptables -I FORWARD 1 -i eth1 -o eth0 -d 10.41.0.2 -p tcp -m tcp —dport 1723 -j ACCEPT
# \u0411\u043b\u043e\u043a\u0438\u0440\u0443\u0435\u043c \u043e\u0441\u0442\u0430\u043b\u044c\u043d\u043e\u0435
sudo iptables -A INPUT -p tcp -m tcp -j DROP
# \u0412\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u043c \u0432 \u0430\u0432\u0442\u043e\u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0443
sudo echo «#! \/sbin\/iptables-restore» > \/etc\/network\/if-up.d\/iptables-rules
sudo iptables-save >> \/etc\/network\/if-up.d\/iptables-rules
sudo chmod +x \/etc\/network\/if-up.d\/iptables-rules<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u0417\u0434\u0435\u0441\u044c \u044f \u043d\u0435 \u0441\u0442\u0430\u043d\u0443 \u0440\u0430\u0441\u0441\u043c\u0430\u0442\u0440\u0438\u0432\u0430\u0442\u044c \u043e\u0431\u0449\u0438\u0439 \u043f\u0440\u0438\u043d\u0446\u0438\u043f, \u0442.\u043a. \u044d\u0442\u043e \u0442\u0435\u043c\u0430 \u043e\u0447\u0435\u043d\u044c \u043e\u0431\u0448\u0438\u0440\u043d\u0430\u044f, \u0430 \u0432\u044b\u043b\u043e\u0436\u0443 \u043b\u0438\u0448\u044c \u0443\u0436\u0435 \u0433\u043e\u0442\u043e\u0432\u044b\u0435 \u0441\u043a\u0440\u0438\u043f\u0442\u044b \u0434\u043b\u044f \u0440\u0430\u0437\u043d\u044b\u0445 \u0441\u0438\u0442\u0443\u0430\u0446\u0438\u0439. \u0418 \u0442\u0430\u043a \u0434\u043b\u044f \u043d\u0430\u0447\u0430\u043b\u0430 \u0432\u0441\u0435 \u0442\u0430\u043a\u0438 \u0432\u043a\u043b\u044e\u0447\u0438\u043c \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u0444\u043e\u0440\u0432\u0430\u0434\u0438\u043d\u0433\u0430 \u0442\u0440\u0430\u0444\u0438\u043a\u0430 \u0447\u0435\u0440\u0435\u0437 \u043c\u0430\u0448\u0438\u043d\u043a\u0443 \u043d\u0430 linux: sudo sed -i \u2018\/#net.ipv4.ip_forward=1\/s\/#net.ipv4.ip_forward=1\/net.ipv4.ip_forward=1\/g\u2019 \/etc\/sysctl.conf \u043f\u043e\u0441\u043b\u0435 \u044d\u0442\u043e\u0433\u043e \u043d\u0443\u0436\u043d\u043e \u043f\u0435\u0440\u0435\u0437\u0430\u0433\u0440\u0443\u0437\u0438\u0442\u044c \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440. \u0421\u043a\u0440\u0438\u043f\u0442 \u043e\u0447\u0438\u0441\u0442\u043a\u0438 \u0444\u0430\u0439\u0435\u0440\u0432\u043e\u043b\u0430: !\/bin\/bash# \u0423\u0434\u0430\u043b\u044f\u0435\u043c \u0432\u0441\u0435 \u043f\u0440\u0430\u0432\u0438\u043b\u0430 sudo iptables -F […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"_links":{"self":[{"href":"http:\/\/ast-1c.kz\/almasoft\/index.php?rest_route=\/wp\/v2\/posts\/746"}],"collection":[{"href":"http:\/\/ast-1c.kz\/almasoft\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ast-1c.kz\/almasoft\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ast-1c.kz\/almasoft\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/ast-1c.kz\/almasoft\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=746"}],"version-history":[{"count":7,"href":"http:\/\/ast-1c.kz\/almasoft\/index.php?rest_route=\/wp\/v2\/posts\/746\/revisions"}],"predecessor-version":[{"id":757,"href":"http:\/\/ast-1c.kz\/almasoft\/index.php?rest_route=\/wp\/v2\/posts\/746\/revisions\/757"}],"wp:attachment":[{"href":"http:\/\/ast-1c.kz\/almasoft\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=746"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ast-1c.kz\/almasoft\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=746"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ast-1c.kz\/almasoft\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}