INT firewall configuration
From Datateknik
Latest revision as of 08:42, 4 February 2020
The following does NOT work!
Old FirewallD

- Remove firewalld! (firewalld keeps its own tables in nftables and re-creates them on every reload, so if it is left running it and the hand-written ruleset below end up fighting over what is accepted.)
- If you have to configure FirewallD in another course -> don't look here; see http://catch-up.cnap.hv.se/wiki/index.php?title=firewalld_konfiguration
Only ONE network interface

Check that you have only one (1) network interface with the command: ip a
(two if you count loopback)

This matters for the forward chain in the script below: with a single interface the machine has nothing to route, so the forward counter should stay at zero.

Source: https://www.tecmint.com/ifconfig-vs-ip-command-comparing-network-configuration/
This is a script that ...

... removes everything old (flush ruleset) and creates a new ruleset (ACL). The "packets 0 bytes 0" after each counter is how nft list ruleset prints counters; a plain counter is equivalent when the file is loaded.

    #!/usr/sbin/nft -f
    flush ruleset
    table inet filter {
        chain input {
            type filter hook input priority 0; policy drop;
            tcp dport ssh counter packets 0 bytes 0 accept comment "Accept incoming SSH on port 22 via both IPv4 and IPv6"
            counter packets 0 bytes 0
        }
        chain forward {
            type filter hook forward priority 0; policy drop;
            counter packets 0 bytes 0 comment "This should always be ZERO, because this device should NOT route packets"
        }
        chain output {
            type filter hook output priority 0; policy accept;
            counter packets 0 bytes 0 comment "Count outgoing packets"
        }
    }
CHECK THE RESULT:
nft list ruleset

Before loading the script, syntax-check it with nft -c -f <file> (-c parses and validates the file without applying it). Loading it runs flush ruleset and then installs an input chain whose policy is drop: if the SSH accept rule is wrong you lock yourself out of the machine, so load it from the console or another out-of-band session the first time.
... a variant of the 'input chain'

Drop-in replacement for the input chain in the script above; the table and the other two chains stay as they are.

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo counter accept comment "accept loopback"

        ip protocol icmp icmp type echo-request counter accept comment "incoming pings from others"
        ip protocol icmp icmp type echo-reply counter accept comment "incoming replies to our pings"

        ip saddr {
            193.10.128.0/17,    # old subnets of HV
            212.25.132.0/23,    # new subnets of HV
        } tcp dport 22 counter accept

        # NOTE: this rule has no source restriction, so it accepts SSH from ANY address
        # and makes the HV-only rule above pointless. Delete it if SSH should only be
        # reachable from HV.
        tcp dport ssh counter packets 0 bytes 0 accept comment "Accept incoming SSH on port 22 via both IPv4 and IPv6"

        ct state established,related accept comment "allow reply-packets that we asked for"

        # by default, return an error ICMP message if the packet wasn't accepted above.
        counter reject
        counter    # never reached: everything left over was rejected on the line above
    }

Rule order matters: nft evaluates a chain top to bottom and the first verdict wins. Two things to be aware of in this variant:

- The table is family inet, so the chain filters IPv6 as well. Nothing here accepts ICMPv6, so with policy drop the host's IPv6 neighbour discovery is dropped too; if the machine uses IPv6, add a rule such as icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept.
- The ct state established,related rule is the one that lets replies to the host's own connections back in; placing it near the top (right after the loopback rule) means most packets are decided after one rule instead of six.

CHECK THE RESULT:
nft list ruleset
all subnets of HV

OSPF routes as seen on an HV router (Cisco IOS show ip route output). Compare the 193.10.x and 212.25.x prefixes with the saddr set in the input chain variant above: 193.10.128.0/17 covers 193.10.128.0 to 193.10.255.255, and 212.25.132.0/23 covers the two 212.25.132.0/24 and 212.25.133.0/24 routes.

    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override

    Gateway of last resort is 193.10.191.161 to network 0.0.0.0

          10.0.0.0/32 is subnetted, 2 subnets
    O        10.1.1.2 [110/2] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        10.1.1.3 [110/6] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
          130.242.0.0/31 is subnetted, 2 subnets
    O        130.242.6.56 [110/6] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        130.242.6.58 [110/6] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     172.22.0.0/16 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
          172.23.0.0/24 is subnetted, 1 subnets
    O        172.23.0.0 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.80.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.83.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.85.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.133.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.193.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.194.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.195.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.196.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.197.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.198.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.199.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.201.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.206.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.236.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.243.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.244.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.245.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.249.0/24 [110/41] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.254.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     192.168.255.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.188.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
          193.10.189.0/24 is variably subnetted, 5 subnets, 3 masks
    O        193.10.189.0/25 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.189.128/26 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.189.232/29 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.189.240/29 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.189.248/29 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.190.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
          193.10.191.0/24 is variably subnetted, 25 subnets, 6 masks
    O        193.10.191.0/28 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.40/29 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.52/30 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.57/32 [110/5] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.58/32 [110/5] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.64/31 [110/6] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.84/30 [110/5] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.92/30 [110/5] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.96/30 [110/105] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.100/30 [110/41] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.104/30 [110/10005] via 193.10.191.161, 5w3d, GigabitEthernet1/0/1
    O        193.10.191.108/30 [110/1005] via 193.10.191.161, 5w3d, GigabitEthernet1/0/1
    O        193.10.191.112/30 [110/1005] via 193.10.191.161, 3w5d, GigabitEthernet1/0/1
    O        193.10.191.116/30 [110/5] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.120/30 [110/1105] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.124/30 [110/1105] via 193.10.191.161, 3w5d, GigabitEthernet1/0/1
    O        193.10.191.136/30 [110/1105] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.144/29 [110/45] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.168/29 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.184/30 [110/41] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.192/28 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.208/28 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.191.224/27 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.192.0/22 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.196.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
          193.10.197.0/24 is variably subnetted, 2 subnets, 2 masks
    O        193.10.197.64/26 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O        193.10.197.128/25 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.198.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.199.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.200.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.201.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.202.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.204.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.205.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.206.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.207.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.234.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     193.10.235.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     212.25.132.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
    O     212.25.133.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
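Two offline checks on the input chain variant and the route table above, as an added example (this is not code from the wiki page; it uses only Python's standard library, and the function names and the ROUTE_TABLE excerpt, a constructed subset of the show ip route output on the page, are mine). The first check parses the OSPF routes and reports which prefixes fall outside the SSH allow-list { 193.10.128.0/17, 212.25.132.0/23 }. The second simulates nft's first-match evaluation for a new TCP/22 packet and shows that, with the unrestricted tcp dport ssh rule in place, the allow-list never limits anything.

```python
"""Offline sanity checks for the HV input-chain variant (added example, not from the page)."""
import ipaddress
import re

# The SSH allow-list exactly as written in the input-chain variant.
SSH_ALLOWED = [ipaddress.ip_network(p) for p in ("193.10.128.0/17", "212.25.132.0/23")]

# Constructed excerpt of the 'show ip route' output on the page; the parser
# also accepts the full output unchanged.
ROUTE_TABLE = """\
Gateway of last resort is 193.10.191.161 to network 0.0.0.0

      10.0.0.0/32 is subnetted, 2 subnets
O        10.1.1.2 [110/2] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
O        10.1.1.3 [110/6] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
O     172.22.0.0/16 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
O     192.168.249.0/24 [110/41] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
      193.10.189.0/24 is variably subnetted, 5 subnets, 3 masks
O        193.10.189.0/25 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
O        193.10.189.232/29 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
O     193.10.192.0/22 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
O     212.25.132.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
O     212.25.133.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1
"""

OSPF_ROUTE = re.compile(r"^O\s+(\S+)\s+\[")            # "O   <prefix> [110/<cost>] via ..."
SUBNETTED = re.compile(r"^\s*\S+/(\d+) is subnetted")  # children of this header carry no mask


def parse_ospf_routes(text):
    """Return every OSPF-learned prefix in IOS 'show ip route' output as an ip_network.

    IOS prints the children of a classful 'X/Y is subnetted' header without a
    mask, so Y is carried down to them; 'variably subnetted' children print
    their own mask and need nothing.
    """
    routes, inherited_mask = [], None
    for line in text.splitlines():
        header = SUBNETTED.match(line)
        if header:
            inherited_mask = header.group(1)
            continue
        route = OSPF_ROUTE.match(line)
        if not route:
            continue
        prefix = route.group(1)
        if "/" not in prefix:
            prefix = f"{prefix}/{inherited_mask}"
        routes.append(ipaddress.ip_network(prefix, strict=False))
    return routes


def not_covered(routes, allowed):
    """Prefixes from the route table that no allow-list entry contains."""
    return [r for r in routes if not any(r.subnet_of(a) for a in allowed)]


def ssh_verdict(saddr, rules, policy="reject"):
    """First-match evaluation of a new TCP/22 packet from saddr, the way nft does it.

    rules is an ordered list of (match_function, verdict); the page's chain
    ends in 'counter reject', so that is the fall-through policy here.
    """
    src = ipaddress.ip_address(saddr)
    for matches, verdict in rules:
        if matches(src):
            return verdict
    return policy


# The two SSH rules in the order the page lists them.
PAGE_RULES = [
    (lambda s: any(s in net for net in SSH_ALLOWED), "accept"),  # ip saddr { HV } tcp dport 22 accept
    (lambda s: True, "accept"),                                  # tcp dport ssh accept  (any source)
]
# The same chain with the unrestricted rule deleted.
HARDENED_RULES = PAGE_RULES[:1]


if __name__ == "__main__":
    routes = parse_ospf_routes(ROUTE_TABLE)
    print("not covered by the SSH allow-list:", [str(r) for r in not_covered(routes, SSH_ALLOWED)])
    for src in ("193.10.191.161", "212.25.133.7", "8.8.8.8"):
        print(f"SSH from {src:16} page chain: {ssh_verdict(src, PAGE_RULES):8}"
              f"hardened chain: {ssh_verdict(src, HARDENED_RULES)}")
```

The uncovered prefixes the excerpt reports (10.x, 172.22.x, 192.168.x) are private ranges that the allow-list deliberately leaves out; every public 193.10.x and 212.25.x route is inside it. The verdict simulation models only the two SSH rules, which is enough because none of the other rules in the chain (loopback, ICMP, ct state) match a new TCP/22 packet arriving from the network.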