INT-firewall konfiguration
From Datateknik
(Difference between revisions)
(→Gamla FirewallD) |
(→Bara ETT nätverkskort) |
||
Line 5: | Line 5: | ||
=Bara ETT nätverkskort= | =Bara ETT nätverkskort= | ||
− | Kontrollera att du bara har ett (1) nätverkskort med kommandot: <tt> | + | Kontrollera att du bara har ett (1) nätverkskort med kommandot: <tt>ip a</tt> |
<br>(två om du räknar loopback) | <br>(två om du räknar loopback) | ||
+ | |||
+ | Källa: https://www.tecmint.com/ifconfig-vs-ip-command-comparing-network-configuration/ | ||
= Detta är ett scripts som ... = | = Detta är ett scripts som ... = |
Revision as of 08:36, 4 February 2020
Nedanstående fungerar ej!
Contents |
Gamla FirewallD
- Tag bort firewalld!
- Om du i en annan kurs måste konfa FirewallD -> titta inte här http://catch-up.cnap.hv.se/wiki/index.php?title=firewalld_konfiguration
Bara ETT nätverkskort
Kontrollera att du bara har ett (1) nätverkskort med kommandot: ip a
(två om du räknar loopback)
Källa: https://www.tecmint.com/ifconfig-vs-ip-command-comparing-network-configuration/
Detta är ett scripts som ...
... tar bort allt gammalt, och skapar en ny ACL
#!/usr/sbin/nft -f flush ruleset table inet filter { chain input { type filter hook input priority 0; policy drop; tcp dport ssh counter packets 0 bytes 0 accept comment "Accept incoming SSH on port 22 via both IPv4 and IPv6" counter packets 0 bytes 0 } chain forward { type filter hook forward priority 0; policy drop; counter packets 0 bytes 0 comment "This should always be ZERO, because this device should NOT route packets" } chain output { type filter hook output priority 0; policy accept; counter packets 0 bytes 0 comment "Count outgoing packets" }
KOLLA HUR DET BLEV
nft list ruleset
... en variant på 'input chain'
chain input { type filter hook input priority 0; policy drop; iif lo counter accept comment "accept loopback" ip protocol icmp icmp type echo-request counter accept comment "incoming ping's from others" ip protocol icmp icmp type echo-reply counter accept comment "incoming reply's by our pings" tcp dport 22 ip saddr { 193.10.128.0/17, # old subnets of HV 212.25.132.0/23, # new subnets of HV } counter accept; tcp dport ssh counter packets 0 bytes 0 accept comment "Accept incoming SSH on port 22 via both IPv4 and IPv6" ct state established,related accept comment "allow reply-packets that we asked for" # by default, return an error ICMP message if the packet wasn't accepted above. counter reject; counter }
KOLLA HUR DET BLEV
nft list ruleset
all subnets of HV
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override Gateway of last resort is 193.10.191.161 to network 0.0.0.0 10.0.0.0/32 is subnetted, 2 subnets O 10.1.1.2 [110/2] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 10.1.1.3 [110/6] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 130.242.0.0/31 is subnetted, 2 subnets O 130.242.6.56 [110/6] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 130.242.6.58 [110/6] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 172.22.0.0/16 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 172.23.0.0/24 is subnetted, 1 subnets O 172.23.0.0 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.80.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.83.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.85.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.133.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.193.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.194.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.195.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.196.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.197.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.198.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.199.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.201.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.206.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.236.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.243.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.244.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.245.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.249.0/24 [110/41] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.254.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 192.168.255.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.188.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 193.10.189.0/24 is variably subnetted, 5 subnets, 3 masks O 193.10.189.0/25 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.189.128/26 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.189.232/29 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.189.240/29 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.189.248/29 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.190.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 193.10.191.0/24 is variably subnetted, 25 subnets, 6 masks O 193.10.191.0/28 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.40/29 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.52/30 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.57/32 [110/5] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.58/32 [110/5] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.64/31 [110/6] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.84/30 [110/5] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.92/30 [110/5] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.96/30 [110/105] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.100/30 [110/41] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.104/30 [110/10005] via 193.10.191.161, 5w3d, GigabitEthernet1/0/1 O 193.10.191.108/30 [110/1005] via 193.10.191.161, 5w3d, GigabitEthernet1/0/1 O 193.10.191.112/30 [110/1005] via 193.10.191.161, 3w5d, GigabitEthernet1/0/1 O 193.10.191.116/30 [110/5] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.120/30 [110/1105] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.124/30 [110/1105] via 193.10.191.161, 3w5d, GigabitEthernet1/0/1 O 193.10.191.136/30 [110/1105] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.144/29 [110/45] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.168/29 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.184/30 [110/41] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.192/28 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.208/28 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.191.224/27 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.192.0/22 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.196.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 193.10.197.0/24 is variably subnetted, 2 subnets, 2 masks O 193.10.197.64/26 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.197.128/25 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.198.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.199.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.200.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.201.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.202.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.204.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.205.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.206.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.207.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.234.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 193.10.235.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 212.25.132.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1 O 212.25.133.0/24 [110/1006] via 193.10.191.161, 7w0d, GigabitEthernet1/0/1