INT firewall configuration

From Datateknik
Revision as of 08:36, 4 February 2020 by Imra (Talk | contribs)


The following does not work!


Old FirewallD

Only ONE network interface

Check that you have only one (1) network interface with the command: ip a
(two if you count loopback)

Source: https://www.tecmint.com/ifconfig-vs-ip-command-comparing-network-configuration/

This is a script that ...

... removes all old rules and creates a new ACL

 #!/usr/sbin/nft -f
 
 # Remove every existing rule and start from an empty ruleset
 flush ruleset
 
 # "inet" means the table handles both IPv4 and IPv6
 table inet filter {
   chain input {
     type filter hook input priority 0;
     policy drop;
 
     tcp dport ssh counter accept comment "Accept incoming SSH on port 22 via both IPv4 and IPv6"
 
     # Everything else is counted here and then dropped by the chain policy.
     # Note: there is no "ct state established,related accept" rule, so replies to
     # connections this host opens itself (DNS, apt, ...) are dropped as well.
     counter
   }
 
   chain forward {
     type filter hook forward priority 0;
     policy drop;
     counter comment "This should always be ZERO, because this device should NOT route packets"
   }
 
   chain output {
     type filter hook output priority 0;
     policy accept;
     counter comment "Count outgoing packets"
   }
 }

CHECK HOW IT TURNED OUT
 nft list ruleset

... a variant of the 'input chain'

   chain input {
     type filter hook input priority 0; policy drop;
 
     iif lo counter accept comment "accept loopback"
 
     ip protocol icmp icmp type echo-request counter accept comment "incoming pings from others"
     ip protocol icmp icmp type echo-reply counter accept comment "incoming replies to our pings"
 
     # SSH only from HV's own address ranges
     tcp dport 22 ip saddr {
       193.10.128.0/17,       # old subnets of HV
       212.25.132.0/23,       # new subnets of HV
     } counter accept
 
     # NOTE: this rule accepts SSH from ANY source address and makes the
     # restriction above pointless; keep only one of the two rules.
     tcp dport ssh counter accept comment "Accept incoming SSH on port 22 via both IPv4 and IPv6"
 
     ct state established,related accept comment "allow reply-packets that we asked for"
 
     # by default, return an ICMP error message if the packet wasn't accepted above
     counter reject
   }

CHECK HOW IT TURNED OUT
 nft list ruleset
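The first script and the input-chain variant above, merged into one complete ruleset that does what the page describes: SSH only from HV, ping in both directions, replies to our own connections, and no forwarding. This is an added example, not the wiki's own script; the set name hv_subnets is an assumption, and the ICMPv6 rule is added because an inet table with policy drop would otherwise break IPv6 neighbour discovery.

```nft
#!/usr/sbin/nft -f
# Added example, not the wiki's own script: the two fragments on this page
# merged into one ruleset. The set name "hv_subnets" is an assumption.

flush ruleset

table inet filter {
    # Named set: change the HV address ranges here, not inside the rules
    set hv_subnets {
        type ipv4_addr
        flags interval
        elements = { 193.10.128.0/17,   # old subnets of HV
                     212.25.132.0/23 }  # new subnets of HV
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened. Without this rule the
        # drop policy also kills the answers to our own DNS, apt, ... traffic.
        ct state established,related counter accept
        ct state invalid counter drop

        iif lo accept comment "accept loopback"

        # Ping in both directions. ICMPv6 is also needed for neighbour
        # discovery; blocking it breaks IPv6 completely on the host.
        ip protocol icmp icmp type { echo-request, echo-reply } counter accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply,
            nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } counter accept

        # SSH only from HV's own address ranges; there is deliberately no
        # second, unrestricted "tcp dport ssh accept" rule
        tcp dport ssh ip saddr @hv_subnets counter accept comment "SSH from HV only"
        # Everything else: count it, then send an ICMP error instead of a silent drop
        counter reject
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "This should always be ZERO, because this device should NOT route packets"
    }

    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "Count outgoing packets"
    }
}
```

Check the syntax without touching the running firewall with `nft -c -f <file>`, then load it with `nft -f <file>` and confirm the result with `nft list ruleset`.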

All subnets of HV (from the gateway's OSPF routing table; the 193.10.x and 212.25.x routes in it all fall inside the 193.10.128.0/17 and 212.25.132.0/23 ranges used in the SSH rule above)
