know-how:firewall
know-how:firewall [2021/10/18 11:06] – [roadworker mfa - multiple factor auth] cc | know-how:firewall [2022/02/21 13:15] – [Blocks - Multi - IPSET] cc | ||
Zeile 993: | Zeile 993: | ||
auth-user-pass-verify / | auth-user-pass-verify / | ||
auth-user-pass-optional | auth-user-pass-optional | ||
+ | script-security 3 | ||
.... | .... | ||
</ | </ | ||
Zeile 1139: | Zeile 1140: | ||
</ | </ | ||
+ | |||
+ | ====== Traffic Shaping - tc ====== | ||
+ | * FIXME - Großteil " | ||
+ | * FIXME - PLAYGROUND - für bestimmten Traffic Bandbreite insgesamt einschränken , damit zB: ein Pool von Adressen eingeschränkt werden kann wie zB: Windows Updates :) entweder über iptables Markierungen oder über ipset Matches | ||
+ | < | ||
+ | #!/bin/sh -x | ||
+ | |||
+ | # Maximum allowed downlink. Set to 90% of the achievable downlink in mbit | ||
+ | DOWNLINK=60 | ||
+ | |||
+ | # Interface facing the Internet | ||
+ | EXTDEV=wlp2s0 | ||
+ | |||
+ | # Load IFB, all other modules all loaded automatically | ||
+ | modprobe ifb | ||
+ | ip link set dev ifb0 down | ||
+ | |||
+ | # Clear old queuing disciplines (qdisc) on the interfaces and the MANGLE table | ||
+ | tc qdisc del dev $EXTDEV root 2> /dev/null > /dev/null | ||
+ | tc qdisc del dev $EXTDEV ingress 2> /dev/null > /dev/null | ||
+ | tc qdisc del dev ifb0 root 2> /dev/null > /dev/null | ||
+ | tc qdisc del dev ifb0 ingress | ||
+ | iptables -t mangle -F | ||
+ | |||
+ | # appending " | ||
+ | if [ " | ||
+ | then | ||
+ | echo " | ||
+ | exit | ||
+ | fi | ||
+ | |||
+ | ip link set dev ifb0 up | ||
+ | |||
+ | # HTB classes on IFB with rate limiting - default class 3:30 | ||
+ | tc qdisc add dev ifb0 root handle 3: htb default 30 | ||
+ | |||
+ | tc class add dev ifb0 parent 3:3 classid 3:30 htb rate 60mbit ceil 60mbit | ||
+ | tc class add dev ifb0 parent 3:3 classid 3:33 htb rate 10mbit ceil 10mbit | ||
+ | |||
+ | # Packets marked with " | ||
+ | tc filter add dev ifb0 parent 3:0 protocol ip handle 2 fw flowid 3:33 | ||
+ | |||
+ | # Martin Devera, author of HTB, then recommends SFQ for beneath these classes: | ||
+ | tc qdisc add dev ifb0 parent 3:30 handle 30: sfq perturb 10 | ||
+ | tc qdisc add dev ifb0 parent 3:33 handle 33: sfq perturb 10 | ||
+ | |||
+ | # | ||
+ | iptables -t mangle -A PREROUTING -s 88.198.248.254 -j MARK --set-mark 2 | ||
+ | iptables -t mangle -A PREROUTING -j CONNMARK --save-mark | ||
+ | |||
+ | |||
+ | |||
+ | # Forward all ingress traffic on internet interface to the IFB device | ||
+ | tc qdisc add dev $EXTDEV ingress handle ffff: | ||
+ | tc filter add dev $EXTDEV parent ffff: protocol ip \ | ||
+ | u32 match u32 0 0 \ | ||
+ | action connmark \ | ||
+ | action mirred egress redirect dev ifb0 \ | ||
+ | flowid ffff:1 | ||
+ | |||
+ | |||
+ | # Kein markieren mehr der Pakete / iptables fällt weg über ipset | ||
+ | # root@mrWhiteGhost:/ | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | |||
+ | |||
+ | # | ||
+ | #class htb 3:33 root prio 0 rate 10Mbit ceil 10Mbit burst 1600b cburst 1600b | ||
+ | # Sent 28375626 bytes 20582 pkt (dropped 0, overlimits 20488 requeues 0) | ||
+ | # backlog 0b 0p requeues 0 | ||
+ | # lended: 20582 borrowed: 0 giants: 0 | ||
+ | # tokens: -16889 ctokens: -16889 | ||
+ | # | ||
+ | #class htb 3:30 root prio 0 rate 60Mbit ceil 60Mbit burst 1590b cburst 1590b | ||
+ | # Sent 1760229 bytes 3364 pkt (dropped 0, overlimits 884 requeues 0) | ||
+ | # backlog 0b 0p requeues 0 | ||
+ | # lended: 3364 borrowed: 0 giants: 0 | ||
+ | # tokens: 3125 ctokens: 3125 | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | exit 0 | ||
+ | </ | ||
+ | |||
+ | |||
====== GeoIP - iptables matches ====== | ====== GeoIP - iptables matches ====== | ||
Zeile 1275: | Zeile 1367: | ||
====== WEB Module ====== | ====== WEB Module ====== | ||
+ | ===== Blocks - Multi - IPSET ===== | ||
+ | * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können | ||
+ | * www-data muss dnsmasq neu starten können zB: visudo -> www-data | ||
+ | * **Achtung: | ||
+ | * **merge-ipsets.sh** | ||
+ | |||
+ | < | ||
+ | #!/bin/bash | ||
+ | function bailout | ||
+ | { | ||
+ | echo -e " | ||
+ | exit 2 | ||
+ | |||
+ | } | ||
+ | |||
+ | which dnsmasq >/ | ||
+ | |||
+ | |||
+ | LOCATION_DNSMASQS="/ | ||
+ | TMP_LOCATION=$(mktemp) | ||
+ | FINAL_LOCATION="/ | ||
+ | |||
+ | if [ ! -w $FINAL_LOCATION ] | ||
+ | then | ||
+ | rm $TMP_LOCATION | ||
+ | |||
+ | bailout "FAIL: Final config file: $FINAL_LOCATION cannot be written to " | ||
+ | |||
+ | fi | ||
+ | |||
+ | |||
+ | grep -h " | ||
+ | do | ||
+ | nr_matches=$(echo $hosts | awk ' | ||
+ | host_entry=$(echo $hosts | awk ' | ||
+ | |||
+ | if (($nr_matches > 1 )) && | ||
+ | then | ||
+ | | ||
+ | |||
+ | while read found_sets | ||
+ | do | ||
+ | build_entry+="/ | ||
+ | |||
+ | done <<< | ||
+ | |||
+ | |||
+ | echo $build_entry >> $TMP_LOCATION | ||
+ | echo $build_entry | ||
+ | |||
+ | fi | ||
+ | | ||
+ | |||
+ | |||
+ | done | ||
+ | |||
+ | filesize_tmp=$(stat -c %s $TMP_LOCATION) | ||
+ | |||
+ | if [ $filesize_tmp == " | ||
+ | then | ||
+ | |||
+ | rm $TMP_LOCATION | ||
+ | |||
+ | echo "No double ipsets found in $LOCATION_DNSMASQS" | ||
+ | |||
+ | exit 0 | ||
+ | |||
+ | fi | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | cmp -s $TMP_LOCATION $FINAL_LOCATION | ||
+ | |||
+ | compare_ret=" | ||
+ | |||
+ | if [ $compare_ret == " | ||
+ | then | ||
+ | rm $TMP_LOCATION | ||
+ | echo " | ||
+ | exit 0 | ||
+ | fi | ||
+ | |||
+ | |||
+ | dnsmasq --test --conf-file=$TMP_LOCATION | ||
+ | |||
+ | ipset_tests=" | ||
+ | if [ $ipset_tests != " | ||
+ | then | ||
+ | rm $TMP_LOCATION | ||
+ | bailout "FAIL: Malformed config file: $TMP_LOCATION" | ||
+ | fi | ||
+ | |||
+ | #2022-02-21 cc: Keep Ownership intact | ||
+ | cat $TMP_LOCATION > $FINAL_LOCATION | ||
+ | |||
+ | rm $TMP_LOCATION | ||
+ | |||
+ | systemctl reload dnsmasq || bailout "FAIL: Cannot reload dnsmasq" | ||
+ | |||
+ | |||
+ | exit 0 | ||
+ | </ | ||
+ | |||
===== Blocks - IPSET ===== | ===== Blocks - IPSET ===== | ||
* In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können | * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können | ||
- | * www-data muss dnsmasq neu starten können zB: visudo -> www-data | + | * www-data muss dnsmasq neu starten können zB: visudo -> www-data |
* {{ : | * {{ : | ||
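Review bot: The new merge-ipsets.sh replaces the live file at `cat $TMP_LOCATION > $FINAL_LOCATION` before `systemctl reload dnsmasq` has succeeded, so a failed reload leaves the new content in place and the previous working config is gone; the `dnsmasq --test --conf-file=$TMP_LOCATION` step above it appears to validate the generated fragment on its own rather than the merged configuration, so conflicts with the other files under `$LOCATION_DNSMASQS` may not be caught there (hard to confirm from the truncated lines). Since the page notes that www-data triggers this through sudo, the failure path should be self-contained: keep a copy of the previous content and put it back when the reload fails, as sketched below. Separately, `[ ! -w $FINAL_LOCATION ]`, `rm $TMP_LOCATION`, `echo $build_entry >> $TMP_LOCATION` and the `[ $filesize_tmp == ... ]` / `[ $compare_ret == ... ]` tests expand unquoted; quoting them (`"$FINAL_LOCATION"`, `"$build_entry"`) avoids word-splitting and globbing on the merged entries, and `which dnsmasq` is better written as `command -v dnsmasq >/dev/null`. In `bailout`, `echo -e` should be `printf '%s\n' "$*" >&2` so the message goes to stderr and is not reinterpreted before the `exit 2`.
```shell
# … unchanged: merge loop, cmp and dnsmasq --test checks …
#2022-02-21 cc: Keep Ownership intact; keep the previous content so a failed reload can be undone
PREV_LOCATION=$(mktemp)
cat "$FINAL_LOCATION" > "$PREV_LOCATION"
cat "$TMP_LOCATION" > "$FINAL_LOCATION"
rm "$TMP_LOCATION"

if ! systemctl reload dnsmasq
then
    cat "$PREV_LOCATION" > "$FINAL_LOCATION"
    rm "$PREV_LOCATION"
    bailout "FAIL: Cannot reload dnsmasq"
fi
rm "$PREV_LOCATION"

exit 0
```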