sudo chown {your account name} /dev/bpf*
wireshark for mac找不到interface的解决办法
发表评论
月度归档:2010年09月
iptables 实例杂锦
#/sbin/modprobe iptable_filter
#/sbin/modprobe ip_tables
#/sbin/modprobe iptable_nat
#/sbin/iptables -F -t nat
adsl拨号的转发
/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o ppp0 -j MASQUERADE
网卡转发
/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE
封堵 tcp udp 端口, 并打开特定的端口(包括vpn转发,进入的端口)
/sbin/iptables -I INPUT -p tcp -s 172.16.0.0/24 -m multiport –dports 110,80,25,22,443,5432,3306,21,445,10101,5252,8080,8383,139,1723 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 172.16.0.0/24 –dport 5432 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 172.16.0.0/24 -m multiport –dports 53,111 -j ACCEPT
/sbin/iptables -A INPUT -p gre -s 172.16.0.0/24 -j ACCEPT
#/sbin/iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/24 -p tcp -m state –state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -s 172.16.0.0/24 -m multiport –dports 80,110,21,25,1723,22,5252,10101,3306,443,5432,8080,2000,1935,8383 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -s 172.16.0.0/24 –dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -s 172.16.0.0/24 –dport 8000 -j ACCEPT
某游戏端口
#/sbin/iptables -A FORWARD -p udp -s 172.16.0.0/24 –dport 7000 -j ACCEPT
vpn 所需协议
/sbin/iptables -A FORWARD -p gre -s 172.16.0.0/24 -j ACCEPT
运行ping
/sbin/iptables -A FORWARD -p icmp -s 172.16.0.0/24 -j ACCEPT
#加这一句, ICMP应答、FTP传输、DCC等才能穿过防火墙正常工作。大部分还有一些UDP协议都依赖这个机制。不打开, bt们就不能变态了,bt软件不能穿透防火墙了, 需要进行ftp时候再打开, 限制只让 tcp 的包穿透防火墙
#/sbin/iptables -A FORWARD -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -s 172.16.0.0/24 -p tcp -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
#封住 tcp, udp 所有端口 (应该有其他方法)
/sbin/iptables -A FORWARD -p tcp -s 172.16.0.0/24 –dport 0:65535 -j DROP
/sbin/iptables -A FORWARD -p udp -s 172.16.0.0/24 –dport 0:65535 -j DROP
/sbin/iptables -A INPUT -p tcp -s 172.16.0.0/24 –dport 0:65535 -j DROP
/sbin/iptables -A INPUT -p udp -s 172.16.0.0/24 –dport 0:65535 -j DROP
#我的ip, 不受规则限制
/sbin/iptables -I INPUT -s 172.16.0.108 -j ACCEPT
/sbin/iptables -I FORWARD -s 172.16.0.108 -j ACCEPT
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all — 172.16.0.108 anywhere
ACCEPT tcp — 172.16.0.0/24 anywhere multiport dports pop3,http,smtp,ssh,https,postgres,mysql,ftp,microsoft-ds,10101,5252,webcache,8383,netbios-ssn,1723
ACCEPT tcp — 172.16.0.0/24 anywhere state RELATED,ESTABLISHED
ACCEPT tcp — 172.16.0.0/24 anywhere tcp dpt:postgres
ACCEPT udp — 172.16.0.0/24 anywhere multiport dports domain,sunrpc
ACCEPT gre — 172.16.0.0/24 anywhere
DROP tcp — 172.16.0.0/24 anywhere tcp
DROP udp — 172.16.0.0/24 anywhere udp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all — anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all — 172.16.0.108 anywhere
ACCEPT tcp — 172.16.0.0/24 anywhere multiport dports http,pop3,ftp,smtp,1723,ssh,5252,10101,mysql,https,postgres,webcache,sieve,1935,8383
ACCEPT udp — 172.16.0.0/24 anywhere udp dpt:domain
ACCEPT udp — 172.16.0.0/24 anywhere udp dpt:8000
ACCEPT udp — 172.16.0.0/24 anywhere udp dpt:afs3-fileserver
ACCEPT gre — 172.16.0.0/24 anywhere
ACCEPT icmp — 172.16.0.0/24 anywhere
DROP tcp — 172.16.0.0/24 anywhere tcp
DROP udp — 172.16.0.0/24 anywhere udp
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
=======================================================
封ip
/sbin/iptables -A FORWARD -s 172.16.0.*** -j DROP
取消ip封闭
/sbin/iptables -D FORWARD -s 172.16.0.*** -j DROP
=======================================================
路由端口转发, 电驴为高id用户, 但是试过后,好像不行
/sbin/iptables -t nat -A PREROUTING -p udp -m udp –dport 19145 -j DNAT –to-destination 172.16.0.108:19145
/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.108 -p udp -m udp –dport 19145 -j SNAT –to-source 172.16.0.2
/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp –dport 19145 -j DNAT –to-destination 172.16.0.108:19145
/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.108 -p tcp -m tcp –dport 19145 -j SNAT –to-source 172.16.0.2
#/sbin/iptables -t nat -A PREROUTING -p udp -m udp –dport 4662 -j DNAT –to-destination 172.16.0.108:4662
#/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.108 -p udp -m udp –dport 4662 -j SNAT –to-source 172.16.0.2
#/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp –dport 4662 -j DNAT –to-destination 172.16.0.108:4662
#/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.108 -p tcp -m tcp –dport 4662 -j SNAT –to-source 172.16.0.2
=============================================================
###### 用mac地址封闭上网
######注意顺序问题
#/sbin/iptables -A FORWARD -m mac –mac-source 00:00:BA:A5:7D:12 -p tcp -m multiport –dports 80,110,21,25,1723,22,5252,10101,3306,443,5432,8080,2000,1935,8383 -j ACCEPT
#/sbin/iptables -A FORWARD -m mac –mac-source 00:00:BA:A5:7D:12 -p udp –dport 53 -j ACCEPT
#/sbin/iptables -A FORWARD -p icmp -j ACCEPT
######这一行保持在最后. 用iptables -L 查看
#/sbin/iptables -A FORWARD -m mac –mac-source 00:00:BA:A5:7D:12 -j DROP
nginx+php虚拟目录下支持php脚本
sudo apt-get install nginx php5-cli php5-cgi
sudo apt-get install lighttpd rcconf
sudo vim /etc/nginx/sites-available/default
location /myweb {
root /home/admin;
autoindex on;
index index.htm index.html index.php;
}
location ~ \.php$ {
root /var/www/nginx-default;
if ( $uri ~ ^/myweb/ ) {
root /home/ihefeadmin;
}
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
#fastcgi_param SCRIPT_FILENAME /var/www/nginx-default$fastcgi_script_name;
include fastcgi_params;
}
sudo vim /etc/nginx/fastcgi_params
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
spawn-fcgi -a 127.0.0.1 -p 9000 -C 10 -u www-data -f /usr/bin/php-cgi
cd /etc/init.d
cp nginx php-cgi
vim php-cgi
nginx –> php-cgi
DAEMON=/usr/bin/spawn-fcgi
DAEMON_OPTS=”-a 127.0.0.1 -p 9000 -C 10 -u www-data -f /usr/bin/php-cgi”
…
stop)
echo -n “Stopping $DESC: ”
pkill -9 php-cgi
echo “$NAME.”
vpn穿透
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
iptables -A INPUT -p gre -j ACCEPT
iptables -A FORWARD -p gre -j ACCEPT
//=====================================================
#!/bin/sh
iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
depmod="/sbin/depmod"
EXTIF="eth1"
INTIF="eth2"
load () {
$depmod -a
$modprobe ip_tables
$modprobe ip_conntrack
$modprobe ip_conntrack_ftp
$modprobe ip_conntrack_irc
$modprobe iptable_nat
$modprobe ip_nat_ftp
$modprobe ip_conntrack_pptp
$modprobe ip_nat_pptp
echo "enable forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "enable dynamic addr"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# start firewall
#default policies
$iptables -P INPUT DROP
$iptables -F INPUT
$iptables -P OUTPUT DROP
$iptables -F OUTPUT
$iptables -P FORWARD DROP
$iptables -F FORWARD
$iptables -t nat -F
echo " opening loopback interface for socket based services."
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
echo " allow all connections OUT and ONLY existing related ones IN"
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -o $EXTIF -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
$iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
echo " enabling SNAT (MASQUERADE) functionality on $EXTIF"
$iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$iptables -A INPUT -i $INTIF -j ACCEPT
$iptables -A OUTPUT -o $INTIF -j ACCEPT
echo " Allowing packets with ICMP data (pings)"
$iptables -A INPUT -p icmp -j ACCEPT
$iptables -A OUTPUT -p icmp -j ACCEPT
$iptables -A INPUT -p udp -i $INTIF --dport 67 -m state --state NEW -j ACCEPT
echo " port 137 for netBios"
$iptables -A INPUT -i $INTIF -p udp --dport 137 -j ACCEPT
$iptables -A OUTPUT -o $INTIF -p udp --dport 137 -j ACCEPT
echo " opening port 53 for DNS queries"
$iptables -A INPUT -p udp -i $EXTIF --sport 53 -j ACCEPT
#echo " opening port 22 for internal ssh"
$iptables -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT
$iptables -A INPUT -p gre -j ACCEPT
$iptables -A FORWARD -p gre -j ACCEPT
echo " opening port 1723 for VPN Server"
$iptables -A INPUT -p tcp -i $EXTIF --dport 1723 -m state --state NEW -j ACCEPT
echo " opening port 80 for webserver"
$iptables -A INPUT -p tcp -i $EXTIF --dport 80 -m state --state NEW -j ACCEPT
echo " opening port 21 for FTP Server"
$iptables -A INPUT -p tcp -i $EXTIF --dport 21 -m state --state NEW -j ACCEPT
echo " opening ssh for web on port 2609 for firewig"
$iptables -A INPUT -p tcp --dport 2609 -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 2609 -j ACCEPT
echo " opening ssh for web on port 22 for betty"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 22 -j DNAT --to 192.168.10.96:2302
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 2302 -j ACCEPT
#echo " opening Apache webserver for HoH"
$iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.10.96:80
$iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 80 -j ACCEPT
}
flush() {
echo "flushing rules...."
$iptables -P FORWARD ACCEPT
$iptables -F INPUT
$iptables -P INPUT ACCEPT
}
case "$1" in
start|restart)
flush
load
;;
stop)
flush
;;
*)
echo "usage: start|stop|restart."
;;
esac
exit 0
}
stunnel配置
sudo apt-get install stunnel
sudo vim /etc/default/stunnel4
ENABLED=1
openssl req -new -x509 -days 36500 -nodes -out stunnel.pem -keyout stunnel.pem
sudo vim /etc/stunnel/stunnel.conf
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
sudo /etc/init.d/stunnel4 restart