CentOS 7.x NFS Server 的防火牆設定

參考網站:
鳥哥的 Linux 私房菜 — NFS 伺服器
CentOS 7 NFS服务器和客户端设置 – 阿泰的菜园
How to setup NFS Server on CentOS 7 / RHEL 7 / Fedora 22
NFS issue Behind iptables in Centos 7 – Server Fault

# /usr/sbin/rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  33438  status
    100024    1   tcp  45447  status
    100005    1   udp   1002  mountd
    100005    1   tcp   1002  mountd
    100005    2   udp   1002  mountd
    100005    2   tcp   1002  mountd
    100005    3   udp   1002  mountd
    100005    3   tcp   1002  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    3   udp   2049  nfs_acl
    100021    1   udp  58234  nlockmgr
    100021    3   udp  58234  nlockmgr
    100021    4   udp  58234  nlockmgr
    100021    1   tcp  33450  nlockmgr
    100021    3   tcp  33450  nlockmgr
    100021    4   tcp  33450  nlockmgr

稍微整理一下,其中 tcp/udp 111 和 tcp/udp 2049 是固定的,其它 (status、mountd、nlockmgr) 則由 rpcbind 動態分配,每次重新啟動服務後都可能不同,所以沒辦法直接寫死在防火牆規則裡
# /usr/sbin/rpcinfo -p | awk '{print $3,$4,$5}' | sort | uniq
proto port service
tcp 111 portmapper
tcp 2049 nfs
tcp 2049 nfs_acl
tcp 33450 nlockmgr
tcp 45447 status
tcp 1002 mountd
udp 111 portmapper
udp 2049 nfs
udp 2049 nfs_acl
udp 58234 nlockmgr
udp 33438 status
udp 1002 mountd

使用 firewalld 防火牆
# /usr/bin/firewall-cmd --permanent --zone public --add-service mountd
# /usr/bin/firewall-cmd --permanent --zone public --add-service rpc-bind
# /usr/bin/firewall-cmd --permanent --zone public --add-service nfs
# /usr/bin/firewall-cmd --reload
注意:這三個 service 只涵蓋 111、2049 以及 firewalld 內建 mountd 服務定義裡的固定 port(請檢查 /usr/lib/firewalld/services/mountd.xml,一般是 20048)。對照上面 rpcinfo 的輸出,mountd 實際跑在 1002,而 status、nlockmgr 的動態 port 完全沒有開放,所以 NFSv3 掛載與檔案鎖定仍可能失敗(NFSv4 只需要 2049,不受影響)。這也是底下改用固定 port 的原因。

不過個人比較習慣使用原有的 iptables 防火牆,所以底下改用固定 NFS Server Port  的方式處理

備份原檔 /etc/sysconfig/nfs
# cp /etc/sysconfig/nfs /etc/sysconfig/nfs.$(date +%F)

修改設定檔 /etc/sysconfig/nfs
# grep PORT /etc/sysconfig/nfs
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020

重新啟動 NFS Server
# systemctl restart nfs-server

如果 nlockmgr Port 還是無法固定,則要修改 /etc/sysctl.conf
# cp /etc/sysctl.conf /etc/sysctl.conf.$(date +%F)
加入下面二行
fs.nfs.nlm_tcpport=32803
fs.nfs.nlm_udpport=32769
# sed -i '$a fs.nfs.nlm_tcpport=32803\nfs.nfs.nlm_udpport=32769' /etc/sysctl.conf
注意:fs.nfs.nlm_* 這兩個 key 只有在 lockd 模組載入後才存在,開機時若 sysctl 比 lockd 早執行會出現「unknown key」而沒有生效;較穩當的做法是改在 /etc/modprobe.d/ 下設定 options lockd nlm_tcpport=32803 nlm_udpport=32769(做法同後面 Ubuntu 篇的第 5 步)。

讓設定生效
# sysctl -p

再次檢查所使用的 Port 是否有固定
# /usr/sbin/rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    662  status
    100024    1   tcp    662  status
    100005    1   udp    892  mountd
    100005    1   tcp    892  mountd
    100005    2   udp    892  mountd
    100005    2   tcp    892  mountd
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    3   udp   2049  nfs_acl
    100021    1   udp  32769  nlockmgr
    100021    3   udp  32769  nlockmgr
    100021    4   udp  32769  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100021    3   tcp  32803  nlockmgr
    100021    4   tcp  32803  nlockmgr

# /usr/sbin/rpcinfo -p | awk '{print $3,$4,$5}' | sort | uniq
proto port service
tcp 111 portmapper
tcp 2049 nfs
tcp 2049 nfs_acl
tcp 32803 nlockmgr
tcp 662 status
tcp 892 mountd
udp 111 portmapper
udp 2049 nfs
udp 2049 nfs_acl
udp 32769 nlockmgr
udp 662 status
udp 892 mountd

使用 firewalld 防火牆
(未指定 --zone 時會套用到預設 zone,通常是 public;以下的 --add-port 對「所有來源」開放,若只想讓內網存取,請改用 rich rule 限定 source address,或把內網介面綁到 internal zone,做法同下面 iptables 版的 -s 192.168.1.0/24)
# /usr/bin/firewall-cmd --permanent --add-port=111/tcp
# /usr/bin/firewall-cmd --permanent --add-port=111/udp
# /usr/bin/firewall-cmd --permanent --add-port=662/tcp
# /usr/bin/firewall-cmd --permanent --add-port=662/udp
# /usr/bin/firewall-cmd --permanent --add-port=892/tcp
# /usr/bin/firewall-cmd --permanent --add-port=892/udp
# /usr/bin/firewall-cmd --permanent --add-port=2049/tcp
# /usr/bin/firewall-cmd --permanent --add-port=2049/udp
# /usr/bin/firewall-cmd --permanent --add-port=32803/tcp
# /usr/bin/firewall-cmd --permanent --add-port=32769/udp

# /usr/bin/firewall-cmd --reload

使用 iptables 防火牆
# /usr/sbin/iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -m multiport --dport 111,2049,662,892,32803 -j ACCEPT
# /usr/sbin/iptables -A INPUT -i eth0 -p udp -s 192.168.1.0/24 -m multiport --dport 111,2049,662,892,32769 -j ACCEPT
這兩條規則已限定來源網段,請務必保留 -s:rpcbind (111) 與 NFS 的 UDP port 若對 Internet 開放,除了洩漏匯出資訊外,也可能被拿來做 UDP 反射放大攻擊。另外這兩條只會加入執行中的規則,要開機後仍有效還需要 iptables-save(或 service iptables save)或寫進開機 script。

Banana Pi 測試 – Gentoo Linux iptables 防火牆

Gentoo Linux 果然非常精簡,連 iptables 都沒有內建安裝
# iptables -L -n
-bash: iptables: command not found

安裝 iptables
# emerge iptables

設定開機時啟動
# rc-update add iptables default
 * service iptables added to runlevel default
將目前的防火牆規則儲存起來
# /sbin/iptables-save > /var/lib/iptables/rules-save

# rc-service iptables save

解決執行 ufw 出現的警告訊息

自己在設定 Linux 防火牆規則時,都是習慣使用 iptables 指令,把規則寫在 Script 檔,設定成開機時執行,比較不習慣使用第三方的套件來建立,因為後續要修改時會比較麻煩。
不過在 Cubie Truck 的 Ubuntu Server 似乎預設就有安裝 ufw(Uncomplicated Firewall),利用 ufw 來建立防火牆規則。
但在執行 ufw 時會出現一些警告訊息
# ufw status verbose
WARN: /lib is group writable!
WARN: /etc is group writable!
WARN: /etc/default is group writable!
WARN: /usr is group writable!
Status: inactive

看起來是在警告這些目錄的權限是群組可寫入的。檢查一下這些目錄的權限,目前是 775
# ls -ld /lib /etc /etc/default /usr
drwxrwxr-x 96 root root 4096 Oct 18 10:53 /etc
drwxrwxr-x  2 root root 4096 Oct 16 23:18 /etc/default
drwxrwxr-x 21 root root 4096 Oct 16 23:18 /lib
drwxrwxr-x 10 root root 4096 Sep  6 17:54 /usr

把這些目錄的權限改成 751(重點是拿掉 group 的 w;ufw 警告的只是 group-writable)。
注意:751 同時也拿掉了 group/other 的讀取權限,非 root 的程式或使用者便無法列出 /etc、/usr 的目錄內容,可能造成其它工具異常;一般建議改成系統預設的 755 即可,一樣能消除警告。另外也值得查一下這些目錄為什麼會是 775(可能是映像檔建置時的 umask 所致),以免其它目錄也有同樣問題。
# chmod 751 /lib /etc /etc/default /usr
# ls -ld /lib /etc /etc/default /usr
drwxr-x–x 96 root root 4096 Oct 18 10:53 /etc
drwxr-x–x  2 root root 4096 Oct 16 23:18 /etc/default
drwxr-x–x 21 root root 4096 Oct 16 23:18 /lib
drwxr-x–x 10 root root 4096 Sep  6 17:54 /usr

再次執行 ufw 時,就不會出現警告訊息了!
# ufw status verbose
Status: inactive

Banana Pi 測試 – Bananian 篇 安裝 fail2ban

因為是測試及可能對外服務的系統,所以無法設定太嚴格的防火牆規則,所以加裝了 fail2ban 來加強系統的安全。
# apt-get install fail2ban

修改設定檔(建議不要直接改 jail.conf,套件升級時會被覆蓋;把要覆寫的段落放到 /etc/fail2ban/jail.local 即可,fail2ban 會以 jail.local 的設定優先)
# vim /etc/fail2ban/jail.local
[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
bantime  = 86400
重新啟動 fail2ban 服務
# /etc/init.d/fail2ban restart
[ ok ] Restarting authentication failure monitor: fail2ban.

檢查 fail2ban 的狀態
# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:           ssh

以 Client IP 192.168.1.1 對 Server IP 192.168.1.109 嘗試連線、密碼錯誤幾次之後
列出 fail2ban 偵測到的 SSH 攻擊
# fail2ban-client status ssh
Status for the jail: ssh
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 1
|  `- Total failed:     1
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.1.1
   `- Total banned:     1

列出 fail2ban-ssh 的規則
# iptables -t filter -L fail2ban-ssh -n
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  —  192.168.1.1          0.0.0.0/0
RETURN     all  —  0.0.0.0/0            0.0.0.0/0

解除方式(直接用 iptables -D 刪除只會拿掉規則,fail2ban 內部仍視該 IP 為已封鎖,bantime 到期時可能在 log 出現刪除失敗的錯誤;若 fail2ban 版本支援 unbanip,優先用 fail2ban-client 解除):
# fail2ban-client set ssh unbanip 192.168.1.1
版本太舊沒有 unbanip 時,再手動刪除規則:
# iptables -D fail2ban-ssh -s 192.168.1.1 -j DROP

運作一段時間後,看一下成果:
# iptables -t filter -L fail2ban-ssh -n
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  —  61.174.51.211        0.0.0.0/0
DROP       all  —  122.225.109.100      0.0.0.0/0
DROP       all  —  61.174.51.215        0.0.0.0/0
RETURN     all  —  0.0.0.0/0            0.0.0.0/0

Banana Pi 測試 – Bananian 篇 iptables 防火牆

為了系統的安全,所以加上了 iptables 防火牆規則,主要是參考 ols3 的防火牆規則。

# vim /etc/firewall.server
#! /bin/bash
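#
# iptables rule template
# written by OLS3 (ols3@lxer.idv.tw)
#
# Adjust to taste: uncomment a line to enable that setting.
#
# Review notes on what was changed relative to the original template:
#  * the default DROP policies are set *before* the tables are flushed, so a
#    re-run never leaves INPUT on the previous policy (ACCEPT on a fresh
#    system) while the rules are being rebuilt;
#  * INVALID packets are dropped on every interface, not only on $FW_IFACE;
#  * the LAN interface is a variable ($LAN_IFACE) instead of a hard-coded
#    "eth0", and the loopback rules use $LO_IFACE;
#  * conntrack/NAT modules are loaded under their current nf_* names, with
#    the legacy ip_* names as a fallback for old kernels;
#  * ping requests are rate-limited.
# This script is IPv4 only: ip6tables policies are left untouched, so IPv6
# traffic is not filtered by it at all.
#
# Must run as root (writes /proc/sys and the netfilter tables); it is meant
# to be called from /etc/rc.local at boot.

###-----------------------------------------------------------###
# Path of iptables
###-----------------------------------------------------------###
echo "Set path of iptables"
echo

IPTABLES="/sbin/iptables"

# Load the conntrack / NAT modules. Newer kernels renamed ip_conntrack to
# nf_conntrack (and the FTP helpers likewise); missing modules are ignored.
# NOTE(review): the *_ftp modules enable the FTP connection-tracking helper;
# only keep them if this host really serves or forwards FTP.
for mod in nf_conntrack nf_conntrack_ftp iptable_nat nf_nat_ftp; do
  /sbin/modprobe "$mod" 2>/dev/null
done
# Legacy module names for old (2.6.x) kernels.
for mod in ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
  /sbin/modprobe "$mod" 2>/dev/null
done

###-----------------------------------------------------------###
# External / internal interfaces and IPs
###-----------------------------------------------------------###
echo "Set external ......"
echo

#FW_IP="192.168.1.1"
#FW_IP_RANGE="192.168.1.0/24"
# Interface facing the Internet
FW_IFACE="ppp0"
# Interface facing the LAN
LAN_IFACE="eth0"

# loopback interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

## Kernel network hardening (sysctl)
# Ignore broadcast pings (smurf) and bogus ICMP error replies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Refuse source-routed packets and ICMP redirects; never send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Reverse-path filtering (anti-spoofing), also for interfaces that appear later
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
# SYN cookies against SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 3 > /proc/sys/net/ipv4/tcp_retries1
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1400 > /proc/sys/net/ipv4/tcp_keepalive_time
# NOTE(review): turning off window scaling / SACK / timestamps costs
# throughput on modern links and buys little security; kept from the original
# template, reconsider on a busy server.
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

###-----------------------------------------------------------###
# Default policies for the filter table.
# Set them *before* flushing so the box fails closed while the rules below
# are being (re)built; flushing does not touch policies.
###-----------------------------------------------------------###
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

###-----------------------------------------------------------###
# Flush previous rules
###-----------------------------------------------------------###
echo "Flush fiter table ......"
echo

# Flush filter
$IPTABLES -F
$IPTABLES -X

echo "Flush mangle table ......"
echo
# Flush mangle
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

echo "Flush nat table ......"
echo
# Flush nat
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# Allow everything on the loopback interface
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT

# Drop packets conntrack cannot classify, whatever interface they came in on
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Drop suspicious TCP packets (bad flag combinations, non-SYN "new"
# connections) arriving on the external interface
$IPTABLES -A INPUT -i $FW_IFACE -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -i $FW_IFACE -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -i $FW_IFACE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -i $FW_IFACE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -i $FW_IFACE -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPTABLES -A INPUT -i $FW_IFACE -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPTABLES -A INPUT -i $FW_IFACE -p tcp --tcp-flags ACK,URG URG -j DROP
$IPTABLES -A INPUT -i $FW_IFACE -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPTABLES -A INPUT -i $FW_IFACE -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -i $FW_IFACE -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A INPUT -i $FW_IFACE -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -i $FW_IFACE -p tcp --tcp-flags ALL FIN -j DROP

# Allow established connections and their related traffic
$IPTABLES -A INPUT -i $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $FW_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $FW_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Local services: ssh (22), http (80), https (443), reachable from both the
# LAN and the Internet.
# NOTE(review): ssh is exposed to the whole Internet via $FW_IFACE; add a
# -s <trusted range> here or rely on fail2ban plus key-only authentication.
for port in 22 80 443; do
  $IPTABLES -A INPUT -i $LAN_IFACE -p tcp --dport $port -m state --state NEW -j ACCEPT
  $IPTABLES -A INPUT -i $FW_IFACE  -p tcp --dport $port -m state --state NEW -j ACCEPT
done

# ICMP echo request / reply (ping). Requests are rate-limited so a ping flood
# cannot tie up the box; adjust --limit if the default is too tight.
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 5/s --limit-burst 10 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT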

更改檔案權限(只有 root 可讀寫執行)
# chmod 700 /etc/firewall.server

設定開機時執行
/etc/rc.local 最後一行 exit 0 之前加入 /etc/firewall.server
# sed -i '/^exit 0/i /etc/firewall.server' /etc/rc.local
原文用 sh /etc/firewall.server 也可以,但這樣會忽略檔案第一行的 #!/bin/bash,改由 /bin/sh(Debian 系是 dash)執行;這支 script 目前沒有用到 bash 特有語法所以沒差,但直接以執行檔方式呼叫比較不會踩雷。另外 sed 的 i 指令後面直接接文字是 GNU sed 的寫法,其它 sed 需要換行。

firewall-cmd 指令

參考網站:
CentOS 7 Firewalld 防火牆說明介紹 @ 黃昏的甘蔗 :: 隨意窩 Xuite日誌
小懶蟲的blog~: [CentOS 7] 防火牆設定
How to Configure ‘FirewallD’ in RHEL/CentOS 7 and Fedora 21
How To Set Up a Firewall Using FirewallD on CentOS 7 | DigitalOcean

在 CentOS 7

# firewall-cmd --get-zones
work drop internal external trusted home dmz public block

# firewall-cmd --get-default-zone
public

# firewall-cmd --get-active-zones
public
  interfaces: ens33 ppp0

(注意:--set-default-zone 會立刻生效,所有沒有明確綁定 zone 的介面都會跟著換到新的預設 zone,執行中與永久設定都會改)
# firewall-cmd --set-default-zone=internal
# firewall-cmd --get-default-zone
internal
# firewall-cmd --list-all-zones
work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

暫時開放 ftp 服務(只改執行中的設定,--reload 或重開機後就消失)
# firewall-cmd --add-service=ftp

永久開放 ftp 服務(--permanent 只寫入設定檔,要 --reload 後才會套用到執行中的規則)
# firewall-cmd --add-service=ftp --permanent
永久關閉
# firewall-cmd --remove-service=ftp --permanent
success
# firewall-cmd --zone=public --add-service=ftp --permanent
# firewall-cmd --zone=home --add-service=ftp --permanent
# firewall-cmd --zone=public --remove-service=ftp --permanent

重新載入(一般用 --reload 即可;--complete-reload 連 netfilter 模組與連線追蹤狀態都會重置,會中斷現有連線,包括自己的 SSH)
# firewall-cmd --reload
# firewall-cmd --complete-reload
# 列出設定
# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33 ppp0
  sources:
  services: dhcpv6-client ocserv openvpn
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept
        rule family="ipv4" source address="192.168.1.0/24" service name="http" accept

# firewall-cmd –zone=public –list-services
dhcpv6-client ocserv openvpn

# firewall-cmd --zone=public --add-port=4990-4999/udp --permanent
# firewall-cmd --zone=public --list-ports
4990-4999/udp

限定連線來源 IP 及開放的服務(rich rule 本身含有雙引號,外層請用單引號包起來,否則 shell 會把引號吃掉而導致語法錯誤;port 規則還必須指定 protocol)
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept' --permanent
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" limit value="10/m" accept' --permanent
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="http" accept' --permanent
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="80" protocol="tcp" accept' --permanent
# firewall-cmd --remove-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="80" protocol="tcp" accept' --permanent

也可以直接去編修 /etc/firewalld/zones/public.xml
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="openvpn"/>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <service name="http"/>
    <accept/>
  </rule>
</zone>

重新載入(手動改 XML 後用 --reload 即可;--complete-reload 會清掉連線追蹤狀態、中斷現有連線,非必要不要用)
# firewall-cmd --reload
# firewall-cmd --complete-reload

讓設定生效(另一種方式,整個服務重啟,效果同 --complete-reload)
# systemctl restart firewalld

檢視設定是否生效
# iptables -L -n | grep 21
ACCEPT     tcp  —  0.0.0.0/0            0.0.0.0/0            tcp dpt:21 ctstate NEW
檢查防火牆狀態
# firewall-cmd --state
running

# systemctl stop firewalld
# firewall-cmd --state
not running

(以下輸出應是在 firewalld 執行中時取得;firewalld 停止時 firewall-cmd 只會回報 FirewallD is not running)
# firewall-cmd --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ftp ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

在 FirewallD 的服務名稱(選項是 --get-services,結尾有 s)
# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

查詢服務的啟用狀態(未指定 --zone 時查的是預設 zone 的執行中設定)
# firewall-cmd --query-service ftp
yes
# firewall-cmd --query-service ssh
yes
# firewall-cmd --query-service samba
no
# firewall-cmd --query-service http
no

修改 firewalld 系統內定的服務
將檔案複製到 /etc/firewalld/services 目錄之下(/etc/firewalld 下的同名檔案會覆蓋 /usr/lib/firewalld 的內定版本,而且不會被套件升級覆寫)
# cp /usr/lib/firewalld/services/openvpn.xml /etc/firewalld/services
將內定使用的 udp 改成 tcp(改完要 firewall-cmd --reload 才會生效)
# sed -i 's/udp/tcp/' /etc/firewalld/services/openvpn.xml

自行加入要開放的 Port(--permanent 要 --reload 之後,執行中的 --list-all 才會看到)
# firewall-cmd --add-port=3128/tcp --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ftp ssh
  ports: 3128/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

直接將原本 iptables 使用的規則移植到 firewalld(direct 規則會在 zone 規則之前被處理,不受 zone 的限制,等於繞過 firewalld 的抽象層;請只在 zone / rich rule 做不到時使用,而且較新版本的 firewalld 文件已把 direct 介面標為 deprecated,建議改用 policy)
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p udp -s 140.111.74.0/24 --dport 161 -j ACCEPT
success
或者直接修改 /etc/firewalld/direct.xml
# cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
   <rule priority="0" table="nat" ipv="ipv4" chain="POSTROUTING">-s 192.168.18.0/24 -j MASQUERADE</rule>
   <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT</rule>
   <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-p udp -s 140.111.74.0/24 --dport 161 -j ACCEPT</rule>
</direct>

查看目前的 Direct 規則
# firewall-cmd --direct --get-all-rules
ipv4 nat POSTROUTING 0 -s 192.168.18.0/24 -j MASQUERADE
ipv4 filter INPUT 0 -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
ipv4 filter INPUT 0 -p udp -s 140.111.74.0/24 --dport 161 -j ACCEPT

NAT
# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE
# firewall-cmd --reload
(若只是要對整個 zone 做 NAT,firewall-cmd --zone=external --add-masquerade --permanent 比 passthrough 簡單,也不會繞過 firewalld 的管理)

# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.1.10/24 forward-port port=8080 protocol=tcp to-port=80'
注意:上面的 source address=192.168.1.10/24 主機位元不為零,語意不清(是整個 /24 還是單一主機 192.168.1.10?),請依需求改成 192.168.1.0/24 或 192.168.1.10/32,以免開放的範圍和預期不同。

如果真的不習慣使用 firewalld
安裝 iptables-services 套件
# yum install iptables-services
設定開機時啟動 iptables 服務
# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
啟動 iptables 服務
# systemctl start iptables.service

設定開機時不啟動 firewalld 服務
# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
設定取消使用 firewalld 服務
# systemctl mask firewalld.service
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
設定不取消使用 firewalld 服務
# systemctl unmask firewalld.service
Removed symlink /etc/systemd/system/firewalld.service.

更多的 FirewallD 請參考:https://fedoraproject.org/wiki/FirewallD

IPv6 Firewall

一般在設定 Server 的防火牆規則時,大部分都集中在 IPv4,不過目前宜蘭縣的 IPv6 環境應該非常完整,所以 IPv6 的部分也不能忽視。
參考網站:ip6tables: IPv6 Firewall For Linux

原本沒有設定的畫面
# ip6tables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
以 Ubuntu Server 14.04 為例
IPv6 的防火牆規則寫在 /etc/rc.local 檔案之中

# vim /etc/rc.local
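###-----------------------------------------------------------###
# ip6tables rules for /etc/rc.local (goes before the final "exit 0").
#
# Review notes on what was changed relative to the original snippet:
#  * loopback traffic is explicitly accepted: with OUTPUT set to DROP and no
#    "lo" rule, anything talking to ::1 (local services, resolvers) broke;
#  * the DROP policies are set *before* flushing, so a re-run never leaves
#    INPUT on ACCEPT while the rules are being rebuilt;
#  * service rules are restricted to NEW connections for clarity.
# Must run as root.
###-----------------------------------------------------------###
echo "Set path of ip6tables"

IP6TABLES="/sbin/ip6tables"

###-----------------------------------------------------------###
# Interface facing the outside world
###-----------------------------------------------------------###
FW_IFACE="eth0"

###-----------------------------------------------------------###
# Default policies: fail closed first, then rebuild the rules
###-----------------------------------------------------------###
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP

###-----------------------------------------------------------###
# Flush previous rules and zero the counters
###-----------------------------------------------------------###
echo "Flush fiter table ......"
echo

$IP6TABLES -F
$IP6TABLES -X
$IP6TABLES -Z

$IP6TABLES -t mangle -F
$IP6TABLES -t mangle -X

# Loopback: required, otherwise OUTPUT DROP cuts off every ::1 connection
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT

# Allow established connections and their related traffic; all outbound
# traffic on the external interface is allowed
$IP6TABLES -A INPUT -i $FW_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A OUTPUT -o $FW_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Services: http (80) to everyone, ssh (22) only from the management prefix
$IP6TABLES -A INPUT -i $FW_IFACE -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IP6TABLES -A INPUT -i $FW_IFACE -p tcp -s 2001:288:a229:1::/64 --dport 22 -m state --state NEW -j ACCEPT

# ICMPv6 must stay open: Neighbour Discovery, router advertisements and
# path-MTU discovery all ride on it; blocking it breaks IPv6 outright.
$IP6TABLES -A INPUT -i $FW_IFACE -p ipv6-icmp -j ACCEPT
$IP6TABLES -A OUTPUT -o $FW_IFACE -p ipv6-icmp -j ACCEPT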

讓設定生效
# service rc.local start

IPv6 防火牆規則
# ip6tables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      ::/0                 ::/0                 state RELATED,ESTABLISHED
ACCEPT     tcp      ::/0                 ::/0                 tcp dpt:80
ACCEPT     tcp      2001:288:a229:1::/64  ::/0                 tcp dpt:22
ACCEPT     icmpv6    ::/0                 ::/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      ::/0                 ::/0                 state NEW,RELATED,ESTABLISHED
ACCEPT     icmpv6    ::/0                 ::/0

Ubuntu 14.04 Server 上的 NFS Server 設定

使用 NFS Server 感覺比較麻煩的是,NFS Server 除了固定的 tcp/udp 111 和 tcp/udp 2049 外,其它的 Port 都是動態產生,如果要在防火牆上做設定,不太容易,最好能固定使用某些 Port,方便處理。
# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  56027  status
    100024    1   tcp  32961  status
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100021    1   udp  44022  nlockmgr
    100021    3   udp  44022  nlockmgr
    100021    4   udp  44022  nlockmgr
    100021    1   tcp  48020  nlockmgr
    100021    3   tcp  48020  nlockmgr
    100021    4   tcp  48020  nlockmgr
    100005    1   udp  33475  mountd
    100005    1   tcp  45010  mountd
    100005    2   udp  60988  mountd
    100005    2   tcp  44341  mountd
    100005    3   udp  51772  mountd
    100005    3   tcp  40966  mountd
這方面的資料在 CentOS Linux 上有很多參考,如:鳥哥的 Linux 私房菜 — NFS 伺服器,但 Ubuntu Server 上似乎不多,尤其是中文的部份;後來在英文網站中找到 SecuringNFS – Debian Wiki 這一篇,依照網站上的說明實際設定,可以正常運作。
1. 修改設定檔 /etc/default/nfs-common
# vim /etc/default/nfs-common
STATDOPTS="--port 32765 --outgoing-port 32766"

2. 修改設定檔 /etc/default/nfs-kernel-server
# vim /etc/default/nfs-kernel-server
RPCMOUNTDOPTS="-p 32767"

3. 修改設定檔 /etc/default/quota
# vim /etc/default/quota
RPCRQUOTADOPTS="-p 32769"

4. 修改 /etc/services 加入下面的設定(這些只是讓 netstat、ss 等工具顯示服務名稱用,真正使用的 port 由上面各 daemon 的參數決定;注意此處 rpc.statd 標為 32766、rpc.statd-bc 為 32765,和 STATDOPTS 的 --port 32765 剛好相反,後面 rpcinfo 的結果以 STATDOPTS 為準)
# vim /etc/services
rpc.nfsd        2049/tcp                        # RPC nfsd
rpc.nfsd        2049/udp                        # RPC nfsd
rpc.nfs-cb      32764/tcp                       # RPC nfs callback
rpc.nfs-cb      32764/udp                       # RPC nfs callback
rpc.statd-bc    32765/tcp                       # RPC statd broadcast
rpc.statd-bc    32765/udp                       # RPC statd broadcast
rpc.statd       32766/tcp                       # RPC statd listen
rpc.statd       32766/udp                       # RPC statd listen
rpc.mountd      32767/tcp                       # RPC mountd
rpc.mountd      32767/udp                       # RPC mountd
rpc.lockd       32768/tcp                       # RPC lockd/nlockmgr
rpc.lockd       32768/udp                       # RPC lockd/nlockmgr
rpc.quotad      32769/tcp                       # RPC quotad
rpc.quotad      32769/udp                       # RPC quotad

5. 修改設定檔 /etc/modprobe.d/local.conf
# vim /etc/modprobe.d/local.conf
options lockd nlm_udpport=32768 nlm_tcpport=32768
options nfs callback_tcpport=32764

6. 重新啟動 Ubuntu Server

7. 檢查成果
# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100021    1   udp  32768  nlockmgr
    100021    3   udp  32768  nlockmgr
    100021    4   udp  32768  nlockmgr
    100021    1   tcp  32768  nlockmgr
    100021    3   tcp  32768  nlockmgr
    100021    4   tcp  32768  nlockmgr
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd
    100005    2   udp  32767  mountd
    100005    2   tcp  32767  mountd
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd

8. 加入防火牆的設定
# NFS Port 111,2049,32764:32769
# eth1 對內網路卡 192.168.66.0/24 內部網路網段
# vim /etc/rc.local
iptables -A INPUT -i eth1 -p tcp -s 192.168.66.0/24 -m state --state NEW -m multiport --dport 111,2049,32764:32769 -j ACCEPT
iptables -A INPUT -i eth1 -p udp -s 192.168.66.0/24 -m state --state NEW -m multiport --dport 111,2049,32764:32769 -j ACCEPT
(這兩條只開放來自內網介面與內網網段的新連線;前提是 rc.local 其它地方已設好 INPUT 預設 DROP 以及 ESTABLISHED,RELATED 的 ACCEPT 規則,否則單獨加這兩條沒有意義。)

9. 重新啟動防火牆
# service rc.local start

以 fail2ban 偵測網頁連線攻擊

使用 Apache / MySQL / PHP 來架設網站的人,可能都會有安裝 phpMyAdmin 來管理網頁資料庫,但因為 phpMyAdmin 這一個套件可能存在一些安全性上的漏洞,所以有些攻擊方式,就會搜尋網頁上是否有安裝 phpMyAdmin,並嘗試進行攻擊。
來自網頁上的攻擊
# grep admin /var/log/httpd/error_log
[error] [client 70.87.15.74] File does not exist: /var/www/html/admin
[error] [client 70.87.15.74] File does not exist: /var/www/html/dbadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/myadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/mysqladmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/php-my-admin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin1
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin2
阻擋的方式
底下文章內容參考 網路系統組 / Network Systems [security:fail2ban]
修改 fail2ban 設定檔,加入下面的 jail(建議寫在 /etc/fail2ban/jail.local,避免套件升級時 jail.conf 被覆蓋)
# vim /etc/fail2ban/jail.local
[apache-notexist]

enabled  = true
filter   = apache-notexist
action   = iptables[name=HTTP, port=http, protocol=tcp]
logpath  = /var/log/httpd/*error_log
maxretry = 3
bantime  = 600

新增 fail2ban 的 apache-notexist filter 設定檔。注意底下的 failregex 會把「任何」File does not exist 都算一次失敗,正常使用者少了 favicon.ico、robots.txt 之類的檔案,連續三次 404 就會被封鎖;實務上建議把路徑限制在掃描工具常用的名稱,例如 failregex = [[]client <HOST>[]] File does not exist: .*(?:phpmyadmin|myadmin|dbadmin|mysqladmin|phpadmin|pma)。另外 Apache 2.4 的 error_log 格式是 [client IP:port],<HOST> 後面需加上 (?::\d+)? 才對得上(本文的 log 是 2.2 的格式)。
# vim /etc/fail2ban/filter.d/apache-notexist.conf
[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]] (File does not exist): .*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

# service fail2ban restart
Stopping fail2ban:                                         [  OK  ]
Starting fail2ban:                                         [  OK  ]

# fail2ban-client status
Status
|- Number of jail:      3
`- Jail list:           apache-notexist, pure-ftpd, ssh-iptables

嘗試幾次錯誤連線

# fail2ban-client status apache-notexist
Status for the jail: apache-notexist
|- filter
|  |- File list:        /var/log/httpd/ssl_error_log /var/log/httpd/error_log
|  |- Currently failed: 0
|  `- Total failed:     3
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.1.1
   `- Total banned:     1

# iptables -t filter -L fail2ban-HTTP -n
Chain fail2ban-HTTP (1 references)
target     prot opt source               destination
DROP       all  —  192.168.1.1          0.0.0.0/0
RETURN     all  —  0.0.0.0/0            0.0.0.0/0

以 fail2ban 偵測 ftp 連線攻擊 – Pure-FTPd 篇

在 CentOS 6.x 下安裝(rpmforge/RepoForge 已多年未維護,現在建議改用 EPEL:yum install epel-release 之後直接 yum install pure-ftpd)
# yum install pure-ftpd --enablerepo=rpmforge

啟動 Pure-FTPd FTP Server
# /etc/init.d/pure-ftpd start
Starting pure-ftpd:                                        [  OK  ]

修改 /etc/rsyslog.conf 設定檔,讓 Pure-FTPd 的 log 能獨立成一個檔案(pure-ftpd 預設以 syslog 的 ftp facility 記錄,若 pure-ftpd.conf 裡改過 SyslogFacility 請對應調整;另外 ftp.* 的訊息仍會同時寫到 /var/log/messages,不想重複的話可在這行之後加上 & ~,新版 rsyslog 則用 & stop)
# vim /etc/rsyslog.conf
ftp.*                                                /var/log/pureftpd.log

重新啟動 Syslog Server
# /etc/init.d/rsyslog restart

檢查 log 檔是否有產生
# ls -l /var/log/pureftpd.log
-rw——-. 1 root root 0 Jan  1 14:54 /var/log/pureftpd.log
修改 fail2ban 設定檔(同樣建議寫在 /etc/fail2ban/jail.local 而不是 jail.conf)
# vim /etc/fail2ban/jail.local
加入下面的設定
[pure-ftpd]
enabled  = true
filter   = pure-ftpd
action   = iptables[name=pure-ftpd, port=ftp, protocol=tcp]
logpath  = /var/log/pureftpd.log
maxretry = 3
bantime  = 86400

重新啟動 fail2ban
# service fail2ban restart

# fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:           pure-ftpd, ssh-iptables

嘗試錯誤連線幾次

# fail2ban-client status pure-ftpd
Status for the jail: pure-ftpd
|- filter
|  |- File list:        /var/log/pureftpd.log
|  |- Currently failed: 0
|  `- Total failed:     3
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.1.1
   `- Total banned:     1

# iptables -t filter -L fail2ban-pure-ftpd -n
Chain fail2ban-pure-ftpd (1 references)
target     prot opt source               destination
DROP       all  —  192.168.1.1          0.0.0.0/0
RETURN     all  —  0.0.0.0/0            0.0.0.0/0