# Arch: DHCP server, NAT, USB tethering with a Rakuten Mini, and ipset (a BLACKLIST experiment)

Concretely, the setup looks like the photo below.

Problem 1: the multiple ISC DHCP vulnerabilities sound scary; have they been fixed by now?

Problem 2: dnsmasq is really unstable: sometimes it works with this configuration and the next time it doesn't.
<<<<<<<<<<<<<<<<< A digression

I am doing takuhatsu (alms rounds).

| This is purely my personal imagination |
|---|
| Even in old age, did the Buddha not go on alms rounds together with his disciples? And was his robe not a "funzo-e" (rag robe): cloth the dead had worn, washed in the river (yellowed from the years the dead had worn it)? |
| Reference: https://www.youtube.com/watch?v=Z9LAcuSScCw |

Back to the topic <<<<<<<<<<<<<<
First, start with the simple version.

Install the dhcp package from the official repository.

```
# ifconfig
enp16s0: ---> IN
wlan0:   ---> OUT (internet)
```
The crontab is:

```
crontab -l | ./comment-out.bat -
@reboot shutdown -h +250 ; /home/think/ufw-nat.bat
```

and ufw-nat.bat (comments stripped with `./comment-out.bat ufw-nat.bat`) is:

```bash
ufw disable
ufw enable
ufw default deny
ufw allow Deluge
ufw limit ssh/tcp
ufw status
# "ipset destroy" with no set name removes every set; recreate myset and put the DROP rule first in INPUT
ipset destroy ; ipset create myset hash:net ; iptables -I INPUT -m set --match-set myset src -j DROP
# LAN interface: the first enp0s* name reported by ifconfig
INN=`ifconfig | grep enp0s |cut -d : -f 1`
echo $INN
sleep 1
ifconfig $INN 139.96.30.100
sleep 1
systemctl start dhcpd4
```
And `./comment-out.bat /etc/dhcpd.conf` gives:

```
option domain-name-servers 8.8.8.8, 8.8.4.4;
option subnet-mask 255.255.255.0;
option routers 139.96.30.100;
subnet 139.96.30.0 netmask 255.255.255.0 {
range 139.96.30.150 139.96.30.155;
}
```
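A consistency check for a dhcpd.conf like the one above, as an added example (not code from the original post or from ISC dhcpd). It parses only the four statements this post uses, then verifies that the router and the lease range lie inside the declared subnet, that the serving interface actually has that subnet (the enp0s25 line in the ifconfig output further down this page reports netmask 255.255.0.0, i.e. a /16, while dhcpd hands out a /24), and that the subnet is RFC 1918 private space, because 139.96.30.0/24 is globally routable space belonging to someone else. The interface dictionary and the finding codes are this example's own assumptions.

```python
"""Sanity-check a minimal dhcpd.conf against the interface that serves it.

Added example, not part of the original post. DHCPD_CONF is the dhcpd.conf
shown above; IFACE mirrors the enp0s25 line from the page's ifconfig output.
"""
import ipaddress
import re

# dhcpd.conf exactly as shown on the page
DHCPD_CONF = """\
option domain-name-servers 8.8.8.8, 8.8.4.4;
option subnet-mask 255.255.255.0;
option routers 139.96.30.100;
subnet 139.96.30.0 netmask 255.255.255.0 {
range 139.96.30.150 139.96.30.155;
}
"""

# enp0s25 as reported by ifconfig on the page (assumed dictionary layout)
IFACE = {"name": "enp0s25", "address": "139.96.30.100", "netmask": "255.255.0.0"}


def parse_dhcpd_conf(text):
    """Extract the handful of statements this post uses (not a full ISC grammar)."""
    def one(pattern):
        m = re.search(pattern, text, re.M)
        if not m:
            raise ValueError(f"missing statement: {pattern}")
        return m

    subnet = one(r"^\s*subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
    rng = one(r"^\s*range\s+(\S+)\s+(\S+)\s*;")
    routers = one(r"^\s*option routers\s+([^;]+);")
    dns = one(r"^\s*option domain-name-servers\s+([^;]+);")
    return {
        "subnet": ipaddress.ip_network(f"{subnet.group(1)}/{subnet.group(2)}", strict=True),
        "range": (ipaddress.ip_address(rng.group(1)), ipaddress.ip_address(rng.group(2))),
        "routers": [ipaddress.ip_address(r.strip()) for r in routers.group(1).split(",")],
        "dns": [ipaddress.ip_address(d.strip()) for d in dns.group(1).split(",")],
    }


def check(conf, iface):
    """Return a list of (code, message) findings; an empty list means consistent."""
    findings = []
    net = conf["subnet"]
    lo, hi = conf["range"]
    for r in conf["routers"]:
        if r not in net:
            findings.append(("ROUTER_OUTSIDE_SUBNET", f"router {r} is not in {net}"))
    if lo > hi or lo not in net or hi not in net:
        findings.append(("RANGE_OUTSIDE_SUBNET", f"range {lo}-{hi} does not fit in {net}"))
    elif any(lo <= r <= hi for r in conf["routers"]):
        findings.append(("ROUTER_IN_POOL", "a router address could be handed out as a lease"))
    # The interface's own prefix must be the subnet dhcpd announces, otherwise the
    # clients' /24 view and the server's /16 view of the LAN disagree.
    iface_net = ipaddress.ip_interface(f"{iface['address']}/{iface['netmask']}").network
    if iface_net != net:
        findings.append(("IFACE_NETMASK_MISMATCH",
                         f"{iface['name']} is {iface_net} but dhcpd serves {net}"))
    # A public prefix used as a LAN shadows the real owner of that space and can
    # also end up inside a country blocklist that is matched on source address.
    if not net.is_private:
        findings.append(("NON_PRIVATE_SUBNET",
                         f"{net} is globally routable space; prefer an RFC 1918 range"))
    return findings


if __name__ == "__main__":
    for code, msg in check(parse_dhcpd_conf(DHCPD_CONF), IFACE):
        print(f"{code}: {msg}")
```

Run against the page's own values it reports the netmask mismatch and the non-private subnet; swapping in a 10.0.30.0/24 configuration with a matching interface netmask yields no findings.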
https://ubuntu-nikki.hatenadiary.org/entry/20100921/1285077768 was a big help here.
# diff /etc/default/ufw /etc/default/ufw-ori
19c19
< DEFAULT_FORWARD_POLICY="ACCEPT"
---
> DEFAULT_FORWARD_POLICY="DROP"
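Review bot: changing DEFAULT_FORWARD_POLICY to "ACCEPT" on line 19 makes the FORWARD chain accept in both directions (the `Chain FORWARD (policy ACCEPT)` listing further down confirms it), so any packet arriving on the uplink that is routable toward 139.96.30.0/24 is relayed too, not only LAN-to-internet traffic; the MASQUERADE rule only rewrites source addresses and does not filter. Keeping the default "DROP" and allowing just the outbound direction with `ufw route allow in on enp16s0 out on wlan0` puts a single rule in ufw-user-forward, and the ctstate RELATED,ESTABLISHED rule already in ufw-before-forward lets the replies back in.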
# diff /etc/ufw/sysctl.conf /etc/ufw/sysctl.conf-ori
8c8
< net/ipv4/ip_forward=1
---
> #net/ipv4/ip_forward=1
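Review bot: uncommenting net/ipv4/ip_forward=1 on line 8 is the right place under ufw, since ufw applies this file (IPT_SYSCTL) each time it starts, but it turns on forwarding for every interface on the host, not just the two named in the NAT rule; with the forward policy set to ACCEPT above, nothing else restricts which traffic is relayed. The ufw-less nat.bat later on the page does the same with `echo 1 > /proc/sys/net/ipv4/ip_forward`, which only lasts until reboot, which is why that script has to be run from @reboot.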
```
# head -30 /etc/ufw/before.rules | ./comment-out.bat -
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 139.96.30.0/24 -o wlan0 -j MASQUERADE
COMMIT
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
```

(rest omitted)
For the record, the full files:

```
# ./comment-out.bat /etc/default/ufw
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="ACCEPT"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
```

```
# ./comment-out.bat /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
net/ipv4/conf/default/rp_filter=1
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/default/accept_source_route=0
net/ipv4/conf/all/accept_source_route=0
net/ipv6/conf/default/accept_source_route=0
net/ipv6/conf/all/accept_source_route=0
net/ipv4/conf/default/accept_redirects=0
net/ipv4/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0
net/ipv4/conf/default/log_martians=0
net/ipv4/conf/all/log_martians=0
net/ipv4/tcp_sack=1
```
How myset is built is described later.
With that, `iptables -L` gives:

```
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
★ here it is: DROP all -- anywhere anywhere match-set myset src
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:ssdp
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports 6881:6891 /* 'dapp_Deluge' */
tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ufw-user-limit tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source mask: 255.255.255.255
ufw-user-limit-accept tcp -- anywhere anywhere tcp dpt:ssh
Chain ufw-user-limit (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
```

That is the resulting rule set.
That's all for the simple version.

Now for the real thing.

## The actual current setup is below; for security it is a bit more complicated

PC----LAN HUB---**endevourLINUX**---usb---wifiMINI---internet

ifconfig shows:

```
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 139.96.30.100 netmask 255.255.0.0 broadcast 139.96.255.255
enp0s29f7u2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.42.37 netmask 255.255.255.0 broadcast 192.168.42.255
wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 6a:16:a6:0e:07:99 txqueuelen 1000 (Ethernet)
RX packets 499367 bytes 626265031 (597.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 202466 bytes 25823640 (24.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```

## enp0s29f7u2 is the USB tethering interface, so all that is needed is to replace wlan0 with enp0s29f7u2 in the NAT rule

## wlan0 is not doing any work at all
ipset: drop access from risky countries

Following https://wiki.archlinux.jp/index.php/Ipset :

```bash
pacman -S ipset
curl -O http://nami.jp/ipv4bycc/cidr.txt.gz && gunzip -f cidr.txt.gz
# keep only the CIDR column of the lines whose two-letter country code is one of the chosen ones
sed -n 's/^\(CC\|HH\|RR\|KK\|LL\|II\)\t//p' cidr.txt > ccc
sort ccc > ccc-s
cp ccc-s BLACKLIST
# turn every CIDR into an "ipset add myset <cidr>" command
sed "s/^/ipset add myset /g" BLACKLIST > BLACKLIST-1
```

After checking the first line of BLACKLIST-1:

```bash
sh BLACKLIST-1
```
-----

```
crontab -l
@reboot systemctl hibernate +250 ; /home/think/nat.bat ; ipset create myset hash:net ; iptables -I INPUT -m set --match-set myset src -j DROP
```
This gives the following:

```
# ipset list
Name: myset
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 448
References: 1
Number of entries: 0
Members:
# iptables -L | grep myset
DROP all -- anywhere anywhere match-set myset src
```
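The sed/sort pipeline above builds BLACKLIST-1 without checking any line, and the `ipset list` output just shown has `Number of entries: 0`: the @reboot crontab recreates myset empty, so until BLACKLIST-1 is run again by hand the DROP rule matches nothing. The following is an added example, not code from the original post or from the Arch wiki, that reads the same "CC<TAB>CIDR" layout as cidr.txt, validates every prefix, merges duplicates and adjacent blocks, refuses to produce a list that would cover the host's own LAN (139.96.30.0/24, which is public address space) or the tethering subnet (192.168.42.0/24), and writes an `ipset restore` file that can be reloaded at boot. The sample lines, the XA/XB/XC codes, the finding format and the `maxelem` sizing are this example's own constructions.

```python
"""Build a validated `ipset restore` file from a nami.jp-style cidr.txt.

Added example, not part of the original post or the Arch wiki. The input
layout ("CC<TAB>CIDR" per line) follows the cidr.txt the sed pipeline reads;
the sample data, the XA/XB/XC codes and the set name are constructed here.
"""
import ipaddress

# Constructed sample in the cidr.txt layout: RFC 5737 documentation ranges,
# one shared-address range and user-assigned codes XA/XB/XC, not real data.
SAMPLE_CIDR_TXT = """\
JP\t203.0.113.0/24
XA\t198.51.100.0/25
XA\t198.51.100.128/25
XB\t192.0.2.0/24
XB\t192.0.2.0/24
XB\t192.0.2.0/33
XC\t100.64.0.0/10
"""


def parse_cidr_txt(text, countries):
    """Return ([IPv4Network, ...], [(lineno, line, reason), ...]) for the chosen codes.

    Unlike `sed | sort`, every CIDR is parsed strictly, so a malformed line is
    reported instead of becoming an `ipset add` that fails halfway through.
    """
    wanted = {c.upper() for c in countries}
    nets, skipped = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 2:
            skipped.append((lineno, raw, "expected CC<TAB>CIDR"))
            continue
        cc, cidr = parts
        if cc.upper() not in wanted:
            continue
        try:
            nets.append(ipaddress.IPv4Network(cidr, strict=True))
        except ValueError as exc:
            skipped.append((lineno, raw, str(exc)))
    return nets, skipped


def collapse(nets):
    """Merge duplicates and adjacent blocks (two /25s become one /24)."""
    return sorted(ipaddress.collapse_addresses(nets))


def overlapping(nets, protected):
    """Blocklist entries that also cover our own networks; a DROP on them would
    cut off the LAN or the uplink, so the caller refuses to install the set."""
    prot = [ipaddress.IPv4Network(p) for p in protected]
    return [n for n in nets if any(n.overlaps(p) for p in prot)]


def render_restore(setname, nets, hashsize=1024):
    """Text for `ipset restore`: one create line, then one add line per block.
    maxelem is sized to the list so a long list does not fill the hash."""
    maxelem = max(65536, len(nets))
    lines = [f"create {setname} hash:net family inet hashsize {hashsize} maxelem {maxelem}"]
    lines += [f"add {setname} {n}" for n in nets]
    return "\n".join(lines) + "\n"


def build(text, countries, protected, setname="myset"):
    """Parse, collapse, refuse on self-overlap, render. Returns (restore_text, skipped)."""
    nets, skipped = parse_cidr_txt(text, countries)
    nets = collapse(nets)
    clash = overlapping(nets, protected)
    if clash:
        raise ValueError(f"blocklist overlaps own networks: {[str(n) for n in clash]}")
    return render_restore(setname, nets), skipped


if __name__ == "__main__":
    # LAN and USB-tethering subnets taken from the page's ifconfig output
    restore, skipped = build(SAMPLE_CIDR_TXT, ["XA", "XB"],
                             ["139.96.30.0/24", "192.168.42.0/24"])
    print(restore)
    for lineno, line, why in skipped:
        print(f"skipped line {lineno}: {line!r} ({why})")
```

Write the returned text to a file and load it with `ipset -exist restore < myset.restore` (the `-exist` option makes the `create` line harmless when the @reboot job has already created the set); saving the same file as /etc/ipset.conf lets the ipset.service shipped with the Arch package restore it at boot, so the set is no longer empty after a reboot.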
The simplified version without ufw (as opposed to the one above) is as follows:

nat.bat-start

```bash
OUTT='enp16s0'
# enable routing until the next reboot (this script runs from @reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward
# clear the filter table and the nat chains, then reset their policies
iptables --flush
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t filter -P FORWARD ACCEPT
# masquerade everything leaving through the uplink
iptables -t nat -A POSTROUTING -o $OUTT -j MASQUERADE
# "ipset destroy" without a name removes every set; recreate the blocklist set empty
ipset destroy
ipset create myset hash:net
ipset flush myset
# drop input whose source is in the set (the set still has to be filled afterwards)
iptables -A INPUT -m set --match-set myset src -j DROP
iptables-save
iptables -L
#----
# LAN interface: the first enp0s* name reported by ifconfig
INN=`ifconfig | grep enp0s |cut -d : -f 1`
sleep 1
ifconfig $INN 139.96.30.100
sleep 1
systemctl start dhcpd4
```
Since it is the simplified version, `iptables -L` gives:

```
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere match-set ruwa src
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```

It's so bare that it feels a little flimsy.

As for speed, over USB tethering
Author and source: https://qiita.com/tyokai/items/a290d9f490c71da6c23a (the original author's attribution is at that URL; copyright belongs to the original author).