# Generated by iptables-save v1.4.8 on Sun Jan 8 22:32:25 2012
*nat
# nat table: built-in chains only, all with policy ACCEPT and no rules, so no
# address/port translation is configured by this dump. The "[pkt:bytes]"
# figures are saved counters; iptables-restore ignores them unless run with -c.
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sun Jan 8 22:32:25 2012
# Generated by iptables-save v1.4.8 on Sun Jan 8 22:32:25 2012
*mangle
# mangle table: only used to set DSCP (QoS) marks on locally generated
# traffic (OUTPUT). All policies are ACCEPT; nothing is dropped here.
:PREROUTING ACCEPT [1742563:1081902521]
:INPUT ACCEPT [1601744:1069111192]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1386773:3510511668]
:POSTROUTING ACCEPT [1387846:3510588812]
# The DSCP target is non-terminating, so every rule below is evaluated and the
# last match wins: the first rule sets a default for all outgoing packets and
# the port-specific rules override it.
# Default mark for everything: 0x12 (AF21).
-A OUTPUT -j DSCP --set-dscp 0x12
# FTP (control/data as source ports): 0x22 (AF41).
-A OUTPUT -p tcp -m tcp --sport 20 -j DSCP --set-dscp 0x22
-A OUTPUT -p tcp -m tcp --sport 21 -j DSCP --set-dscp 0x22
# SSH on port 22, both directions: 0x26 (AF43).
# NOTE(review): the filter table below accepts SSH only on port 2002 (see the
# "--name ssh" recent rules) and never on 22, so these two rules likely predate
# the port move and mark nothing useful — confirm which port sshd listens on.
-A OUTPUT -p tcp -m tcp --sport 22 -j DSCP --set-dscp 0x26
-A OUTPUT -p tcp -m tcp --dport 22 -j DSCP --set-dscp 0x26
# DNS, tcp and udp, both directions: 0x0e (AF13).
-A OUTPUT -p tcp -m tcp --sport 53 -j DSCP --set-dscp 0x0e
-A OUTPUT -p udp -m udp --sport 53 -j DSCP --set-dscp 0x0e
-A OUTPUT -p tcp -m tcp --dport 53 -j DSCP --set-dscp 0x0e
-A OUTPUT -p udp -m udp --dport 53 -j DSCP --set-dscp 0x0e
# HTTP, both directions: 0x1e (AF33).
-A OUTPUT -p tcp -m tcp --sport 80 -j DSCP --set-dscp 0x1e
-A OUTPUT -p tcp -m tcp --dport 80 -j DSCP --set-dscp 0x1e
# All outgoing ICMP: 0x0a (AF11).
-A OUTPUT -p icmp -j DSCP --set-dscp 0x0a
COMMIT
# Completed on Sun Jan 8 22:32:25 2012
# Generated by iptables-save v1.4.8 on Sun Jan 8 22:32:25 2012
*filter
# filter table. Policies: INPUT ACCEPT — the chain must therefore end in an
# explicit catch-all, which it does ("-j CHAOS" at the bottom of INPUT);
# FORWARD DROP — this host does not route; OUTPUT ACCEPT — no egress
# filtering. The "[pkt:bytes]" figures are saved counters and are ignored by
# iptables-restore unless it is run with -c.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1386091:3510450264]
# User-defined chains. Each one RETURNs to INPUT for traffic it does not
# decide on, so the order of the jumps in INPUT is significant.
# invalid_ban is declared but has no rules in this dump.
:bad-packets - [0:0]
:fail2ban - [0:0]
:invalid_ban - [0:0]
:limitACCESS - [0:0]
:limit_service - [0:0]
:netbios_in_reject - [0:0]
:noc - [0:0]
:permanent_ban - [0:0]
:reject_func - [0:0]
:rpfilter_ok - [0:0]
:scan_ban - [0:0]
#
# ---- INPUT ------------------------------------------------------------------
-A INPUT -i lo -j ACCEPT
# Established/related flows are accepted before any of the ban chains run, so
# a source that is later added to a fail2ban/permanent_ban set keeps its
# already-open connections until they close on their own; terminating them
# requires clearing the conntrack entry separately.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Management hosts (noc) are accepted unconditionally here, ahead of the
# bad-packets, scan_ban and service-limit checks.
-A INPUT -j noc
-A INPUT -j fail2ban
-A INPUT -j permanent_ban
-A INPUT -j bad-packets
# No-op while invalid_ban is empty (see chain declarations above).
-A INPUT -j invalid_ban
# The LOG rules in this table ("invalid drop:", "input drop:", "forward drop:",
# "NEW and not SYN drop:" ...) carry no "-m limit", so every matching packet
# produces a kernel log line. NOTE(review): under a flood of unwanted traffic
# this is unbounded log volume; a rate limit in front of each LOG would cap it.
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "invalid drop: "
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Broadcasts are dropped silently (no LOG).
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -j scan_ban
# NetBIOS/SMB ports are rejected only for NEW connections (the jump is
# ctstate-gated), so the RETURNed established traffic never reaches it anyway.
-A INPUT -m conntrack --ctstate NEW -j netbios_in_reject
# rpfilter_ok is the only route into limit_service (the per-service allow
# list). It forwards only traffic addressed to 77.121.4.50 arriving on eth0;
# anything else — other addresses, other interfaces — falls through to the
# log + CHAOS catch-all below.
-A INPUT -j rpfilter_ok
-A INPUT -j LOG --log-prefix "input drop: "
# CHAOS is an xtables-addons target (not part of stock iptables), as is the
# lscan match used in scan_ban; a kernel/iptables build without xtables-addons
# cannot load this ruleset.
-A INPUT -j CHAOS
# ---- FORWARD ----------------------------------------------------------------
# Policy is already DROP; these two rules log before dropping (unrate-limited).
-A FORWARD -j LOG --log-prefix "forward drop: "
-A FORWARD -j DROP
# ---- bad-packets ------------------------------------------------------------
# Drops TCP segments with flag combinations a normal stack never sends. In
# "--tcp-flags MASK SET", MASK lists the flags examined and SET the flags that
# must be on (all others in MASK must be off).
# FIN,PSH,URG with SYN/RST/ACK clear.
-A bad-packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
# All flags except PSH.
-A bad-packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
# All six flags set.
-A bad-packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
# No flags at all.
-A bad-packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# SYN together with RST, and SYN together with FIN.
-A bad-packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad-packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
# A SYN,ACK that conntrack considers a NEW connection (no matching SYN seen)
# is answered with a reset via reject_func rather than dropped.
-A bad-packets -p tcp -m conntrack --ctstate NEW -m tcp --tcp-flags SYN,ACK SYN,ACK -j reject_func
# Any other NEW connection that is not a bare SYN: log, then drop.
-A bad-packets -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "NEW and not SYN drop: "
-A bad-packets -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# ---- fail2ban ---------------------------------------------------------------
# Source-address ban lists held in ipsets (the sets themselves are not part of
# this dump and must exist before the ruleset is restored).
# Addresses in "searchbot" leave this chain immediately and so are exempt from
# every set below — but only from this chain; permanent_ban etc. still apply.
-A fail2ban -m set --match-set searchbot src -j RETURN
# Static lists, any protocol.
-A fail2ban -m set --match-set china_nets src -j DROP
-A fail2ban -m set --match-set hackers src -j DROP
-A fail2ban -m set --match-set china_hosts src -j DROP
# fail2ban-managed sets; these two apply to all TCP.
-A fail2ban -p tcp -m set --match-set fail2ban-pam-generic src -j DROP
-A fail2ban -p tcp -m set --match-set fail2ban-ipt_drop src -j DROP
# fail2ban-managed sets limited to the ports of the service that produced
# the ban.
-A fail2ban -p tcp -m multiport --dports 80,443 -m set --match-set fail2ban-apache-noscript src -j DROP
-A fail2ban -p tcp -m multiport --dports 21,20,990,989 -m set --match-set fail2ban-proftpd src -j DROP
# NOTE(review): this rule blocks the fail2ban-ssh set only on port 22, while
# limit_service below accepts SSH on port 2002 and has no ACCEPT for 22. If
# sshd listens on 2002, addresses banned by the ssh jail are not actually kept
# away from it — confirm the port and extend "--dports" accordingly.
-A fail2ban -p tcp -m multiport --dports 22 -m set --match-set fail2ban-ssh src -j DROP
-A fail2ban -p tcp -m multiport --dports 80,443 -m set --match-set fail2ban-apache src -j DROP
# ---- limitACCESS ------------------------------------------------------------
# Reached only from permanent_ban for source 194.79.21.169: that host may hold
# at most one concurrent connection to 77.121.4.50:80 (connlimit-above 1 per
# /32). A second SYN is logged and dropped; otherwise port 80 is accepted here,
# which means this source skips the bad-packets/scan_ban checks for port 80
# (permanent_ban runs before them in INPUT). Other traffic from it RETURNs.
-A limitACCESS -d 77.121.4.50/32 -i eth0 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 1 --connlimit-mask 32 -j LOG --log-prefix "limitACCESS drop: "
-A limitACCESS -d 77.121.4.50/32 -i eth0 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 1 --connlimit-mask 32 -j DROP
-A limitACCESS -d 77.121.4.50/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
# ---- limit_service ----------------------------------------------------------
# Per-service allow list for traffic to 77.121.4.50 on eth0 (see rpfilter_ok).
# Connection-count caps per source /32: more than N open connections and a
# new SYN is rejected.
# NOTE(review): ports 22 and 25 have no ACCEPT rule anywhere in this chain, so
# a SYN to them ends at the "-p tcp -j CHAOS" rule at the bottom whether or
# not the cap is exceeded; these two rules look like leftovers (SSH is
# accepted on 2002) — confirm before relying on them.
-A limit_service -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j reject_func
-A limit_service -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 5 --connlimit-mask 32 -j reject_func
-A limit_service -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 100 --connlimit-mask 32 -j reject_func
# ICMP: echo-reply (0), destination-unreachable (3), echo-request (8),
# time-exceeded (11) and parameter-problem (12) are accepted; every other ICMP
# type is logged and dropped.
-A limit_service -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A limit_service -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A limit_service -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A limit_service -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A limit_service -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A limit_service -p icmp -j LOG --log-prefix "another icmp drop: "
-A limit_service -p icmp -j DROP
# Accepted services (new connections must be a bare SYN): FTP 20/21, DNS
# 53 tcp+udp, HTTP 80, NTP 123 tcp+udp.
-A limit_service -p tcp -m tcp --dport 20 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A limit_service -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A limit_service -p tcp -m tcp --dport 53 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A limit_service -p udp -m udp --dport 53 -j ACCEPT
-A limit_service -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A limit_service -p tcp -m tcp --dport 123 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A limit_service -p udp -m udp --dport 123 -j ACCEPT
# SSH on port 2002, throttled with the "recent" list named "ssh" (keyed by
# source address, --rsource):
#   1. a source that has already made 8 NEW connections within the last hour
#      is logged and rejected (--update refreshes its timestamp, so the
#      window slides while it keeps trying);
#   2. --set records this NEW connection (no -j: the rule only has the
#      side effect and evaluation continues);
#   3. "! --rcheck --seconds 15 --hitcount 2" matches when the source has
#      FEWER than 2 hits in the last 15 s — because of the --set just above,
#      a first attempt from a fresh source counts as 1 hit and is therefore
#      rejected with a reset; only a second attempt within 15 s reaches the
#      ACCEPT. NOTE(review): this reads as an intentional "connect twice"
#      gate for sshd on 2002; confirm it is deliberate, since a plain client
#      will see its first connection refused.
-A limit_service -p tcp -m conntrack --ctstate NEW -m recent --update --seconds 3600 --hitcount 8 --name ssh --rsource -m tcp --dport 2002 -j LOG --log-prefix "ssh recent0 drop: "
-A limit_service -p tcp -m conntrack --ctstate NEW -m recent --update --seconds 3600 --hitcount 8 --name ssh --rsource -m tcp --dport 2002 -j reject_func
-A limit_service -p tcp -m conntrack --ctstate NEW -m recent --set --name ssh --rsource -m tcp --dport 2002
-A limit_service -p tcp -m conntrack --ctstate NEW -m recent ! --rcheck --seconds 15 --hitcount 2 --name ssh --rsource -m tcp --dport 2002 -j LOG --log-prefix "ssh recent1 drop: "
-A limit_service -p tcp -m conntrack --ctstate NEW -m recent ! --rcheck --seconds 15 --hitcount 2 --name ssh --rsource -m tcp --dport 2002 -j reject_func
-A limit_service -p tcp -m tcp --dport 2002 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# Further TCP services: 10000 (presumably a web admin panel — verify) and
# 20077-20079 (purpose not evident from this dump).
-A limit_service -p tcp -m tcp --dport 10000 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A limit_service -p tcp -m tcp --dport 20077:20079 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# UDP services; 26901/26902 and 27015-27018 look like game-server ports, the
# remaining three are unidentified — verify against what is listening.
-A limit_service -p udp -m udp --dport 26901 -j ACCEPT
-A limit_service -p udp -m udp --dport 26902 -j ACCEPT
-A limit_service -p udp -m udp --dport 27015:27018 -j ACCEPT
-A limit_service -p udp -m udp --dport 46959 -j ACCEPT
-A limit_service -p udp -m udp --dport 51742 -j ACCEPT
-A limit_service -p udp -m udp --dport 59932 -j ACCEPT
# Any other TCP goes straight to CHAOS without a log line; other UDP and
# other protocols RETURN to INPUT, where they are logged and hit CHAOS there.
-A limit_service -p tcp -j CHAOS
# ---- netbios_in_reject ------------------------------------------------------
# NetBIOS (135-139) and SMB (445), as destination and as source port, are
# rejected with a protocol-appropriate REJECT instead of dropped.
-A netbios_in_reject -p tcp -m tcp --dport 135:139 -j reject_func
-A netbios_in_reject -p udp -m udp --dport 135:139 -j reject_func
-A netbios_in_reject -p tcp -m tcp --dport 445 -j reject_func
-A netbios_in_reject -p tcp -m tcp --sport 135:139 -j reject_func
-A netbios_in_reject -p udp -m udp --sport 135:139 -j reject_func
-A netbios_in_reject -p tcp -m tcp --sport 445 -j reject_func
# ---- noc --------------------------------------------------------------------
# Four management addresses on eth0 are accepted for everything. Trust rests
# on the source address alone (no port, protocol or state restriction).
-A noc -s 212.90.160.40/32 -i eth0 -j ACCEPT
-A noc -s 212.90.177.186/32 -i eth0 -j ACCEPT
-A noc -s 77.121.1.12/32 -i eth0 -j ACCEPT
-A noc -s 93.79.167.123/32 -i eth0 -j ACCEPT
# ---- permanent_ban ----------------------------------------------------------
# UDP to the 224.0.0.0/24 multicast block is dropped silently.
-A permanent_ban -d 224.0.0.0/24 -p udp -j DROP
# One specific source is throttled via limitACCESS rather than banned.
-A permanent_ban -s 194.79.21.169/32 -j limitACCESS
# Permanently banned hosts (_h) and networks (_n), from ipsets, go to CHAOS.
-A permanent_ban -m set --match-set permanent_ban_h src -j CHAOS
-A permanent_ban -m set --match-set permanent_ban_n src -j CHAOS
# ---- reject_func ------------------------------------------------------------
# REJECT with the response that fits the protocol: TCP reset, ICMP port
# unreachable for UDP, ICMP protocol unreachable for anything else.
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
# ---- rpfilter_ok ------------------------------------------------------------
# Despite the name, this is not a reverse-path check: it only confirms the
# packet is addressed to 77.121.4.50 and arrived on eth0 before handing it to
# limit_service. Everything else RETURNs and is dropped in INPUT.
-A rpfilter_ok -d 77.121.4.50/32 -i eth0 -j limit_service
# ---- scan_ban ---------------------------------------------------------------
# lscan (xtables-addons) port-scan heuristics; sources that trip any of the
# four detection modes are sent to CHAOS.
-A scan_ban -p tcp -m lscan --stealth -j CHAOS
-A scan_ban -p tcp -m lscan --synscan -j CHAOS
-A scan_ban -p tcp -m lscan --cnscan -j CHAOS
-A scan_ban -p tcp -m lscan --grscan -j CHAOS
COMMIT
# Completed on Sun Jan 8 22:32:25 2012
# Generated by iptables-save v1.4.8 on Sun Jan 8 22:32:25 2012
*raw
# raw table: built-in chains only, policy ACCEPT, no rules — no conntrack
# exemptions (NOTRACK) are configured, so every flow is tracked.
:PREROUTING ACCEPT [1742563:1081902521]
:OUTPUT ACCEPT [1386773:3510511668]
COMMIT
# Completed on Sun Jan 8 22:32:25 2012