Concretely, it looks like the photo below.

Problem 1: the multiple vulnerabilities in ISC DHCP are kind of scary. Have they been fixed by now?

Problem 2: dnsmasq is really unstable: sometimes it works with this configuration and the next time it doesn't.
<<<<<<<<<<<<<<<<< Digression

Doing takuhatsu (alms rounds).

| This is purely my own speculation, but |
|---|
| Even when he was old, the Buddha probably went on alms rounds together with his disciples. His robe was probably a so-called funzō-e (糞尿衣, literally "excrement-soiled robe"): clothing that had been worn by the dead, washed in a river (yellowed because the deceased had worn it for years). |
| Reference: https://www.youtube.com/watch?v=Z9LAcuSScCw |

Back to the topic <<<<<<<<<<<<<<
First, as a warm-up, let's get the simple one done.

Install the dhcp package from the official repository. The interfaces are:

```
# ifconfig
enp16s0: ---> IN
wlan0:   ---> OUT (internet)
```
The crontab is:

```
# crontab -l | ./comment-out.bat -
@reboot shutdown -h +250 ; /home/think/ufw-nat.bat
```

and `./comment-out.bat ufw-nat.bat` (the script itself) is:

```sh
ufw disable
ufw enable
ufw default deny
ufw allow Deluge                 # BitTorrent client app profile (tcp 6881:6891)
ufw limit ssh/tcp                # rate-limit new SSH connections
ufw status
# blocklist set; how it is populated is described later
ipset destroy ; ipset create myset hash:net ; iptables -I INPUT -m set --match-set myset src -j DROP
# LAN side: find the wired interface, give it the gateway address, start the DHCP server
INN=`ifconfig | grep enp0s |cut -d : -f 1`
echo $INN
sleep 1
ifconfig $INN 139.96.30.100
sleep 1
systemctl start dhcpd4
```
Also, `./comment-out.bat /etc/dhcpd.conf` gives:

```
option domain-name-servers 8.8.8.8, 8.8.4.4;
option subnet-mask 255.255.255.0;
option routers 139.96.30.100;
# the LAN behind the box; leases come from the small range below
subnet 139.96.30.0 netmask 255.255.255.0 {
  range 139.96.30.150 139.96.30.155;
}
```

I got help from https://ubuntu-nikki.hatenadiary.org/entry/20100921/1285077768.
# diff /etc/default/ufw /etc/default/ufw-ori
19c19
< DEFAULT_FORWARD_POLICY="ACCEPT"
---
> DEFAULT_FORWARD_POLICY="DROP"
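Review bot: switching DEFAULT_FORWARD_POLICY from the shipped "DROP" to "ACCEPT" makes the FORWARD chain accept every packet between any pair of interfaces, not only LAN-to-uplink traffic for the 139.96.30.0/24 range that the POSTROUTING MASQUERADE rule rewrites. Consider keeping "DROP" and allowing forwarding explicitly, for example with `ufw route allow in on <lan-if> out on <uplink-if> from 139.96.30.0/24`, so the box only forwards what the NAT is actually meant to carry.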
# diff /etc/ufw/sysctl.conf /etc/ufw/sysctl.conf-ori
8c8
< net/ipv4/ip_forward=1
---
> #net/ipv4/ip_forward=1
```
# head -30 /etc/ufw/before.rules | ./comment-out.bat -
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 139.96.30.0/24 -o wlan0 -j MASQUERADE
COMMIT
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
(rest omitted)
```
For the record, here are the two files in full:

```
# ./comment-out.bat /etc/default/ufw
IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="ACCEPT"
DEFAULT_APPLICATION_POLICY="SKIP"
MANAGE_BUILTINS=no
IPT_SYSCTL=/etc/ufw/sysctl.conf
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
```

```
# ./comment-out.bat /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
net/ipv4/conf/default/rp_filter=1
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/default/accept_source_route=0
net/ipv4/conf/all/accept_source_route=0
net/ipv6/conf/default/accept_source_route=0
net/ipv6/conf/all/accept_source_route=0
net/ipv4/conf/default/accept_redirects=0
net/ipv4/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0
net/ipv4/conf/default/log_martians=0
net/ipv4/conf/all/log_martians=0
net/ipv4/tcp_sack=1
```
How to build myset is described later.

With this in place, `iptables -L` looks like this (the ★ marks the blocklist rule):

```
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere match-set myset src   <-- ★ here it is
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:ssdp
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports 6881:6891 /* 'dapp_Deluge' */
tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ufw-user-limit tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source mask: 255.255.255.255
ufw-user-limit-accept tcp -- anywhere anywhere tcp dpt:ssh
Chain ufw-user-limit (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
```

That is the complete rule set. That's all for the simple version.
Now for the real thing.

## This is the actual current setup; it is a little more complicated for security reasons
PC----LAN HUB---**endevourLINUX**---usb---wifiMINI---internet
ifconfig shows:

```
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 139.96.30.100 netmask 255.255.0.0 broadcast 139.96.255.255
enp0s29f7u2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.42.37 netmask 255.255.255.0 broadcast 192.168.42.255
```

This enp0s29f7u2 is the USB tethering interface. So all that is needed is to replace wlan0 with enp0s29f7u2 in the NAT rule.

```
wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 6a:16:a6:0e:07:99 txqueuelen 1000 (Ethernet)
RX packets 499367 bytes 626265031 (597.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 202466 bytes 25823640 (24.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```

wlan0 is not doing any work at all.
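An interface swap like the one just described is exactly the kind of edit that is easy to get half right: the MASQUERADE rule in /etc/ufw/before.rules must name the real uplink, and its `-s` range must be the network dhcpd actually hands out. The script below is an added check, not part of the post or of the author's .bat files. It assumes the MASQUERADE line and the dhcpd `subnet ... netmask ...` line have the shapes shown earlier on this page; the sample files it writes are constructed from the post's values, not the real configuration.

```shell
#!/bin/sh
# Added example: cross-check the NAT rule against the DHCP subnet and the
# intended uplink. Assumes before.rules has a line of the form
#   -A POSTROUTING -s <cidr> -o <iface> -j MASQUERADE
# and dhcpd.conf has "subnet A.B.C.D netmask M.M.M.M {".

# Interface named in the MASQUERADE rule.
masq_iface() {
  sed -n 's/^-A POSTROUTING .*-o \([^ ]*\) .*-j MASQUERADE.*/\1/p' "$1" | head -n 1
}

# Source network (CIDR) named in the MASQUERADE rule.
masq_source() {
  sed -n 's/^-A POSTROUTING .*-s \([^ ]*\) .*-j MASQUERADE.*/\1/p' "$1" | head -n 1
}

# Dotted netmask -> prefix length, by counting set bits per octet.
mask_to_prefix() {
  prefix=0
  for octet in $(echo "$1" | tr . ' '); do
    case "$octet" in
      255) prefix=$((prefix + 8)) ;;
      254) prefix=$((prefix + 7)) ;;
      252) prefix=$((prefix + 6)) ;;
      248) prefix=$((prefix + 5)) ;;
      240) prefix=$((prefix + 4)) ;;
      224) prefix=$((prefix + 3)) ;;
      192) prefix=$((prefix + 2)) ;;
      128) prefix=$((prefix + 1)) ;;
      0)   ;;
      *)   return 1 ;;
    esac
  done
  echo "$prefix"
}

# Network dhcpd serves, as CIDR.
dhcpd_subnet() {
  set -- $(sed -n 's/^ *subnet \([0-9.]*\) *netmask \([0-9.]*\).*/\1 \2/p' "$1" | head -n 1)
  [ -n "$1" ] || return 1
  echo "$1/$(mask_to_prefix "$2")"
}

# "ok" when the MASQUERADE rule covers the DHCP subnet and leaves via the
# intended uplink; otherwise a one-line description of the mismatch.
nat_check() {
  rules=$1; conf=$2; uplink=$3
  iface=$(masq_iface "$rules"); src=$(masq_source "$rules"); net=$(dhcpd_subnet "$conf")
  if [ "$iface" != "$uplink" ]; then
    echo "MASQUERADE leaves via $iface but uplink is $uplink"; return 1
  fi
  if [ "$src" != "$net" ]; then
    echo "MASQUERADE source $src does not match DHCP subnet $net"; return 1
  fi
  echo ok
}

# Constructed sample inputs (modelled on the post, not its real files).
tmp=$(mktemp -d)
cat > "$tmp/before.rules" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 139.96.30.0/24 -o wlan0 -j MASQUERADE
COMMIT
EOF
cat > "$tmp/dhcpd.conf" <<'EOF'
option routers 139.96.30.100;
subnet 139.96.30.0 netmask 255.255.255.0 {
  range 139.96.30.150 139.96.30.155;
}
EOF

nat_check "$tmp/before.rules" "$tmp/dhcpd.conf" wlan0                 # ok
nat_check "$tmp/before.rules" "$tmp/dhcpd.conf" enp0s29f7u2 || true   # reports the stale -o wlan0
```

Run it against the real files with the uplink you intend to use, and it tells you whether before.rules still points at the old interface before ufw is reloaded.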
## ipset: drop traffic from risky countries

See https://wiki.archlinux.jp/index.php/Ipset.

```sh
pacman -S ipset
# country-coded IPv4 CIDR list; each line starts with a two-letter code and a tab
curl -O http://nami.jp/ipv4bycc/cidr.txt.gz && gunzip -f cidr.txt.gz
# keep only the chosen country codes and strip the code column
sed -n 's/^\(CC\|HH\|RR\|KK\|LL\|II\)\t//p' cidr.txt > ccc
sort ccc > ccc-s
cp ccc-s BLACKLIST
# turn each CIDR into an "ipset add myset <cidr>" command
sed "s/^/ipset add myset /g" BLACKLIST > BLACKLIST-1
```

After checking the first line of BLACKLIST-1, run:

```sh
sh BLACKLIST-1
```
-----
```
# crontab -l
@reboot systemctl hibernate +250 ; /home/think/nat.bat ; ipset create myset hash:net ; iptables -I INPUT -m set --match-set myset src -j DROP
```

This gives:

```
# ipset list
Name: myset
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 448
References: 1
Number of entries: 0
Members:
# iptables -L | grep myset
DROP all -- anywhere anywhere match-set myset src
```
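The `Number of entries: 0` above is the detail to watch: an ipset does not survive a reboot, so a set recreated by `ipset create` at boot is empty until the add commands are replayed, and the DROP rule then matches nothing. The script below is an added example (not the post's BLACKLIST-1 or nat.bat). It converts the country-coded list into a single `ipset restore` file, which is much faster than thousands of separate `ipset add` processes, and parses `ipset list` output to flag an empty set. The cidr.txt and `ipset list` text it uses are constructed samples in the format implied by the post's sed pattern, not nami.jp data.

```shell
#!/bin/sh
# Added example: build an `ipset restore` file from "CC<TAB>a.b.c.d/nn" lines
# and check that the live set is populated. Sample data is constructed.

# Emit restore commands for every CIDR whose country code is in the
# space-separated list $3. Malformed lines are skipped rather than loaded.
cidr_to_restore() {
  src=$1; set_name=$2; codes=$3
  echo "create $set_name hash:net family inet hashsize 1024 maxelem 65536"
  awk -F '\t' -v set="$set_name" -v codes="$codes" '
    function valid_cidr(s,   a, b, i) {
      if (s !~ /^[0-9.]+\/[0-9]+$/) return 0
      split(s, a, "/")
      if (a[2] + 0 > 32) return 0
      if (split(a[1], b, ".") != 4) return 0
      for (i = 1; i <= 4; i++) if (b[i] == "" || b[i] + 0 > 255) return 0
      return 1
    }
    BEGIN { n = split(codes, c, " "); for (i = 1; i <= n; i++) want[c[i]] = 1 }
    NF == 2 && ($1 in want) && valid_cidr($2) { print "add " set " " $2 }
  ' "$src"
}

# Number of "add" lines in a restore file: what the set should hold afterwards.
restore_entry_count() {
  grep -c '^add ' "$1"
}

# Parse saved `ipset list <set>` output; fail when the set holds zero entries.
check_populated() {
  n=$(sed -n 's/^Number of entries: \([0-9]*\)$/\1/p' "$1")
  [ -n "$n" ] || { echo "no entry count found"; return 1; }
  if [ "$n" -eq 0 ]; then
    echo "set is empty: the DROP rule currently blocks nothing"; return 1
  fi
  echo "set holds $n entries"
}

# Constructed sample data (RFC 5737 / private ranges, made-up country codes).
tmp=$(mktemp -d)
printf 'CC\t10.0.0.0/8\nJP\t192.0.2.0/24\nHH\t198.51.100.0/24\nCC\tnot-a-cidr\nRR\t203.0.113.0/25\n' > "$tmp/cidr.txt"
cidr_to_restore "$tmp/cidr.txt" myset "CC HH" > "$tmp/myset.restore"
cat "$tmp/myset.restore"      # one create line, two add lines (JP and RR are not selected)

printf 'Name: myset\nType: hash:net\nNumber of entries: 0\nMembers:\n' > "$tmp/ipset-list.txt"
check_populated "$tmp/ipset-list.txt" || true   # reports the empty set
```

Load the generated file with `ipset -exist restore < myset.restore` (the `-exist` flag makes a re-run idempotent), and run `ipset list myset | ...` through `check_populated` after boot so that an empty blocklist is noticed instead of silently failing open.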
The simplified version of the above, without ufw, is the following nat.bat:

```sh
OUTT='enp16s0'                      # uplink interface to masquerade behind
echo 1 > /proc/sys/net/ipv4/ip_forward
# start from empty filter/nat tables with accept-everything policies
iptables --flush
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $OUTT -j MASQUERADE
# blocklist set: created empty here, filled separately
ipset destroy
ipset create myset hash:net
ipset flush myset
iptables -A INPUT -m set --match-set myset src -j DROP
iptables-save
iptables -L
# ----
# LAN side: assign the gateway address and start the DHCP server
INN=`ifconfig | grep enp0s |cut -d : -f 1`
sleep 1
ifconfig $INN 139.96.30.100
sleep 1
systemctl start dhcpd4
```
Since this is the simplified version, `iptables -L` is just:

```
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere match-set ruwa src
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```

which is almost alarmingly thin.
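Two things in that listing are worth checking mechanically rather than by eye: the INPUT policy is ACCEPT, so everything not in the blocklist is admitted, and the rule references a set named ruwa while the `ipset list` output earlier shows a set named myset. The script below is an added example, not part of the post; it audits a saved `iptables -L` dump against a saved `ipset list` dump and prints one finding per line. The dumps it reads are constructed from the post's output, and the set names ruwa and myset are taken from that output.

```shell
#!/bin/sh
# Added example: audit saved `iptables -L` and `ipset list` output.
# Sample inputs are constructed from the post's listings.

# Default policy of a chain, e.g. chain_policy dump INPUT -> ACCEPT
chain_policy() {
  sed -n "s/^Chain $2 (policy \([A-Z]*\)).*/\1/p" "$1" | head -n 1
}

# Set names referenced by match-set rules anywhere in the dump.
referenced_sets() {
  sed -n 's/.*match-set \([^ ]*\) .*/\1/p' "$1" | sort -u
}

# Set names that exist according to `ipset list`.
existing_sets() {
  sed -n 's/^Name: \(.*\)$/\1/p' "$1" | sort -u
}

# Print findings; return 0 only when there are none.
audit_rules() {
  dump=$1; sets=$2; findings=0
  if [ "$(chain_policy "$dump" INPUT)" = ACCEPT ]; then
    echo "INPUT policy is ACCEPT: anything not matched by the blocklist is admitted"
    findings=$((findings + 1))
  fi
  for s in $(referenced_sets "$dump"); do
    if ! existing_sets "$sets" | grep -qx "$s"; then
      echo "rule references set '$s' but the ipset dump has no such set"
      findings=$((findings + 1))
    fi
  done
  if [ "$findings" -eq 0 ]; then echo "no findings"; return 0; fi
  return 1
}

# Constructed sample dumps.
tmp=$(mktemp -d)
cat > "$tmp/iptables-L.txt" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             match-set ruwa src
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
cat > "$tmp/ipset-list.txt" <<'EOF'
Name: myset
Type: hash:net
Number of entries: 0
Members:
EOF

audit_rules "$tmp/iptables-L.txt" "$tmp/ipset-list.txt" || true   # two findings
```

On the live box the same functions can read `iptables -L > dump.txt` and `ipset list > sets.txt`; a non-zero exit from `audit_rules` is a convenient hook for a boot-time sanity check.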