Готовим Ubuntu server

Итак, есть необходимость сделать предварительную настройку Ubuntu-сервера.

Так или иначе, есть ряд дефолтных настроек, которые выполняются на каждом сервере. Ниже будет шаблон настроек, установленных программ и т.д., которые должны быть на каждом сервере:

Создаем пользователя :

#adduser XXX

#passwd XXX

Добавляем этого пользователя в sudo, чтобы он мог повысить себе привилегии до root. Имейте в виду: правило %adm ниже распространится на всех членов группы adm, включая служебные учётные записи вроде syslog (см. строку из /etc/group), тогда как в Ubuntu для этого есть отдельная группа sudo. /etc/sudoers правьте через visudo — он проверяет синтаксис перед сохранением, а ошибка в этом файле блокирует sudo целиком.

# vi /etc/group

adm:x:4:syslog,cloud-user,XXX

#vi /etc/sudoers

%adm ALL=(ALL) ALL

# service sudo restart

 

Обновляем порты :

#apt-get update  

# apt-get install ethtool  - утилита для диагностики сетевых карт

# apt-get install fping

# apt-get install mtr

#apt-get install zabbix-agent - это опционально для мониторинга

#apt-get install tcptrack - мониторинг сетевых сессий интерфейсов

Ставим порт для работы с iptables как со службой (достаточно удобно).
При установке система спросит, откуда и куда сохранять правила (конфиги); я оставляю по умолчанию — /etc/iptables/rules.v4.
#apt-get install iptables-persistent

По умолчанию правила (конфиг) будут такие :

# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.4.21 on Wed Oct 11 16:44:29 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Oct 11 16:44:29 2017



# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

У сервера будет шесть интерфейсов: 4 интерфейса — это локальные сети (с фильтрацией между ними), а 2 других — интернет, то есть 2 внешних интерфейса: через один выпускаем в интернет всех, а через другой ходим сами.

root@ipsec-gw-new:~# ifconfig
eth0 Link encap:Ethernet HWaddr fa:16:3e:e3:b8:04
 inet addr:23.111.X.X Bcast:23.111.X.X Mask:255.255.X.X
 inet6 addr: fe80::f816:3eff:fee3:b804/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:4681 errors:0 dropped:0 overruns:0 frame:0
 TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:283834 (283.8 KB) TX bytes:648 (648.0 B)

eth1 Link encap:Ethernet HWaddr fa:16:3e:73:4c:c0
 inet addr:23.111.X.X Bcast:23.111.X.X5 Mask:255.255.X.X
 inet6 addr: fe80::f816:3eff:fe73:4cc0/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:9462 errors:0 dropped:0 overruns:0 frame:0
 TX packets:5642 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:932719 (932.7 KB) TX bytes:789295 (789.2 KB)

eth2 Link encap:Ethernet HWaddr fa:16:3e:d5:46:67
 inet addr:172.16.48.254 Bcast:172.16.48.255 Mask:255.255.255.0
 inet6 addr: fe80::f816:3eff:fed5:4667/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:54 errors:0 dropped:0 overruns:0 frame:0
 TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:4096 (4.0 KB) TX bytes:1026 (1.0 KB)

eth3 Link encap:Ethernet HWaddr fa:16:3e:58:79:bb
 inet addr:172.16.51.254 Bcast:172.16.51.255 Mask:255.255.255.0
 inet6 addr: fe80::f816:3eff:fe58:79bb/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:0 (0.0 B) TX bytes:578 (578.0 B)

eth4 Link encap:Ethernet HWaddr fa:16:3e:dd:40:96
 inet addr:172.16.50.254 Bcast:172.16.50.255 Mask:255.255.255.0
 inet6 addr: fe80::f816:3eff:fedd:4096/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:0 (0.0 B) TX bytes:578 (578.0 B)

eth5 Link encap:Ethernet HWaddr fa:16:3e:29:88:76
 inet addr:172.16.49.254 Bcast:172.16.49.255 Mask:255.255.255.0
 inet6 addr: fe80::f816:3eff:fe29:8876/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:14 errors:0 dropped:0 overruns:0 frame:0
 TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:1134 (1.1 KB) TX bytes:1110 (1.1 KB)

lo Link encap:Local Loopback
 inet addr:127.0.0.1 Mask:255.0.0.0
 inet6 addr: ::1/128 Scope:Host
 UP LOOPBACK RUNNING MTU:65536 Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)




А так как у нас будет много интерфейсов и между ними необходимо форвардить пакеты, это нужно разрешить (запись в /proc действует только до перезагрузки; чтобы настройка сохранялась, задайте net.ipv4.ip_forward=1 в /etc/sysctl.conf):
#echo "1" > /proc/sys/net/ipv4/ip_forward

Далее следует настройка ipset и iptables.

Создаю конфиг для использования прототипов и загрузки правил при старте системы — /etc/iptables/ipsetrules.v4. Убедитесь, что наборы восстанавливаются (ipset restore < /etc/iptables/ipsetrules.v4) раньше, чем применяется rules.v4: iptables-persistent этим не занимается, а iptables-restore откажется применить правила, ссылающиеся на несуществующий набор. Кроме того, rules.v4 ниже ссылается не только на OG_BOGONS, но и на OG_MANAGEMENT, OG_IPSEC, OG_ZABBIX_AGENT, OG_ADMINS и OG_OPENSTACK_PROJECT_DEVEL — их тоже надо описать.

# Private/reserved source networks, loaded with `ipset restore` and matched by
# the `-m set --match-set OG_BOGONS src` rules in rules.v4. The set must exist
# before rules.v4 is restored, otherwise iptables-restore refuses the rules
# that reference it.
-N OG_BOGONS nethash
-A OG_BOGONS 10.0.0.0/8
-A OG_BOGONS 172.16.0.0/12
-A OG_BOGONS 192.168.0.0/16
-A OG_BOGONS 224.0.0.0/4
# 240.0.0.0/5 and 248.0.0.0/5 (last entry) both lie inside 240.0.0.0/4, which
# is also listed below; redundant, but harmless in a hash:net set.
-A OG_BOGONS 240.0.0.0/5
-A OG_BOGONS 169.254.0.0/16
-A OG_BOGONS 0.0.0.0/8
-A OG_BOGONS 240.0.0.0/4
-A OG_BOGONS 255.255.255.255/32
# NOTE(review): 168.254.0.0/16 is not a reserved range — it looks like a typo
# for 169.254.0.0/16, which is already present above. Confirm before keeping
# it, since it drops traffic from a block of public addresses.
-A OG_BOGONS 168.254.0.0/16
-A OG_BOGONS 248.0.0.0/5

###

 

Внести правила и управлять ими можно из CLI:

# Same set as in /etc/iptables/ipsetrules.v4, created interactively with the
# short ipset flags (-N = create, -A = add). These commands change the set in
# the kernel only; nothing is written back to the file.
ipset -N OG_BOGONS nethash
ipset -A OG_BOGONS 10.0.0.0/8
ipset -A OG_BOGONS 172.16.0.0/12
ipset -A OG_BOGONS 192.168.0.0/16
ipset -A OG_BOGONS 224.0.0.0/4
ipset -A OG_BOGONS 240.0.0.0/5
ipset -A OG_BOGONS 169.254.0.0/16
ipset -A OG_BOGONS 0.0.0.0/8
ipset -A OG_BOGONS 240.0.0.0/4
ipset -A OG_BOGONS 255.255.255.255/32
# NOTE(review): 168.254.0.0/16 is not a reserved range; probably meant
# 169.254.0.0/16 (already added above) — confirm.
ipset -A OG_BOGONS 168.254.0.0/16
ipset -A OG_BOGONS 248.0.0.0/5

 

 

Далее подтягиваю эти прототипы в IPTABLES

/etc/iptables/rules.v4

Загрузка и проверка правил производится так (для проверки синтаксиса без применения есть iptables-restore --test):

iptables-restore < /etc/iptables/rules.v4

# /etc/iptables/rules.v4 — applied with iptables-restore (iptables-persistent).
# The file carries two *filter blocks: the first one only sets the built-in
# chain policies (all ACCEPT), the second one holds the rules and keeps its
# policy lines commented out, so the ACCEPT policies from the first block stay
# in force. Every `-m set --match-set` rule below needs its ipset to exist
# before this file is restored; only OG_BOGONS is defined on this page.
# Generated by iptables-save v1.4.21 on Wed Oct 11 16:44:29 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#:LOGDROP - [0:0]
COMMIT
# Completed on Wed Oct 11 16:44:29 2017
*nat
#:PREROUTING ACCEPT [214:11160]
#:INPUT ACCEPT [8:916]
#:OUTPUT ACCEPT [3:200]
#:POSTROUTING ACCEPT [6:380]
#-A POSTROUTING -s 172.16.16.0/23 -d 172.16.0.0/16 -j ACCEPT
# LAN (172.16.48.0/21) -> non-LAN traffic goes through the NAT chain: RFC1918
# destinations RETURN un-NATed, everything else is SNATed to the public
# address of whichever external interface routing picked (eth1 or eth0).
-N NAT
-A POSTROUTING -s 172.16.48.0/21 ! -d 172.16.48.0/21 -j NAT
-A NAT -d 10.0.0.0/8 -j RETURN
-A NAT -d 172.16.0.0/12 -j RETURN
-A NAT -d 192.168.0.0/16 -j RETURN
-A NAT -o eth1 -s 172.16.48.0/21 -j SNAT --to-source 23.111.X.X
-A NAT -o eth0 -s 172.16.48.0/21 -j SNAT --to-source 23.111.Z.Z
#-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT

# Completed on Thu Jun 8 12:18:50 2017
# Generated by iptables-save v1.4.21 on Thu Jun 8 12:18:50 2017
*filter
#:INPUT ACCEPT [79368:66359594]
#:FORWARD ACCEPT [112502:65311151]
#:OUTPUT ACCEPT [52746:6960713]
#:LOGDROP - [52746:6960713]

:RH-Firewall-eth0-INPUT - [0:0]
:RH-Firewall-eth1-INPUT - [0:0]
:RH-Firewall-eth2-INPUT - [0:0]
:RH-Firewall-eth3-INPUT - [0:0]
:RH-Firewall-eth4-INPUT - [0:0]
:RH-Firewall-eth5-INPUT - [0:0]
:RH-Firewall-eth0-FORWARD - [0:0]
:RH-Firewall-eth1-FORWARD - [0:0]
:RH-Firewall-eth2-FORWARD - [0:0]
:RH-Firewall-eth3-FORWARD - [0:0]
:RH-Firewall-eth4-FORWARD - [0:0]
:RH-Firewall-eth5-FORWARD - [0:0]
:RH-Firewall-eth0-OUTPUT - [0:0]
:RH-Firewall-eth1-OUTPUT - [0:0]
:RH-Firewall-eth2-OUTPUT - [0:0]
:RH-Firewall-eth3-OUTPUT - [0:0]
:RH-Firewall-eth4-OUTPUT - [0:0]
:RH-Firewall-eth5-OUTPUT - [0:0]
# INPUT and FORWARD jump into all six per-interface chains unconditionally (no
# -i on the jump); every rule inside does its own `-i ethN` match, so a packet
# is evaluated by each chain in order until one of them ACCEPTs or DROPs it,
# and a packet no chain decides falls through to the built-in policy (ACCEPT).
-A INPUT -j RH-Firewall-eth0-INPUT
-A INPUT -i eth0 -p icmp -j LOG --log-level 7
#-A INPUT -i eth0 -p tcp -j LOGDROP
#-A INPUT -i eth0 -p udp -j LOGDROP
-A INPUT -j RH-Firewall-eth1-INPUT
-A INPUT -i eth1 -p icmp -j LOG --log-level 7
#-A INPUT -i eth1 -p tcp -j LOGDROP
#-A INPUT -i eth1 -p udp -j LOGDROP
-A INPUT -j RH-Firewall-eth2-INPUT
-A INPUT -i eth2 -p icmp -j LOG --log-level 7
#-A INPUT -i eth2 -p tcp -j LOGDROP
#-A INPUT -i eth2 -p udp -j LOGDROP
-A INPUT -j RH-Firewall-eth3-INPUT
-A INPUT -i eth3 -p icmp -j LOG --log-level 7
#-A INPUT -i eth3 -p tcp -j LOGDROP
#-A INPUT -i eth3 -p udp -j LOGDROP
-A INPUT -j RH-Firewall-eth4-INPUT
-A INPUT -i eth4 -p icmp -j LOG --log-level 7
#-A INPUT -i eth4 -p tcp -j LOGDROP
#-A INPUT -i eth4 -p udp -j LOGDROP
-A INPUT -j RH-Firewall-eth5-INPUT
-A INPUT -i eth5 -p icmp -j LOG --log-level 7
#-A INPUT -i eth5 -p tcp -j LOGDROP
#-A INPUT -i eth5 -p udp -j LOGDROP
-A FORWARD -j RH-Firewall-eth0-FORWARD
-A FORWARD -j RH-Firewall-eth1-FORWARD
-A FORWARD -j RH-Firewall-eth2-FORWARD
-A FORWARD -j RH-Firewall-eth3-FORWARD
-A FORWARD -j RH-Firewall-eth4-FORWARD
-A FORWARD -j RH-Firewall-eth5-FORWARD
###
-A RH-Firewall-eth0-INPUT -i lo -j ACCEPT
-A RH-Firewall-eth1-INPUT -i lo -j ACCEPT
-A RH-Firewall-eth2-INPUT -i lo -j ACCEPT
-A RH-Firewall-eth3-INPUT -i lo -j ACCEPT
-A RH-Firewall-eth4-INPUT -i lo -j ACCEPT
-A RH-Firewall-eth5-INPUT -i lo -j ACCEPT
# eth0 (external): log and drop packets whose source is in the OG_BOGONS set.
# NOTE(review): none of the LOG rules in this file carry `-m limit`, so under
# a flood they emit one syslog line per packet; rate-limiting them keeps the
# log volume bounded.
-A RH-Firewall-eth0-INPUT -i eth0 -m set --match-set OG_BOGONS src -j LOG --log-prefix " [ DROP BOGONS INPUT ETH0 ] "
-A RH-Firewall-eth0-INPUT -i eth0 -m set --match-set OG_BOGONS src -j DROP
#-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_BOGONS src -m set --match-set OG_LOOPBACK dst -j ACCEPT
#-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_BOGONS src -j ACCEPT
#-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_BOGONS src -j LOG --log-prefix " [ DROP BOGONS INPUT ETH1 ] "
#-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_BOGONS src -j DROP
-A RH-Firewall-eth0-INPUT -i eth0 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth1-INPUT -i eth1 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth2-INPUT -i eth2 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth3-INPUT -i eth3 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth4-INPUT -i eth4 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-eth5-INPUT -i eth5 -p icmp -m icmp --icmp-type any -j ACCEPT
###
###
-A RH-Firewall-eth0-INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-eth1-INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-eth2-INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-eth3-INPUT -i eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-eth4-INPUT -i eth4 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-eth5-INPUT -i eth5 -m state --state RELATED,ESTABLISHED -j ACCEPT
# eth0 (external, used for outbound NAT only): the SSH allow is commented out,
# so only ICMP and replies to established flows get in; the rest is logged and
# dropped.
#-A RH-Firewall-eth0-INPUT -i eth0 -m set --match-set OG_MANAGEMENT src -p TCP --destination-port 22 -j ACCEPT
-A RH-Firewall-eth0-INPUT -i eth0 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT INPUT ETH0 ] "
-A RH-Firewall-eth0-INPUT -i eth0 -s 0.0.0.0/0 -j DROP
#-A RH-Firewall-eth0-INPUT -s 0.0.0.0/0 -j ACCEPT
# eth1 (external, management): SSH, IKE/NAT-T and the zabbix agent port only
# from their respective ipsets, then log and drop.
# NOTE(review): there is no `-p esp` allow, so peers that send native ESP
# rather than UDP-encapsulated traffic would hit the default drop below —
# confirm against the IPsec configuration.
-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_MANAGEMENT src -p TCP --destination-port 22 -j ACCEPT
-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_IPSEC src -p UDP --destination-port 500 -j ACCEPT
-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_IPSEC src -p UDP --destination-port 4500 -j ACCEPT
-A RH-Firewall-eth1-INPUT -i eth1 -m set --match-set OG_ZABBIX_AGENT src -p TCP --destination-port 10050 -j ACCEPT
-A RH-Firewall-eth1-INPUT -i eth1 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT INPUT ETH1 ] "
-A RH-Firewall-eth1-INPUT -i eth1 -s 0.0.0.0/0 -j DROP
# NOTE(review): in the eth2 chain the LOG is commented out and the DROP matches
# `-i eth3`, not eth2 — this looks like a copy-paste slip. As written, packets
# arriving on eth3 are dropped here, silently and before the eth3 chain's own
# ICMP/ESTABLISHED accepts are ever reached, while packets arriving on eth2
# match nothing in any chain and fall through to the INPUT policy (ACCEPT),
# i.e. every local port is reachable from eth2. Confirm whether `-i eth2` was
# intended.
#-A RH-Firewall-eth2-INPUT -i eth2 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT INPUT ETH2 ] "
-A RH-Firewall-eth2-INPUT -i eth3 -s 0.0.0.0/0 -j DROP
-A RH-Firewall-eth3-INPUT -i eth3 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT INPUT ETH3 ] "
-A RH-Firewall-eth3-INPUT -i eth3 -s 0.0.0.0/0 -j DROP
-A RH-Firewall-eth4-INPUT -i eth4 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT INPUT ETH4 ] "
-A RH-Firewall-eth4-INPUT -i eth4 -s 0.0.0.0/0 -j DROP
-A RH-Firewall-eth5-INPUT -i eth5 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT INPUT ETH5 ] "
-A RH-Firewall-eth5-INPUT -i eth5 -s 0.0.0.0/0 -j DROP
#-A RH-Firewall-eth0-FORWARD -m set --set OG_MANAGEMENT src -j ACCEPT
#-A RH-Firewall-eth0-FORWARD -s 0.0.0.0/0 -j LOG
###
# FORWARD from both external interfaces (eth0 logged, eth1 not) is accepted
# unconditionally; what actually reaches the LANs is bounded only by routing
# and NAT. NOTE(review): accepting ESTABLISHED,RELATED plus explicit allows
# would be the tighter form — confirm whether inbound-initiated forwarding
# from the outside is really needed.
-A RH-Firewall-eth0-FORWARD -i eth0 -s 0.0.0.0/0 -j LOG --log-prefix " [ FORWARD ETH0 ] "
-A RH-Firewall-eth0-FORWARD -i eth0 -s 0.0.0.0/0 -j ACCEPT
#-A RH-Firewall-eth1-FORWARD -m set --set OG_ADMINS src -m set --set OG_OPENSTACK_GW2 dst -j ACCEPT
#-A RH-Firewall-eth1-FORWARD -s 0.0.0.0/0 -j LOG
-A RH-Firewall-eth1-FORWARD -i eth1 -s 0.0.0.0/0 -j ACCEPT
# LAN chains: management/zabbix sources and DEVEL -> ADMINS are allowed and
# LAN -> bogon destinations are dropped; eth2 and eth5 then accept everything
# else, while eth3 and eth4 log and drop the remainder.
-A RH-Firewall-eth2-FORWARD -i eth2 -m set --match-set OG_MANAGEMENT src -j ACCEPT
-A RH-Firewall-eth2-FORWARD -i eth2 -m set --match-set OG_ZABBIX_AGENT src -j ACCEPT
#-A RH-Firewall-eth2-FORWARD -i eth2 -s 172.16.48.0/24 -j ACCEPT
-A RH-Firewall-eth2-FORWARD -i eth2 -m set --match-set OG_OPENSTACK_PROJECT_DEVEL src -m set --match-set OG_ADMINS dst -j ACCEPT
-A RH-Firewall-eth2-FORWARD -i eth2 -m set --match-set OG_OPENSTACK_PROJECT_DEVEL src -d 192.168.85.85/32 -j ACCEPT
-A RH-Firewall-eth2-FORWARD -i eth2 -m set --match-set OG_OPENSTACK_PROJECT_DEVEL src -m set --match-set OG_BOGONS dst -j DROP
#-A RH-Firewall-eth2-FORWARD -i eth2 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT FORWARD ETH2 ] "
#-A RH-Firewall-eth2-FORWARD -i eth2 -s 0.0.0.0/0 -j DROP
-A RH-Firewall-eth2-FORWARD -i eth2 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth3-FORWARD -i eth3 -m set --match-set OG_OPENSTACK_PROJECT_DEVEL src -m set --match-set OG_ADMINS dst -j ACCEPT
-A RH-Firewall-eth3-FORWARD -i eth3 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT FORWARD ETH3 ] "
-A RH-Firewall-eth3-FORWARD -i eth3 -s 0.0.0.0/0 -j DROP
-A RH-Firewall-eth4-FORWARD -i eth4 -m set --match-set OG_OPENSTACK_PROJECT_DEVEL src -m set --match-set OG_ADMINS dst -j ACCEPT
-A RH-Firewall-eth4-FORWARD -i eth4 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT FORWARD ETH4 ] "
-A RH-Firewall-eth4-FORWARD -i eth4 -s 0.0.0.0/0 -j DROP
#-A RH-Firewall-eth5-FORWARD -i eth5 -m set --match-set OG_ADMINS src -m set --match-set OG_OPENSTACK_PROJECT_TEST dst -j ACCEPT
#-A RH-Firewall-eth5-FORWARD -i eth5 -m set --match-set OG_OPENSTACK_PROJECT_TEST src -m set --match-set OG_ADMINS dst -j ACCEPT
-A RH-Firewall-eth5-FORWARD -i eth5 -m set --match-set OG_OPENSTACK_PROJECT_DEVEL src -m set --match-set OG_ADMINS dst -j ACCEPT
-A RH-Firewall-eth5-FORWARD -i eth5 -m set --match-set OG_OPENSTACK_PROJECT_DEVEL src -m set --match-set OG_BOGONS dst -j DROP
#-A RH-Firewall-eth5-FORWARD -i eth5 -s 0.0.0.0/0 -j LOG --log-prefix " [ DROP DEFAULT FORWARD ETH5 ] "
#-A RH-Firewall-eth5-FORWARD -i eth5 -s 0.0.0.0/0 -j DROP
-A RH-Firewall-eth5-FORWARD -i eth5 -s 0.0.0.0/0 -j ACCEPT
# The six OUTPUT chains are never reached: nothing in this file jumps to them
# (only INPUT and FORWARD have jump rules above), and `-i` cannot match locally
# generated packets in any case — these six rules are dead.
-A RH-Firewall-eth0-OUTPUT -i eth0 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth1-OUTPUT -i eth1 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth2-OUTPUT -i eth2 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth3-OUTPUT -i eth3 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth4-OUTPUT -i eth4 -s 0.0.0.0/0 -j ACCEPT
-A RH-Firewall-eth5-OUTPUT -i eth5 -s 0.0.0.0/0 -j ACCEPT
# Leftover from a RH-Firewall-2-INPUT template; that chain is not declared in
# this file (all three lines are commented out).
#-A RH-Firewall-2-INPUT -j REJECT --reject-with icmp-host-prohibited
#-A RH-Firewall-2-INPUT -j LOG --log-level 7
#-A RH-Firewall-2-INPUT -j DROP
COMMIT
# Completed on Thu Jun 8 12:18:50 2017
# Generated by iptables-save v1.4.21 on Thu Jun 8 12:18:50 2017
*mangle
:PREROUTING ACCEPT [206211:132359849]
:INPUT ACCEPT [79423:66362970]
:FORWARD ACCEPT [112502:65311151]
:OUTPUT ACCEPT [52775:6978709]
:POSTROUTING ACCEPT [165277:72289860]
COMMIT