opkdig.blogg.se

Raspberry pi firewall

Until recently our ISP leased all their IPs based on client MAC. Everyone was happy and the sun was shining.

And then, in their divine and endless wisdom, they decided to migrate their clients to PPPoE. At first it took me and their tech support two days to figure out why some sites load and some do not. Yes, now I know the MTU was the root of it and I have to clamp the MSS with:

`firewall-cmd --permanent --direct --add-passthrough ipv4 -t mangle -I FORWARD -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu`

Soon I realized that every time I `--reload` the rules, I get an error “Error: Argument 1 does not allow None as a value”, the connection drops and no interfaces seem to be assigned to any zone until reboot. That would be a problem if I try to do something remotely. And at last, whenever I load an ipset, even with just a single IP, the RPi loses connection - no ping in or out, no forward. Thankfully the LAN interface does not disconnect the ssh session, and I’m able to revert.

In short, I am banging my head in the wall and I’m starting to think to put my old Linksys router as a DialUp modem.

The firewall configuration, especially if you're a beginner in Linux, may seem tricky and difficult to understand. But once you've grasped the basics of the commands, you can write your own script instead of using ready-made ones, which may not always be right for your needs.

If any of the commands I've provided here do not work, iptables might not be installed on your system. To install it, type:

`sudo apt-get update && sudo apt-get install iptables`

`sudo /etc/init.d/iptables start`

The first command will install iptables, the second will enable it on your system.

NOTE: Be extremely careful when configuring iptables, as you might block yourself from accessing your Pi! If, for any reason, you're unable to access your Pi through ssh or your website stopped working, connect your Pi to a monitor/TV or open your SD card on a computer running Linux and re-edit the iptables rules in /etc/network/iptables.

I've covered iptables in general here, but I've abandoned sshblack and made use of a better and more flexible tool - fail2ban.

To make a basic configuration of your iptables to allow yourself ssh access without the risk of being hacked you should:

1. Check your router's IP address, as we will be blocking any access from there apart from http and https ports (80 and 443 respectively):

   `sudo grep gateway /etc/network/interfaces`

   You will get something like this:

   `gateway 192.168.1.1`

2. We will now set up iptables rules to allow external visitors to see our website without the ability to log into our Pi. First, we need to run:

   `sudo bash -c 'iptables-save > /etc/network/iptables'`










