{"id":3230,"date":"2026-04-28T11:10:42","date_gmt":"2026-04-28T11:10:42","guid":{"rendered":"https:\/\/maram.iq\/blogs\/?p=3230"},"modified":"2026-04-28T15:54:51","modified_gmt":"2026-04-28T12:54:51","slug":"%d8%a5%d8%b9%d8%af%d8%a7%d8%af-iptables","status":"publish","type":"post","link":"https:\/\/maram.iq\/blogs\/%d8%a5%d8%b9%d8%af%d8%a7%d8%af-iptables\/","title":{"rendered":"\u0625\u0639\u062f\u0627\u062f iptables \u0639\u0644\u0649 Linux 2026: \u062f\u0644\u064a\u0644 \u0627\u0644\u062c\u062f\u0627\u0631 \u0627\u0644\u0646\u0627\u0631\u064a \u0627\u0644\u0643\u0627\u0645\u0644"},"content":{"rendered":"\n<div style=\"background:linear-gradient(135deg,#0f172a,#581c87);color:#fff;padding:2.5rem;border-radius:16px;margin-bottom:2rem;text-align:center\">\n<p style=\"font-size:3rem;margin:0 0 .5rem\">\ud83d\udee1\ufe0f<\/p>\n<h2 style=\"color:#fff!important;font-size:1.5rem;margin:0 0 .5rem\" id=\"section-1\">\u0625\u0639\u062f\u0627\u062f iptables \u0639\u0644\u0649 Linux 2026: \u062f\u0644\u064a\u0644 \u0627\u0644\u062c\u062f\u0627\u0631 \u0627\u0644\u0646\u0627\u0631\u064a \u0627\u0644\u0634\u0627\u0645\u0644 \u0645\u0646 \u0627\u0644\u0635\u0641\u0631<\/h2>\n<p style=\"margin:0\">\u0645\u0646 \u0642\u0648\u0627\u0639\u062f \u0628\u0633\u064a\u0637\u0629 \u0625\u0644\u0649 \u0627\u0633\u062a\u0631\u0627\u062a\u064a\u062c\u064a\u0627\u062a \u062d\u0645\u0627\u064a\u0629 \u0645\u062a\u0642\u062f\u0645\u0629\u060c \u0627\u062d\u0645\u0650 \u0633\u064a\u0631\u0641\u0631\u0643 \u0645\u0646 \u0643\u0644 \u0627\u062a\u062c\u0627\u0647<\/p>\n<\/div>\n\n\n\n<p>\u0627\u0644\u062c\u062f\u0627\u0631 \u0627\u0644\u0646\u0627\u0631\u064a \u0647\u0648 \u062e\u0637 \u0627\u0644\u062f\u0641\u0627\u0639 \u0627\u0644\u0623\u0648\u0644 \u0639\u0646 \u0623\u064a \u0633\u064a\u0631\u0641\u0631 \u0645\u062a\u0635\u0644 \u0628\u0627\u0644\u0625\u0646\u062a\u0631\u0646\u062a. 
\u0639\u0644\u0649 Linux\u060c \u0627\u0644\u0623\u062f\u0627\u0629 \u0627\u0644\u0623\u0642\u0648\u0649 \u0648\u0627\u0644\u0623\u0643\u062b\u0631 \u0627\u0633\u062a\u062e\u062f\u0627\u0645\u064b\u0627 \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u062c\u0627\u0644 \u0647\u064a iptables. \u0631\u063a\u0645 \u0638\u0647\u0648\u0631 \u0628\u062f\u0627\u0626\u0644 \u0623\u062d\u062f\u062b \u0645\u062b\u0644 nftables \u0648 firewalld\u060c \u064a\u0628\u0642\u0649 iptables \u0627\u0644\u0645\u0639\u064a\u0627\u0631 \u0627\u0644\u0630\u0647\u0628\u064a \u0627\u0644\u0630\u064a \u064a\u0639\u0631\u0641\u0647 \u0643\u0644 \u0645\u0647\u0646\u062f\u0633 Linux \u0645\u062d\u062a\u0631\u0641. \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u062f\u0644\u064a\u0644 \u0627\u0644\u0634\u0627\u0645\u0644\u060c \u0633\u0646\u063a\u0637\u064a \u0643\u0644 \u0645\u0627 \u064a\u062d\u062a\u0627\u062c\u0647 \u0645\u062f\u064a\u0631 \u0627\u0644\u0633\u064a\u0631\u0641\u0631 \u0639\u0646 <strong>\u0625\u0639\u062f\u0627\u062f iptables<\/strong> \u0645\u0646 \u0627\u0644\u0635\u0641\u0631\u060c \u0628\u0623\u0645\u062b\u0644\u0629 \u0639\u0645\u0644\u064a\u0629\u060c \u0633\u0643\u0631\u0628\u062a\u0627\u062a \u062d\u0642\u064a\u0642\u064a\u0629\u060c \u0648\u0627\u0633\u062a\u0631\u0627\u062a\u064a\u062c\u064a\u0627\u062a \u062d\u0645\u0627\u064a\u0629 \u0645\u062a\u0642\u062f\u0645\u0629 \u0644\u0639\u0627\u0645 2026.<\/p>\n\n\n\n<div class=\"table-of-contents\" style=\"background:#f8fafc;border:1px solid #e2e8f0;border-radius:12px;padding:1.5rem;margin:1.5rem 0;\"><p style=\"font-weight:700;font-size:1.05rem;margin-bottom:.75rem;\">\u0645\u062d\u062a\u0648\u064a\u0627\u062a \u0627\u0644\u0645\u0642\u0627\u0644<\/p><ul style=\"list-style:none;padding:0;margin:0;\"><li><a href=\"#section-2\">\u0645\u0627 \u0647\u0648 iptables \u0648\u0644\u0645\u0627\u0630\u0627 \u062a\u062d\u062a\u0627\u062c\u0647\u061f<\/a><\/li><li><a href=\"#section-3\">\u0627\u0644\u0641\u0631\u0642 
\u0628\u064a\u0646 iptables \u0648 nftables \u0648 firewalld<\/a><\/li><li><a href=\"#section-4\">\u0627\u0644\u0633\u0644\u0627\u0633\u0644 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0641\u064a \u0625\u0639\u062f\u0627\u062f iptables<\/a><\/li><li><a href=\"#section-5\">\u0627\u0644\u062c\u062f\u0627\u0648\u0644 \u0641\u064a \u0625\u0639\u062f\u0627\u062f iptables<\/a><\/li><li><a href=\"#section-6\">\u0625\u0639\u062f\u0627\u062f iptables: \u0627\u0644\u0623\u0648\u0627\u0645\u0631 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629<\/a><\/li><li><a href=\"#section-7\">\u0643\u064a\u0641 \u062a\u0633\u0645\u062d \u0648\u062a\u0645\u0646\u0639 IP \u0641\u064a \u0625\u0639\u062f\u0627\u062f iptables<\/a><\/li><li><a href=\"#section-8\">\u0625\u0639\u062f\u0627\u062f \u0642\u0648\u0627\u0639\u062f \u0644\u0644\u0645\u0646\u0627\u0641\u0630 \u0627\u0644\u0634\u0627\u0626\u0639\u0629<\/a><\/li><li><a href=\"#section-9\">\u062d\u0645\u0627\u064a\u0629 \u0645\u0646 \u0647\u062c\u0645\u0627\u062a DDoS \u0639\u0628\u0631 \u0625\u0639\u062f\u0627\u062f iptables<\/a><\/li><li><a href=\"#section-10\">\u0625\u0639\u062f\u0627\u062f iptables \u0644\u0640 Port Forwarding<\/a><\/li><li><a href=\"#section-11\">\u062d\u0641\u0638 \u0642\u0648\u0627\u0639\u062f \u0625\u0639\u062f\u0627\u062f iptables \u0628\u0634\u0643\u0644 \u062f\u0627\u0626\u0645<\/a><\/li><li><a href=\"#section-12\">\u0643\u062a\u0627\u0628\u0629 \u0633\u0643\u0631\u0628\u062a \u0644\u0640 \u0625\u0639\u062f\u0627\u062f iptables \u0627\u062d\u062a\u0631\u0627\u0641\u064a<\/a><\/li><li><a href=\"#section-13\">\u0633\u062c\u0644\u0627\u062a \u0625\u0639\u062f\u0627\u062f iptables \u0648\u0643\u064a\u0641 \u062a\u062d\u0644\u0644\u0647\u0627<\/a><\/li><li><a href=\"#section-14\">\u0623\u062e\u0637\u0627\u0621 \u0634\u0627\u0626\u0639\u0629 \u0641\u064a \u0625\u0639\u062f\u0627\u062f iptables<\/a><\/li><li><a href=\"#section-15\">\u0625\u0639\u062f\u0627\u062f iptables vs UFW: \u0645\u062a\u0649 
\u062a\u0633\u062a\u062e\u062f\u0645 \u0643\u0644 \u0645\u0646\u0647\u0645\u0627<\/a><\/li><li><a href=\"#section-16\">\u0627\u0644\u062e\u0644\u0627\u0635\u0629<\/a><\/li><\/ul><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-2\">\u0645\u0627 \u0647\u0648 iptables \u0648\u0644\u0645\u0627\u0630\u0627 \u062a\u062d\u062a\u0627\u062c\u0647\u061f<\/h2>\n\n\n\n<p>iptables \u0647\u0648 \u0648\u0627\u062c\u0647\u0629 \u0644\u0625\u062f\u0627\u0631\u0629 \u0642\u0648\u0627\u0639\u062f \u0627\u0644\u062c\u062f\u0627\u0631 \u0627\u0644\u0646\u0627\u0631\u064a \u0641\u064a kernel Linux. \u0639\u0646\u062f\u0645\u0627 \u062a\u0635\u0644 \u0623\u064a \u062d\u0632\u0645\u0629 (packet) \u0625\u0644\u0649 \u0633\u064a\u0631\u0641\u0631\u0643\u060c \u064a\u0642\u0648\u0645 Netfilter (\u0627\u0644\u0645\u0648\u062c\u0648\u062f \u062f\u0627\u062e\u0644 kernel) \u0628\u0641\u062d\u0635\u0647\u0627 \u0648\u0641\u0642\u064b\u0627 \u0644\u0644\u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0645\u062d\u062f\u062f\u0629 \u0641\u064a iptables \u0648\u064a\u0642\u0631\u0631: \u062a\u0645\u0631\u064a\u0631\u060c \u0631\u0641\u0636\u060c \u062a\u0639\u062f\u064a\u0644\u060c \u0623\u0648 \u0625\u0639\u0627\u062f\u0629 \u062a\u0648\u062c\u064a\u0647. 
\u0643\u0644 \u0647\u0630\u0627 \u064a\u062d\u062f\u062b \u0641\u064a \u0632\u0645\u0646 \u0646\u0627\u0646\u0648\u062b\u0648\u0627\u0646\u064d \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 kernel\u060c \u0645\u0645\u0627 \u064a\u062c\u0639\u0644 iptables \u0645\u0646 \u0623\u0633\u0631\u0639 \u0627\u0644\u062c\u062f\u0631\u0627\u0646 \u0627\u0644\u0646\u0627\u0631\u064a\u0629 \u0641\u064a \u0627\u0644\u0639\u0627\u0644\u0645.<\/p>\n\n\n\n<p>\u0628\u062f\u0648\u0646 <strong>\u0625\u0639\u062f\u0627\u062f iptables<\/strong> \u0635\u062d\u064a\u062d\u060c \u064a\u0643\u0648\u0646 \u0633\u064a\u0631\u0641\u0631\u0643 \u0645\u0643\u0634\u0648\u0641\u064b\u0627 \u0623\u0645\u0627\u0645 \u0643\u0644 \u0623\u0646\u0648\u0627\u0639 \u0627\u0644\u0647\u062c\u0645\u0627\u062a: \u0645\u062d\u0627\u0648\u0644\u0627\u062a \u0627\u0644\u0627\u062e\u062a\u0631\u0627\u0642 \u0639\u0644\u0649 SSH\u060c \u0641\u062d\u0648\u0635\u0627\u062a \u0627\u0644\u0645\u0646\u0627\u0641\u0630 (port scanning)\u060c \u0647\u062c\u0645\u0627\u062a \u0627\u0644\u0640 DDoS\u060c \u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u062b\u063a\u0631\u0627\u062a \u0645\u0639\u064a\u0646\u0629\u060c \u062a\u062e\u0645\u064a\u0646 \u0643\u0644\u0645\u0627\u062a \u0627\u0644\u0645\u0631\u0648\u0631 brute force. 
\u0623\u064a \u0633\u064a\u0631\u0641\u0631 \u064a\u0639\u0631\u0636 \u0639\u0644\u0649 \u0627\u0644\u0625\u0646\u062a\u0631\u0646\u062a \u0628\u062f\u0648\u0646 \u062c\u062f\u0627\u0631 \u0646\u0627\u0631\u064a \u0633\u064a\u062a\u0639\u0631\u0636 \u0644\u0645\u062d\u0627\u0648\u0644\u0627\u062a \u0627\u062e\u062a\u0631\u0627\u0642 \u062e\u0644\u0627\u0644 \u062f\u0642\u0627\u0626\u0642 \u0645\u0646 \u062a\u0634\u063a\u064a\u0644\u0647.<\/p>\n\n\n\n<p>\u0644\u0627\u062d\u0638 \u0623\u0646 iptables \u064a\u0639\u0645\u0644 \u0639\u0644\u0649 \u0627\u0644\u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u0640 network\/transport (\u0627\u0644\u0637\u0628\u0642\u0627\u062a 3 \u0648 4)\u060c \u0623\u064a \u064a\u0641\u062d\u0635 IPs \u0648\u0627\u0644\u0645\u0646\u0627\u0641\u0630 \u0648\u0627\u0644\u0628\u0631\u0648\u062a\u0648\u0643\u0648\u0644\u0627\u062a. \u0647\u0630\u0627 \u0645\u062e\u062a\u0644\u0641 \u0639\u0646 WAF (\u0645\u062b\u0644 ModSecurity) \u0627\u0644\u0630\u064a \u064a\u0639\u0645\u0644 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u0649 \u0627\u0644\u062a\u0637\u0628\u064a\u0642. 
\u0627\u0644\u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0645\u062b\u0627\u0644\u064a \u064a\u062c\u0645\u0639 \u0628\u064a\u0646 iptables \u0644\u0644\u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0634\u0628\u0643\u064a\u0629 \u0648 WAF \u0644\u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u062a\u0637\u0628\u064a\u0642.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>\u0645\u0646\u0639 \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u063a\u064a\u0631 \u0627\u0644\u0645\u0635\u0631\u062d \u0628\u0647 \u0639\u0644\u0649 \u0627\u0644\u0645\u0646\u0627\u0641\u0630 \u0627\u0644\u062d\u0633\u0627\u0633\u0629.<\/li><li>\u0627\u0644\u062a\u0635\u062f\u064a \u0644\u0647\u062c\u0645\u0627\u062a \u0627\u0644\u0640 DDoS \u0627\u0644\u0635\u063a\u064a\u0631\u0629 \u0648\u0627\u0644\u0645\u062a\u0648\u0633\u0637\u0629.<\/li><li>\u062a\u0646\u0641\u064a\u0630 \u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0640 NAT \u0648 Port Forwarding.<\/li><li>\u062a\u0633\u062c\u064a\u0644 \u0648\u0645\u0631\u0627\u0642\u0628\u0629 \u0645\u062d\u0627\u0648\u0644\u0627\u062a \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0627\u0644\u0645\u0634\u0628\u0648\u0647\u0629.<\/li><li>\u0639\u0632\u0644 \u0627\u0644\u062e\u062f\u0645\u0627\u062a \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629 \u0639\u0646 \u0627\u0644\u0625\u0646\u062a\u0631\u0646\u062a \u0627\u0644\u0639\u0627\u0645.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-3\">\u0627\u0644\u0641\u0631\u0642 \u0628\u064a\u0646 iptables \u0648 nftables \u0648 firewalld<\/h2>\n\n\n\n<p>\u0642\u0628\u0644 \u0627\u0644\u063a\u0648\u0635 \u0641\u064a <strong>\u0625\u0639\u062f\u0627\u062f iptables<\/strong>\u060c \u0645\u0646 \u0627\u0644\u0636\u0631\u0648\u0631\u064a \u0641\u0647\u0645 \u0627\u0644\u0628\u062f\u0627\u0626\u0644 \u0648\u0639\u0644\u0627\u0642\u062a\u0647\u0627 \u0628\u0647. 
nftables \u0647\u0648 \u0627\u0644\u062e\u0644\u0641 \u0627\u0644\u0631\u0633\u0645\u064a \u0644\u0640 iptables\u060c \u062a\u0645 \u062a\u0635\u0645\u064a\u0645\u0647 \u0644\u064a\u062d\u0644\u0651 \u0645\u062d\u0644\u0647 \u062a\u062f\u0631\u064a\u062c\u064a\u064b\u0627. \u064a\u0642\u062f\u0645 \u0628\u0646\u0627\u0621 \u062c\u0645\u0644\u0629 \u0623\u0646\u0638\u0641\u060c \u0623\u062f\u0627\u0621 \u0623\u0641\u0636\u0644 \u0641\u064a \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0643\u0628\u064a\u0631\u0629\u060c \u0648\u062a\u0648\u062d\u064a\u062f \u0644\u0643\u0644 \u0628\u0631\u0648\u062a\u0648\u0643\u0648\u0644\u0627\u062a IPv4 \u0648 IPv6 \u0648 ARP \u0641\u064a \u0625\u0637\u0627\u0631 \u0648\u0627\u062d\u062f. \u0639\u0644\u0649 Debian 12 \u0648 Ubuntu 22.04+ \u0648 RHEL 9\u060c nftables \u0647\u0648 \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a\u060c \u0644\u0643\u0646 \u0623\u0648\u0627\u0645\u0631 iptables \u0645\u0627 \u0632\u0627\u0644\u062a \u062a\u0639\u0645\u0644 \u0639\u0628\u0631 \u0637\u0628\u0642\u0629 \u062a\u0648\u0627\u0641\u0642.<\/p>\n\n\n\n<p>firewalld \u0647\u0648 \u062e\u062f\u0645\u0629 \u0639\u0627\u0644\u064a\u0629 \u0627\u0644\u0645\u0633\u062a\u0648\u0649 \u062a\u0639\u062a\u0645\u062f \u0639\u0644\u0649 nftables (\u0623\u0648 iptables) \u0641\u064a \u0627\u0644\u062e\u0644\u0641\u064a\u0629. \u064a\u0642\u062f\u0645 \u0645\u0641\u0647\u0648\u0645 &#8220;\u0627\u0644\u0640 Zones&#8221; \u062d\u064a\u062b \u062a\u064f\u062c\u0645\u0639 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0628\u062d\u0633\u0628 \u0627\u0644\u062b\u0642\u0629 (public, internal, dmz, etc.). firewalld \u0645\u0641\u064a\u062f \u0644\u0644\u0623\u0646\u0638\u0645\u0629 \u0627\u0644\u062f\u064a\u0646\u0627\u0645\u064a\u0643\u064a\u0629 \u062d\u064a\u062b \u062a\u062a\u063a\u064a\u0631 \u0627\u0644\u0648\u0627\u062c\u0647\u0627\u062a \u0648\u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0628\u0627\u0646\u062a\u0638\u0627\u0645. 
\u0644\u0643\u0646\u0647 \u064a\u0636\u064a\u0641 \u0637\u0628\u0642\u0629 \u0645\u0646 \u0627\u0644\u062a\u062c\u0631\u064a\u062f \u0642\u062f \u0644\u0627 \u062a\u062d\u062a\u0627\u062c\u0647\u0627.<\/p>\n\n\n\n<p>iptables \u064a\u0628\u0642\u0649 \u0627\u0644\u0623\u0642\u0648\u0649 \u0644\u0644\u062a\u0639\u0644\u0645\u060c \u0644\u0623\u0646 \u0641\u0647\u0645\u0647 \u064a\u0641\u062a\u062d \u0627\u0644\u0628\u0627\u0628 \u0644\u0641\u0647\u0645 \u0643\u0644 \u0627\u0644\u062a\u0642\u0646\u064a\u0627\u062a \u0627\u0644\u0623\u062e\u0631\u0649. \u0643\u0644 \u0642\u0648\u0627\u0639\u062f nftables \u064a\u0645\u0643\u0646 \u062a\u062d\u0648\u064a\u0644\u0647\u0627 \u0625\u0644\u0649 iptables \u0648\u0627\u0644\u0639\u0643\u0633. \u0627\u0644\u0645\u0641\u0627\u0647\u064a\u0645 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0648\u0627\u062d\u062f\u0629: \u0627\u0644\u0633\u0644\u0627\u0633\u0644\u060c \u0627\u0644\u062c\u062f\u0627\u0648\u0644\u060c \u0627\u0644\u0645\u0637\u0627\u0628\u0642\u0629\u060c \u0627\u0644\u0625\u062c\u0631\u0627\u0621\u0627\u062a. \u0644\u0630\u0627 \u0627\u0644\u062a\u0639\u0644\u0645 \u0639\u0644\u0649 iptables \u0627\u0633\u062a\u062b\u0645\u0627\u0631 \u0622\u0645\u0646 \u0641\u064a \u0643\u0644 \u0627\u0644\u062d\u0627\u0644\u0627\u062a.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-4\">\u0627\u0644\u0633\u0644\u0627\u0633\u0644 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0641\u064a \u0625\u0639\u062f\u0627\u062f iptables (INPUT, OUTPUT, FORWARD)<\/h2>\n\n\n\n<p>iptables \u064a\u0646\u0638\u0651\u0645 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0641\u064a &#8220;\u0633\u0644\u0627\u0633\u0644&#8221; (chains). \u0643\u0644 \u0633\u0644\u0633\u0644\u0629 \u062a\u0645\u062b\u0651\u0644 \u0644\u062d\u0638\u0629 \u0645\u0639\u064a\u0646\u0629 \u0641\u064a \u0631\u062d\u0644\u0629 \u0627\u0644\u062d\u0632\u0645\u0629 \u0639\u0628\u0631 \u0627\u0644\u0646\u0638\u0627\u0645. 
\u0627\u0644\u0633\u0644\u0627\u0633\u0644 \u0627\u0644\u062b\u0644\u0627\u062b \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0641\u064a \u062c\u062f\u0648\u0644 filter (\u0627\u0644\u0623\u0643\u062b\u0631 \u0627\u0633\u062a\u062e\u062f\u0627\u0645\u064b\u0627) \u0647\u064a: INPUT \u0644\u0644\u062d\u0632\u0645 \u0627\u0644\u0642\u0627\u062f\u0645\u0629 \u0625\u0644\u0649 \u0627\u0644\u0633\u064a\u0631\u0641\u0631\u060c OUTPUT \u0644\u0644\u062d\u0632\u0645 \u0627\u0644\u062e\u0627\u0631\u062c\u0629 \u0645\u0646\u0647\u060c FORWARD \u0644\u0644\u062d\u0632\u0645 \u0627\u0644\u062a\u064a \u062a\u0645\u0631 \u0639\u0628\u0631\u0647 (\u0641\u064a \u062d\u0627\u0644\u0629 \u0639\u0645\u0644\u0647 \u0643\u0645\u0648\u062c\u0651\u0647).<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>INPUT<\/strong>: \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u0645\u062a\u062c\u0647\u0629 \u0625\u0644\u0649 \u0639\u0645\u0644\u064a\u0627\u062a \u0639\u0644\u0649 \u0627\u0644\u0633\u064a\u0631\u0641\u0631 \u0646\u0641\u0633\u0647.<\/li><li><strong>OUTPUT<\/strong>: \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u062e\u0627\u0631\u062c\u0629 \u0645\u0646 \u0627\u0644\u0633\u064a\u0631\u0641\u0631.<\/li><li><strong>FORWARD<\/strong>: \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u062a\u064a \u064a\u0648\u062c\u0651\u0647\u0647\u0627 \u0627\u0644\u0633\u064a\u0631\u0641\u0631 \u0628\u064a\u0646 \u0634\u0628\u0643\u0627\u062a.<\/li><li><strong>PREROUTING<\/strong>: \u0642\u0628\u0644 \u0642\u0631\u0627\u0631 \u0627\u0644\u062a\u0648\u062c\u064a\u0647 (\u0641\u064a \u062c\u062f\u0648\u0644 nat).<\/li><li><strong>POSTROUTING<\/strong>: \u0628\u0639\u062f \u0642\u0631\u0627\u0631 \u0627\u0644\u062a\u0648\u062c\u064a\u0647 (\u0641\u064a \u062c\u062f\u0648\u0644 nat).<\/li><\/ul>\n\n\n\n<p>\u0643\u0644 \u0633\u0644\u0633\u0644\u0629 \u0644\u0647\u0627 \u0633\u064a\u0627\u0633\u0629 \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0629 (default policy) \u062a\u0637\u0628\u064e\u0651\u0642 
\u0639\u0646\u062f \u0639\u062f\u0645 \u0645\u0637\u0627\u0628\u0642\u0629 \u0623\u064a \u0642\u0627\u0639\u062f\u0629. \u0627\u0644\u0642\u064a\u0645 \u0627\u0644\u0645\u0645\u0643\u0646\u0629: ACCEPT\u060c DROP\u060c REJECT. \u0627\u0644\u0645\u0645\u0627\u0631\u0633\u0629 \u0627\u0644\u0623\u0641\u0636\u0644 \u0641\u064a <strong>\u0625\u0639\u062f\u0627\u062f iptables<\/strong>: \u0627\u062c\u0639\u0644 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0629 \u0644\u0640 INPUT \u0648 FORWARD \u0647\u064a DROP\u060c \u062b\u0645 \u0627\u0633\u0645\u062d \u0641\u0642\u0637 \u0628\u0627\u0644\u0627\u062a\u0635\u0627\u0644\u0627\u062a \u0627\u0644\u0636\u0631\u0648\u0631\u064a\u0629. \u0647\u0630\u0627 \u0645\u0627 \u064a\u064f\u0639\u0631\u0641 \u0628\u0640 &#8220;default deny&#8221; \u0648\u0647\u0648 \u0627\u0644\u0623\u0643\u062b\u0631 \u0623\u0645\u0627\u0646\u064b\u0627.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \u062a\u0639\u064a\u064a\u0646 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0629\niptables -P INPUT DROP\niptables -P FORWARD DROP\niptables -P OUTPUT ACCEPT\n\n# \u0639\u0631\u0636 \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u062d\u0627\u0644\u064a\u0629\niptables -L | grep policy<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-5\">\u0627\u0644\u062c\u062f\u0627\u0648\u0644 \u0641\u064a \u0625\u0639\u062f\u0627\u062f iptables (filter, nat, mangle, raw)<\/h2>\n\n\n\n<p>iptables \u064a\u0633\u062a\u062e\u062f\u0645 \u062e\u0645\u0633\u0629 \u062c\u062f\u0627\u0648\u0644\u060c \u0643\u0644 \u0648\u0627\u062d\u062f \u0644\u063a\u0631\u0636 \u0645\u062e\u062a\u0644\u0641. 
\u0627\u0644\u062c\u062f\u0648\u0644 filter \u0647\u0648 \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a\u060c \u064a\u064f\u0633\u062a\u062e\u062f\u0645 \u0644\u0627\u062a\u062e\u0627\u0630 \u0642\u0631\u0627\u0631 \u0642\u0628\u0648\u0644 \u0623\u0648 \u0631\u0641\u0636 \u0627\u0644\u062d\u0632\u0645. \u062c\u062f\u0648\u0644 nat \u0644\u0644\u062a\u0639\u062f\u064a\u0644 \u0639\u0644\u0649 \u0639\u0646\u0627\u0648\u064a\u0646 IP \u0623\u0648 \u0645\u0646\u0627\u0641\u0630 \u0627\u0644\u062d\u0632\u0645\u0629 (NAT, Port Forwarding, Masquerading). \u062c\u062f\u0648\u0644 mangle \u0644\u062a\u0639\u062f\u064a\u0644 \u062e\u0635\u0627\u0626\u0635 \u062e\u0627\u0635\u0629 \u0641\u064a \u0627\u0644\u062d\u0632\u0645 \u0645\u062b\u0644 TTL \u0623\u0648 ToS. \u062c\u062f\u0648\u0644 raw \u0644\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0648\u062d\u062f\u0629 connection tracking. \u0648\u0623\u062e\u064a\u0631\u064b\u0627 \u062c\u062f\u0648\u0644 security \u0644\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0645\u0631\u062a\u0628\u0637\u0629 \u0628\u0640 SELinux.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \u0639\u0631\u0636 \u0642\u0648\u0627\u0639\u062f \u062c\u062f\u0648\u0644 \u0645\u0639\u064a\u0646\niptables -t filter -L -n -v   # \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a\niptables -t nat -L -n -v\niptables -t mangle -L -n -v\niptables -t raw -L -n -v\n\n# \u0639\u0631\u0636 \u0643\u0644 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0628\u062a\u0646\u0633\u064a\u0642 \u0645\u0641\u0635\u0644\niptables-save<\/code><\/pre>\n\n\n\n<p>\u0641\u064a \u0645\u0639\u0638\u0645 \u0627\u0644\u062d\u0627\u0644\u0627\u062a \u0627\u0644\u064a\u0648\u0645\u064a\u0629\u060c \u0633\u062a\u0639\u0645\u0644 \u0641\u0642\u0637 \u0645\u0639 \u062c\u062f\u0648\u0644 filter. 
\u0644\u0643\u0646 \u0625\u0646 \u0643\u0646\u062a \u062a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 Port Forwarding \u0623\u0648 NAT\u060c \u0641\u0633\u062a\u0633\u062a\u062e\u062f\u0645 nat. \u0627\u0644\u062c\u062f\u0627\u0648\u0644 \u0627\u0644\u0623\u062e\u0631\u0649 \u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645\u0627\u062a \u0645\u062a\u0642\u062f\u0645\u0629 \u062c\u062f\u064b\u0627 \u0641\u064a \u0628\u0646\u0649 \u0627\u0644\u0634\u0628\u0643\u0629 \u0627\u0644\u0645\u0639\u0642\u062f\u0629.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-6\">\u0625\u0639\u062f\u0627\u062f iptables: \u0627\u0644\u0623\u0648\u0627\u0645\u0631 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629<\/h2>\n\n\n\n<p>\u0627\u0644\u0622\u0646 \u0644\u0646\u0628\u062f\u0623 \u0628\u0627\u0644\u0623\u0648\u0627\u0645\u0631 \u0627\u0644\u0639\u0645\u0644\u064a\u0629. \u0644\u0640 <strong>\u0625\u0639\u062f\u0627\u062f iptables<\/strong> \u0628\u0634\u0643\u0644 \u0635\u062d\u064a\u062d\u060c \u064a\u062c\u0628 \u0641\u0647\u0645 \u0628\u0646\u064a\u0629 \u0627\u0644\u0623\u0645\u0631 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629. \u0643\u0644 \u0623\u0645\u0631 iptables \u064a\u0623\u062e\u0630 \u0634\u0643\u0644: iptables -[action] [chain] [match] -j [target]. \u0627\u0644\u0640 action: A \u0644\u0644\u0625\u0636\u0627\u0641\u0629\u060c I \u0644\u0644\u0625\u062f\u0631\u0627\u062c\u060c D \u0644\u0644\u062d\u0630\u0641\u060c L \u0644\u0644\u0639\u0631\u0636. 
\u0627\u0644\u0640 match: \u0634\u0631\u0648\u0637 \u0645\u062b\u0644 -p \u0644\u0644\u0628\u0631\u0648\u062a\u0648\u0643\u0648\u0644\u060c &#8211;dport \u0644\u0644\u0645\u0646\u0641\u0630\u060c -s \u0644\u0644\u0645\u0635\u062f\u0631\u060c -d \u0644\u0644\u0648\u062c\u0647\u0629.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \u0645\u0633\u062d \u0643\u0644 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0645\u0648\u062c\u0648\u062f\u0629 (\u0627\u062d\u0630\u0631\u060c \u064a\u0641\u0642\u062f \u0627\u0644\u0627\u062a\u0635\u0627\u0644!)\niptables -F\niptables -X\niptables -t nat -F\niptables -t nat -X\niptables -t mangle -F\niptables -t mangle -X\n\n# \u0627\u0644\u0633\u0645\u0627\u062d \u0628\u062d\u0631\u0643\u0629 loopback (\u062f\u0627\u062e\u0644\u064a\u0629)\niptables -A INPUT -i lo -j ACCEPT\niptables -A OUTPUT -o lo -j ACCEPT\n\n# \u0627\u0644\u0633\u0645\u0627\u062d \u0644\u0644\u0627\u062a\u0635\u0627\u0644\u0627\u062a \u0627\u0644\u0642\u0627\u0626\u0645\u0629 \u0648\u0627\u0644\u0645\u0631\u062a\u0628\u0637\u0629\niptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n\n# \u0639\u0631\u0636 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0628\u0623\u0631\u0642\u0627\u0645 \u0627\u0644\u0633\u0637\u0648\u0631\niptables -L -n -v --line-numbers<\/code><\/pre>\n\n\n\n<p>\u0642\u0627\u0639\u062f\u0629 &#8220;\u0627\u0644\u0633\u0645\u0627\u062d \u0644\u0644\u0627\u062a\u0635\u0627\u0644\u0627\u062a \u0627\u0644\u0642\u0627\u0626\u0645\u0629 \u0648\u0627\u0644\u0645\u0631\u062a\u0628\u0637\u0629&#8221; \u0623\u0633\u0627\u0633\u064a\u0629 \u0648\u062a\u0623\u062a\u064a \u0639\u0627\u062f\u0629 \u0641\u064a \u0627\u0644\u0628\u062f\u0627\u064a\u0629. 
\u0628\u062f\u0648\u0646\u0647\u0627\u060c \u064a\u0642\u0637\u0639 iptables \u0623\u064a \u0627\u062a\u0635\u0627\u0644 \u062e\u0627\u0631\u062c (\u0645\u062b\u0644 \u062a\u062d\u062f\u064a\u062b\u0627\u062a \u0627\u0644\u0646\u0638\u0627\u0645 \u0623\u0648 \u0637\u0644\u0628\u0627\u062a DNS) \u0641\u0648\u0631 \u0627\u0646\u062a\u0647\u0627\u0621 \u0627\u0644\u0625\u0631\u0633\u0627\u0644. \u0645\u0639 \u062a\u062a\u0628\u0639 \u0627\u0644\u062d\u0627\u0644\u0629\u060c iptables \u064a\u0641\u0647\u0645 \u0623\u0646 \u0627\u0644\u062d\u0632\u0645 \u0627\u0644\u0642\u0627\u062f\u0645\u0629 \u0647\u064a \u0631\u062f\u0648\u062f \u0644\u062d\u0632\u0645 \u062e\u0631\u062c\u062a \u0645\u0646 \u0627\u0644\u0633\u064a\u0631\u0641\u0631 \u0641\u064a\u0645\u0631\u0631\u0647\u0627.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-7\">\u0643\u064a\u0641 \u062a\u0633\u0645\u062d \u0648\u062a\u0645\u0646\u0639 IP \u0641\u064a \u0625\u0639\u062f\u0627\u062f iptables<\/h2>\n\n\n\n<p>\u0623\u062d\u062f \u0627\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645\u0627\u062a \u0627\u0644\u0623\u0643\u062b\u0631 \u0634\u064a\u0648\u0639\u064b\u0627 \u0644\u0640 iptables \u0647\u0648 \u0627\u0644\u0633\u0645\u0627\u062d \u0623\u0648 \u0645\u0646\u0639 IPs \u0645\u062d\u062f\u062f\u0629. 
\u0627\u0644\u0635\u064a\u0627\u063a\u0629 \u0628\u0633\u064a\u0637\u0629: \u0627\u0633\u062a\u062e\u062f\u0645 <code>-s<\/code> \u0644\u062a\u062d\u062f\u064a\u062f \u0627\u0644\u0645\u0635\u062f\u0631\u060c \u0648 <code>-j<\/code> \u0644\u062a\u062d\u062f\u064a\u062f \u0627\u0644\u0625\u062c\u0631\u0627\u0621 (ACCEPT \u0623\u0648 DROP \u0623\u0648 REJECT).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \u0645\u0646\u0639 IP \u0645\u062d\u062f\u062f \u0645\u0646 \u0627\u0644\u0648\u0635\u0648\u0644 \u0644\u0644\u0633\u064a\u0631\u0641\u0631\niptables -A INPUT -s 203.0.113.50 -j DROP\n\n# \u0645\u0646\u0639 \u0646\u0637\u0627\u0642 \u0643\u0627\u0645\u0644 \u0645\u0646 IPs\niptables -A INPUT -s 198.51.100.0\/24 -j DROP\n\n# \u0627\u0644\u0633\u0645\u0627\u062d \u0641\u0642\u0637 \u0644\u0640 IP \u0645\u062d\u062f\u062f \u0628\u0627\u0644\u0648\u0635\u0648\u0644 \u0644\u0640 SSH\niptables -A INPUT -p tcp --dport 22 -s 192.0.2.10 -j ACCEPT\niptables -A INPUT -p tcp --dport 22 -j DROP\n\n# \u0645\u0646\u0639 IP \u0645\u0646 \u0628\u0644\u062f \u0645\u0639\u064a\u0646 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 ipset\nipset create blocked_country hash:net\nipset add blocked_country 1.2.3.0\/24\nipset add blocked_country 5.6.7.0\/24\niptables -A INPUT -m set --match-set blocked_country src -j DROP<\/code><\/pre>\n\n\n\n<p>\u0627\u0644\u0641\u0631\u0642 \u0628\u064a\u0646 DROP \u0648 REJECT: \u0627\u0644\u0623\u0648\u0644 \u064a\u062a\u062c\u0627\u0647\u0644 \u0627\u0644\u062d\u0632\u0645\u0629 \u062f\u0648\u0646 \u0623\u064a \u0631\u062f\u060c \u0641\u064a\u0638\u0647\u0631 \u0627\u0644\u0640 IP \u0648\u0643\u0623\u0646\u0647 \u063a\u064a\u0631 \u0645\u0648\u062c\u0648\u062f. \u0627\u0644\u062b\u0627\u0646\u064a \u064a\u0631\u0633\u0644 \u0631\u0633\u0627\u0644\u0629 &#8220;ICMP unreachable&#8221; \u0625\u0644\u0649 \u0627\u0644\u0645\u0631\u0633\u0644. 
DROP \u0623\u0641\u0636\u0644 \u0623\u0645\u0646\u064a\u064b\u0627 \u0644\u0623\u0646\u0647 \u064a\u0635\u0639\u0651\u0628 \u0645\u0647\u0645\u0629 \u0627\u0644\u0645\u0633\u062d (scanning)\u060c \u0644\u0643\u0646\u0647 \u0642\u062f \u064a\u0633\u0628\u0628 \u062a\u0623\u062e\u064a\u0631\u064b\u0627 \u0641\u064a \u0628\u0639\u0636 \u0627\u0644\u0628\u0631\u0648\u062a\u0648\u0643\u0648\u0644\u0627\u062a \u0644\u0623\u0646 \u0627\u0644\u0645\u0631\u0633\u0644 \u064a\u0646\u062a\u0638\u0631 timeout.<\/p>\n\n\n\n<p>\u0644\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0642\u0648\u0627\u0626\u0645 IP \u0627\u0644\u0643\u0628\u064a\u0631\u0629\u060c \u0627\u0633\u062a\u062e\u062f\u0645 ipset. \u0647\u0630\u0647 \u0623\u062f\u0627\u0629 \u0645\u0643\u0645\u0651\u0644\u0629 \u0644\u0640 iptables \u062a\u062a\u064a\u062d \u0644\u0643 \u0625\u062f\u0627\u0631\u0629 \u0622\u0644\u0627\u0641 IPs \u0641\u064a &#8220;set&#8221; \u0648\u0627\u062d\u062f\u060c \u062b\u0645 \u0627\u0644\u0625\u0634\u0627\u0631\u0629 \u0625\u0644\u064a\u0647 \u0645\u0646 \u0642\u0627\u0639\u062f\u0629 iptables \u0648\u0627\u062d\u062f\u0629. 
\u0647\u0630\u0627 \u0623\u0633\u0631\u0639 \u0628\u0643\u062b\u064a\u0631 \u0645\u0646 \u0625\u0636\u0627\u0641\u0629 \u0622\u0644\u0627\u0641 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0645\u0646\u0641\u0635\u0644\u0629.<\/p>\n\n\n\n<div style=\"border-right:4px solid #7c3aed;background:#f5f3ff;padding:1.5rem;border-radius:0 12px 12px 0;margin:2rem 0\">\n<p style=\"margin:0 0 .5rem;font-weight:700;color:#4f46e5\">\u0633\u064a\u0631\u0641\u0631\u0627\u062a VPS \u0645\u0639 \u062c\u062f\u0627\u0631 \u0646\u0627\u0631\u064a \u0645\u062a\u0642\u062f\u0645 \u0645\u0646 \u0645\u0631\u0627\u0645 \u0647\u0648\u0633\u062a<\/p>\n<p style=\"margin:0;color:#374151\">\u0627\u062d\u0635\u0644 \u0639\u0644\u0649 VPS \u0645\u0639 iptables \u0645\u064f\u0647\u064a\u0623 \u0645\u0633\u0628\u0642\u064b\u0627 \u0648\u062d\u0645\u0627\u064a\u0629 DDoS \u0645\u062a\u0642\u062f\u0645\u0629. <a href=\"https:\/\/maram.iq\/blogs\/%d8%ae%d8%b7%d8%b7-%d9%85%d8%b1%d8%a7%d9%85-%d9%87%d9%88%d8%b3%d8%aa\/\" style=\"color:#4f46e5;font-weight:600\">\u0627\u0628\u062f\u0623 \u0645\u0646 \u0647\u0646\u0627<\/a>.<\/p>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-8\">\u0625\u0639\u062f\u0627\u062f \u0642\u0648\u0627\u0639\u062f \u0644\u0644\u0645\u0646\u0627\u0641\u0630 \u0627\u0644\u0634\u0627\u0626\u0639\u0629 (SSH, HTTP, HTTPS)<\/h2>\n\n\n\n<p>\u0627\u0644\u0645\u0646\u0627\u0641\u0630 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0627\u0644\u062a\u064a \u064a\u062c\u0628 \u0641\u062a\u062d\u0647\u0627 \u0641\u064a \u0645\u0639\u0638\u0645 \u0633\u064a\u0631\u0641\u0631\u0627\u062a \u0627\u0644\u0648\u064a\u0628: 22 \u0644\u0640 SSH\u060c 80 \u0644\u0640 HTTP\u060c 443 \u0644\u0640 HTTPS. \u0623\u062d\u064a\u0627\u0646\u064b\u0627 \u062a\u062d\u062a\u0627\u062c \u0641\u062a\u062d 25\u060c 465\u060c 587 \u0644\u0640 SMTP\u060c 993 \u0644\u0640 IMAPS\u060c 21 \u0644\u0640 FTP. 
\u0644\u0643\u0644 \u0645\u0646\u0641\u0630\u060c \u0627\u0643\u062a\u0628 \u0642\u0627\u0639\u062f\u0629 \u0645\u062d\u062f\u062f\u0629 \u0628\u062f\u0642\u0629. \u062a\u062c\u0646\u0628 \u0641\u062a\u062d &#8220;\u0643\u0644 \u0627\u0644\u0645\u0646\u0627\u0641\u0630&#8221; \u0623\u0648 \u062a\u0631\u0643 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0629 ACCEPT.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \u0627\u0644\u0633\u0645\u0627\u062d \u0628\u0640 SSH \u0639\u0644\u0649 \u0627\u0644\u0645\u0646\u0641\u0630 22\niptables -A INPUT -p tcp --dport 22 -j ACCEPT\n\n# \u0627\u0644\u0633\u0645\u0627\u062d \u0628\u0640 HTTP \u0648 HTTPS\niptables -A INPUT -p tcp --dport 80 -j ACCEPT\niptables -A INPUT -p tcp --dport 443 -j ACCEPT\n\n# \u0627\u0644\u0633\u0645\u0627\u062d \u0628\u0640 SMTP \u0648 IMAPS\niptables -A INPUT -p tcp --dport 25 -j ACCEPT\niptables -A INPUT -p tcp --dport 465 -j ACCEPT\niptables -A INPUT -p tcp --dport 587 -j ACCEPT\niptables -A INPUT -p tcp --dport 993 -j ACCEPT\n\n# \u0627\u0644\u0633\u0645\u0627\u062d \u0628\u0640 DNS \u062f\u0627\u062e\u0644\u064a (\u0644\u0648 \u0627\u0644\u0633\u064a\u0631\u0641\u0631 \u064a\u0642\u062f\u0645 DNS)\niptables -A INPUT -p udp --dport 53 -j ACCEPT\niptables -A INPUT -p tcp --dport 53 -j ACCEPT\n\n# \u0627\u0644\u0633\u0645\u0627\u062d \u0628\u0640 ping (ICMP)\niptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT<\/code><\/pre>\n\n\n\n<p>\u0644\u062a\u0639\u0632\u064a\u0632 \u0623\u0645\u0627\u0646 SSH\u060c \u0627\u062d\u0635\u0631 \u0627\u0644\u0648\u0635\u0648\u0644 \u0628\u0640 IPs \u0645\u062d\u062f\u062f\u0629. \u0644\u0648 \u0643\u0627\u0646 \u0641\u0631\u064a\u0642\u0643 \u064a\u0639\u0645\u0644 \u0645\u0646 \u0645\u0643\u0627\u062a\u0628 \u062b\u0627\u0628\u062a\u0629\u060c \u0623\u0636\u0641 \u0641\u0642\u0637 \u0627\u0644\u0640 IPs \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0647\u0627. 
\u0644\u0648 \u0643\u0646\u062a \u062a\u062a\u0646\u0642\u0644\u060c \u0627\u0633\u062a\u062e\u062f\u0645 VPN \u062b\u0645 \u0627\u0633\u0645\u062d \u0641\u0642\u0637 \u0628\u0640 IP \u0627\u0644\u0640 VPN. \u0625\u0646 \u0643\u0627\u0646 \u0644\u0627 \u0628\u062f \u0645\u0646 \u0641\u062a\u062d SSH \u0644\u0644\u062c\u0645\u064a\u0639\u060c \u0627\u0646\u0642\u0644 \u0627\u0644\u0645\u0646\u0641\u0630 \u0645\u0646 22 \u0625\u0644\u0649 \u0645\u0646\u0641\u0630 \u063a\u064a\u0631 \u0642\u064a\u0627\u0633\u064a \u0645\u062b\u0644 2222 \u0623\u0648 22122\u060c \u0648\u0641\u0639\u0651\u0644 fail2ban. \u062a\u063a\u064a\u064a\u0631 \u0627\u0644\u0645\u0646\u0641\u0630 \u064a\u0642\u0644\u0644 \u0636\u062c\u064a\u062c \u0627\u0644\u0645\u0633\u062d \u0627\u0644\u0622\u0644\u064a \u0641\u0642\u0637 \u0648\u0644\u0627 \u064a\u063a\u0646\u064a \u0639\u0646 \u0627\u0644\u0645\u0635\u0627\u062f\u0642\u0629 \u0628\u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0648\u062a\u0639\u0637\u064a\u0644 \u0643\u0644\u0645\u0627\u062a \u0627\u0644\u0645\u0631\u0648\u0631 \u0641\u064a sshd\u060c \u0648\u0627\u0641\u062a\u062d \u0627\u0644\u0645\u0646\u0641\u0630 \u0627\u0644\u062c\u062f\u064a\u062f \u0641\u064a iptables \u0642\u0628\u0644 \u0625\u0639\u0627\u062f\u0629 \u062a\u0634\u063a\u064a\u0644 sshd \u062d\u062a\u0649 \u0644\u0627 \u062a\u0641\u0642\u062f \u0627\u0644\u0627\u062a\u0635\u0627\u0644. \u0644\u0644\u0645\u0632\u064a\u062f \u0639\u0646 \u0627\u0644\u0623\u0645\u0627\u0646\u060c \u0627\u0637\u0651\u0644\u0639 \u0639\u0644\u0649 <a href=\"https:\/\/maram.iq\/blogs\/%d8%aa%d8%a3%d9%85%d9%8a%d9%86-%d8%b3%d9%8a%d8%b1%d9%81%d8%b1-linux\/\">\u062f\u0644\u064a\u0644 \u062a\u0623\u0645\u064a\u0646 \u0633\u064a\u0631\u0641\u0631 Linux<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-9\">\u062d\u0645\u0627\u064a\u0629 \u0645\u0646 \u0647\u062c\u0645\u0627\u062a DDoS \u0639\u0628\u0631 \u0625\u0639\u062f\u0627\u062f iptables<\/h2>\n\n\n\n<p>iptables \u064a\u0642\u062f\u0651\u0645 \u0648\u062d\u062f\u0627\u062a \u0642\u0648\u064a\u0629 \u0644\u0644\u062a\u0635\u062f\u064a \u0644\u0647\u062c\u0645\u0627\u062a DDoS \u0627\u0644\u0628\u0633\u064a\u0637\u0629 \u0648\u0627\u0644\u0645\u062a\u0648\u0633\u0637\u0629. 
\u0627\u0644\u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0643\u0627\u0645\u0644\u0629 \u0645\u0646 DDoS \u0627\u0644\u0643\u0628\u064a\u0631\u0629 \u062a\u062d\u062a\u0627\u062c \u062e\u062f\u0645\u0627\u062a \u0645\u062a\u062e\u0635\u0635\u0629 (Cloudflare\u060c Imperva)\u060c \u0644\u0643\u0646 iptables \u064a\u0648\u0642\u0641 90% \u0645\u0646 \u0627\u0644\u0647\u062c\u0645\u0627\u062a \u0627\u0644\u064a\u0648\u0645\u064a\u0629 \u0627\u0644\u0635\u063a\u064a\u0631\u0629.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \u062a\u062d\u062f\u064a\u062f \u0639\u062f\u062f \u0627\u0644\u0627\u062a\u0635\u0627\u0644\u0627\u062a \u0627\u0644\u062c\u062f\u064a\u062f\u0629 \u0645\u0646 \u0646\u0641\u0633 IP\niptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 30 -j REJECT\niptables -A INPUT -p tcp --dport 443 -m connlimit --connlimit-above 30 -j REJECT\n\n# \u062a\u062d\u062f\u064a\u062f \u0645\u0639\u062f\u0644 \u0627\u0644\u0627\u062a\u0635\u0627\u0644\u0627\u062a \u0627\u0644\u062c\u062f\u064a\u062f\u0629 (rate limiting)\niptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set\niptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP\n\n# \u0645\u0646\u0639 SYN Flood\niptables -A INPUT -p tcp --syn -m limit --limit 5\/s --limit-burst 10 -j ACCEPT\niptables -A INPUT -p tcp --syn -j DROP\n\n# \u0645\u0646\u0639 Ping Flood\niptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5\/s --limit-burst 10 -j ACCEPT\niptables -A INPUT -p icmp --icmp-type echo-request -j DROP\n\n# \u0645\u0646\u0639 Port Scanning\niptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP\niptables -A INPUT -p tcp ! 
--syn -m state --state NEW -j DROP\niptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP<\/code><\/pre>\n\n\n\n<p>\u0642\u0627\u0639\u062f\u0629 connlimit \u062a\u062d\u062f \u0645\u0646 \u0639\u062f\u062f \u0627\u0644\u0627\u062a\u0635\u0627\u0644\u0627\u062a \u0627\u0644\u0645\u062a\u0632\u0627\u0645\u0646\u0629 \u0645\u0646 \u0646\u0641\u0633 IP. 30 \u0627\u062a\u0635\u0627\u0644 \u0645\u062a\u0632\u0627\u0645\u0646 \u0644\u0640 HTTP\/HTTPS \u0631\u0642\u0645 \u0645\u0639\u0642\u0648\u0644 \u0644\u0645\u0639\u0638\u0645 \u0627\u0644\u0645\u062a\u0635\u0641\u062d\u0627\u062a. \u062a\u062c\u0627\u0648\u0632 \u0630\u0644\u0643 \u0642\u062f \u064a\u062f\u0644 \u0639\u0644\u0649 \u0647\u062c\u0648\u0645\u060c \u0644\u0643\u0646 \u062a\u0630\u0643\u0631 \u0623\u0646 \u0645\u0633\u062a\u062e\u062f\u0645\u064a\u0646 \u0643\u062b\u064a\u0631\u064a\u0646 \u062e\u0644\u0641 NAT \u0645\u0634\u062a\u0631\u0643 \u064a\u0638\u0647\u0631\u0648\u0646 \u0628\u0646\u0641\u0633 IP\u060c \u0641\u0627\u062e\u062a\u0628\u0631 \u0627\u0644\u0631\u0642\u0645 \u0642\u0628\u0644 \u0627\u0639\u062a\u0645\u0627\u062f\u0647 \u0641\u064a \u0627\u0644\u0625\u0646\u062a\u0627\u062c. \u0627\u0644\u0640 rate limiting \u0628\u0640 recent module \u0645\u0645\u062a\u0627\u0632 \u0644\u0640 SSH: \u0644\u0648 \u062d\u0627\u0648\u0644 IP \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0623\u0643\u062b\u0631 \u0645\u0646 4 \u0645\u0631\u0627\u062a \u062e\u0644\u0627\u0644 60 \u062b\u0627\u0646\u064a\u0629\u060c \u064a\u064f\u0645\u0646\u0639 \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627. \u0644\u0643\u0646 \u0628\u0634\u0631\u0637 \u0623\u0646 \u062a\u0633\u0628\u0642 \u0642\u0627\u0639\u062f\u062a\u0627 recent \u0642\u0627\u0639\u062f\u0629 <code>--dport 22 -j ACCEPT<\/code>\u061b \u0644\u0648 \u0623\u064f\u0636\u064a\u0641\u062a\u0627 \u0628\u0639\u062f\u0647\u0627 \u0643\u0645\u0627 \u0641\u064a \u062a\u0631\u062a\u064a\u0628 \u0627\u0644\u0642\u0633\u0645 \u0627\u0644\u0633\u0627\u0628\u0642 \u0641\u0644\u0646 \u062a\u064f\u0637\u0627\u0628\u064e\u0642 \u0623\u0628\u062f\u064b\u0627\u060c \u0644\u0623\u0646 ACCEPT \u064a\u0646\u0647\u064a \u0641\u062d\u0635 \u0627\u0644\u062d\u0632\u0645\u0629. \u0633\u0643\u0631\u0628\u062a \u0627\u0644\u0642\u0633\u0645 \u0627\u0644\u062a\u0627\u0644\u064a \u064a\u0631\u062a\u0628\u0647\u0627 \u0628\u0634\u0643\u0644 \u0635\u062d\u064a\u062d.<\/p>\n\n\n\n<p>SYN Flood \u0645\u0646 \u0623\u0634\u0647\u0631 \u0647\u062c\u0645\u0627\u062a DDoS. \u0627\u0644\u0641\u0643\u0631\u0629: \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u064a\u0631\u0633\u0644 \u0622\u0644\u0627\u0641 \u062d\u0632\u0645 SYN \u062f\u0648\u0646 \u0625\u0643\u0645\u0627\u0644 \u0627\u0644\u0640 handshake\u060c \u0641\u064a\u0633\u062a\u0647\u0644\u0643 \u0645\u0648\u0627\u0631\u062f \u0627\u0644\u0633\u064a\u0631\u0641\u0631. \u0644\u0643\u0646 \u0627\u0646\u062a\u0628\u0647 \u0625\u0644\u0649 \u0642\u0627\u0639\u062f\u062a\u064a <code>--syn<\/code> \u0623\u0639\u0644\u0627\u0647: \u0627\u0644\u0623\u0648\u0644\u0649 \u062a\u0642\u0628\u0644 SYN \u0625\u0644\u0649 \u0623\u064a \u0645\u0646\u0641\u0630\u060c \u0644\u0627 \u0625\u0644\u0649 \u0627\u0644\u0645\u0646\u0627\u0641\u0630 \u0627\u0644\u0645\u0633\u0645\u0648\u062d \u0628\u0647\u0627 \u0641\u0642\u0637\u060c \u0641\u062a\u0641\u062a\u062d \u0643\u0644 \u062e\u062f\u0645\u0629 \u0645\u0633\u062a\u0645\u0639\u0629 \u0628\u0645\u0639\u062f\u0644 5 \u0627\u062a\u0635\u0627\u0644\u0627\u062a \u0641\u064a \u0627\u0644\u062b\u0627\u0646\u064a\u0629\u060c \u0648\u0627\u0644\u062d\u062f \u0639\u0627\u0645 \u0648\u0644\u064a\u0633 \u0644\u0643\u0644 IP\u060c \u0641\u0645\u0647\u0627\u062c\u0645 \u0648\u0627\u062d\u062f \u064a\u062a\u062c\u0627\u0648\u0632\u0647 \u064a\u064f\u0633\u0642\u0637 \u0627\u062a\u0635\u0627\u0644\u0627\u062a \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\u064a\u0646 \u0627\u0644\u0634\u0631\u0639\u064a\u064a\u0646 \u0623\u064a\u0636\u064b\u0627. \u0627\u0644\u0623\u0635\u062d \u0648\u0636\u0639 \u0627\u0644\u062d\u062f \u0641\u064a \u0633\u0644\u0633\u0644\u0629 \u0645\u0633\u062a\u0642\u0644\u0629 \u062a\u0646\u062a\u0647\u064a \u0628\u0640 RETURN \u0628\u062f\u0644 ACCEPT\u060c \u0645\u0639 \u062a\u0641\u0639\u064a\u0644 <code>net.ipv4.tcp_syncookies=1<\/code> \u0641\u064a kernel. 
\u0642\u0627\u0639\u062f\u0629 limit\/s \u062a\u062d\u062f\u0651 \u0645\u0646 \u0645\u0639\u062f\u0644 \u0642\u0628\u0648\u0644 SYN\u060c \u0641\u0644\u0627 \u064a\u0633\u062a\u0637\u064a\u0639 \u0627\u0644\u0645\u0647\u0627\u062c\u0645 \u0625\u063a\u0631\u0627\u0642 \u0627\u0644\u0633\u064a\u0631\u0641\u0631.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-10\">\u0625\u0639\u062f\u0627\u062f iptables \u0644\u0640 Port Forwarding<\/h2>\n\n\n\n<p>Port Forwarding \u0645\u0641\u064a\u062f \u0639\u0646\u062f\u0645\u0627 \u062a\u0631\u064a\u062f \u062a\u0648\u062c\u064a\u0647 \u062d\u0631\u0643\u0629 \u0645\u0646 \u0645\u0646\u0641\u0630 \u0639\u0644\u0649 \u0627\u0644\u0633\u064a\u0631\u0641\u0631 \u0625\u0644\u0649 \u0645\u0646\u0641\u0630 \u0639\u0644\u0649 \u062c\u0647\u0627\u0632 \u0622\u062e\u0631. \u0647\u0630\u0627 \u0634\u0627\u0626\u0639 \u0641\u064a \u0625\u0639\u062f\u0627\u062f\u0627\u062a Docker\u060c \u0623\u0648 \u0639\u0646\u062f \u062a\u0634\u063a\u064a\u0644 \u062e\u062f\u0645\u0627\u062a \u062f\u0627\u062e\u0644\u064a\u0629 \u062e\u0644\u0641 \u0633\u064a\u0631\u0641\u0631 \u0628\u0648\u0627\u0628\u0629.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \u062a\u0641\u0639\u064a\u0644 IP forwarding \u0641\u064a kernel\necho 1 &gt; \/proc\/sys\/net\/ipv4\/ip_forward\n\n# \u0644\u062c\u0639\u0644\u0647 \u062f\u0627\u0626\u0645\u064b\u0627\u060c \u0639\u062f\u0651\u0644 \/etc\/sysctl.conf\necho \"net.ipv4.ip_forward=1\" &gt;&gt; \/etc\/sysctl.conf\nsysctl -p\n\n# \u062a\u0648\u062c\u064a\u0647 \u0627\u0644\u0645\u0646\u0641\u0630 8080 \u0627\u0644\u062e\u0627\u0631\u062c\u064a \u0625\u0644\u0649 80 \u0639\u0644\u0649 \u062c\u0647\u0627\u0632 \u062f\u0627\u062e\u0644\u064a\niptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80\niptables -A FORWARD -p tcp -d 192.168.1.100 --dport 80 -j ACCEPT\n\n# Masquerading \u0644\u0644\u0633\u0645\u0627\u062d \u0644\u0644\u0623\u062c\u0647\u0632\u0629 
\u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629 \u0628\u0627\u0644\u0648\u0635\u0648\u0644 \u0644\u0644\u0625\u0646\u062a\u0631\u0646\u062a\niptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<\/code><\/pre>\n\n\n\n<p>DNAT (Destination NAT) \u064a\u063a\u064a\u0651\u0631 \u0639\u0646\u0648\u0627\u0646 \u0627\u0644\u0648\u062c\u0647\u0629 \u0641\u064a \u0627\u0644\u062d\u0632\u0645\u0629 \u0642\u0628\u0644 \u0627\u0644\u062a\u0648\u062c\u064a\u0647. \u0647\u0630\u0627 \u064a\u062c\u0639\u0644 \u0627\u0644\u062d\u0632\u0645\u0629 \u0627\u0644\u0645\u0648\u062c\u0647\u0629 \u0641\u064a \u0627\u0644\u0623\u0635\u0644 \u0625\u0644\u0649 \u0627\u0644\u0633\u064a\u0631\u0641\u0631 \u062a\u0635\u0644 \u0625\u0644\u0649 \u062c\u0647\u0627\u0632 \u062f\u0627\u062e\u0644\u064a. MASQUERADE \u064a\u063a\u064a\u0651\u0631 \u0639\u0646\u0648\u0627\u0646 \u0627\u0644\u0645\u0635\u062f\u0631 \u0625\u0644\u0649 \u0639\u0646\u0648\u0627\u0646 \u0627\u0644\u0633\u064a\u0631\u0641\u0631 \u0627\u0644\u0639\u0627\u0645\u060c \u0645\u0645\u0627 \u064a\u062a\u064a\u062d \u0644\u0644\u0623\u062c\u0647\u0632\u0629 \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629 \u0627\u0644\u0648\u0635\u0648\u0644 \u0644\u0644\u0625\u0646\u062a\u0631\u0646\u062a \u0628\u0640 NAT. \u062a\u0646\u0628\u064a\u0647\u0627\u0646 \u0623\u0645\u0646\u064a\u0627\u0646: \u062a\u0641\u0639\u064a\u0644 ip_forward \u064a\u062d\u0648\u0651\u0644 \u0627\u0644\u0633\u064a\u0631\u0641\u0631 \u0625\u0644\u0649 \u0645\u0648\u062c\u0651\u0647\u060c \u0641\u0627\u062c\u0639\u0644 \u0633\u064a\u0627\u0633\u0629 FORWARD \u0639\u0644\u0649 DROP \u0643\u0645\u0627 \u0641\u064a \u0627\u0644\u0633\u0643\u0631\u0628\u062a \u0623\u062f\u0646\u0627\u0647\u060c \u0648\u0639\u0646\u062f\u0647\u0627 \u0644\u0627 \u0628\u062f \u0645\u0646 \u0642\u0627\u0639\u062f\u0629 <code>-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT<\/code> \u0641\u064a \u0633\u0644\u0633\u0644\u0629 FORWARD \u0648\u0625\u0644\u0627 \u062a\u064f\u0633\u0642\u0637 \u0631\u062f\u0648\u062f \u0627\u0644\u062c\u0647\u0627\u0632 \u0627\u0644\u062f\u0627\u062e\u0644\u064a \u0639\u0644\u0649 \u0627\u062a\u0635\u0627\u0644\u0627\u062a DNAT. \u0648\u0642\u0627\u0639\u062f\u0629 MASQUERADE \u0623\u0639\u0644\u0627\u0647 \u0628\u0644\u0627 \u062a\u062d\u062f\u064a\u062f \u0645\u0635\u062f\u0631 \u062a\u064f\u0637\u0628\u0651\u0642 \u0639\u0644\u0649 \u0623\u064a \u062d\u0632\u0645\u0629 \u062a\u062e\u0631\u062c \u0645\u0646 eth0\u061b \u0642\u064a\u0651\u062f\u0647\u0627 \u0628\u0627\u0644\u0634\u0628\u0643\u0629 \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629 \u0645\u062b\u0644 <code>-s 192.168.1.0\/24<\/code>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-11\">\u062d\u0641\u0638 \u0642\u0648\u0627\u0639\u062f \u0625\u0639\u062f\u0627\u062f iptables \u0628\u0634\u0643\u0644 \u062f\u0627\u0626\u0645<\/h2>\n\n\n\n<p>\u0643\u0644 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0627\u0644\u062a\u064a \u062a\u0636\u064a\u0641\u0647\u0627 \u0628\u0623\u0645\u0631 iptables \u062a\u0643\u0648\u0646 \u0645\u0624\u0642\u062a\u0629 \u0641\u064a \u0627\u0644\u0630\u0627\u0643\u0631\u0629. \u0639\u0646\u062f \u0625\u0639\u0627\u062f\u0629 \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0633\u064a\u0631\u0641\u0631\u060c \u062a\u064f\u0641\u0642\u062f. 
\u0644\u062c\u0639\u0644 <strong>\u0625\u0639\u062f\u0627\u062f iptables<\/strong> \u062f\u0627\u0626\u0645\u064b\u0627\u060c \u064a\u062c\u0628 \u062d\u0641\u0638 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0641\u064a \u0645\u0644\u0641 \u0648\u0625\u0639\u0627\u062f\u0629 \u062a\u062d\u0645\u064a\u0644\u0647\u0627 \u0639\u0646\u062f \u0627\u0644\u0625\u0642\u0644\u0627\u0639.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \u0639\u0644\u0649 Debian\/Ubuntu\u060c \u062a\u062b\u0628\u064a\u062a iptables-persistent\napt install iptables-persistent\n\n# \u062d\u0641\u0638 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0627\u0644\u062d\u0627\u0644\u064a\u0629\niptables-save &gt; \/etc\/iptables\/rules.v4\nip6tables-save &gt; \/etc\/iptables\/rules.v6\n\n# \u0639\u0644\u0649 CentOS\/RHEL\nservice iptables save\n# \u0623\u0648\niptables-save &gt; \/etc\/sysconfig\/iptables\n\n# \u0627\u0633\u062a\u0639\u0627\u062f\u0629 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u064a\u062f\u0648\u064a\u064b\u0627 \u0645\u0646 \u0645\u0644\u0641\niptables-restore &lt; \/etc\/iptables\/rules.v4\n\n# \u0639\u0631\u0636 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0645\u062d\u0641\u0648\u0638\u0629\ncat \/etc\/iptables\/rules.v4<\/code><\/pre>\n\n\n\n<p>iptables-persistent \u0639\u0644\u0649 Debian\/Ubuntu \u064a\u0642\u0648\u0645 \u0628\u062d\u0641\u0638 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627 \u0648\u0627\u0633\u062a\u0639\u0627\u062f\u062a\u0647\u0627 \u0639\u0646\u062f \u0627\u0644\u0625\u0642\u0644\u0627\u0639. \u0639\u0644\u0649 RHEL\u060c \u0627\u0644\u062e\u062f\u0645\u0629 iptables \u0623\u0648 ip6tables \u062a\u062a\u0648\u0644\u0649 \u0627\u0644\u0645\u0647\u0645\u0629. 
\u062a\u0623\u0643\u062f \u0645\u0646 \u062a\u0641\u0639\u064a\u0644 \u0627\u0644\u062e\u062f\u0645\u0629 \u0628\u0640 <code>systemctl enable iptables<\/code>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-12\">\u0643\u062a\u0627\u0628\u0629 \u0633\u0643\u0631\u0628\u062a \u0644\u0640 \u0625\u0639\u062f\u0627\u062f iptables \u0627\u062d\u062a\u0631\u0627\u0641\u064a<\/h2>\n\n\n\n<p>\u0644\u0644\u0633\u064a\u0631\u0641\u0631\u0627\u062a \u0627\u0644\u0625\u0646\u062a\u0627\u062c\u064a\u0629\u060c \u0627\u0644\u0623\u0641\u0636\u0644 \u0623\u0646 \u062a\u0643\u062a\u0628 \u0633\u0643\u0631\u0628\u062a \u064a\u062d\u0648\u064a \u0643\u0644 \u0642\u0648\u0627\u0639\u062f iptables \u0628\u062a\u0631\u062a\u064a\u0628 \u0645\u0646\u0637\u0642\u064a. \u0647\u0630\u0627 \u064a\u062c\u0639\u0644 \u0627\u0644\u0645\u0631\u0627\u062c\u0639\u0629 \u0648\u0627\u0644\u062a\u0639\u062f\u064a\u0644 \u0633\u0647\u0644\u064a\u0646\u060c \u0648\u064a\u0648\u0641\u0631 \u0633\u062c\u0644\u064b\u0627 \u0648\u0627\u0636\u062d\u064b\u0627 \u0644\u0643\u0644 \u0627\u0644\u0642\u0631\u0627\u0631\u0627\u062a.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n# \/usr\/local\/sbin\/firewall.sh\n# \u0633\u0643\u0631\u0628\u062a iptables \u0627\u062d\u062a\u0631\u0627\u0641\u064a\n\n# \u0645\u0633\u062d \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0627\u0644\u062d\u0627\u0644\u064a\u0629\niptables -F\niptables -X\niptables -t nat -F\niptables -t nat -X\niptables -t mangle -F\niptables -t mangle -X\n\n# \u0627\u0644\u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0629\niptables -P INPUT DROP\niptables -P FORWARD DROP\niptables -P OUTPUT ACCEPT\n\n# \u0627\u0644\u0633\u0645\u0627\u062d \u0628\u0640 loopback\niptables -A INPUT -i lo -j ACCEPT\n\n# \u0627\u0644\u0633\u0645\u0627\u062d \u0628\u0627\u0644\u0627\u062a\u0635\u0627\u0644\u0627\u062a \u0627\u0644\u0642\u0627\u0626\u0645\u0629\niptables -A INPUT -m conntrack --ctstate 
ESTABLISHED,RELATED -j ACCEPT\n\n# \u0645\u0646\u0639 \u0627\u0644\u062d\u0632\u0645 \u063a\u064a\u0631 \u0627\u0644\u0635\u0627\u0644\u062d\u0629\niptables -A INPUT -m conntrack --ctstate INVALID -j DROP\n\n# \u062d\u0645\u0627\u064a\u0629 \u0645\u0646 Port Scanning\niptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP\niptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP\niptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP\niptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP\n\n# Rate limiting \u0644\u0640 SSH\niptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set\niptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP\niptables -A INPUT -p tcp --dport 22 -j ACCEPT\n\n# \u0627\u0644\u0645\u0646\u0627\u0641\u0630 \u0627\u0644\u0645\u0641\u062a\u0648\u062d\u0629\niptables -A INPUT -p tcp --dport 80 -j ACCEPT\niptables -A INPUT -p tcp --dport 443 -j ACCEPT\niptables -A INPUT -p tcp --dport 25 -j ACCEPT\niptables -A INPUT -p tcp --dport 587 -j ACCEPT\n\n# ICMP \u0645\u062d\u062f\u0648\u062f\niptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5\/s -j ACCEPT\n\n# Logging \u0642\u0628\u0644 DROP\niptables -A INPUT -m limit --limit 5\/min -j LOG --log-prefix \"iptables-drop: \" --log-level 7\n\n# \u062d\u0641\u0638 \u0627\u0644\u0642\u0648\u0627\u0639\u062f\niptables-save &gt; \/etc\/iptables\/rules.v4\necho \"Firewall rules applied successfully.\"<\/code><\/pre>\n\n\n\n<p>\u0627\u062c\u0639\u0644 \u0627\u0644\u0645\u0644\u0641 \u0642\u0627\u0628\u0644\u064b\u0627 \u0644\u0644\u062a\u0646\u0641\u064a\u0630 \u0628\u0623\u0645\u0631 <code>chmod +x firewall.sh<\/code>. 
\u0634\u063a\u0651\u0644\u0647 \u0645\u0631\u0629 \u0648\u0627\u062d\u062f\u0629 \u0644\u062a\u0637\u0628\u064a\u0642 \u0627\u0644\u0642\u0648\u0627\u0639\u062f\u060c \u0648\u0623\u0636\u0641\u0647 \u0625\u0644\u0649 systemd \u0644\u064a\u064f\u0634\u063a\u064e\u0651\u0644 \u0639\u0646\u062f \u0627\u0644\u0625\u0642\u0644\u0627\u0639. \u0627\u0646\u062a\u0628\u0647 \u0625\u0644\u0649 \u0623\u0646 \u0627\u0644\u0633\u0643\u0631\u0628\u062a \u064a\u0636\u0628\u0637 IPv4 \u0641\u0642\u0637\u061b \u0644\u0648 \u0643\u0627\u0646 \u0644\u0644\u0633\u064a\u0631\u0641\u0631 \u0639\u0646\u0648\u0627\u0646 IPv6 \u0641\u0633\u062a\u0628\u0642\u0649 \u0643\u0644 \u0645\u0646\u0627\u0641\u0630\u0647 \u0645\u0641\u062a\u0648\u062d\u0629 \u0639\u0628\u0631\u0647\u060c \u0641\u0643\u0631\u0631 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0646\u0641\u0633\u0647\u0627 \u0628\u0640 ip6tables (\u0645\u0639 \u0627\u0644\u0633\u0645\u0627\u062d \u0628\u0640 ICMPv6 \u0644\u0623\u0646\u0647 \u0636\u0631\u0648\u0631\u064a \u0644\u0639\u0645\u0644 IPv6) \u0623\u0648 \u0639\u0637\u0651\u0644 IPv6 \u0635\u0631\u0627\u062d\u0629\u064b. \u0643\u0630\u0644\u0643 \u064a\u0636\u0639 \u0627\u0644\u0633\u0643\u0631\u0628\u062a \u0627\u0644\u0633\u064a\u0627\u0633\u0629 DROP \u0642\u0628\u0644 \u0625\u0636\u0627\u0641\u0629 \u0642\u0648\u0627\u0639\u062f SSH \u0648ESTABLISHED\u060c \u0641\u0623\u064a \u062e\u0637\u0623 \u064a\u0648\u0642\u0641 \u0627\u0644\u0633\u0643\u0631\u0628\u062a \u0641\u064a \u0627\u0644\u0645\u0646\u062a\u0635\u0641 \u064a\u0642\u0637\u0639 \u0627\u062a\u0635\u0627\u0644\u0643\u061b \u0634\u063a\u0651\u0644\u0647 \u062f\u0627\u0626\u0645\u064b\u0627 \u0645\u0639 \u0645\u0647\u0645\u0629 \u0627\u0644\u0625\u0646\u0642\u0627\u0630 \u0627\u0644\u0645\u0648\u0636\u062d\u0629 \u0641\u064a \u0642\u0633\u0645 \u0627\u0644\u0623\u062e\u0637\u0627\u0621 \u0627\u0644\u0634\u0627\u0626\u0639\u0629. \u0644\u0644\u0645\u0632\u064a\u062f \u0639\u0646 \u0627\u0644\u0633\u0643\u0631\u0628\u062a\u0627\u062a\u060c \u0627\u0637\u0651\u0644\u0639 \u0639\u0644\u0649 <a href=\"https:\/\/maram.iq\/blogs\/bash-scripting-%d9%84%d9%84%d9%85%d8%a8%d8%aa%d8%af%d8%a6%d9%8a%d9%86\/\">\u062f\u0644\u064a\u0644 Bash Scripting<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-13\">\u0633\u062c\u0644\u0627\u062a \u0625\u0639\u062f\u0627\u062f iptables \u0648\u0643\u064a\u0641 \u062a\u062d\u0644\u0644\u0647\u0627<\/h2>\n\n\n\n<p>\u0627\u0644\u062a\u0633\u062c\u064a\u0644 (Logging) \u064a\u0643\u0634\u0641 \u0645\u0627 \u064a\u062d\u062f\u062b \u0639\u0644\u0649 \u0628\u0648\u0627\u0628\u0629 \u0633\u064a\u0631\u0641\u0631\u0643. iptables \u064a\u0633\u062a\u062e\u062f\u0645 target \u0627\u0633\u0645\u0647 LOG \u0644\u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062d\u0632\u0645 \u0641\u064a syslog. 
\u0643\u0644 \u062d\u0632\u0645\u0629 \u062a\u064f\u0637\u0627\u0628\u0642 \u0642\u0627\u0639\u062f\u0629 LOG \u062a\u0638\u0647\u0631 \u0641\u064a <code>\/var\/log\/syslog<\/code> \u0623\u0648 <code>\/var\/log\/messages<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \u0625\u0636\u0627\u0641\u0629 \u0642\u0627\u0639\u062f\u0629 Logging \u0642\u0628\u0644 DROP\niptables -A INPUT -m limit --limit 5\/min -j LOG --log-prefix \"iptables-drop: \" --log-level 7\n\n# \u0645\u0631\u0627\u0642\u0628\u0629 \u0633\u062c\u0644\u0627\u062a \u0625\u0639\u062f\u0627\u062f iptables \u0641\u064a \u0627\u0644\u0632\u0645\u0646 \u0627\u0644\u062d\u0642\u064a\u0642\u064a\ntail -f \/var\/log\/syslog | grep iptables-drop\n\n# \u062a\u0635\u0641\u064a\u0629 \u0645\u0644\u0641 \u0633\u062c\u0644 \u0644\u0627\u0633\u062a\u062e\u0631\u0627\u062c \u0645\u062d\u0627\u0648\u0644\u0627\u062a \u0627\u0644\u0647\u062c\u0648\u0645\ngrep \"iptables-drop\" \/var\/log\/syslog | awk '{print $11}' | sort | uniq -c | sort -rn | head -20\n\n# \u062a\u0648\u062c\u064a\u0647 \u0633\u062c\u0644\u0627\u062a \u0625\u0639\u062f\u0627\u062f iptables \u0625\u0644\u0649 \u0645\u0644\u0641 \u0645\u0646\u0641\u0635\u0644\necho \":msg, contains, \\\"iptables-drop:\\\" \/var\/log\/iptables.log\" &gt; \/etc\/rsyslog.d\/10-iptables.conf\necho \"& stop\" &gt;&gt; \/etc\/rsyslog.d\/10-iptables.conf\nsystemctl restart rsyslog<\/code><\/pre>\n\n\n\n<p>\u0642\u0627\u0639\u062f\u0629 <code>--limit 5\/min<\/code> \u0645\u0647\u0645\u0629 \u062c\u062f\u064b\u0627. \u0628\u062f\u0648\u0646\u0647\u0627 \u0642\u062f \u064a\u0645\u062a\u0644\u0626 \u0627\u0644\u0633\u062c\u0644 \u0628\u0633\u0631\u0639\u0629 \u0641\u064a \u062d\u0627\u0644 \u0647\u062c\u0648\u0645 \u0636\u062e\u0645\u060c \u0641\u064a\u0633\u062a\u0647\u0644\u0643 \u0645\u0633\u0627\u062d\u0629 \u0627\u0644\u0642\u0631\u0635 \u0648\u064a\u0628\u0637\u0626 \u0627\u0644\u0646\u0638\u0627\u0645. 
\u0645\u0639 limit\u060c \u0646\u062d\u062a\u0641\u0638 \u0641\u0642\u0637 \u0628\u0623\u0648\u0644 5 \u0645\u062d\u0627\u0648\u0644\u0627\u062a \u0641\u064a \u0627\u0644\u062f\u0642\u064a\u0642\u0629\u060c \u0645\u0627 \u064a\u0643\u0641\u064a \u0644\u0643\u0634\u0641 \u0627\u0644\u0623\u0646\u0645\u0627\u0637.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-14\">\u0623\u062e\u0637\u0627\u0621 \u0634\u0627\u0626\u0639\u0629 \u0641\u064a \u0625\u0639\u062f\u0627\u062f iptables<\/h2>\n\n\n\n<p>\u0623\u0643\u062b\u0631 \u062e\u0637\u0623 \u0645\u062f\u0645\u0631: \u0645\u0633\u062d \u0643\u0644 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u062b\u0645 \u062a\u0639\u064a\u064a\u0646 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0629 \u0625\u0644\u0649 DROP \u0642\u0628\u0644 \u0625\u0636\u0627\u0641\u0629 \u0642\u0627\u0639\u062f\u0629 \u0644\u0640 SSH. \u0627\u0644\u0646\u062a\u064a\u062c\u0629: \u062a\u0641\u0642\u062f \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0641\u0648\u0631\u064b\u0627 \u0648\u0644\u0627 \u062a\u0633\u062a\u0637\u064a\u0639 \u0627\u0644\u0639\u0648\u062f\u0629. 
\u0627\u0644\u062d\u0644: \u0642\u0628\u0644 \u0623\u064a \u0625\u0639\u062f\u0627\u062f \u062c\u0630\u0631\u064a\u060c \u0627\u0633\u062a\u062e\u062f\u0645 <code>at<\/code> \u0623\u0648 cron \u0644\u062a\u0646\u0641\u064a\u0630 <code>iptables -P INPUT ACCEPT && iptables -F<\/code> \u0628\u0639\u062f 10 \u062f\u0642\u0627\u0626\u0642\u060c \u062d\u062a\u0649 \u0644\u0648 \u0641\u0642\u062f\u062a \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u064a\u0639\u0648\u062f \u0627\u0644\u0648\u0635\u0648\u0644 \u062a\u0644\u0642\u0627\u0626\u064a\u064b\u0627. \u0644\u0627 \u064a\u0643\u0641\u064a <code>iptables -F<\/code> \u0648\u062d\u062f\u0647: \u0645\u0633\u062d \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0645\u0639 \u0628\u0642\u0627\u0621 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0629 DROP \u064a\u062d\u062c\u0628 \u0643\u0644 \u0627\u0644\u062d\u0632\u0645 \u0628\u0645\u0627 \u0641\u064a\u0647\u0627 SSH. \u0648\u0627\u062d\u0641\u0638 \u0631\u0642\u0645 \u0627\u0644\u0645\u0647\u0645\u0629 \u0627\u0644\u0630\u064a \u064a\u0637\u0628\u0639\u0647 at \u0644\u062a\u0644\u063a\u064a\u0647\u0627 \u0628\u0647 \u0628\u062f\u0642\u0629\u060c \u0648\u062a\u0630\u0643\u0631 \u0623\u0646 \u0645\u0647\u0645\u0629 \u0627\u0644\u0625\u0646\u0642\u0627\u0630 \u062a\u0641\u062a\u062d \u0627\u0644\u062c\u062f\u0627\u0631 \u0627\u0644\u0646\u0627\u0631\u064a \u0628\u0627\u0644\u0643\u0627\u0645\u0644\u060c \u0641\u0623\u0644\u063a\u0647\u0627 \u0641\u0648\u0631 \u0627\u0644\u062a\u0623\u0643\u062f \u0645\u0646 \u0646\u062c\u0627\u062d \u0627\u0644\u0625\u0639\u062f\u0627\u062f.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \u062c\u062f\u0648\u0644\u0629 \"\u0625\u0646\u0642\u0627\u0630\" \u0642\u0628\u0644 \u0627\u0644\u062a\u0639\u062f\u064a\u0644 \u0627\u0644\u062e\u0637\u0631\necho \"iptables -P INPUT ACCEPT && iptables -F\" | at now + 10 minutes\n\n# \u0625\u0646 \u0646\u062c\u062d \u0625\u0639\u062f\u0627\u062f\u0643 \u0648\u0644\u0645 \u062a\u0641\u0642\u062f \u0627\u0644\u0627\u062a\u0635\u0627\u0644\natrm $(atq | tail -1 | awk '{print $1}')<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>\u062a\u0639\u064a\u064a\u0646 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 DROP \u0642\u0628\u0644 \u0627\u0644\u0633\u0645\u0627\u062d \u0628\u0640 SSH.<\/li><li>\u0639\u062f\u0645 \u0627\u0644\u0633\u0645\u0627\u062d \u0628\u0640 loopback (\u064a\u0643\u0633\u0631 \u062a\u0637\u0628\u064a\u0642\u0627\u062a \u062f\u0627\u062e\u0644\u064a\u0629).<\/li><li>\u0639\u062f\u0645 \u0627\u0644\u0633\u0645\u0627\u062d \u0628\u0640 ESTABLISHED,RELATED (\u064a\u0643\u0633\u0631 \u0627\u0644\u062a\u062d\u062f\u064a\u062b\u0627\u062a).<\/li><li>\u0639\u062f\u0645 \u062a\u0641\u0639\u064a\u0644 ip_forward \u0642\u0628\u0644 NAT rules.<\/li><li>\u0646\u0633\u064a\u0627\u0646 \u062d\u0641\u0638 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0628\u0639\u062f \u0627\u0644\u062a\u0639\u062f\u064a\u0644.<\/li><li>\u062a\u0631\u062a\u064a\u0628 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0627\u0644\u062e\u0637\u0623 (DROP \u0642\u0628\u0644 
ACCEPT).<\/li><li>\u0639\u062f\u0645 \u062a\u0637\u0628\u064a\u0642 \u0646\u0641\u0633 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0639\u0644\u0649 ip6tables.<\/li><\/ul>\n\n\n\n<div style=\"border-right:4px solid #7c3aed;background:#f5f3ff;padding:1.5rem;border-radius:0 12px 12px 0;margin:2rem 0\">\n<p style=\"margin:0 0 .5rem;font-weight:700;color:#4f46e5\">\u062d\u0645\u0627\u064a\u0629 \u0634\u0627\u0645\u0644\u0629 \u0644\u0633\u064a\u0631\u0641\u0631\u0643<\/p>\n<p style=\"margin:0;color:#374151\">\u0645\u0639 <a href=\"https:\/\/maram.iq\/blogs\/%d8%aa%d8%ad%d9%85%d9%8a-%d9%85%d9%88%d9%82%d8%b9-%d9%88%d9%88%d8%b1%d8%af%d8%a8%d8%b1%d9%8a%d8%b3-%d9%87%d8%ac%d9%85%d8%a7%d8%aa-%d8%b4%d8%a7%d8%a6%d8%b9%d8%a9-2026\/\">\u062d\u0645\u0627\u064a\u0629 \u0648\u0648\u0631\u062f\u0628\u0631\u064a\u0633<\/a> \u0627\u0644\u0643\u0627\u0645\u0644\u0629 \u0648 iptables \u0627\u0644\u0645\u062a\u0642\u062f\u0645 \u0639\u0644\u0649 VPS \u0645\u0631\u0627\u0645. <a href=\"https:\/\/maram.iq\" style=\"color:#4f46e5;font-weight:600\">\u0627\u0628\u062f\u0623 \u0645\u0646 \u0647\u0646\u0627<\/a>.<\/p>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-15\">\u0625\u0639\u062f\u0627\u062f iptables vs UFW: \u0645\u062a\u0649 \u062a\u0633\u062a\u062e\u062f\u0645 \u0643\u0644 \u0645\u0646\u0647\u0645\u0627<\/h2>\n\n\n\n<p>UFW (Uncomplicated Firewall) \u0647\u0648 \u0648\u0627\u062c\u0647\u0629 \u0628\u0633\u064a\u0637\u0629 \u062a\u0639\u0645\u0644 \u0641\u0648\u0642 iptables. \u0635\u064a\u0627\u063a\u062a\u0647 \u0623\u0628\u0633\u0637 \u0628\u0643\u062b\u064a\u0631: <code>ufw allow 22<\/code> \u0628\u062f\u0644\u064b\u0627 \u0645\u0646 \u0627\u0644\u0642\u0627\u0639\u062f\u0629 \u0627\u0644\u0643\u0627\u0645\u0644\u0629 \u0644\u0640 iptables. 
\u0647\u0630\u0627 \u064a\u062c\u0639\u0644\u0647 \u0645\u0646\u0627\u0633\u0628\u064b\u0627 \u0644\u0644\u0645\u0628\u062a\u062f\u0626\u064a\u0646 \u0648\u0627\u0644\u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0627\u0644\u0628\u0633\u064a\u0637\u0629.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \u0623\u0648\u0627\u0645\u0631 UFW \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629\nufw default deny incoming\nufw default allow outgoing\nufw allow 22\/tcp\nufw allow 80\/tcp\nufw allow 443\/tcp\nufw enable\nufw status verbose\n\n# \u0645\u0646\u0639 IP \u0645\u062d\u062f\u062f \u0628\u0640 UFW\nufw deny from 203.0.113.50\n\n# \u062a\u0637\u0628\u064a\u0642 rate limiting \u0628\u0640 UFW\nufw limit 22\/tcp<\/code><\/pre>\n\n\n\n<p>UFW \u0645\u0646\u0627\u0633\u0628 \u0644\u0644\u0633\u064a\u0631\u0641\u0631\u0627\u062a \u0627\u0644\u0628\u0633\u064a\u0637\u0629 (Web Server \u0628\u0633\u064a\u0637\u060c VPS \u0634\u062e\u0635\u064a). iptables \u0623\u0641\u0636\u0644 \u0644\u0644\u0633\u064a\u0631\u0641\u0631\u0627\u062a \u0627\u0644\u0645\u0639\u0642\u062f\u0629 \u0627\u0644\u062a\u064a \u062a\u062d\u062a\u0627\u062c Port Forwarding\u060c NAT \u0645\u062a\u0642\u062f\u0645\u060c rate limiting \u062f\u0642\u064a\u0642\u060c \u0623\u0648 \u062a\u0643\u0627\u0645\u0644 \u0645\u0639 ipset. 
\u0643\u062b\u064a\u0631 \u0645\u0646 \u0627\u0644\u0645\u062d\u062a\u0631\u0641\u064a\u0646 \u064a\u0628\u062f\u0624\u0648\u0646 \u0628\u0640 UFW \u062b\u0645 \u064a\u0646\u062a\u0642\u0644\u0648\u0646 \u0625\u0644\u0649 iptables \u0639\u0646\u062f \u0627\u0644\u062d\u0627\u062c\u0629 \u0644\u0645\u0632\u064a\u062f \u0645\u0646 \u0627\u0644\u0645\u0631\u0648\u0646\u0629.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"section-16\">\u0627\u0644\u062e\u0644\u0627\u0635\u0629<\/h2>\n\n\n\n<p>\u0625\u0639\u062f\u0627\u062f iptables \u0628\u0634\u0643\u0644 \u0627\u062d\u062a\u0631\u0627\u0641\u064a \u0645\u0647\u0627\u0631\u0629 \u0644\u0627 \u063a\u0646\u0649 \u0639\u0646\u0647\u0627 \u0644\u0643\u0644 \u0645\u062f\u064a\u0631 \u0633\u064a\u0631\u0641\u0631. \u062a\u0639\u0644\u0651\u0645\u0647 \u064a\u0641\u062a\u062d \u0627\u0644\u0628\u0627\u0628 \u0644\u0641\u0647\u0645 \u0627\u0644\u0634\u0628\u0643\u0627\u062a \u0639\u0644\u0649 Linux \u0628\u0639\u0645\u0642\u060c \u0648\u064a\u0645\u0646\u062d\u0643 \u0627\u0644\u0642\u062f\u0631\u0629 \u0639\u0644\u0649 \u0628\u0646\u0627\u0621 \u062d\u0644\u0648\u0644 \u062d\u0645\u0627\u064a\u0629 \u0645\u062e\u0635\u0635\u0629 \u0644\u0627\u062d\u062a\u064a\u0627\u062c\u0627\u062a\u0643. \u0627\u0628\u062f\u0623 \u0628\u0641\u0647\u0645 \u0627\u0644\u0633\u0644\u0627\u0633\u0644 \u0648\u0627\u0644\u062c\u062f\u0627\u0648\u0644\u060c \u062b\u0645 \u0627\u0646\u062a\u0642\u0644 \u0625\u0644\u0649 \u0627\u0644\u0623\u0648\u0627\u0645\u0631 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629\u060c \u062b\u0645 \u0627\u0644\u0642\u0648\u0627\u0639\u062f \u0627\u0644\u0645\u062a\u0642\u062f\u0645\u0629 \u0644\u0640 DDoS \u0648 NAT. 
\u0627\u0643\u062a\u0628 \u0633\u0643\u0631\u0628\u062a\u064b\u0627 \u0645\u0646\u0638\u0645\u064b\u0627\u060c \u0627\u062d\u0641\u0638 \u0627\u0644\u0642\u0648\u0627\u0639\u062f\u060c \u0641\u0639\u0651\u0644 \u0627\u0644\u062a\u0633\u062c\u064a\u0644\u060c \u0648\u0631\u0627\u0642\u0628\u0647 \u062f\u0648\u0631\u064a\u064b\u0627. \u0645\u0639 \u0627\u0644\u0645\u0645\u0627\u0631\u0633\u0629\u060c \u0633\u062a\u0635\u0628\u062d \u0642\u0648\u0627\u0639\u062f\u0643 \u062f\u0641\u0627\u0639\u064b\u0627 \u0642\u0648\u064a\u064b\u0627 \u0636\u062f \u0643\u0644 \u0623\u0646\u0648\u0627\u0639 \u0627\u0644\u062a\u0647\u062f\u064a\u062f\u0627\u062a \u0627\u0644\u0634\u0628\u0643\u064a\u0629. \u0648\u062a\u0630\u0643\u0631 \u062f\u0627\u0626\u0645\u064b\u0627: \u0642\u0628\u0644 \u0623\u064a \u062a\u063a\u064a\u064a\u0631 \u062c\u0630\u0631\u064a\u060c \u0627\u062d\u0645 \u0646\u0641\u0633\u0643 \u0628\u0640 at command \u062d\u062a\u0649 \u0644\u0627 \u062a\u0641\u0642\u062f \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0628\u0633\u064a\u0631\u0641\u0631\u0643.<\/p>\n\n","protected":false},"excerpt":{"rendered":"<p>\ud83d\udee1\ufe0f \u0625\u0639\u062f\u0627\u062f iptables \u0639\u0644\u0649 Linux 2026: \u062f\u0644\u064a\u0644 \u0627\u0644\u062c\u062f\u0627\u0631 \u0627\u0644\u0646\u0627\u0631\u064a \u0627\u0644\u0634\u0627\u0645\u0644 \u0645\u0646 \u0627\u0644\u0635\u0641\u0631 \u0645\u0646 \u0642\u0648\u0627\u0639\u062f \u0628\u0633\u064a\u0637\u0629 \u0625\u0644\u0649 \u0627\u0633\u062a\u0631\u0627\u062a\u064a\u062c\u064a\u0627\u062a \u062d\u0645\u0627\u064a\u0629 \u0645\u062a\u0642\u062f\u0645\u0629\u060c \u0627\u062d\u0645\u0650 \u0633\u064a\u0631\u0641\u0631\u0643 \u0645\u0646 \u0643\u0644 \u0627\u062a\u062c\u0627\u0647 \u0627\u0644\u062c\u062f\u0627\u0631 \u0627\u0644\u0646\u0627\u0631\u064a \u0647\u0648 \u062e\u0637 \u0627\u0644\u062f\u0641\u0627\u0639 
\u0627\u0644\u0623\u0648\u0644&#8230;<\/p>\n","protected":false},"author":1,"featured_media":3241,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[322,172],"tags":[262,267,269,174,402,144,400,401],"class_list":["post-3230","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux-command-line","category-172","tag-ddos","tag-firewall","tag-iptables","tag-linux","tag-linux-security","tag-vps","tag-400","tag-401"],"_links":{"self":[{"href":"https:\/\/maram.iq\/blogs\/wp-json\/wp\/v2\/posts\/3230","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/maram.iq\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/maram.iq\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/maram.iq\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/maram.iq\/blogs\/wp-json\/wp\/v2\/comments?post=3230"}],"version-history":[{"count":1,"href":"https:\/\/maram.iq\/blogs\/wp-json\/wp\/v2\/posts\/3230\/revisions"}],"predecessor-version":[{"id":3256,"href":"https:\/\/maram.iq\/blogs\/wp-json\/wp\/v2\/posts\/3230\/revisions\/3256"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/maram.iq\/blogs\/wp-json\/wp\/v2\/media\/3241"}],"wp:attachment":[{"href":"https:\/\/maram.iq\/blogs\/wp-json\/wp\/v2\/media?parent=3230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/maram.iq\/blogs\/wp-json\/wp\/v2\/categories?post=3230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/maram.iq\/blogs\/wp-json\/wp\/v2\/tags?post=3230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}