{"id":5196,"date":"2022-04-26T10:52:16","date_gmt":"2022-04-26T01:52:16","guid":{"rendered":"\/blog\/?p=5196"},"modified":"2023-09-21T09:26:25","modified_gmt":"2023-09-21T00:26:25","slug":"iptables-firewall","status":"publish","type":"post","link":"https:\/\/hasu0707.duckdns.org\/blog\/?p=5196","title":{"rendered":"iptables firewall"},"content":{"rendered":"\n
#!\/bin\/bash\n\n#\n# iptables firewall\n#\n# @version 0.6.6\n# @author falsandtru https:\/\/github.com\/falsandtru\/iptables-firewall\/\n# @copyright 2014, falsandtru\n# @license MIT\n#\n\n#----------------------------------------------------------#\n# Config                                                   #\n#----------------------------------------------------------#\n\n# \u7ba1\u7406\u7528\u30dd\u30fc\u30c8\u756a\u53f7\nLOGIN=`cat \/etc\/ssh\/sshd_config | grep '^#\\?Port ' | tail -n 1 | sed -e 's\/^[^0-9]*\\([0-9]\\+\\).*$\/\\1\/'`\n\n# \u56fd\u5225\u51e6\u7406\n# - \u8a31\u53ef \u65e5\u672c\nLOCAL_COUNTRY_CODE=\"JP\"\n# - \u62d2\u5426 \u4e2d\u56fd|\u9999\u6e2f|\u30de\u30ab\u30aa|\u97d3\u56fd|\u5317\u671d\u9bae\nBLOCK_COUNTRY_CODE=\"CN|HK|MO|KR|KP\"\n\n# \u30d5\u30a1\u30a4\u30eb\u30c7\u30fc\u30bf\u6574\u5f62\nFORMAT=\"grep ^[0-9] | cut -d' ' -f1\"\n\n# \u4e8b\u524d\u51e6\u7406\/\u4e8b\u5f8c\u51e6\u7406\nPREPROCESS=\nPOSTPROCESS=\n\n# \u30ed\u30fc\u30eb\nROLES=(GLOBAL LOCAL CONNECTION SYSTEM NETWORK AUTH PRIVATE CUSTOMER PUBLIC TEST)\nGLOBAL=(FW_BROADCAST FW_MULTICAST BLOCK_COUNTRY)\nLOCAL=(IPS ACCEPT)\nCONNECTION=(FIREWALL IPS ACCEPT)\nSYSTEM=(whitelist\/system FIREWALL IPF IPS ACCEPT)\nNETWORK=(whitelist\/network FIREWALL IPF IPS ACCEPT)\nAUTH=(whitelist\/auth LOCAL_COUNTRY FIREWALL IPF IPS ACCEPT)\nPRIVATE=(\"whitelist\/{auth,user}|DROP\" LOCAL_COUNTRY FIREWALL IPF IPS ACCEPT)\nCUSTOMER=(LOCAL_COUNTRY FIREWALL IPS ACCEPT)\nPUBLIC=(FIREWALL IPS ACCEPT)\nTEST=(\"whitelist\/{auth,user}|TRACK_PROWLER|DROP\" LOCAL_COUNTRY FIERWALL IPF \"IPS|DROP\")\n\n# \u9069\u7528\n## LOCAL\nMAP=(\"${MAP[@]}\" \"INPUT -i lo -j LOCAL\")\nMAP=(\"${MAP[@]}\" \"OUTPUT -o lo -j LOCAL\")\nMAP=(\"${MAP[@]}\" \"FORWARD -i lo -j LOCAL\")\nMAP=(\"${MAP[@]}\" \"FORWARD -o lo -j LOCAL\")\n## CONNECTION\nMAP=(\"${MAP[@]}\" \"INPUT -m state --state ESTABLISHED,RELATED -j CONNECTION\")\nMAP=(\"${MAP[@]}\" \"OUTPUT -m state --state NEW,ESTABLISHED -j CONNECTION\")\nMAP=(\"${MAP[@]}\" \"FORWARD -m state --state ESTABLISHED,RELATED -j CONNECTION\")\n## GLOBAL\nMAP=(\"${MAP[@]}\" \"INPUT -j GLOBAL\")\nMAP=(\"${MAP[@]}\" \"OUTPUT -j GLOBAL\")\nMAP=(\"${MAP[@]}\" \"FORWARD -j GLOBAL\")\n## SYSTEM\n## - ICMP\nMAP=(\"${MAP[@]}\" \"INPUT -p icmp --icmp-type destination-unreachable -j SYSTEM\")\nMAP=(\"${MAP[@]}\" \"INPUT -p icmp --icmp-type source-quench -j SYSTEM\")\nMAP=(\"${MAP[@]}\" \"INPUT -p icmp --icmp-type redirect -j SYSTEM\")\nMAP=(\"${MAP[@]}\" \"INPUT -p icmp --icmp-type time-exceeded -j SYSTEM\")\nMAP=(\"${MAP[@]}\" \"INPUT -p icmp --icmp-type parameter-problem -j SYSTEM\")\n## - DNS\nNAMESERVERS=$(echo $(grep '^nameserver' \/etc\/resolv.conf | cut -d' ' -f2) | tr ' ' ,)\nMAP=(\"${MAP[@]}\" \"INPUT -s $NAMESERVERS -p udp --dport 53 -j SYSTEM\")\nMAP=(\"${MAP[@]}\" \"OUTPUT -d $NAMESERVERS -p udp --sport 53 -j SYSTEM\")\nMAP=(\"${MAP[@]}\" \"FORWARD -s $NAMESERVERS -p udp --dport 53 -j SYSTEM\")\nMAP=(\"${MAP[@]}\" \"FORWARD -d $NAMESERVERS -p udp --sport 53 -j SYSTEM\")\n## - NTP\nNTPSERVERS=$(echo $(grep '^server' \/etc\/{ntp,chrony}.conf 2>\/dev\/null | cut -d' ' -f2) | tr ' ' ,)\nMAP=(\"${MAP[@]}\" \"INPUT -s $NTPSERVERS -p udp --dport 123 -j SYSTEM\")\nMAP=(\"${MAP[@]}\" \"OUTPUT -d $NTPSERVERS -p udp --sport 123 -j SYSTEM\")\nMAP=(\"${MAP[@]}\" \"FORWARD -s $NTPSERVERS -p udp --dport 123 -j SYSTEM\")\nMAP=(\"${MAP[@]}\" \"FORWARD -d $NTPSERVERS -p udp --sport 123 -j SYSTEM\")\n## SERVICE\n## - SSH\nMAP=(\"${MAP[@]}\" \"INPUT -p tcp -m multiport --dports $LOGIN -j AUTH\")\n## - DNS\n#MAP=(\"${MAP[@]}\" \"INPUT -p tcp --dport 53 -j NETWORK\")\n#MAP=(\"${MAP[@]}\" \"INPUT -p udp --dport 53 -j NETWORK\")\n## - SNMP\n#MAP=(\"${MAP[@]}\" \"INPUT -p udp --dport 160 -j NETWORK\")\n#MAP=(\"${MAP[@]}\" \"INPUT -p udp --dport 161 -j NETWORK\")\n## - HTTP\nMAP=(\"${MAP[@]}\" \"INPUT -p tcp --dport 80 -j PUBLIC\")\n## - HTTPS\nMAP=(\"${MAP[@]}\" \"INPUT -p tcp --dport 443 -j CUSTOMER\")\n## - FTP\n#MAP=(\"${MAP[@]}\" \"INPUT -p tcp --dport 21 -j PRIVATE\")\n## - PASV(FTP-DATA)\n#MAP=(\"${MAP[@]}\" \"INPUT -p tcp --dport 60000:60030 -j PRIVATE\")\n## - IDENT \u203bIDENT\u3092\u4f7f\u7528\u305b\u305a\u30e1\u30fc\u30eb\u30b5\u30fc\u30d0\u30fc\u3092\u516c\u958b\u3059\u308b\u5834\u5408\u306f\u30e1\u30fc\u30eb\u30b5\u30fc\u30d0\u7b49\u306e\u30ec\u30b9\u30dd\u30f3\u30b9\u4f4e\u4e0b\u9632\u6b62\u306e\u305f\u3081\u62d2\u5426\u5fdc\u7b54\n#MAP=(\"${MAP[@]}\" \"INPUT -p tcp --dport 113 -j PRIVATE\")\n#MAP=(\"${MAP[@]}\" \"INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset\")\n## - SMTP\n#MAP=(\"${MAP[@]}\" \"INPUT -p tcp --dport 25 -j PRIVATE\")\n## - SMTPS\n#MAP=(\"${MAP[@]}\" \"INPUT -p tcp --dport 465 -j AUTH\")\n## - POP3\n#MAP=(\"${MAP[@]}\" \"INPUT -p tcp --dport 110 -j PRIVATE\")\n## - POP3S\n#MAP=(\"${MAP[@]}\" \"INPUT -p tcp --dport 995 -j AUTH\")\n## - IMAP\n#MAP=(\"${MAP[@]}\" \"INPUT -p tcp --dport 143 -j PRIVATE\")\n## - IMAPS\n#MAP=(\"${MAP[@]}\" \"INPUT -p tcp --dport 993 -j AUTH\")\n## - OpenVPN\n#MAP=(\"${MAP[@]}\" \"INPUT -p udp --dport 1194 -j AUTH\")\n#[ -f \/etc\/openvpn\/openvpn-startup ] && \/etc\/openvpn\/openvpn-startup\n## - IPsec\n#MAP=(\"${MAP[@]}\" \"INPUT -p 50 -j AUTH\")\n#MAP=(\"${MAP[@]}\" \"INPUT -p 51 -j AUTH\")\n## - Submission\n#MAP=(\"${MAP[@]}\" \"INPUT -p tcp --dport 587 -j PRIVATE\")\n## TRAP\n## - PORTSCAN\nMAP=(\"${MAP[@]}\" \"INPUT -j TRAP_PORTSCAN\")\nMAP=(\"${MAP[@]}\" \"FORWARD -j TRAP_PORTSCAN\")\n\n# IP\u5272\u308a\u5f53\u3066\u66f4\u65b0\u9593\u9694(\u65e5)\nINTERVAL=7\n\n# IPS\u306e\u4f7f\u7528\nIDSIPS=\n\n# \u53b3\u683c\u66f4\u65b0\nSECURE=\n\n# \u30ed\u30b0\u306e\u6700\u5927\u751f\u6210\u901f\u5ea6\nLOG_LIMIT=60\/m\nLOG_LIMIT_BURST=1000\n\n# \u30b3\u30de\u30f3\u30c9\nIPTABLES=\"echo iptables\"\n\n# IP\u30ea\u30b9\u30c8\u4fdd\u5b58\u5148\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\nLIST_DIR=\/etc\/iptables\/\n\n# IP\u5272\u308a\u5f53\u3066\u4fdd\u5b58\u5148\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\nCACHE_DIR=\/var\/cache\/iptables\/\n\n\n#----------------------------------------------------------#\n# Configure                                                #\n#----------------------------------------------------------#\n\necho \"iptables firewall\"\n\n# Default\nRESULT=0\nSECURE=${SECURE:-false}\n\n# IPS\/IDS\nif [ ! $IDSIPS ]; then\n    if [ `ps alx | grep -v grep | grep \/snort | head -n 1 | cut -c1` ]; then\n        IDSIPS=Snort\n    else\n        IDSIPS=false\n    fi\nfi\n\n\n#----------------------------------------------------------#\n# Download                                                 #\n#----------------------------------------------------------#\n\nWGET=\"wget -N --retr-symlinks -P ${CACHE_DIR}\"\n\n[ ! -e $CACHE_DIR ] && mkdir -p $CACHE_DIR\nif [[ $(find ${CACHE_DIR} -name delegated-*-extended-latest -ctime -$INTERVAL 2>&1) ]]; then\n    UPDATE=0\n    echo \"UPDATE    NO\"\nelse\n    UPDATE=1\n    echo \"UPDATE    YES\"\n    $WGET ftp:\/\/ftp.arin.net\/pub\/stats\/arin\/delegated-arin-extended-latest\n    $WGET ftp:\/\/ftp.ripe.net\/pub\/stats\/ripencc\/delegated-ripencc-extended-latest\n    $WGET ftp:\/\/ftp.apnic.net\/pub\/stats\/apnic\/delegated-apnic-extended-latest\n    $WGET ftp:\/\/ftp.lacnic.net\/pub\/stats\/lacnic\/delegated-lacnic-extended-latest\n    $WGET ftp:\/\/ftp.afrinic.net\/pub\/stats\/afrinic\/delegated-afrinic-extended-latest\nfi\n\n\n#----------------------------------------------------------#\n# Initialize                                               #\n#----------------------------------------------------------#\n\nif [ $UPDATE -ne 0 ] && [[ $(find ${CACHE_DIR} -name delegated-*-extended-latest -mtime -$INTERVAL 2>&1) ]]; then\n    RESET=1\n    echo \"DELETE  All Chains\"\n    $IPTABLES -F\n    $IPTABLES -X\nelse\n    RESET=0\n    $IPTABLES -F INPUT\n    $IPTABLES -F OUTPUT\n    $IPTABLES -F FORWARD\n    for CHAIN in `$IPTABLES -S | grep ^-N | cut -d\" \" -f2`; do\n        if [ LOCAL_COUNTRY = $CHAIN ] || [ BLOCK_COUNTRY = $CHAIN ]; then continue;fi\n        $IPTABLES -F $CHAIN\n    done\n\n    for CHAIN in `$IPTABLES -S | grep ^-N | cut -d\" \" -f2`; do\n        if [ LOCAL_COUNTRY = $CHAIN ] || [ BLOCK_COUNTRY = $CHAIN ]; then continue;fi\n        $IPTABLES -X $CHAIN\n    done\nfi\n\n$IPTABLES -Z\n$IPTABLES -P INPUT DROP\n$IPTABLES -P OUTPUT DROP\n$IPTABLES -P FORWARD DROP\n\n$IPTABLES -N LOCAL_COUNTRY 2>\/dev\/null\n$IPTABLES -N BLOCK_COUNTRY 2>\/dev\/null\n\n$IPTABLES -N FIREWALL\n$IPTABLES -N FW_BASIC\n$IPTABLES -N IPS\n$IPTABLES -N IDS\n\n\n#----------------------------------------------------------#\n# Preprocess                                               #\n#----------------------------------------------------------#\n\n# PREPROCESS\necho \"PREPROCESS  $PREPROCESS\"\n`$PREPROCESS`\n\n\n#----------------------------------------------------------#\n# Firewall                                                 #\n#----------------------------------------------------------#\n\n# \u9001\u4fe1\u5143IP\u306e\u507d\u88c5\u9632\u6b62\nsed -i '\/net.ipv4.conf.*.rp_filter\/d' \/etc\/sysctl.conf\nfor dev in `ls \/proc\/sys\/net\/ipv4\/conf\/`\ndo\n    sysctl -w net.ipv4.conf.$dev.rp_filter=1 > \/dev\/null\n    echo \"net.ipv4.conf.$dev.rp_filter=1\" >> \/etc\/sysctl.conf\ndone\n\n# ICMP Redirect\u30d1\u30b1\u30c3\u30c8\u3092\u62d2\u5426\nsed -i '\/net.ipv4.conf.*.accept_redirects\/d' \/etc\/sysctl.conf\nfor dev in `ls \/proc\/sys\/net\/ipv4\/conf\/`\ndo\n    sysctl -w net.ipv4.conf.$dev.accept_redirects=0 > \/dev\/null\n    echo \"net.ipv4.conf.$dev.accept_redirects=0\" >> \/etc\/sysctl.conf\ndone\n\n# Source Routed\u30d1\u30b1\u30c3\u30c8\u3092\u62d2\u5426\nsed -i '\/net.ipv4.conf.*.accept_source_route\/d' \/etc\/sysctl.conf\nfor dev in `ls \/proc\/sys\/net\/ipv4\/conf\/`\ndo\n    sysctl -w net.ipv4.conf.$dev.accept_source_route=0 > \/dev\/null\n    echo \"net.ipv4.conf.$dev.accept_source_route=0\" >> \/etc\/sysctl.conf\ndone\n\n# \u30d6\u30ed\u30fc\u30c9\u30ad\u30e3\u30b9\u30c8\u30a2\u30c9\u30ec\u30b9\u5b9bping\u306b\u306f\u5fdc\u7b54\u3057\u306a\u3044\n# \u203bSmurf\u653b\u6483\u5bfe\u7b56\nsysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 > \/dev\/null\nsed -i '\/net.ipv4.icmp_echo_ignore_broadcasts\/d' \/etc\/sysctl.conf\necho \"net.ipv4.icmp_echo_ignore_broadcasts=1\" >> \/etc\/sysctl.conf\n\n# SYN Cookies\u3092\u6709\u52b9\u306b\u3059\u308b\n# \u203bTCP SYN Flood\u653b\u6483\u5bfe\u7b56\nsysctl -w net.ipv4.tcp_syncookies=1 > \/dev\/null\nsed -i '\/net.ipv4.tcp_syncookies\/d' \/etc\/sysctl.conf\necho \"net.ipv4.tcp_syncookies=1\" >> \/etc\/sysctl.conf\n\n# \u30b7\u30b9\u30c6\u30e0\u306e\u9023\u7d9a\u7a3c\u50cd\u6642\u9593\u3092\u901a\u77e5\u3057\u306a\u3044\n# \u203b\u30ab\u30fc\u30cd\u30eb\u30d0\u30fc\u30b8\u30e7\u30f3\u7279\u5b9a\u5bfe\u7b56\nsysctl -w net.ipv4.tcp_timestamps=1 > \/dev\/null\nsed -i '\/net.ipv4.tcp_timestamps\/d' \/etc\/sysctl.conf\necho \"net.ipv4.tcp_timestamps=1\" >> \/etc\/sysctl.conf\n\n# \u4e0d\u6b63\u306a\u30a2\u30af\u30bb\u30b9\u3092\u884c\u3063\u305fIP\u304b\u3089\u306e\u3059\u3079\u3066\u306e\u30a2\u30af\u30bb\u30b9\u3092\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\n# \u203b\u8abf\u67fb\u7684\u30a2\u30af\u30bb\u30b9\u304b\u3089\u516c\u958b\u30dd\u30fc\u30c8\u3092\u96a0\u853d\u3059\u308b\n# \u203b\u516c\u8868\u30b5\u30fc\u30d0\u30fc\u3067\u306f\u7121\u52b9\u306b\u3057\u3066\u3088\u3044\n$IPTABLES -N IPF 2>\/dev\/null\n$IPTABLES -N ANTI_INTRUDER\n$IPTABLES -N ANTI_INTRUDER_\n$IPTABLES -N ANTI_INTRUDER__\n$IPTABLES -A IPF -p tcp ! --dport 0:1023 -m state --state NEW,INVALID -j ANTI_INTRUDER\n$IPTABLES -A IPF -p udp -m state --state NEW,INVALID -j ANTI_INTRUDER\n$IPTABLES -A IPF -p icmp -j ANTI_INTRUDER\n$IPTABLES -A ANTI_INTRUDER -i e+ -j ANTI_INTRUDER_\n$IPTABLES -A ANTI_INTRUDER -i p+ -j ANTI_INTRUDER_\n$IPTABLES -A ANTI_INTRUDER -i w+ -j ANTI_INTRUDER_\n# \u65e2\u77e5\u306e\u30dd\u30fc\u30c8\u306f\u30d5\u30a3\u30eb\u30bf\u3057\u306a\u3044\n$IPTABLES -A ANTI_INTRUDER_ -m recent --name attacker-rapid --update --rttl -j ANTI_INTRUDER__\n$IPTABLES -A ANTI_INTRUDER_ -m recent --name attacker-fast --update --rttl -j ANTI_INTRUDER__\n$IPTABLES -A ANTI_INTRUDER_ -m recent --name attacker-medium --update --rttl -j ANTI_INTRUDER__\n$IPTABLES -A ANTI_INTRUDER_ -m recent --name attacker-slow --update --rttl -j ANTI_INTRUDER__\n$IPTABLES -A ANTI_INTRUDER_ -m recent --name prowler-rapid --update --rttl -j ANTI_INTRUDER__\n$IPTABLES -A ANTI_INTRUDER_ -m recent --name prowler-fast --update --rttl -j ANTI_INTRUDER__\n$IPTABLES -A ANTI_INTRUDER_ -m recent --name prowler-medium --update --rttl -j ANTI_INTRUDER__\n$IPTABLES -A ANTI_INTRUDER_ -m recent --name prowler-slow --update --rttl -j ANTI_INTRUDER__\n$IPTABLES -A ANTI_INTRUDER__ -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES INTRUDER] : '\n$IPTABLES -A ANTI_INTRUDER__ -j DROP\n#$IPTABLES -A FIREWALL -j IPF && echo \"FIREWALL ANTI_INTRUDER\"\n# recent\u30e2\u30b8\u30e5\u30fc\u30eb\u306f\u521d\u671f\u5024\u3067100IP\u3057\u304b\u8a18\u61b6\u3067\u304d\u306a\u3044\n# \u9001\u4fe1\u5143\u3092\u507d\u88c5\u3057\u305f\u30d1\u30b1\u30c3\u30c8\u3092\u5927\u91cf\u306b\u9001\u308a\u3064\u3051\u308b\u304b\u8abf\u67fb\u5143\u306e\u7d76\u5bfe\u6570\u304c\u5897\u3048\u308b\u3068\u5bb9\u6613\u306b\u7121\u52b9\u5316\u3055\u308c\u308b\u305f\u3081\u5bfe\u51e6\u3055\u308c\u308c\u3070\u52b9\u679c\u306f\u306a\u3044\n# \u653b\u6483\u4fa1\u5024\u306e\u4e0d\u660e\u306aIP\u306e\u5b58\u5728\u78ba\u8a8d\u3068\u30dd\u30fc\u30c8\u30b9\u30ad\u30e3\u30f3\u306b\u5fc5\u8981\u3068\u306a\u308b\u6700\u5c0f\u30b3\u30b9\u30c8\u3092\u4e0a\u3052\u308b\u9632\u5fa1\u3068\u3057\u3066\u306f\u6709\u52b9\n# \u7ba1\u7406\u6a5f\u80fd\u3092\u6301\u3064\u30b5\u30fc\u30d0\u30fc\u306f\u653b\u6483\u4fa1\u5024\u3092\u7279\u5b9a\u3055\u308c\u672c\u683c\u7684\u306a\u653b\u6483\u3092\u53d7\u3051\u306a\u3044\u3088\u3046\u975e\u516c\u8868\u30b5\u30fc\u30d0\u30fc\u306b\u5206\u96e2\u96a0\u853d\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\n# $ vi \/etc\/modprobe.d\/iptables-recent.conf\n# options ip_list_hash_size=0 xt_recent ip_list_tot=1000\n# $ reboot\n# $ cat \/sys\/module\/xt_recent\/parameters\/ip_list_tot\n# $ ls \/proc\/net\/xt_recent\/\n\n# \u4e0d\u5be9\u306a\u30a2\u30af\u30bb\u30b9\u3092\u884c\u3063\u3066\u3044\u308bIP\u3092\u4e0d\u5be9\u8005\u3068\u3057\u3066\u8a18\u9332\n# \u203b\u4e0d\u5be9\u306a\u30a2\u30af\u30bb\u30b9\u3092\u9577\u6642\u9593\u8ffd\u8de1\u3059\u308b\n# \u203b\u6b63\u898f\u306e\u901a\u4fe1\u306e\u30d5\u30a3\u30eb\u30bf\u3068\u3057\u3066\u4f7f\u7528\u4e0d\u53ef\n# \u203b\u516c\u8868\u30b5\u30fc\u30d0\u30fc\u3067\u306f\u7121\u52b9\u306b\u3057\u3066\u3088\u3044\n$IPTABLES -N TRACK_PROWLER 2>\/dev\/null\n$IPTABLES -N ANTI_PROWLER\n$IPTABLES -N ANTI_PROWLER_\n$IPTABLES -A TRACK_PROWLER -j ANTI_PROWLER\n$IPTABLES -A ANTI_PROWLER -i e+ -j ANTI_PROWLER_\n$IPTABLES -A ANTI_PROWLER -i p+ -j ANTI_PROWLER_\n$IPTABLES -A ANTI_PROWLER -i w+ -j ANTI_PROWLER_\n$IPTABLES -A ANTI_PROWLER_ -m recent --name prowler-rapid --update --rttl --seconds 10 -j RETURN\n$IPTABLES -A ANTI_PROWLER_ -m recent --name prowler-rapid --set\n$IPTABLES -A ANTI_PROWLER_ \\\n          -m hashlimit \\\n          --hashlimit-name prowler-rapid \\\n          --hashlimit-above 6\/m \\\n          --hashlimit-mode srcip \\\n          --hashlimit-htable-expire 10000 \\\n          -j RETURN\n$IPTABLES -A ANTI_PROWLER_ -m recent --name prowler-fast --update --rttl --seconds 60 -j RETURN\n$IPTABLES -A ANTI_PROWLER_ -m recent --name prowler-fast --set\n$IPTABLES -A ANTI_PROWLER_ \\\n          -m hashlimit \\\n          --hashlimit-name prowler-fast \\\n          --hashlimit-above 1\/m \\\n          --hashlimit-mode srcip \\\n          --hashlimit-htable-expire 60000 \\\n          -j RETURN\n$IPTABLES -A ANTI_PROWLER_ -m recent --name prowler-medium --update --rttl --seconds 3600 -j RETURN\n$IPTABLES -A ANTI_PROWLER_ -m recent --name prowler-medium --set\n#$IPTABLES -A ANTI_PROWLER_ -m recent --name prowler-slow --update --rttl --seconds 86400 -j RETURN\n$IPTABLES -A ANTI_PROWLER_ -m recent --name prowler-slow --set\n\n# \u653b\u6483\u3092\u884c\u3063\u3066\u3044\u308bIP\u3092\u653b\u6483\u8005\u3068\u3057\u3066\u8a18\u9332\n# \u203bTRACK_PROWLER\u306b\u540c\u3058\n$IPTABLES -N TRACK_ATTACKER 2>\/dev\/null\n$IPTABLES -N ANTI_ATTACKER\n$IPTABLES -N ANTI_ATTACKER_\n$IPTABLES -A TRACK_ATTACKER -j ANTI_ATTACKER\n$IPTABLES -A ANTI_ATTACKER -i e+ -j ANTI_ATTACKER_\n$IPTABLES -A ANTI_ATTACKER -i p+ -j ANTI_ATTACKER_\n$IPTABLES -A ANTI_ATTACKER -i w+ -j ANTI_ATTACKER_\n$IPTABLES -A ANTI_ATTACKER_ -m recent --name attacker-rapid --update --rttl --seconds 10 -j RETURN\n$IPTABLES -A ANTI_ATTACKER_ -m recent --name attacker-rapid --set\n$IPTABLES -A ANTI_ATTACKER_ \\\n          -m hashlimit \\\n          --hashlimit-name attacker-rapid \\\n          --hashlimit-above 6\/m \\\n          --hashlimit-mode srcip \\\n          --hashlimit-htable-expire 10000 \\\n          -j RETURN\n$IPTABLES -A ANTI_ATTACKER_ -m recent --name attacker-fast --update --rttl --seconds 60 -j RETURN\n$IPTABLES -A ANTI_ATTACKER_ -m recent --name attacker-fast --set\n$IPTABLES -A ANTI_ATTACKER_ \\\n          -m hashlimit \\\n          --hashlimit-name attacker-fast \\\n          --hashlimit-above 1\/m \\\n          --hashlimit-mode srcip \\\n          --hashlimit-htable-expire 60000 \\\n          -j RETURN\n$IPTABLES -A ANTI_ATTACKER_ -m recent --name attacker-medium --update --rttl --seconds 3600 -j RETURN\n$IPTABLES -A ANTI_ATTACKER_ -m recent --name attacker-medium --set\n#$IPTABLES -A ANTI_ATTACKER_ -m recent --name attacker-slow --update --rttl --seconds 86400 -j RETURN\n$IPTABLES -A ANTI_ATTACKER_ -m recent --name attacker-slow --set\n\n# \u30d6\u30ed\u30fc\u30c9\u30ad\u30e3\u30b9\u30c8\u30d1\u30b1\u30c3\u30c8\u3092\u30ed\u30b0\u3092\u8a18\u9332\u305b\u305a\u306b\u7834\u68c4\n$IPTABLES -N FW_BROADCAST 2>\/dev\/null\n$IPTABLES -N DENY_BROADCAST\n$IPTABLES -A FW_BROADCAST -i e+ -j DENY_BROADCAST\n$IPTABLES -A FW_BROADCAST -i p+ -j DENY_BROADCAST\n$IPTABLES -A FW_BROADCAST -i w+ -j DENY_BROADCAST\n$IPTABLES -A DENY_BROADCAST -m pkttype --pkt-type broadcast -j DROP\n\n# \u30de\u30eb\u30c1\u30ad\u30e3\u30b9\u30c8\u30d1\u30b1\u30c3\u30c8\u3092\u30ed\u30b0\u3092\u8a18\u9332\u305b\u305a\u306b\u7834\u68c4\n$IPTABLES -N FW_MULTICAST 2>\/dev\/null\n$IPTABLES -N DENY_MULTICAST\n$IPTABLES -A FW_MULTICAST -i e+ -j DENY_MULTICAST\n$IPTABLES -A FW_MULTICAST -i p+ -j DENY_MULTICAST\n$IPTABLES -A FW_MULTICAST -i w+ -j DENY_MULTICAST\n$IPTABLES -A DENY_MULTICAST -m pkttype --pkt-type multicast -j DROP\n\n# \u30d5\u30e9\u30b0\u30e1\u30f3\u30c8\u5316\u3055\u308c\u305f\u30d1\u30b1\u30c3\u30c8\u3092\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\u3057\u3066NG\n$IPTABLES -N FW_FRAGMENT 2>\/dev\/null\n$IPTABLES -N DENY_FRAGMENT\n$IPTABLES -N DENY_FRAGMENT_\n$IPTABLES -A FW_FRAGMENT -i e+ -j DENY_FRAGMENT\n$IPTABLES -A FW_FRAGMENT -i p+ -j DENY_FRAGMENT\n$IPTABLES -A FW_FRAGMENT -i w+ -j DENY_FRAGMENT\n$IPTABLES -A DENY_FRAGMENT -f -j DENY_FRAGMENT_\n$IPTABLES -A DENY_FRAGMENT_ -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES FRAGMENT] : '\n$IPTABLES -A DENY_FRAGMENT_ -j TRACK_ATTACKER\n$IPTABLES -A DENY_FRAGMENT_ -j DROP\n$IPTABLES -A FIREWALL -j FW_FRAGMENT && echo \"FIREWALL  DENY_FRAGMENT\"\n\n# \u4e0d\u6b63\u306a\u30d1\u30b1\u30c3\u30c8\u3092\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\u3057\u3066NG\n$IPTABLES -N FW_INVALID 2>\/dev\/null\n$IPTABLES -N DENY_INVALID\n$IPTABLES -N DENY_INVALID_\n$IPTABLES -A FW_INVALID -i e+ -j DENY_INVALID\n$IPTABLES -A FW_INVALID -i p+ -j DENY_INVALID\n$IPTABLES -A FW_INVALID -i w+ -j DENY_INVALID\n$IPTABLES -A DENY_INVALID -m state --state INVALID -j DENY_INVALID_\n$IPTABLES -A DENY_INVALID_ -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES INVALID] : '\n$IPTABLES -A DENY_INVALID_ -j DROP\n$IPTABLES -A FIREWALL -j FW_INVALID && echo \"FIREWALL DENY_INVALID\"\n\n# \u5916\u90e8\u3068\u306eNetBIOS\u95a2\u9023\u306e\u30a2\u30af\u30bb\u30b9\u306f\u30ed\u30b0\u3092\u8a18\u9332\u305b\u305a\u306b\u7834\u68c4\u3057\u3066NG\n$IPTABLES -N FW_NETBIOS 2>\/dev\/null\n$IPTABLES -N DENY_NETBIOS\n$IPTABLES -N DENY_NETBIOS_\n$IPTABLES -A FW_NETBIOS -i e+ -j DENY_NETBIOS\n$IPTABLES -A FW_NETBIOS -i p+ -j DENY_NETBIOS\n$IPTABLES -A FW_NETBIOS -i w+ -j DENY_NETBIOS\n$IPTABLES -A DENY_NETBIOS -p tcp -m multiport --dports 135,137,138,139,445 -j DENY_NETBIOS_\n$IPTABLES -A DENY_NETBIOS -p udp -m multiport --dports 135,137,138,139,445 -j DENY_NETBIOS_\n$IPTABLES -A DENY_NETBIOS_ -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES NETBIOS] : '\n$IPTABLES -A DENY_NETBIOS_ -j TRACK_ATTACKER\n$IPTABLES -A DENY_NETBIOS_ -j DROP\n$IPTABLES -A FIREWALL -j FW_NETBIOS && echo \"FIREWALL DENY_NETBIOS\"\n$IPTABLES -A FW_BASIC -j FW_NETBIOS\n\n# \u30d5\u30e9\u30b0\u306e\u4e0d\u9069\u5207\u306a\u30d1\u30b1\u30c3\u30c8\u3092\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\n# \u203b\u30b9\u30c6\u30eb\u30b9\u30b9\u30ad\u30e3\u30f3\u5bfe\u7b56\n# \u203b\u65e2\u77e5\u306e\u30dd\u30fc\u30c8\u306f\u3082\u3068\u3082\u3068\u96a0\u5bc6\u6027\u304c\u306a\u3044\u305f\u3081\u4fdd\u8b77\u305b\u305a\u8aa4\u4f5c\u52d5\u306e\u56de\u907f\u3092\u512a\u5148\n# \u203bSSH\u306e\u7d42\u4e86\u51e6\u7406\u3092\u3057\u306a\u3044\u3067\u5207\u65ad\u3055\u308c\u308b\u3068\u7c21\u5358\u306b\u81ea\u7206\u3059\u308b\u306e\u3067\u6ce8\u610f\n# \u203bTRAP_PORTSCAN\u3068IPF\u304c\u6a5f\u80fd\u3057\u3066\u3044\u308b\u3046\u3061\u306f\u6709\u52b9\u306b\u3059\u308b\u5fc5\u8981\u6027\u306f\u4f4e\u3044\n# \u203b\u30d5\u30e9\u30b0\u30d1\u30bf\u30fc\u30f3\u306e\u59a5\u5f53\u6027\u672a\u691c\u8a3c\n# \u203b\u516c\u8868\u30b5\u30fc\u30d0\u30fc\u3067\u306f\u7121\u52b9\u306b\u3057\u3066\u3088\u3044\n$IPTABLES -N FW_STEALTHSCAN 2>\/dev\/null\n$IPTABLES -N ANTI_STEALTHSCAN\n$IPTABLES -N ANTI_STEALTHSCAN_\n$IPTABLES -N ANTI_STEALTHSCAN__\n$IPTABLES -A FW_STEALTHSCAN -j ANTI_STEALTHSCAN\n$IPTABLES -A ANTI_STEALTHSCAN -i e+ -p tcp -m state --state NEW -j ANTI_STEALTHSCAN_\n$IPTABLES -A ANTI_STEALTHSCAN -i p+ -p tcp -m state --state NEW -j ANTI_STEALTHSCAN_\n$IPTABLES -A ANTI_STEALTHSCAN -i w+ -p tcp -m state --state NEW -j ANTI_STEALTHSCAN_\n$IPTABLES -A ANTI_STEALTHSCAN_ -p tcp --dport 0:1023 -j RETURN\n# SYN + ACK when NEW\n$IPTABLES -A ANTI_STEALTHSCAN_ -p tcp -m state --state NEW --tcp-flags SYN,ACK SYN,ACK -j ANTI_STEALTHSCAN__\n# FIN\/PSH\/URG without ACK\n$IPTABLES -A ANTI_STEALTHSCAN_ -p tcp --tcp-flags ACK,FIN FIN -j ANTI_STEALTHSCAN__\n$IPTABLES -A ANTI_STEALTHSCAN_ -p tcp --tcp-flags ACK,PSH PSH -j ANTI_STEALTHSCAN__\n$IPTABLES -A ANTI_STEALTHSCAN_ -p tcp --tcp-flags ACK,URG URG -j ANTI_STEALTHSCAN__\n# SYN + FIN\n$IPTABLES -A ANTI_STEALTHSCAN_ -p tcp --tcp-flags SYN,FIN SYN,FIN -j ANTI_STEALTHSCAN__\n# SYN + RST\n$IPTABLES -A ANTI_STEALTHSCAN_ -p tcp --tcp-flags SYN,RST SYN,RST -j ANTI_STEALTHSCAN__\n# FIN + RST\n$IPTABLES -A ANTI_STEALTHSCAN_ -p tcp --tcp-flags FIN,RST FIN,RST -j ANTI_STEALTHSCAN__\n# ALL\n$IPTABLES -A ANTI_STEALTHSCAN_ -p tcp --tcp-flags ALL ALL -j ANTI_STEALTHSCAN__\n# nmap Null scans \/ no flags\n$IPTABLES -A ANTI_STEALTHSCAN_ -p tcp --tcp-flags ALL NONE -j ANTI_STEALTHSCAN__\n# nmap FIN stealth scan\n$IPTABLES -A ANTI_STEALTHSCAN_ -p tcp --tcp-flags ALL FIN -j ANTI_STEALTHSCAN__\n# FIN + URG + PSH\n$IPTABLES -A ANTI_STEALTHSCAN_ -p tcp --tcp-flags ALL FIN,PSH,URG -j ANTI_STEALTHSCAN__\n# XMAS\n$IPTABLES -A ANTI_STEALTHSCAN_ -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j ANTI_STEALTHSCAN__\n$IPTABLES -A ANTI_STEALTHSCAN_ -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG,PSH -j ANTI_STEALTHSCAN__\n$IPTABLES -A ANTI_STEALTHSCAN__ -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES STEALTHSCAN] : '\n$IPTABLES -A ANTI_STEALTHSCAN__ -j TRACK_ATTACKER\n$IPTABLES -A ANTI_STEALTHSCAN__ -j DROP\n#$IPTABLES -A FIREWALL -j FW_STEALTHSCAN && echo \"FIREWALL  ANTI_STEALTHSCAN\"\n\n# WAN\u304b\u3089\u306e\u9001\u4fe1\u5143\u304c\u30d7\u30e9\u30a4\u30d9\u30fc\u30c8IP\u30a2\u30c9\u30ec\u30b9\u306e\u30d1\u30b1\u30c3\u30c8\u3092\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\u3057\u3066NG\n# \u203bIP spoofing\u653b\u6483\u5bfe\u7b56\n$IPTABLES -N FW_SPOOFING 2>\/dev\/null\n$IPTABLES -N ANTI_SPOOFING\n$IPTABLES -N ANTI_SPOOFING_\n$IPTABLES -N ANTI_SPOOFING__\n$IPTABLES -A FW_SPOOFING -j ANTI_SPOOFING\n$IPTABLES -A ANTI_SPOOFING -i e+ -j ANTI_SPOOFING_\n$IPTABLES -A ANTI_SPOOFING -i p+ -j ANTI_SPOOFING_\n$IPTABLES -A ANTI_SPOOFING -i w+ -j ANTI_SPOOFING_\n$IPTABLES -A ANTI_SPOOFING_ -s 127.0.0.0\/8    -j ANTI_SPOOFING__\n$IPTABLES -A ANTI_SPOOFING_ -s 10.0.0.0\/8     -j ANTI_SPOOFING__\n$IPTABLES -A ANTI_SPOOFING_ -s 172.16.0.0\/12  -j ANTI_SPOOFING__\n$IPTABLES -A ANTI_SPOOFING_ -s 192.168.0.0\/16 -j ANTI_SPOOFING__\n$IPTABLES -A ANTI_SPOOFING__ -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES SPOOFING] : '\n$IPTABLES -A ANTI_SPOOFING__ -j TRACK_ATTACKER\n$IPTABLES -A ANTI_SPOOFING__ -j DROP\n$IPTABLES -A FIREWALL -j FW_SPOOFING && echo \"FIREWALL  ANTI_SPOOFING\"\n$IPTABLES -A FW_BASIC -j FW_SPOOFING\n\n# \u7ba1\u7406\u7528\u30dd\u30fc\u30c8\u3078\u306e3\u5206\u9593\u306b10\u56de\u3092\u8d85\u3048\u308b\u63a5\u7d9a\u8a66\u884c\u3092\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\u3057\u3066NG\n# \u203bBrute Force\u653b\u6483\u5bfe\u7b56\n$IPTABLES -N FW_BRUTEFORCE 2>\/dev\/null\n$IPTABLES -N ANTI_BRUTEFORCE\n$IPTABLES -N ANTI_BRUTEFORCE_\n$IPTABLES -A FW_BRUTEFORCE -p tcp -m multiport --dports $LOGIN -j ANTI_BRUTEFORCE\n$IPTABLES -A ANTI_BRUTEFORCE -i e+ -p tcp -m state --state NEW -j ANTI_BRUTEFORCE_\n$IPTABLES -A ANTI_BRUTEFORCE -i p+ -p tcp -m state --state NEW -j ANTI_BRUTEFORCE_\n$IPTABLES -A ANTI_BRUTEFORCE -i w+ -p tcp -m state --state NEW -j ANTI_BRUTEFORCE_\n$IPTABLES -A ANTI_BRUTEFORCE_ \\\n          -m hashlimit \\\n          --hashlimit-name bruteforce \\\n          --hashlimit 1\/m \\\n          --hashlimit-burst 7 \\\n          --hashlimit-mode srcip \\\n          --hashlimit-htable-expire 180000 \\\n          -j RETURN\n$IPTABLES -A ANTI_BRUTEFORCE_ -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES BRUTEFORCE] : '\n$IPTABLES -A ANTI_BRUTEFORCE_ -j TRACK_ATTACKER\n$IPTABLES -A ANTI_BRUTEFORCE_ -j DROP\n$IPTABLES -A FIREWALL -j FW_BRUTEFORCE && echo \"FIREWALL  ANTI_BRUTEFORCE\"\n$IPTABLES -A FW_BASIC -j FW_BRUTEFORCE\n\n# ping\u306f1\u79d2\u9593\u306b4\u56de\u3092\u8d85\u3048\u305f\u3089\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\u3057\u3066NG\n# \u203bPing of Death\u653b\u6483\u5bfe\u7b56\n$IPTABLES -N FW_PINGDEATH 2>\/dev\/null\n$IPTABLES -N ANTI_PINGDEATH\n$IPTABLES -N ANTI_PINGDEATH_\n$IPTABLES -A FW_PINGDEATH -i e+ -p icmp --icmp-type echo-request -j ANTI_PINGDEATH\n$IPTABLES -A FW_PINGDEATH -i p+ -p icmp --icmp-type echo-request -j ANTI_PINGDEATH\n$IPTABLES -A FW_PINGDEATH -i w+ -p icmp --icmp-type echo-request -j ANTI_PINGDEATH\n$IPTABLES -A ANTI_PINGDEATH -j ANTI_PINGDEATH_\n$IPTABLES -A ANTI_PINGDEATH_ \\\n          -m hashlimit \\\n          --hashlimit-name ping \\\n          --hashlimit 1\/s \\\n          --hashlimit-burst 4 \\\n          --hashlimit-mode srcip \\\n          --hashlimit-htable-expire 1000 \\\n          -j RETURN\n$IPTABLES -A ANTI_PINGDEATH_ -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES PINGDEATH] : '\n$IPTABLES -A ANTI_PINGDEATH_ -j TRACK_ATTACKER\n$IPTABLES -A ANTI_PINGDEATH_ -j DROP\n$IPTABLES -A FIREWALL -j FW_PINGDEATH && echo \"FIREWALL ANTI_PINGDEATH\"\n\n# \u904e\u5927\u306a\u30a2\u30af\u30bb\u30b9\u3092IP\u5358\u4f4d\u3067\u5236\u9650\n# \u203bSYN Flood\u653b\u6483\u5bfe\u7b56(\u6570\u5024\u306f\u9069\u5b9c\u8abf\u6574)\n#\n# -m hashlimit                 \uff1ahashlimit\u30e2\u30b8\u30e5\u30fc\u30eb\u3092\u5229\u7528\n# --hashlimit-name name        \uff1a\u30cf\u30c3\u30b7\u30e5\u30c6\u30fc\u30d6\u30eb\u540d\n# --hashlimit n                \uff1a\u30d1\u30b1\u30c3\u30c8\u56de\u5fa9\u91cf\n# --hashlimit-burst n          \uff1a\u30d1\u30b1\u30c3\u30c8\u5bb9\u91cf\n# --hashlimit-mode hash        \uff1a\u540c\u4e00\u30a2\u30af\u30bb\u30b9\u3068\u3057\u3066\u30ab\u30a6\u30f3\u30c8\u3059\u308b\u8b58\u5225\u57fa\u6e96\n# --hashlimit-htable-expire ms \uff1a\u30cf\u30c3\u30b7\u30e5\u30c6\u30fc\u30d6\u30eb\u5185\u306e\u30ec\u30b3\u30fc\u30c9\u306e\u6709\u52b9\u671f\u9593(\u5358\u4f4d\uff1a\u30df\u30ea\u79d2)\n#\n# HTTP\u30dd\u30fc\u30c8\u3078\u306e\u904e\u5927\u306a\u30a2\u30af\u30bb\u30b9\u3092\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\n$IPTABLES -N FW_SYNFLOOD 2>\/dev\/null\n$IPTABLES -N ANTI_SYNFLOOD\n$IPTABLES -N ANTI_SYNFLOOD_\n$IPTABLES -A FW_SYNFLOOD -p tcp --dport 80 -j ANTI_SYNFLOOD\n$IPTABLES -A ANTI_SYNFLOOD -i e+ -p tcp -m state --state NEW -j ANTI_SYNFLOOD_\n$IPTABLES -A ANTI_SYNFLOOD -i p+ -p tcp -m state --state NEW -j ANTI_SYNFLOOD_\n$IPTABLES -A ANTI_SYNFLOOD -i w+ -p tcp -m state --state NEW -j ANTI_SYNFLOOD_\n$IPTABLES -A ANTI_SYNFLOOD_ \\\n          -m hashlimit \\\n          --hashlimit-name http \\\n          --hashlimit 10\/m \\\n          --hashlimit-burst 60 \\\n          --hashlimit-mode srcip \\\n          --hashlimit-htable-expire 60000 \\\n          -j RETURN\n$IPTABLES -A ANTI_SYNFLOOD_ -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES SYNFLOOD] : '\n$IPTABLES -A ANTI_SYNFLOOD_ -j DROP\n$IPTABLES -A FIREWALL -j FW_SYNFLOOD && echo \"FIREWALL  ANTI_SYNFLOOD\"\n#\n# HTTPS\u30dd\u30fc\u30c8\u3078\u306e\u904e\u5927\u306a\u30a2\u30af\u30bb\u30b9\u3092\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\n$IPTABLES -N FW_SYNFLOOD_SSL 2>\/dev\/null\n$IPTABLES -N ANTI_SYNFLOOD_SSL\n$IPTABLES -N ANTI_SYNFLOOD_SSL_\n$IPTABLES -A FW_SYNFLOOD_SSL -p tcp --dport 443 -j ANTI_SYNFLOOD_SSL\n$IPTABLES -A ANTI_SYNFLOOD_SSL -i e+ -p tcp -m state --state NEW -j ANTI_SYNFLOOD_SSL_\n$IPTABLES -A ANTI_SYNFLOOD_SSL -i p+ -p tcp -m state --state NEW -j ANTI_SYNFLOOD_SSL_\n$IPTABLES -A ANTI_SYNFLOOD_SSL -i w+ -p tcp -m state --state NEW -j ANTI_SYNFLOOD_SSL_\n$IPTABLES -A ANTI_SYNFLOOD_SSL_ \\\n          -m hashlimit \\\n          --hashlimit-name https \\\n          --hashlimit 30\/m \\\n          --hashlimit-burst 60 \\\n          --hashlimit-mode srcip \\\n          --hashlimit-htable-expire 60000 \\\n          -j RETURN\n$IPTABLES -A ANTI_SYNFLOOD_SSL_ -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES SYNFLOOD(SSL)] : '\n$IPTABLES -A ANTI_SYNFLOOD_SSL_ -j DROP\n$IPTABLES -A FIREWALL -j FW_SYNFLOOD_SSL && echo \"FIREWALL  ANTI_SYNFLOOD_SSL\"\n#\n# UDP\u306b\u3088\u308b\u904e\u5927\u306a\u30a2\u30af\u30bb\u30b9\u3092\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\n$IPTABLES -N FW_UDPFLOOD 2>\/dev\/null\n$IPTABLES -N ANTI_UDPFLOOD\n$IPTABLES -N ANTI_UDPFLOOD_\n$IPTABLES -A FW_UDPFLOOD -j ANTI_UDPFLOOD\n$IPTABLES -A ANTI_UDPFLOOD -i e+ -p udp -m state --state NEW -j ANTI_UDPFLOOD_\n$IPTABLES -A ANTI_UDPFLOOD -i p+ -p udp -m state --state NEW -j ANTI_UDPFLOOD_\n$IPTABLES -A ANTI_UDPFLOOD -i w+ -p udp -m state --state NEW -j ANTI_UDPFLOOD_\n$IPTABLES -A ANTI_UDPFLOOD_ \\\n          -m hashlimit \\\n          --hashlimit-name udp \\\n          --hashlimit 30\/m \\\n          --hashlimit-burst 60 \\\n          --hashlimit-mode srcip \\\n          --hashlimit-htable-expire 60000 \\\n          -j RETURN\n$IPTABLES -A ANTI_UDPFLOOD_ -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES UDPFLOOD] : '\n$IPTABLES -A ANTI_UDPFLOOD_ -j DROP\n$IPTABLES -A FIREWALL -j FW_UDPFLOOD && echo \"FIREWALL  ANTI_UDPFLOOD\"\n#\n# ICMP\u306b\u3088\u308b\u904e\u5927\u306a\u30a2\u30af\u30bb\u30b9\u3092\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\n$IPTABLES -N FW_ICMPFLOOD 2>\/dev\/null\n$IPTABLES -N ANTI_ICMPFLOOD\n$IPTABLES -N ANTI_ICMPFLOOD_\n$IPTABLES -A FW_ICMPFLOOD -j ANTI_ICMPFLOOD\n$IPTABLES -A ANTI_ICMPFLOOD -i e+ -p icmp -j ANTI_ICMPFLOOD_\n$IPTABLES -A ANTI_ICMPFLOOD -i p+ -p icmp -j ANTI_ICMPFLOOD_\n$IPTABLES -A ANTI_ICMPFLOOD -i w+ -p icmp -j ANTI_ICMPFLOOD_\n$IPTABLES -A ANTI_ICMPFLOOD_ \\\n          -m hashlimit \\\n          --hashlimit-name icmp \\\n          --hashlimit 30\/m \\\n          --hashlimit-burst 60 \\\n          --hashlimit-mode srcip \\\n          --hashlimit-htable-expire 60000 \\\n          -j RETURN\n$IPTABLES -A ANTI_ICMPFLOOD_ -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES ICMPFLOOD] : '\n$IPTABLES -A ANTI_ICMPFLOOD_ -j DROP\n$IPTABLES -A FIREWALL -j FW_ICMPFLOOD && echo \"FIREWALL ANTI_ICMPFLOOD\"\n\n# \u516c\u958b\u3057\u3066\u3044\u306a\u3044\u30dd\u30fc\u30c8\u3078\u306e\u30d1\u30b1\u30c3\u30c8\u3092\u30ed\u30b0\u3092\u8a18\u9332\u3057\u3066\u7834\u68c4\u3057\u3066NG\n# \u203b\u30dd\u30fc\u30c8\u30b9\u30ad\u30e3\u30f3\u5bfe\u7b56\n# \u203b\u958b\u3051\u3066\u3044\u306a\u3044\u30dd\u30fc\u30c8\u306b1\u5ea6\u3067\u3082\u89e6\u3063\u305f\u3089\u30a2\u30a6\u30c8\n# \u203b\u516c\u8868\u30b5\u30fc\u30d0\u30fc\u3067\u306f\u7121\u52b9\u306b\u3057\u3066\u3088\u3044\n$IPTABLES -N TRAP_PORTSCAN\n$IPTABLES -N ANTI_PORTSCAN\n$IPTABLES -N ANTI_PORTSCAN_\n$IPTABLES -A TRAP_PORTSCAN -j ANTI_PORTSCAN\n$IPTABLES -A ANTI_PORTSCAN -i e+ -j ANTI_PORTSCAN_\n$IPTABLES -A ANTI_PORTSCAN -i p+ -j ANTI_PORTSCAN_\n$IPTABLES -A ANTI_PORTSCAN -i w+ -j ANTI_PORTSCAN_\n$IPTABLES -A ANTI_PORTSCAN_ -j FW_BROADCAST\n$IPTABLES -A ANTI_PORTSCAN_ -j FW_MULTICAST\n$IPTABLES -A ANTI_PORTSCAN_ -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level debug --log-prefix '[IPTABLES PORTSCAN] : '\n$IPTABLES -A ANTI_PORTSCAN_ -j TRACK_PROWLER\n\n\n#----------------------------------------------------------#\n# IDS\/IPS                                                  #\n#----------------------------------------------------------#\n\n$IPTABLES -F IPS\n$IPTABLES -F IDS\nif [ $IDSIPS = Snort ]; then\n\n    # ICMP\u901a\u4fe1\u3092\u3059\u3079\u3066\u89e3\u6790\n    $IPTABLES -A IPS -p icmp -j NFQUEUE --queue-num 2\n\n    # UDP\u901a\u4fe1\u3092\u3059\u3079\u3066\u89e3\u6790\n    $IPTABLES -A IPS -p udp -j NFQUEUE --queue-num 2\n\n    # TCP\u901a\u4fe1\u3092\u89e3\u6790\n    #$IPTABLES -A IPS -o eth+ -p tcp -j ACCEPT\n    #$IPTABLES -A IPS -o en+ -p tcp -j ACCEPT\n    $IPTABLES -A IPS -p tcp -j NFQUEUE --queue-num 2\n\n    # \u30d0\u30c3\u30af\u30a8\u30f3\u30c9\u30b5\u30fc\u30d0\u30fc\u3068\u306e\u5185\u90e8\u901a\u4fe1\u3092\u89e3\u6790\n    #$IPTABLES -A IPS -i lo -p tcp --dport 9000 -j NFQUEUE --queue-num 2\n    #$IPTABLES -A IPS -o lo -p tcp --dport 9000 -j NFQUEUE --queue-num 2\n\n    echo \"IDS\/IPS   Snort\"\n\nelse\n    echo \"IDS\/IPS   DISABLE\"\nfi\n\n\n#----------------------------------------------------------#\n# Role                                                     #\n#----------------------------------------------------------#\n\nFILE_TO_CHAIN(){\n    local FILE=$1\n    local NAME=$2\n    if [ \"`$IPTABLES -S | grep \"^-N $NAME$\"`\" ]; then\n        return 0\n    elif [ ! -r $FILE ]; then\n        return 1\n    fi\n    $IPTABLES -N $NAME\n    $IPTABLES -F $NAME\n    local ifs=$IFS\n    IFS=$'\\n'\n    local LINE\n    for LINE in `eval \"cat $FILE | $FORMAT\"`\n    do\n        $IPTABLES -A $NAME -s $LINE -j RETURN\n    done\n    IFS=$ifs\n    return 0\n}\nBUILD_RULE(){\n    local RULE=$1\n    if [ `echo $RULE | grep -E \"^(ACCEPT|DROP|RETURN|(REJECT|LOG|NFQUEUE)( .*)?)$\"` ]; then\n        RULE=$RULE\n    elif [ \"`$IPTABLES -S | grep \"^\\(-N $RULE$\\|-P $RULE \\)\"`\" ]; then\n        RULE=$RULE\n    elif [ `echo $RULE | grep -E ^[A-Z_]\\+$` ]; then\n        $IPTABLES -N $RULE\n        [ $? -ne 0 ] && RULE=\n    else\n        local FILE=`echo $LIST_DIR$RULE | sed 's|.*\/\/|\/|'`\n        if [ -r $FILE ]; then\n            RULE=${RULE##*\/}\n            RULE=`echo WL_$RULE | cut -d. -f1 | tr '[a-z]' '[A-Z]'`\n            FILE_TO_CHAIN $FILE $RULE\n        else\n            RULE=\n            [ $SECURE = false ]\n        fi\n        [ $? -ne 0 ] && RULE=\n    fi\n    echo $RULE\n}\nBUILD_ROLE(){\n    local ROLE\n    local RULES\n    local RULE\n    for ROLE in ${ROLES[@]}; do\n        $IPTABLES -N $ROLE\n        eval RULES=\"\\${${ROLE}[@]}\"\n        local LINE=\n        for RULE in ${RULES[@]}; do\n            local AS_WHITELIST=\n            local ERROR=\n            if [ ! \"`echo $RULE | grep [,\\|]`\" ]; then\n                ERROR=$RULE\n                RULE=`BUILD_RULE $RULE`\n                [ ! $RULE ] && [ $SECURE != false ] && RESULT=1\n                if [ ! $RULE ]; then [ $SECURE != false ] && echo \"ERROR    $ROLE[$ERROR]\" >&2; continue; fi\n                AS_WHITELIST=`echo $RULE | grep ^WL_`\n                LINE=\"${LINE:+$LINE }$RULE\"\n            else\n                local C_RULES=(`eval echo ${RULE\/\/|\/ }`)\n                local C_RULE\n                RULE=`echo ${ROLE}_${C_RULES[0]##*\/} | cut -d. -f1 | tr '[a-z]' '[A-Z]'`\n                $IPTABLES -N $RULE\n                LINE=\"${LINE:+$LINE }$RULE(\"\n                for C_RULE in ${C_RULES[@]}; do\n                    AS_WHITELIST=\n                    ERROR=$C_RULE\n                    C_RULE=`BUILD_RULE $C_RULE`\n                    [ ! $C_RULE ] && [ $SECURE != false ] && RESULT=1\n                    if [ ! $C_RULE ]; then [ $SECURE != false ] && echo \"ERROR    $ROLE[$ERROR]\" >&2; continue; fi\n                    LINE=\"$LINE$C_RULE,\"\n                    local ifs=$IFS\n                    IFS=$'\\n'\n                    if [ `echo $C_RULE | grep -E \"^(ACCEPT|DROP|RETURN|(REJECT|LOG|NFQUEUE)( .*)?)$\"` ]; then\n                        AS_WHITELIST=${AS_WHITELIST:+}\n                        eval \"$IPTABLES -A $RULE -j $C_RULE\"\n                    elif [ `echo $C_RULE | grep ^WL_` ]; then\n                        AS_WHITELIST=${AS_WHITELIST:-1}\n                        for C_RULE in `$IPTABLES -S ${C_RULE} | grep ' -j RETURN' | sed -e 's\/^-A[^-]*\/\/'`; do\n                            eval \"$IPTABLES -A $RULE $C_RULE\"\n                        done\n                    else\n                        AS_WHITELIST=${AS_WHITELIST:+}\n                        for C_RULE in `$IPTABLES -S ${C_RULE} | grep '^-[AI] ' | sed -e 's\/^-A[^-]*\/\/'`; do\n                            eval \"$IPTABLES -A $RULE $C_RULE\"\n                        done\n                    fi\n                    IFS=$ifs\n                done\n                LINE=\"${LINE%,})\"\n            fi\n            eval \"$IPTABLES -A $ROLE -j $RULE\"\n            if [ $AS_WHITELIST ]; then\n                $IPTABLES -A $RULE -j TRACK_PROWLER\n                $IPTABLES -A $RULE -j DROP\n            fi\n        done\n        eval RULES=\"\\${${ROLE}[@]}\"\n        echo \"ROLE_CONF $ROLE[$(echo \"${RULES[@]}\")]\"\n        echo \"ROLE_APPL $ROLE[$LINE]\"\n    done\n}\nBUILD_ROLE\n\n\n#----------------------------------------------------------#\n# Map                                                      #\n#----------------------------------------------------------#\n\nMAPPING(){\n    local PARAM\n    local ifs=$IFS\n    IFS=$'\\n'\n    for PARAM in ${MAP[@]}; do\n        eval \"$IPTABLES -A $PARAM\"\n        echo \"MAP   $PARAM\"\n    done\n    IFS=$ifs\n}\nMAPPING\n\n\n#----------------------------------------------------------#\n# COUNTRY                                                  #\n#----------------------------------------------------------#\n\nCIDR_COUNT_LIST=()\ndeclare -A CIDR_TABLE\nfor ((CIDR=32;0<CIDR;CIDR--))\ndo\n    CIDR_COUNT=$((2**(32-$CIDR)))\n    CIDR_COUNT_LIST=($CIDR_COUNT \"${CIDR_COUNT_LIST[@]}\")\n    CIDR_TABLE[$CIDR_COUNT]=$CIDR\ndone\n\nCOUNT_TO_CIDR(){\n    local COUNT=$1\n    local CIDR_COUNT\n    for CIDR_COUNT in ${CIDR_COUNT_LIST[@]}\n    do\n        if [ $CIDR_COUNT -gt $COUNT ]; then continue;fi\n        local CIDR=${CIDR_TABLE[$CIDR_COUNT]}\n        break\n    done\n    echo $CIDR\n}\nCIDR_TO_COUNT(){\n    local CIDR=$1\n    local COUNT=$((2**(32-$CIDR)))\n    echo $COUNT\n}\nSHIFT_ADDR(){\n    local ADDR=$1\n    local COUNT=$2\n    local D1=$(($COUNT\/(256**3)))\n    [ $D1 -ne 0 ] && COUNT=0\n    local D2=$(($COUNT\/(256**2)))\n    [ $D2 -ne 0 ] && COUNT=0\n    local D3=$(($COUNT\/(256**1)))\n    [ $D3 -ne 0 ] && COUNT=0\n    local D4=$(($COUNT\/(256**0)))\n    ADDR=`echo $ADDR | awk -v D1=$D1 -v D2=$D2 -v D3=$D3 -v D4=$D4 -F\".\" '{ print $1+D1 \".\" $2+D2 \".\" $3+D3 \".\" $4+D4 }'`\n    # IP\u306e\u6570\u5024\u304c255\u3092\u8d85\u3048\u305f\u5834\u5408\u306eIP\u306e\u7e70\u308a\u4e0a\u3052\u51e6\u7406\u3068\u3053\u308c\u306b\u4ed8\u968f\u3059\u308b\u30b5\u30d6\u30cd\u30c3\u30c8\u30de\u30b9\u30af\u306e\u5206\u5272\u51e6\u7406\u3092\u5b9f\u88c5\u3057\u3066\u3044\u306a\u3044\u305f\u3081\u5f53\u8a72\u51e6\u7406\u304c\u5fc5\u8981\u306a\u5834\u5408\u306f\u5f53\u8a72\u90e8\u5206\u306b\u304a\u3044\u3066\u6b63\u5e38\u306b\u52d5\u4f5c\u3057\u306a\u3044\u3002\n    # \u30ec\u30b8\u30b9\u30c8\u30ea\u306e\u516c\u958b\u3057\u3066\u3044\u308bIP\u5272\u308a\u5f53\u3066\u30ea\u30b9\u30c8\u3067\u306f\u7e70\u308a\u4e0a\u304c\u308a\u51e6\u7406\u304c\u5fc5\u8981\u3068\u306a\u308b\u9805\u76ee\u306f\u898b\u53d7\u3051\u3089\u308c\u306a\u304b\u3063\u305f\u305f\u3081\u3053\u308c\u3089\u306e\u51e6\u7406\u3092\u7701\u7565\u3059\u308b\u3002\n    echo $ADDR\n}\n\nBUILD_COUNTRY(){\n    if [ ! -s $CACHE_DIR$1 ] || [ ! $2 -a ! $3 ];then return;fi\n    echo \"LOAD  $1\"\n    local LINE\n    for LINE in `cat $CACHE_DIR$1 | grep -E \"\\|($2|$3)\\|ipv4\\|\"`\n    do\n        local CODE=`echo $LINE | cut -d \"|\" -f 2`\n        local ADDR=`echo $LINE | cut -d \"|\" -f 4`\n        local COUNT=`echo $LINE | cut -d \"|\" -f 5`\n        local CIDR=32\n        if [ $2 ] && [ `echo $CODE | grep -E $2` ]; then\n            BUILD_COUNTRY_RULE $ADDR $COUNT BUILD_COUNTRY_RULE_ACCEPT\n            printf \"%-10s%-4s%-20s%s\\n\" ACCEPT $CODE $ADDR\/$? $LINE\n        elif [ $3 ] && [ `echo $CODE | grep -E $3` ]; then\n            BUILD_COUNTRY_RULE $ADDR $COUNT BUILD_COUNTRY_RULE_DROP\n            printf \"%-10s%-4s%-20s%s\\n\" DROP   $CODE $ADDR\/$? $LINE\n        fi\n    done\n}\nBUILD_COUNTRY_RULE(){\n    local ADDR=$1\n    local COUNT=$2\n    local CALLBACK=$3\n    local CIDR=`COUNT_TO_CIDR $COUNT`\n    eval \"$CALLBACK $ADDR $CIDR\"\n\n    local REM=$(($COUNT-`CIDR_TO_COUNT $CIDR`))\n    if [ $REM -gt 0 ]; then\n        ADDR=`SHIFT_ADDR $ADDR $(CIDR_TO_COUNT $CIDR)`\n        BUILD_COUNTRY_RULE $ADDR $REM $CALLBACK\n    fi\n    return $CIDR\n}\nBUILD_COUNTRY_RULE_ACCEPT(){\n    local ADDR=$1\n    local CIDR=$2\n    $IPTABLES -A LOCAL_COUNTRY -s $ADDR\/$CIDR -j RETURN\n}\nBUILD_COUNTRY_RULE_DROP(){\n    local ADDR=$1\n    local CIDR=$2\n    $IPTABLES -A BLOCK_COUNTRY -s $ADDR\/$CIDR -j DROP\n}\n\nif [ $RESET -ne 0 ] || [ ! -z \"$LOCAL_COUNTRY_CODE\" -a $($IPTABLES -S LOCAL_COUNTRY 2>\/dev\/null | awk 'END{print NR}') -le 2 ] || [ ! -z \"$BLOCK_COUNTRY_CODE\" -a $($IPTABLES -S BLOCK_COUNTRY 2>\/dev\/null | awk 'END{print NR}') -le 2 ]; then\n    echo \"BUILD   Chain LOCAL_COUNTRY\"\n    echo \"BUILD   Chain BLOCK_COUNTRY\"\n\n    $IPTABLES -F LOCAL_COUNTRY\n    $IPTABLES -A LOCAL_COUNTRY -i lo -j RETURN\n    $IPTABLES -A LOCAL_COUNTRY -o lo -j RETURN\n\n    $IPTABLES -F BLOCK_COUNTRY\n    $IPTABLES -A BLOCK_COUNTRY -i lo -j RETURN\n    $IPTABLES -A BLOCK_COUNTRY -o lo -j RETURN\n\n    # SECURE\n    if [ $SECURE != false ]; then\n      $IPTABLES -I LOCAL_COUNTRY -j DROP\n      $IPTABLES -I BLOCK_COUNTRY -j DROP\n    else\n      $IPTABLES -I LOCAL_COUNTRY -j RETURN\n      $IPTABLES -I BLOCK_COUNTRY -j RETURN\n    fi\n\n    BUILD_COUNTRY \"delegated-apnic-extended-latest\"   $LOCAL_COUNTRY_CODE $BLOCK_COUNTRY_CODE\n    BUILD_COUNTRY \"delegated-arin-extended-latest\"    $LOCAL_COUNTRY_CODE $BLOCK_COUNTRY_CODE\n    BUILD_COUNTRY \"delegated-ripencc-extended-latest\" $LOCAL_COUNTRY_CODE $BLOCK_COUNTRY_CODE\n    BUILD_COUNTRY \"delegated-lacnic-extended-latest\"  $LOCAL_COUNTRY_CODE $BLOCK_COUNTRY_CODE\n    BUILD_COUNTRY \"delegated-afrinic-extended-latest\" $LOCAL_COUNTRY_CODE $BLOCK_COUNTRY_CODE\n\n    $IPTABLES -A LOCAL_COUNTRY -j DROP\n\n    # \u4e00\u6642\u8a2d\u5b9a\u3092\u524a\u9664\n    $IPTABLES -D LOCAL_COUNTRY 1 2>\/dev\/null\n    $IPTABLES -D BLOCK_COUNTRY 1 2>\/dev\/null\n\nelse\n    [ $LOCAL_COUNTRY_CODE ] && echo \"REUSE    Chain LOCAL_COUNTRY\"\n    [ $BLOCK_COUNTRY_CODE ] && echo \"REUSE    Chain BLOCK_COUNTRY\"\nfi\n\n\n#----------------------------------------------------------#\n# Postprocess                                              #\n#----------------------------------------------------------#\n\n# POSTPROCESS\necho \"POSTPROCESS $POSTPROCESS\"\n`$POSTPROCESS`\n\n\n#----------------------------------------------------------#\n# Finalize                                                 #\n#----------------------------------------------------------#\n\n# \u8a2d\u5b9a\u4fdd\u5b58(\/etc\/sysconfig\/iptables\u306e\u65e2\u5b58\u306e\u8a2d\u5b9a\u306f\u524a\u9664)\n[ $RESULT -eq 0 ] && echo \"RESULT   Success\" || echo \"RESULT    Failure\"\necho \"Enter or y > save, n or timeout > revert\"\nread -t 60 input\nif [ $? -eq 0 ] && [ \"$input\" != n ]; then\n    service iptables save\n    sysctl -p 2>&1 | grep -v -E \"^error:.*(ipv6|bridge-nf-call)\"\n    service rsyslog restart\nelse\n    service iptables restart\nfi\n\necho complete\n\nexit $RESULT<\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[12],"tags":[],"class_list":["post-5196","post","type-post","status-publish","format-standard","hentry","category-computing_security"],"_links":{"self":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5196"}],"version-history":[{"count":0,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5196\/revisions"}],"wp:attachment":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}