AnyDesk iptables setting
Official firewall setting is bullshit, not working at all
https://support.anydesk.com/knowledge/firewall
old Linux: /sbin was removed from PATH (in case the shell gets hacked), so add it back:
export PATH=$PATH:/sbin
firewall-cmd --permanent --direct --add-rule ipv4 filter IN_public_allow 0 -p tcp -m tcp --dport 443 -j DROP
firewall-cmd --reload
sudo firewall-cmd --add-port 50001-50003/tcp --permanent
sudo firewall-cmd --add-port 7070/tcp --permanent
sudo firewall-cmd --reload
firewall-cmd --permanent --direct --add-rule ipv4 filter IN_public_allow 0 -p tcp -m tcp --dport 0:7069 -j DROP
firewall-cmd --add-port= --permanent
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 port port="443" protocol="tcp" reject'
(port numbers go up to 65535)
systemctl status firewalld.service
systemctl stop firewalld
systemctl disable firewalld
my RHEL 7.9 changed repo, which caused something weird in firewalld;
settings in firewalld not working...
switch to iptables
yum install iptables-services
systemctl enable iptables
systemctl start iptables
iptables -L -n --line-numbers
iptables -D INPUT 10
iptables -I
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A FORWARD -p udp --dport 53 -m string --hex-string "|07|anydesk|" --algo bm -j ACCEPT
iptables -A INPUT -p udp --dport 53 -m string --hex-string "|07|anydesk|" --algo bm -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j DROP
iptables -A INPUT -p tcp --sport 53 -j DROP
iptables -A INPUT -p udp --sport 53 -m string --hex-string "|07|anydesk|" --algo bm -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -m string --hex-string "|07|anydesk|" --algo bm -j ACCEPT
-j DROP gets matched first, so ACCEPT rules appended after it are never reached
ACCEPT not working? !!!put DROP at the back!!!
use Wireshark to check for anything missed
service iptables save
netstat -ltnap
netstat -lunap
netstat -tnap
anydesk --get-status
anydesk --get-id
service safedog status
sdui
yum install wireshark-gnome
sudo wireshark
iptables -A OUTPUT -p udp -m string --hex-string "|07|anydesk|" --algo bm --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dport 50001:50003 -j ACCEPT
iptables -A OUTPUT -m multiport -p tcp --sport 443,7070 -j ACCEPT
iptables -A OUTPUT -m multiport -p tcp --dport 443,7070 -j ACCEPT
iptables -A OUTPUT -j DROP
iptables -A INPUT -i ens33 -p udp -m string --hex-string "|07|anydesk|" --algo bm --sport 53 -j ACCEPT
iptables -A INPUT -i ens33 -p udp -m multiport --sport 50001:50003 -j ACCEPT
iptables -A INPUT -i ens33 -m multiport -p tcp --sport 443,7070 -j ACCEPT
iptables -A INPUT -i ens33 -m multiport -p tcp --dport 443,7070 -j ACCEPT
iptables -A INPUT -i ens33 -j DROP
iptables -A FORWARD -i ens33 -j DROP
service iptables save
tcp sport 443
udp 50001:50003
tcp 7070
Conclusion: only the INPUT rules need to be kept, plus an ACCEPT on the lo interface, otherwise other local programs are affected. Also the hostname must be added to the hosts file, otherwise
it goes out to the public network to resolve the hostname, can't find it, and programs using local ports hang for a long time.
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ens33 -p udp -m string --hex-string "|07|anydesk|" --algo bm --sport 53 -j ACCEPT
iptables -A INPUT -i ens33 -p udp -m multiport --sport 50001:50003 -j ACCEPT
iptables -A INPUT -i ens33 -m multiport -p tcp --sport 443,7070 -j ACCEPT
iptables -A INPUT -i ens33 -m multiport -p tcp --dport 443,7070 -j ACCEPT
iptables -A INPUT -i ens33 -j DROP
service iptables save
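Added example, not part of these notes: a small check for the ordering mistake hit above (a catch-all DROP appended before the ACCEPT rules makes them unreachable). It reads the format printed by `iptables -S`; the two sample rulesets are constructed from the commands in these notes, and the interface name ens33 is the one used here.

```shell
#!/bin/sh
# Added example, not part of the original notes: find iptables rules that can
# never match because a catch-all DROP was appended in front of them, the
# "ACCEPT not working? put DROP at the back" problem from these notes.
# Input format is what `iptables -S` prints (one "-A CHAIN ..." line per rule).

# Prints every rule shadowed by an earlier catch-all "-j DROP" in the same
# chain. A catch-all is a rule with no match options at all, or only "-i IFACE";
# "-i IFACE -j DROP" shadows only later rules that also name that interface.
unreachable_rules() {
    awk '
    $1 == "-A" {
        chain = $2; iface = ""; target = ""; nopts = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-i")      { iface = $(i + 1); i++ }
            else if ($i == "-j") { target = $(i + 1); i++ }
            else                 nopts++
        }
        if ((chain, "*") in dropped || (iface != "" && (chain, iface) in dropped))
            print
        else if (target == "DROP" && nopts == 0)
            dropped[chain, (iface == "" ? "*" : iface)] = 1
    }'
}

# Number of shadowed rules in a ruleset given as a string.
count_unreachable() {
    printf '%s\n' "$1" | unreachable_rules | awk 'END { print NR }'
}

# Constructed sample 1: the first attempt in the notes, DROP appended before the
# AnyDesk DNS ACCEPT, so the ACCEPT is dead.
BAD_RULESET='-P INPUT ACCEPT
-A INPUT -j DROP
-A INPUT -p udp -m udp --dport 53 -m string --hex-string "|07|anydesk|" --algo bm --to 65535 -j ACCEPT'

# Constructed sample 2: the final ruleset shape, lo accepted first, DROP last.
GOOD_RULESET='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens33 -p udp -m multiport --sports 50001:50003 -j ACCEPT
-A INPUT -i ens33 -m multiport -p tcp --sports 443,7070 -j ACCEPT
-A INPUT -i ens33 -j DROP'

# Live use on the box: iptables -S INPUT | unreachable_rules
echo "bad ruleset: $(count_unreachable "$BAD_RULESET") unreachable rule(s)"
echo "good ruleset: $(count_unreachable "$GOOD_RULESET") unreachable rule(s)"
```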