Firewall configuration


admin

Administrator
Administration staff
Firewall configuration: restricting access to the protected server
When using proxy-based protection (default Qrator domains without any HTTPS technologies, and domains with "HTTPS filtering with decryption"), Qrator forwards user requests to your servers from the following source IP addresses:
  • 66.110.32.128/30
  • 83.234.15.112/30
  • 87.245.197.192/30
  • 185.94.108.0/24
To prevent attacks on your server that target its IP address directly (bypassing the domain name, and therefore Qrator), configure the firewall to deny direct HTTP/HTTPS access to everyone except the source addresses listed above. You can extend this list with your own trusted addresses (e.g. office networks, developer workstations and automated tools), which removes the risk of accidentally locking out your company's own staff.

Linux Netfilter configuration guide (Proxy-based protection)


Caution:
A "one size fits all" firewall how-to is virtually impossible, because there are thousands of ways to configure a system's firewall (including all iptables extensions and other userspace Netfilter front ends), and most of the time the firewall is already configured in some way. The scripts below are examples only and cannot be applied to your system as-is unless you are sure they will not break your existing firewall (e.g. when its configuration is empty).

To rule out DDoS attacks aimed directly at the IP address of the protected server, drop all incoming connections to the HTTP/HTTPS ports (TCP/80 and TCP/443) from every remote address except a list of trusted ones. This list must include all Qrator network source IPs and may be extended with your own trusted addresses, e.g. company workstations.

Depending on your system, you can use either "plain" iptables rules or rules that make use of Netfilter's conntrack and ipset modules. We recommend using both conntrack and ipset: the ruleset becomes smaller (easier to maintain) and faster (fewer rules means fewer checks per incoming packet, and the connection-tracking rule lets packets of already-accepted connections skip the check entirely).

Plain iptables configuration example
#!/bin/sh
# Example only: review it against your existing ruleset before running.
set -e

ADMIN_IPS="127.0.0.1" # Add your trusted IPs/subnets (staff, admins, tools, etc.) here

QRATOR_NODES="66.110.32.128/30
83.234.15.112/30
87.245.197.192/30
185.94.108.0/24
"

# Dedicated chain: trusted sources RETURN to INPUT (so the rest of your existing
# rules still apply to them); everything else is dropped.
iptables -N qrator_ips
for IP in $ADMIN_IPS $QRATOR_NODES; do
    iptables -A qrator_ips -s "$IP" -j RETURN
done
iptables -A qrator_ips -j DROP

# Send every packet for the web ports through the chain. Note that -A appends the
# rule after any existing INPUT rules, so an earlier ACCEPT for ports 80/443 would
# bypass it; use -I instead to put it first if that is the case.
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j qrator_ips

Iptables with conntrack and ipset support
#!/usr/bin/env bash
# Example only: review it against your existing ruleset before running.
set -euo pipefail

ADMIN_IPS="127.0.0.1" # Add your trusted IPs/subnets (staff, admins, tools, etc.) here

QRATOR_NODES="66.110.32.128/30
83.234.15.112/30
87.245.197.192/30
185.94.108.0/24
"

# Creating the trusted IP set (hash:net accepts both single addresses and subnets):
ipset create trusted_nodes hash:net
for IP in $ADMIN_IPS $QRATOR_NODES; do
    ipset add trusted_nodes "$IP"
done

# Creating the iptables rules: a single set lookup replaces one rule per address.
# The set name in --match-set must be the one created above.
iptables -N qrator
iptables -A qrator -m set --match-set trusted_nodes src -j ACCEPT
iptables -A qrator -j DROP

# Packets of already-accepted connections are passed first (conntrack), so only
# the first packet of each new connection to 80/443 is checked against the set.
iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j qrator
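Before loading either ruleset on a production host it is worth checking, offline and without root, that the allowlist does what you expect, and on systems that have moved from iptables to nftables you will want the same policy in nft syntax. The script below is an added example written for this page, not Qrator's own tooling: it emulates the chain's verdict for a given source address using the Qrator ranges listed above (so you can confirm that an address inside 66.110.32.128/30 is accepted and the next address outside it is dropped), and it emits an nftables ruleset that is my translation of the ipset/conntrack example, not a configuration published by Qrator. The second trusted address (192.0.2.10) is a constructed placeholder from the TEST-NET-1 documentation range.

```shell
#!/bin/sh
# Added example (not from the original page): emulate the trusted-source
# allowlist offline and emit an equivalent nftables ruleset.
set -eu

ADMIN_IPS="127.0.0.1 192.0.2.10"   # constructed sample; replace with your own

QRATOR_NODES="66.110.32.128/30
83.234.15.112/30
87.245.197.192/30
185.94.108.0/24
"

# Dotted quad -> 32-bit integer, using field splitting on '.'.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds if address $1 lies inside $2 ("a.b.c.d/n" or a bare address = /32).
in_cidr() {
    addr=$1
    block=$2
    if [ "${block#*/}" = "$block" ]; then
        net=$block
        prefix=32
    else
        net=${block%/*}
        prefix=${block#*/}
    fi
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Emulates the qrator chain: ACCEPT for any trusted source, DROP otherwise.
# Prints the verdict so it can be used as a sanity check before touching
# the live firewall.
verdict() {
    for entry in $ADMIN_IPS $QRATOR_NODES; do
        if in_cidr "$1" "$entry"; then
            echo ACCEPT
            return 0
        fi
    done
    echo DROP
}

# nftables translation of the ipset/conntrack example: a named interval set,
# established/related traffic accepted first, then new TCP/80,443 connections
# only from the set, everything else on those ports dropped.
emit_nft_ruleset() {
    elems=$(echo $ADMIN_IPS $QRATOR_NODES | sed 's/ /, /g')
    cat <<EOF
table inet qrator {
    set trusted_nodes {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        tcp dport { 80, 443 } ct state new ip saddr @trusted_nodes accept
        tcp dport { 80, 443 } drop
    }
}
EOF
}

# Usage: ./check.sh <ip>   -> prints ACCEPT or DROP for that source address
#        ./check.sh nft    -> prints the nftables ruleset
case "${1:-}" in
    "")  ;;
    nft) emit_nft_ruleset ;;
    *)   verdict "$1" ;;
esac
```

Save the generated ruleset to a file and validate it without applying it (`nft -c -f qrator.nft`) before loading it with `nft -f qrator.nft`. The emulation only models the allowlist chain itself; it does not account for other INPUT rules already present on the host, which is exactly why the Caution above applies.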