![](https://habrastorage.org/getpro/habr/post_images/2ac/d97/1b5/2acd971b5217ea5b0e1e9b52d2e1e02b.png)
This note is probably not a full-blown article, but I have tried to collect here all the non-standard moments I ran into while working with OpenVZ containers under the Proxmox hypervisor. Little text, many examples.
- Contents (to save time)
- 1. Forwarding various features and devices from the hypervisor into an OpenVZ container
- 1.1. Forwarding FUSE
- 1.2. Forwarding NFS
- 1.3. Forwarding USB devices
- 1.4. Forwarding a sound card (both built-in and USB)
- 1.5. Forwarding X
- 1.6. Forwarding disk partitions
- 1.7. Forwarding tun/tap
- 2. Firewall
- 3. Various small things
- UPD-1: Forwarding VLAN
So, here we go:
1. Forwarding various features and devices from the hypervisor into an OpenVZ container
1.1. Forwarding FUSE
On the hypervisor, run the following.
Stop the OpenVZ container:
vzctl stop [VEID]
Grant the container the fuse character device (major 10, minor 229) and create the node inside it:
vzctl set [VEID] --devices c:10:229:rw --save
vzctl exec [VEID] mknod /dev/fuse c 10 229
Start the container:
vzctl start [VEID]
Here [VEID] is the container number. After that, FUSE mounting works inside the container.
1.2. Forwarding NFS
On the hypervisor:
Install the NFS server:
aptitude install nfs-kernel-server
Edit the NFS export settings:
nano /etc/exports
for example, to export /var/lib/vz to 10.1.1.2:
/var/lib/vz 10.1.1.2(rw,sync,fsid=root,no_root_squash,crossmnt,no_subtree_check)
Restart the NFS server:
/etc/init.d/nfs-kernel-server restart
Enable NFS support for the container:
vzctl set [VEID] --features "nfs:on" --save
Inside the container:
aptitude install nfs-common
Mount example:
mount -t nfs 10.1.1.1:/var/lib/vz/ /vz
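The export above works, but with rw and no_root_squash the container's root user is root on the hypervisor's /var/lib/vz, which holds the private areas of every container on that host. As an added example (not part of the original post), here is a small audit helper in POSIX shell that reads an /etc/exports file and flags exports that are writable without root squashing or that admit any client. The sample exports are constructed, with the page's own line first; the function name is my own.

```shell
#!/bin/sh
# Constructed sample /etc/exports. The first line is the export from this page.
EXPORTS_SAMPLE='/var/lib/vz 10.1.1.2(rw,sync,fsid=root,no_root_squash,crossmnt,no_subtree_check)
/srv/iso *(ro,sync,no_subtree_check)
/srv/backup 10.1.1.0/24(rw,sync,no_root_squash)
# comment lines are ignored
/srv/public 10.1.1.2(ro,sync,root_squash,no_subtree_check)'

# audit_exports: read exports(5) lines on stdin, print one finding per risky
# client entry as "<path> <client> <reason>".
audit_exports() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                # split "client(opt,opt)" into client and option list
                if (match($i, /\(.*\)/)) {
                    client = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                }
                o = "," opts ","
                # "*" or "*.domain" lets any host mount the export
                if (client == "*" || client ~ /^\*\./)
                    print path, client, "wildcard-client"
                # rw plus no_root_squash: client root is root on the server side
                if (o ~ /,rw,/ && o ~ /,no_root_squash,/)
                    print path, client, "rw-no_root_squash"
            }
        }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$EXPORTS_SAMPLE" | audit_exports
```

On the hypervisor this is run as `audit_exports < /etc/exports`. For the setup on this page the narrower option is to export only the directory the container actually needs rather than all of /var/lib/vz, and to keep root_squash unless the container must write root-owned files.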
1.3. Forwarding USB devices
In every case of device forwarding where there are several devices, it is better to edit the container configuration directly instead of using vzctl: if you do not put all the required devices on one line at once, vzctl overwrites all previous forwardings and keeps only the last one.
General form:
vzctl set VEID --devices b|c:major:minor|all:[r|w|rw|none]
b is a block device, c is a character device. The major:minor pair of a particular device can be seen under /dev/bus/usb.
Forwarding by name:
vzctl set [VEID] --devnodes ttyUSB0:rw --save
Forwarding by device numbers:
vzctl set [VEID] --devices c:189:all:rw --save
or by editing the configuration:
nano /etc/pve/openvz/[VEID].conf
DEVNODES="ttyUSB1:rw "
DEVICES="c:189:all:rw "
To forward a USB device into an already running container, bind-mount it from the host into the container:
mount -o bind /dev/<DEVNAME> $VE_ROOT/dev/<DEVNAME>
1.4. Forwarding a sound card (both built-in and USB)
In many ways this is like forwarding an ordinary USB device, but with a few differences.
On the hypervisor:
Load the kernel modules for sound:
modprobe snd_dummy
echo "snd_dummy" >> /etc/modules
If the sound card is USB, also:
modprobe snd_usb_audio
echo "snd_usb_audio" >> /etc/modules
Check that the modules are loaded:
lsmod | grep snd
This lists all loaded sound-related modules.
Add the devices to the container configuration:
vzctl set [VEID] --devices c:116:all:rw --devices c:4:all:rw --save
If this is not the first device being forwarded, the command above wipes the previous ones; in that case edit the file
/etc/pve/openvz/[VEID].conf
and add the line
DEVICES="c:116:all:rw c:4:all:rw "
List all snd devices:
ls -la /dev/snd
crw-rw---T 1 root audio 116, 6 Jan 25 19:19 controlC0
crw-rw---T 1 root audio 116, 9 Jan 27 09:52 controlC1
crw-rw---T 1 root audio 116, 5 Jan 25 19:19 pcmC0D0c
crw-rw---T 1 root audio 116, 4 Jan 25 19:20 pcmC0D0p
crw-rw---T 1 root audio 116, 8 Jan 27 09:52 pcmC1D0c
crw-rw---T 1 root audio 116, 7 Jan 27 09:52 pcmC1D0p
crw-rw---T 1 root audio 116, 3 Jan 25 17:47 seq
crw-rw---T 1 root audio 116, 2 Jan 25 17:47 timer
Enter the container:
vzctl enter [VEID]
Recreate the device nodes:
rm -r /dev/snd
mkdir /dev/snd
mknod /dev/snd/controlC0 c 116 6
mknod /dev/snd/controlC1 c 116 9
mknod /dev/snd/pcmC0D0c c 116 5
mknod /dev/snd/pcmC0D0p c 116 4
mknod /dev/snd/pcmC1D0c c 116 8
mknod /dev/snd/pcmC1D0p c 116 7
mknod /dev/snd/seq c 116 3
mknod /dev/snd/timer c 116 2
chmod 660 /dev/snd/*
chown :audio /dev/snd/*
(note that the device numbers and names must match those on the hypervisor)
Install ALSA:
aptitude install alsa alsa-lib alsa-base alsa-util libdssialsacompat0
Then add the required container user to the audio group:
adduser skype audio
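The pitfall in 1.3 (vzctl set --devices replaces the whole list unless every device is passed at once) and the hand-typed mknod list in 1.4 both come down to the same data: the type, major and minor of each node as shown by ls -la. The following is an added example, not code from the original post, that derives both the mknod commands for the container and the single DEVICES= line for [VEID].conf from such a listing. The listings are constructed samples (the sound one is the listing shown above, shortened); the function names are my own.

```shell
#!/bin/sh
# Constructed sample: an `ls -la /dev/snd` listing from the hypervisor (shortened).
SND_LISTING='crw-rw---T 1 root audio 116, 6 Jan 25 19:19 controlC0
crw-rw---T 1 root audio 116, 9 Jan 27 09:52 controlC1
crw-rw---T 1 root audio 116, 5 Jan 25 19:19 pcmC0D0c
crw-rw---T 1 root audio 116, 4 Jan 25 19:20 pcmC0D0p
crw-rw---T 1 root audio 116, 3 Jan 25 17:47 seq
crw-rw---T 1 root audio 116, 2 Jan 25 17:47 timer'
# Constructed sample: the fuse node as `ls -la` in /dev would show it (major 10, minor 229).
FUSE_LISTING='crw-rw-rw- 1 root root 10, 229 Jan 25 19:19 fuse'

# gen_mknod DIR: read an ls -la listing on stdin and print the mknod commands
# that recreate every block/character node under DIR inside the container.
gen_mknod() {
    awk -v dir="$1" '
        /^[bc]/ {
            type  = substr($1, 1, 1)          # b = block device, c = character device
            major = $5; sub(/,$/, "", major)  # "116," -> "116"
            minor = $6
            printf "mknod %s/%s %s %s %s\n", dir, $NF, type, major, minor
        }'
}

# gen_devices_line: read one or more listings on stdin and print the single
# DEVICES= line for [VEID].conf, one type:major:minor:rw entry per node,
# so that all forwarded devices land in the configuration at once.
gen_devices_line() {
    awk '
        /^[bc]/ {
            type = substr($1, 1, 1); major = $5; sub(/,$/, "", major)
            key = type ":" major ":" $6 ":rw"
            if (!(key in seen)) { seen[key] = 1; order[n++] = key }
        }
        END {
            line = "DEVICES=\""
            for (i = 0; i < n; i++) line = line order[i] " "
            print line "\""
        }'
}

# Stand-alone run: what would be written for the sound card plus fuse.
printf '%s\n' "$SND_LISTING" | gen_mknod /dev/snd
printf '%s\n%s\n' "$SND_LISTING" "$FUSE_LISTING" | gen_devices_line
```

The generator emits one `type:major:minor:rw` entry per node rather than `major:all`, because `all` covers every node with that major: on Linux major 10 is the misc major that also holds /dev/kvm and /dev/net/tun, and major 4 is the tty/virtual console major, so `c:4:all:rw` hands the container every host console. Paste the printed line into /etc/pve/openvz/[VEID].conf and run the mknod output inside the container (for example via vzctl exec).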
1.5. Forwarding X
Enter the container with vzctl (not via SSH).
Create a symlink:
rm /dev/tty0
ln -s /dev/tty1 /dev/tty0
If nscd is installed, remove it:
aptitude remove nscd
Install the required packages:
aptitude -R install xorg xserver-xorg-video-dummy xserver-xorg-input-kbd xserver-xorg-input-mouse alsa-base linux-sound-base libaudiofile0 dbus udev
Bring /etc/X11/xorg.conf to this form:
Section "InputDevice"
    Identifier "Dummy Input"
    Driver "void"
EndSection
Section "Device"
    Identifier "Dummy Video"
    Driver "dummy"
EndSection
Section "Monitor"
    Identifier "Configured Monitor"
EndSection
Section "Screen"
    Identifier "Default Screen"
    Monitor "Configured Monitor"
    Device "Dummy Video"
EndSection
Section "ServerLayout"
    Identifier "Default Layout"
    Screen "Default Screen"
    InputDevice "Dummy Input"
EndSection
Start X:
/usr/bin/X :<DISPLAY#>
where <DISPLAY#> is the display number (the Skype command below uses display 1). After that, X applications can be run in the container against that display.
For example, starting Skype (for Skypiax) under the "Skype" UID:
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &"
1.6. Forwarding disk partitions
For example, to forward the partition sda4 into the container:
vzctl set [VEID] --devnodes sda4:rw --save
1.7. Forwarding tun/tap
Needed, for example, to run a VPN inside the container.
Check whether the tun module is loaded on the hypervisor:
lsmod | grep tun
If it is not, load it and make it load at boot:
modprobe tun
echo "tun" >> /etc/modules
Then give the container the tun device (major 10, minor 200) and the net_admin capability:
vzctl stop [VEID]
vzctl set [VEID] --devices c:10:200:rw --save
vzctl set [VEID] --capability net_admin:on --save
vzctl start [VEID]
2. Firewall
To make iptables available inside the containers, edit the OpenVZ configuration on the hypervisor:
nano /etc/vz/vz.conf
and bring the IPTABLES line to this form:
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
Restart VZ:
/etc/init.d/vz restart
On the hypervisor itself, make the netfilter modules load at boot by adding them to /etc/modules (loop is listed here as well):
nano /etc/modules
ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop
The firewall itself is an init script:
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
    echo "Starting iptables"
    sysctl -w net.ipv4.tcp_synack_retries=1
    sysctl -w net.ipv4.tcp_max_syn_backlog=4096
    sysctl -w net.ipv4.tcp_fin_timeout=10
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.ipv4.tcp_keepalive_intvl=10
    sysctl -w net.ipv4.tcp_keepalive_probes=5
    sysctl -w net.ipv4.tcp_keepalive_time=60
    sysctl -w net.ipv4.conf.default.rp_filter=1
    #sysctl -w net.ipv4.ip_forward=0
    # Default policies: drop everything incoming, let forwarding and output through
    $IPT -P INPUT DROP
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    # Allow established and related connections
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Allow loopback
    $IPT -A INPUT -i lo -j ACCEPT
    # Trust the internal interfaces
    $IPT -A INPUT -i eth1 -j ACCEPT
    $IPT -A INPUT -i vmbr1 -j ACCEPT
    # Cluster multicast (corosync, UDP 5404 and 5405)
    $IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
    $IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
    # Drop new TCP connections that do not start with SYN
    $IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
    # SSH brute-force protection: a 4th new connection within 60 s from the same
    # address is dropped. The --set rule records every attempt and both recent
    # rules must come before the ACCEPT for port 22, otherwise the limiter never matches.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
    # Allowed services
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
    $IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
    $IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
    # Drop NetBIOS
    $IPT -A INPUT -p tcp --dport 137:139 -j DROP
    $IPT -A INPUT -p udp --dport 137:139 -j DROP
    # ICMP: echo request and time exceeded
    $IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
    $IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
    # Drop invalid packets
    $IPT -A INPUT -m state --state INVALID -j DROP
    # DHCP client replies (only needed if the host gets its address via DHCP)
    $IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
    # Drop TCP packets with bogus flag combinations
    $IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # SYN flood limiting: at most 2 new SYNs per second (burst 6), the rest are dropped
    $IPT -N SYN_FLOOD
    $IPT -A INPUT -p tcp --syn -j SYN_FLOOD
    $IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
    $IPT -A SYN_FLOOD -j DROP
    ;;
stop)
    echo "Stopping iptables"
    $IPT -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    ;;
*)
    echo "Usage: /etc/init.d/iptables {start|stop}"
    exit 1
    ;;
esac
exit 0
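To see what the SSH limiter in a script like this actually does, here is an added example (not from the original post) that replays a constructed list of new SSH connection attempts through a model of the three-rule sequence `-m recent --set`, `-m recent --update --seconds 60 --hitcount 4 -j DROP`, then ACCEPT. The model follows the xt_recent semantics: --set stamps every attempt, --update counts stamps inside the window and, when it matches, adds another stamp; the --rttl TTL check and the per-address stamp limit are left out. The attempt list and function name are my own.

```shell
#!/bin/sh
# Constructed sample: new SSH connection attempts as "<seconds> <source>", in arrival order.
ATTEMPTS='0 203.0.113.5
5 198.51.100.7
10 203.0.113.5
20 203.0.113.5
30 203.0.113.5
45 203.0.113.5
130 203.0.113.5'

# ssh_limiter WINDOW HITCOUNT: replay attempts from stdin through the model
#   -m recent --set
#   -m recent --update --seconds WINDOW --hitcount HITCOUNT -j DROP
#   -j ACCEPT
# and print "<seconds> <source> <verdict>" for every attempt.
ssh_limiter() {
    awk -v window="$1" -v hits="$2" '
        {
            t = $1; src = $2
            stamps[src] = stamps[src] " " t       # --set: record this attempt
            n = split(stamps[src], s, " ")
            c = 0
            for (i = 1; i <= n; i++)
                if (t - s[i] <= window) c++       # stamps still inside the window
            if (c >= hits) {
                verdict = "DROP"
                stamps[src] = stamps[src] " " t   # --update also stamps the matching packet
            } else {
                verdict = "ACCEPT"
            }
            print t, src, verdict
        }'
}

# Stand-alone run with the values used in the script above.
printf '%s\n' "$ATTEMPTS" | ssh_limiter 60 4
```

Rule order decides everything here: with the ACCEPT for port 22 placed before the recent rules, or without a --set rule, no attempt is ever dropped. A user who mistypes a password four times within the window is blocked for the same period, so keep the window short, as the script does.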
3. Various small things
Set the time zone (here Europe/Simferopol):
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
Disable the subscription notice in the web interface: in the file
/usr/share/pve-manager/ext4/pvemanagerlib.js
replace the line
if (data.status !== 'Active') {
with
if (data.status == 'Active') {
If Proxmox reports 'exit code 60' – corrupt quota file when a container starts, repair the quota:
vzquota off [VEID]
vzquota : (error) Quota is not running for id [VEID]
vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
vzquota on [VEID]
If the cluster reports (cluster not ready - no quorum), the expected number of votes can be set by hand:
pvecm e <votes> (where <votes> is the number of votes expected for quorum)
Basic OpenVZ container commands, where [VEID] is the container number:
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
UPD-1: Forwarding VLAN
The server has 2 network cards; VLANs 151, 152 and 666 need to be forwarded into the containers.
Add to /etc/network/interfaces:
auto vlan151
iface vlan151 inet manual
    vlan_raw_device eth0
auto vlan152
iface vlan152 inet manual
    vlan_raw_device eth0
auto vlan666
iface vlan666 inet manual
    vlan_raw_device eth0
auto vmbr151
iface vmbr151 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan151
    bridge_stp off
    bridge_fd 0
auto vmbr152
iface vmbr152 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan152
    bridge_stp off
    bridge_fd 0
auto vmbr666
iface vmbr666 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan666
    bridge_stp off
    bridge_fd 0
Install the vlan package:
apt-get install vlan
Bring the VLAN interfaces up:
ifup vlan151
ifup vlan152
ifup vlan666
Check the result with:
ifconfig
After that, the new bridges appear in the web interface (network) and can be assigned to containers.
One more thing: the settings for the second card (a plain debian stanza) are kept in a separate file
/etc/network/interfaces.tail
auto eth1
iface eth1 inet static
    address 10.7.10.5
    netmask 255.255.255.0
and appended to the main configuration:
cat /etc/network/interfaces.tail >> /etc/network/interfaces
The *.tail file is kept separately because the web interface overwrites /etc/network/interfaces, after which the tail has to be appended again.
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
![](https://habrastorage.org/getpro/habr/comment_images/421/900/493/42190049348f9298880c4d8ec5005b49.png)
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
# Kernel TCP hardening: fewer SYN-ACK retries, larger SYN backlog, short FIN timeout, SYN cookies, aggressive keepalive, source address validation
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
# Default policies: drop incoming, allow forwarded (container traffic) and outgoing
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# Packets that belong to connections already established or related to them
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback
$IPT -A INPUT -i lo -j ACCEPT
# Internal interfaces are trusted completely
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
# Multicast and the corosync ports used by the Proxmox cluster
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# A new TCP connection must start with SYN (inserted at the top of the chain)
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
# SSH brute-force limit: record every new connection, then drop a source that opens its 4th one within 60 s.
# These two rules must come before the ACCEPT for port 22, otherwise the limit never triggers.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# Services reachable from outside
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# NetBIOS
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP: echo request and time exceeded
$IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# Packets conntrack cannot classify
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP replies (server port 67 to client port 68)
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# XMAS (all flags set) and NULL (no flags) scans
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
# Other invalid flag combinations
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN flood limit: at most 2 new SYNs per second with a burst of 6, the rest are dropped
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
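The SSH rate limit in the script above only works when a "recent --set" rule records each new connection and the unconditional ACCEPT for port 22 comes after the "recent --update ... DROP" rule. The following lint, added here as an example and not part of the original article, checks an iptables-save dump for exactly that; the function names (ipt_*) and the two dumps are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: lint an iptables-save dump
# for the SSH rate-limit pattern used in the firewall script on this page.
# The dumps below are constructed for the demo, not captured from a real host.

# Read an iptables-save dump on stdin, print one line per problem found in
# the INPUT chain, and exit with the number of problems (0 = sane).
ipt_lint_ssh_limit() {
    awk '
    /^:INPUT / { policy = $2 }
    /^-A INPUT / {
        n++                                   # position in the INPUT chain
        if ($0 !~ /--dport 22( |$)/) next
        if ($0 ~ /-j ACCEPT/ && !accept) accept = n
        if ($0 ~ /-m recent/ && $0 ~ /--set/) set = n
        if ($0 ~ /-m recent/ && $0 ~ /--update/ && $0 ~ /-j DROP/) drop = n
    }
    END {
        bad = 0
        if (policy != "DROP") { print "INPUT policy is " policy ", expected DROP"; bad++ }
        if (!drop) { print "no recent --update ... -j DROP rule for tcp/22: no rate limit"; bad++ }
        else if (accept && accept < drop) {
            print "ACCEPT for tcp/22 (rule " accept ") precedes the rate-limit DROP (rule " drop "): limit never fires"
            bad++
        }
        if (!set) { print "no recent --set rule for tcp/22: hit counter never increments"; bad++ }
        exit bad
    }'
}

# Constructed dump with the two mistakes: ACCEPT before DROP, and no --set rule.
ipt_dump_broken() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
COMMIT
EOF
}

# Constructed dump with the rules in a working order: set, then update/DROP, then ACCEPT.
ipt_dump_fixed() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT
COMMIT
EOF
}

# Number of problems the lint reports for the dump printed by command $1.
ipt_lint_count() {
    "$1" | ipt_lint_ssh_limit | grep -c . || true
}

# Stand-alone demo: report on both constructed dumps.
ipt_lint_demo() {
    for d in ipt_dump_broken ipt_dump_fixed; do
        printf '%s: %s problem(s)\n' "$d" "$(ipt_lint_count "$d")"
        "$d" | ipt_lint_ssh_limit || true
    done
}
ipt_lint_demo
```

On a live host the same check is `iptables-save | ipt_lint_ssh_limit`.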
3. Various little things
Setting the time zone (Europe/Simferopol in this example):
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
Disabling the subscription notice in the web interface: in the file
/usr/share/pve-manager/ext4/pvemanagerlib.js
replace the line
if (data.status !== 'Active') {
with
if (data.status == 'Active') {
Proxmox: 'exit code 60' – corrupt quota file. Turn the container's quota off and on again; the warning about repairing the quota is expected:
vzquota off [VEID]
vzquota : (error) Quota is not running for id [VEID]
vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
vzquota on [VEID]
If the cluster reports "cluster not ready - no quorum", the expected vote count can be lowered with
pvecm e (pvecm expected)
Basic OpenVZ container commands, where [VEID] is the container number:
vzctl start [VEID] - start the container
vzctl enter [VEID] - open a shell inside the container
vzctl stop [VEID] - stop the container
vzctl restart [VEID] - restart the container
vzctl destroy [VEID] - delete the container and its private area
vzlist -a - list all containers, running or not
UPD-1: Forwarding VLANs
Suppose VLANs 151, 152 and 666 have to be brought into the containers. On the hypervisor, add to
/etc/network/interfaces
auto vlan151
iface vlan151 inet manual
    vlan_raw_device eth0
auto vlan152
iface vlan152 inet manual
    vlan_raw_device eth0
auto vlan666
iface vlan666 inet manual
    vlan_raw_device eth0
auto vmbr151
iface vmbr151 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan151
    bridge_stp off
    bridge_fd 0
auto vmbr152
iface vmbr152 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan152
    bridge_stp off
    bridge_fd 0
auto vmbr666
iface vmbr666 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan666
    bridge_stp off
    bridge_fd 0
Install the vlan package, bring the VLAN interfaces up and check the result:
apt-get install vlan
ifup vlan151
ifup vlan152
ifup vlan666
ifconfig
After that the bridges vmbr151, vmbr152 and vmbr666 appear in the web interface (Network) and can be used for containers.
Note: on Debian, additional interface settings that should not be lost when the network configuration is regenerated can be kept in a separate file, for example
/etc/network/interfaces.tail
auto eth1
iface eth1 inet static
    address 10.7.10.5
    netmask 255.255.255.0
and appended with
cat /etc/network/interfaces.tail >> /etc/network/interfaces
The *.tail file itself is not touched by the web interface, so the settings in it survive.
For example, to start Skype (for instance for Skypiax) under the UID "skype", with DISPLAY pointing at the forwarded X server :1:
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &"
Note that a login and password passed on the command line like this are visible in the process list and the shell history; keeping them in a file readable only by that user and piping the file in is safer.
1.6. Forwarding a disk partition
For example, to forward the partition sda4 into the container:
vzctl set [VEID] --devnodes sda4:rw --save
1.7. Enabling tun/tap
Needed to run a VPN inside a container. Check whether the tun module is loaded on the hypervisor:
lsmod | grep tun
If it is not, load it and make it load at boot:
modprobe tun
echo "tun" >> /etc/modules
Then give the container the tun device and the net_admin capability (which lets it reconfigure its own network stack, so grant it only to containers that need it):
vzctl stop [VEID]
vzctl set [VEID] --devices c:10:200:rw --save
vzctl set [VEID] --capability net_admin:on --save
vzctl start [VEID]
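Sections 1.3, 1.6 and 1.7 each widen what a container may touch on the host. The audit below is an added example, not part of the original article: it reads a container config and reports every DEVICES, DEVNODES and CAPABILITY grant with a severity; the vz_* function names and the sample config are constructed, and the config path is assumed to be the [VEID].conf file the page edits.

```shell
#!/bin/sh
# Added example, not from the original article: audit an OpenVZ container
# config (e.g. /etc/pve/openvz/[VEID].conf) for the device and capability
# grants that sections 1.3, 1.6 and 1.7 of this page add.

# Print the items of variable $2 from config file $1, quotes stripped,
# one item per line (vzctl stores them space-separated, often with a
# trailing space).
vz_conf_items() {
    grep "^$2=" "$1" | sed -e 's/^[A-Za-z_]*=//' -e 's/"//g' | tr ' ' '\n' | grep .
}

# Print one finding per line: SEVERITY<tab>SETTING<tab>REASON
vz_audit_conf() {
    conf="$1"
    # DEVICES entries look like c:10:229:rw; "all" in place of major:minor
    # or of the minor grants a whole class of devices at once.
    vz_conf_items "$conf" DEVICES | while read -r dev; do
        case "$dev" in
            *:none)  ;;
            *:all:*) printf 'HIGH\tDEVICES=%s\twhole major (or every device) granted\n' "$dev" ;;
            *:rw)    printf 'MEDIUM\tDEVICES=%s\tread-write access to a host device\n' "$dev" ;;
            *)       printf 'LOW\tDEVICES=%s\tread-only or write-only host device access\n' "$dev" ;;
        esac
    done
    # DEVNODES entries name a node under /dev, e.g. ttyUSB0:rw or sda4:rw.
    vz_conf_items "$conf" DEVNODES | while read -r node; do
        case "$node" in
            *:none)           ;;
            sd*|hd*|vd*|dm-*) printf 'HIGH\tDEVNODES=%s\tblock device exposed; container can read or change its contents\n' "$node" ;;
            *)                printf 'MEDIUM\tDEVNODES=%s\thost device node exposed\n' "$node" ;;
        esac
    done
    # CAPABILITY entries look like NET_ADMIN:on; compare case-insensitively.
    vz_conf_items "$conf" CAPABILITY | tr 'A-Z' 'a-z' | while read -r cap; do
        case "$cap" in
            *:off) ;;
            net_admin:on|sys_admin:on|sys_module:on|sys_rawio:on)
                   printf 'HIGH\tCAPABILITY=%s\tprivileged capability enabled\n' "$cap" ;;
            *:on)  printf 'MEDIUM\tCAPABILITY=%s\textra capability enabled\n' "$cap" ;;
        esac
    done
}

# Count findings of severity $2 (all findings when $2 is empty) in config $1.
vz_audit_count() {
    vz_audit_conf "$1" | grep -c "^${2:-}" || true
}

# Constructed sample config, not taken from a real host; it combines the
# grants this page makes: fuse (c:10:229), every USB device (c:189:all),
# tun (c:10:200), a ttyUSB node, the sda4 partition and NET_ADMIN.
vz_sample_conf() {
    cat <<'EOF'
ONBOOT="yes"
HOSTNAME="ct101.example"
DEVICES="c:10:229:rw c:189:all:rw c:10:200:rw "
DEVNODES="ttyUSB1:rw sda4:rw "
CAPABILITY="NET_ADMIN:on "
IP_ADDRESS="10.1.1.2"
EOF
}

# Stand-alone demo: audit the sample config and summarise.
vz_audit_demo() {
    tmp=$(mktemp) || return 1
    vz_sample_conf > "$tmp"
    vz_audit_conf "$tmp"
    printf 'HIGH: %s, MEDIUM: %s, total: %s\n' \
        "$(vz_audit_count "$tmp" HIGH)" "$(vz_audit_count "$tmp" MEDIUM)" "$(vz_audit_count "$tmp")"
    rm -f "$tmp"
}
vz_audit_demo
```

To review a whole node, run vz_audit_conf over each /etc/pve/openvz/*.conf file.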
2. Firewall
To let containers use iptables, list the required modules in the IPTABLES variable in /etc/vz/vz.conf:
nano /etc/vz/vz.conf
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
Restart VZ:
/etc/init.d/vz restart
Load the modules on the hypervisor at boot as well (one per line in /etc/modules):
nano /etc/modules
ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
![](https://habrastorage.org/getpro/habr/comment_images/421/900/493/42190049348f9298880c4d8ec5005b49.png)
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
2. Firewall
For iptables to work inside containers, the hypervisor has to allow the netfilter modules to them. On the hypervisor, edit /etc/vz/vz.conf:
nano /etc/vz/vz.conf
and set the IPTABLES variable to the list of modules containers may use:
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
Restart the VZ service:
/etc/init.d/vz restart
Also make sure the modules themselves are loaded on the hypervisor at boot by listing them, one per line, in /etc/modules (the list below also covers NAT):
nano /etc/modules
ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop
The firewall itself is an init script on the hypervisor, /etc/init.d/iptables:
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
# TCP stack tuning: fewer SYN-ACK retries, larger SYN backlog, SYN cookies,
# short FIN timeout, aggressive keepalives, reverse-path filtering
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
# Default policies: nothing comes in unless a rule below allows it
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# New TCP connections must begin with a SYN (inserted at the top of the chain)
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
# Traffic belonging to connections that are already established
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback
$IPT -A INPUT -i lo -j ACCEPT
# Trusted interfaces: the internal NIC and the container bridge
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
# Cluster traffic: multicast and corosync on UDP 5404/5405
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# Sanity checks come before any service is accepted, otherwise an earlier
# ACCEPT would let the bogus packets through: packets conntrack cannot
# classify, then TCP flag combinations that only scanners send
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN flood limiter: at most 2 new SYNs per second with a burst of 6, the rest
# is dropped; it has to sit before the service rules to see their SYNs at all
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
# SSH brute-force limiter: a source that opened more than 4 new connections
# within 60 s is dropped, otherwise the attempt is recorded (--set) and accepted.
# The DROP must precede the ACCEPT and the list must be fed with --set, or the
# limit never triggers
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT ## SSH
# Management services
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# NetBIOS (dropped explicitly; the INPUT policy would drop it anyway)
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP: echo request and time exceeded only
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
# DHCP replies to this host
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
;;
stop)
echo "Stopping iptables"
# Flush all rules, delete user chains and open the default policies again
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
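An added check for the rule in the script above that is easiest to get wrong, not part of the original script: the -m recent limiter on port 22 only works if some rule adds sources to the list with --set and the --update/--rcheck DROP rule stands before the ACCEPT for the same port, because iptables stops at the first matching rule. The lint below reads rule lines from stdin and reports both mistakes; the two rule sets in it are constructed samples of the broken and the corrected ordering.

```sh
#!/bin/sh
# Added example, not from the original note: a small rule-order lint for the
# "-m recent" brute-force limiter.  It flags (a) a recent list that is checked
# with --update/--rcheck but never fed with --set, and (b) an ACCEPT for the
# same destination port that precedes the check and therefore shadows it.
# Input: one rule per line, "iptables ..." style or iptables-save style.

# lint_recent_rules < rules -> one finding per line on stdout; exit 1 if any
lint_recent_rules() {
    awk '
    BEGIN { bad = 0 }
    # first ACCEPT rule seen for each destination port
    /-j ACCEPT/ && match($0, /--dport [0-9:]+/) {
        port = substr($0, RSTART + 8, RLENGTH - 8)
        if (!(port in accept_at)) accept_at[port] = NR
    }
    /-m recent/ && match($0, /--name [A-Za-z0-9_]+/) {
        name = substr($0, RSTART + 7, RLENGTH - 7)
        if ($0 ~ /--set/) set_at[name] = NR
        if ($0 ~ /--update|--rcheck/) {
            check_at[name] = NR
            if (match($0, /--dport [0-9:]+/))
                check_port[name] = substr($0, RSTART + 8, RLENGTH - 8)
        }
    }
    END {
        for (n in check_at) {
            if (!(n in set_at)) {
                printf "line %d: list \"%s\" is checked but nothing adds to it (no --set rule)\n", check_at[n], n
                bad = 1
            }
            p = check_port[n]
            if (p != "" && (p in accept_at) && accept_at[p] < check_at[n]) {
                printf "line %d: ACCEPT for dport %s on line %d comes first, so the limit never applies\n", check_at[n], p, accept_at[p]
                bad = 1
            }
        }
        exit bad
    }'
}

# lint_count RULES -> number of findings for a rule set held in a string
lint_count() {
    printf '%s\n' "$1" | lint_recent_rules | wc -l | tr -d ' '
}

# Constructed sample: the SSH rules in the order the script originally had them
BROKEN_RULES='iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP'

# Constructed sample: corrected order, with --set feeding the list
FIXED_RULES='iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT'

echo "== original order =="
printf '%s\n' "$BROKEN_RULES" | lint_recent_rules || true
echo "== corrected order =="
printf '%s\n' "$FIXED_RULES" | lint_recent_rules && echo "no findings"
```

On a live host the same check runs over the active rule set with `iptables-save | lint_recent_rules`, since the lint only looks at the `-j ACCEPT`, `--dport`, `-m recent` and `--name` tokens that iptables-save prints unchanged.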
3. Miscellaneous
Set the time zone (here Europe/Simferopol) and check the result:
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
Disable the subscription notice in the web interface by changing the status check in /usr/share/pve-manager/ext4/pvemanagerlib.js from
if (data.status !== 'Active') {
to
if (data.status == 'Active') {
The file is replaced whenever pve-manager is upgraded, so the edit has to be repeated after each update.
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
![](https://habrastorage.org/getpro/habr/comment_images/421/900/493/42190049348f9298880c4d8ec5005b49.png)
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
# TCP stack hardening: fewer SYN-ACK retries, larger SYN backlog, short FIN timeout, SYN cookies, aggressive keepalives
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
# Reverse-path filtering (the "default" key only covers interfaces created afterwards; set net.ipv4.conf.all.rp_filter=1 as well for the existing ones)
sysctl -w net.ipv4.conf.default.rp_filter=1
# Forwarding stays enabled: the containers and VMs behind the bridges need it
#sysctl -w net.ipv4.ip_forward=0
# Start from empty tables, so that a repeated "start" neither appends duplicate rules nor fails on "-N SYN_FLOOD"
$IPT -F
$IPT -X
# Default policies: drop everything inbound, allow forwarding and outbound
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# Replies to connections opened from the host, and related traffic
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback
$IPT -A INPUT -i lo -j ACCEPT
# Trusted internal interfaces: the internal NIC and the container/VM bridge
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
# Multicast and corosync (Proxmox cluster traffic, UDP 5404/5405)
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# A new TCP connection must start with a SYN packet
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
# SSH brute-force limiter: record every new connection, drop the 4th and later ones within 60 seconds from the same address.
# Both rules must precede the SSH ACCEPT below, otherwise the ACCEPT matches first and the limiter never fires.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# Services reachable from outside
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# NetBIOS
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP: echo request and time exceeded
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
# Packets conntrack cannot classify
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP replies to the host's own client (only needed when the host gets its address via DHCP)
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# TCP packets with all flags set or none set (XMAS/NULL scans)
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
# Other invalid flag combinations
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN flood limiter: at most 2 new SYNs per second (burst 6) pass, the rest are dropped.
# It only sees SYNs that were not accepted by the rules above, i.e. those to closed ports.
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
# Note: "stop" leaves the host fully open (all policies ACCEPT)
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
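In the script above the order of the rules decides whether the SSH limiter ever fires, and the stop branch silently leaves the host open. As an added check (example code written for this page, not part of the original), the following POSIX shell function audits an iptables-save dump for the properties the script is meant to guarantee: INPUT policy DROP, an ESTABLISHED accept, no blanket accept, and the recent-set rule placed before the SSH accept. The two sample dumps are constructed; the second one reproduces the accept-before-limiter ordering mistake. Regex details (for example the `--mask`/`--rsource` suffixes iptables-save adds) are assumptions about the dump format.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the properties the init script
# above is meant to guarantee. Not part of the original page.
# Usage: iptables-save > /tmp/rules.txt; audit_filter_rules /tmp/rules.txt

# Prints one finding per line; exit status 0 when the dump passes, 1 otherwise.
audit_filter_rules() {
    dump="$1"
    findings=0

    # 1. The INPUT chain must default to DROP.
    if ! grep -q '^:INPUT DROP' "$dump"; then
        echo "FINDING: INPUT policy is not DROP"
        findings=$((findings + 1))
    fi

    # 2. Replies to the host's own connections must be let in (state or conntrack syntax).
    if ! grep -Eq -- '-A INPUT .*(--state|--ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT' "$dump"; then
        echo "FINDING: no RELATED,ESTABLISHED accept rule in INPUT"
        findings=$((findings + 1))
    fi

    # 3. An unconditional accept in INPUT makes the DROP policy meaningless.
    if grep -Eq -- '^-A INPUT -j ACCEPT$' "$dump"; then
        echo "FINDING: unconditional '-A INPUT -j ACCEPT' present"
        findings=$((findings + 1))
    fi

    # 4. SSH limiter ordering: the 'recent --set' rule must come before the plain
    #    ACCEPT for port 22, otherwise the ACCEPT wins and the limiter never fires.
    set_line=$(grep -n -- '--dport 22 .*-m recent --set' "$dump" | head -n1 | cut -d: -f1)
    acc_line=$(grep -n -- '--dport 22 .*-j ACCEPT' "$dump" | grep -v -- '-m recent' | head -n1 | cut -d: -f1)
    if [ -n "$acc_line" ]; then
        if [ -z "$set_line" ] || [ "$set_line" -gt "$acc_line" ]; then
            echo "FINDING: SSH rate limiter missing or placed after the SSH ACCEPT"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample dumps in iptables-save form (not captured from a real host).
sample_dump_good() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_FLOOD - [0:0]
-A INPUT -p tcp -m conntrack --ctstate NEW ! --syn -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Same mistakes as a careless script: policy ACCEPT, blanket accept, limiter after the SSH accept and no --set rule.
sample_dump_bad() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
COMMIT
EOF
}

# Runs the audit on the output of a sample function and prints the number of findings.
audit_sample() {
    f=$(mktemp)
    "$1" > "$f"
    n=$(audit_filter_rules "$f" | wc -l | tr -d ' ')
    rm -f "$f"
    echo "$n"
}

# Stand-alone usage: ./audit.sh /path/to/iptables-save-dump
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    audit_filter_rules "$1"
fi
```

Run it against `iptables-save` output after every change to the init script; a non-zero exit means at least one of the guarantees is gone.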
3. Various small things
Setting the hypervisor time zone (Europe/Simferopol in this example):
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
Web interface. The subscription-status dialog of the web interface is controlled by one check in /usr/share/pve-manager/ext4/pvemanagerlib.js. To suppress it, replace the line
if (data.status !== 'Active') {
with
if (data.status == 'Active') {
(a pve-manager package update overwrites the file, so the edit has to be repeated after updates).
Proxmox: 'exit code 60' – corrupt quota file. Switch the container's quota off and back on; vzquota repairs the stale state on the way:
vzquota off [VEID]
vzquota : (error) Quota is not running for id [VEID]
vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
vzquota on [VEID]
If the node refuses to manage containers with "cluster not ready - no quorum" (for example, while the other cluster nodes are down), lower the number of votes the node expects:
pvecm e <votes>
(pvecm e is short for pvecm expected; the argument is the number of votes to expect. Restore the real value once the other nodes are back.)
Basic OpenVZ container commands, where [VEID] is the container number:
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
vzlist -a lists all containers, running and stopped, with their status, IP address and hostname.
UPD-1: forwarding VLANs
Example for VLANs 151, 152 and 666 on the physical interface eth0: each VLAN gets a VLAN interface and its own bridge (vmbr151, vmbr152, vmbr666), and the bridge is then assigned to containers or VMs.
Add to /etc/network/interfaces:
auto vlan151
iface vlan151 inet manual
vlan_raw_device eth0

auto vlan152
iface vlan152 inet manual
vlan_raw_device eth0

auto vlan666
iface vlan666 inet manual
vlan_raw_device eth0

auto vmbr151
iface vmbr151 inet static
address 0.0.0.0
netmask 255.255.255.255
bridge_ports vlan151
bridge_stp off
bridge_fd 0

auto vmbr152
iface vmbr152 inet static
address 0.0.0.0
netmask 255.255.255.255
bridge_ports vlan152
bridge_stp off
bridge_fd 0

auto vmbr666
iface vmbr666 inet static
address 0.0.0.0
netmask 255.255.255.255
bridge_ports vlan666
bridge_stp off
bridge_fd 0
Install the VLAN tools on the hypervisor:
apt-get install vlan
Bring the VLAN interfaces up and check the result:
ifup vlan151
ifup vlan152
ifup vlan666
ifconfig
The new bridges then appear in the web interface under Network and can be selected for containers.
Note: the web interface rewrites /etc/network/interfaces when network settings are changed there. Settings that must survive this go into /etc/network/interfaces.tail, for example a static address on eth1:
/etc/network/interfaces.tail
auto eth1
iface eth1 inet static
address 10.7.10.5
netmask 255.255.255.0
Append it to the main file:
cat /etc/network/interfaces.tail >> /etc/network/interfaces
The *.tail file is what keeps these settings safe: whenever the web interface regenerates the network configuration, its contents are appended again.
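The three VLAN/bridge pairs above are identical apart from the ID, and a typo in one of them breaks ifup for all of them. As an added example (written for this page, not part of the original), the following POSIX shell function generates the same stanzas for any list of VLAN IDs on a given raw device and refuses IDs outside the 802.1Q range 1..4094 before writing anything. The function and helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): generate the /etc/network/interfaces stanzas
# that the UPD-1 section writes by hand, for any list of VLAN IDs on one raw device.
# Usage: gen_vlan_stanzas eth0 151 152 666 >> /etc/network/interfaces.tail

# Returns 0 if the argument is an integer in the 802.1Q range 1..4094, 1 otherwise.
valid_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Prints one vlanN + vmbrN pair per ID. Validates every ID first, so an invalid
# ID rejects the whole request instead of leaving a half-written configuration.
gen_vlan_stanzas() {
    raw="$1"; shift
    for id in "$@"; do
        valid_vlan_id "$id" || { echo "invalid VLAN id: $id" >&2; return 1; }
    done
    for id in "$@"; do
        # VLAN interface on the raw device, no address of its own
        printf 'auto vlan%s\niface vlan%s inet manual\n\tvlan_raw_device %s\n\n' "$id" "$id" "$raw"
        # Bridge on top of it, same settings as in the hand-written config above
        printf 'auto vmbr%s\niface vmbr%s inet static\n\taddress 0.0.0.0\n\tnetmask 255.255.255.255\n\tbridge_ports vlan%s\n\tbridge_stp off\n\tbridge_fd 0\n\n' "$id" "$id" "$id"
    done
}

# Helper for checks: number of "iface" lines produced for a list of IDs (0 when rejected).
count_ifaces() {
    gen_vlan_stanzas "$@" 2>/dev/null | grep -c '^iface' || true
}
```

For the page's example, `gen_vlan_stanzas eth0 151 152 666` produces six stanzas (three vlan, three vmbr); writing them to interfaces.tail rather than straight into interfaces keeps them out of the way of the web interface.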
With the X display forwarded into the container (section 1.5), graphical programs can be run there. Example: Skype (for Skypiax) started under the dedicated UID "skype", with DISPLAY pointing at the forwarded X server:
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &"
(secret:password stands for the Skype login and password; --pipelogin reads them from standard input.)
1.6. Forwarding a disk partition
For example, to give the container the partition sda4:
vzctl set [VEID] --devnodes sda4:rw --save
1.7. Enabling tun/tap
Needed, for example, to run a VPN inside the container. On the hypervisor, check whether the tun module is loaded:
lsmod | grep tun
If it is not, load it and make it persistent:
modprobe tun
echo "tun" >> /etc/modules
Then give the container the device node (character device 10:200) and the net_admin capability it needs to configure the interface:
vzctl stop [VEID]
vzctl set [VEID] --devices c:10:200:rw --save
vzctl set [VEID] --capability net_admin:on --save
vzctl start [VEID]
iptables inside containers
For iptables to work inside a container, the hypervisor has to allow the corresponding netfilter modules for containers. Edit /etc/vz/vz.conf:
nano /etc/vz/vz.conf
and set the IPTABLES variable:
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
Restart the VZ service:
/etc/init.d/vz restart
If that is not enough (for example, some modules are still missing in the container), load them on the hypervisor at boot by adding them to /etc/modules:
nano /etc/modules
ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop
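A container that is supposed to run a VPN needs all three things from sections 1.7 and above at once: the tun device node, the net_admin capability and the iptables modules enabled in vz.conf, and a missing one only shows up as a vague failure inside the container. As an added preflight check (example code written for this page, not part of the original), the following POSIX shell function reads the container config in the form vzctl --save writes it (DEVICES= and CAPABILITY= lines) and the IPTABLES= line of /etc/vz/vz.conf, and lists what is missing. The required-module list is a subset of the page's list chosen for stateful filtering and NAT; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the page): preflight check before starting a container that
# needs tun/tap and iptables. Reads /etc/pve/openvz/[VEID].conf and /etc/vz/vz.conf.
# Usage: check_ct_prereqs /etc/pve/openvz/101.conf /etc/vz/vz.conf

# Modules a container needs for stateful filtering and NAT (subset of the page's
# IPTABLES list; extend it to whatever the container actually uses).
REQUIRED_IPT_MODULES="ip_tables iptable_filter ipt_state ip_conntrack iptable_nat"

# Prints one line per missing item; exit status 0 only when nothing is missing.
check_ct_prereqs() {
    ctconf="$1"; vzconf="$2"; missing=0

    # The tun device node (character major 10, minor 200) must be granted to the container.
    if ! grep -Eq '^DEVICES=.*c:10:200:rw' "$ctconf"; then
        echo "MISSING: DEVICES c:10:200:rw (vzctl set VEID --devices c:10:200:rw --save)"
        missing=$((missing + 1))
    fi
    # net_admin lets the container configure the tun interface and its routes.
    if ! grep -Eq '^CAPABILITY=.*net_admin:on' "$ctconf"; then
        echo "MISSING: CAPABILITY net_admin:on (vzctl set VEID --capability net_admin:on --save)"
        missing=$((missing + 1))
    fi
    # Every required module must appear in the IPTABLES= value of vz.conf
    # (last assignment wins, quotes stripped, padded with spaces for whole-word matching).
    ipt_line=$(grep -E '^IPTABLES=' "$vzconf" | tail -n1)
    ipt_mods=" $(echo "$ipt_line" | tr -d '"' | cut -d= -f2-) "
    for mod in $REQUIRED_IPT_MODULES; do
        case "$ipt_mods" in
            *" $mod "*) ;;
            *) echo "MISSING: iptables module $mod in IPTABLES= of $vzconf"
               missing=$((missing + 1)) ;;
        esac
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample files: a prepared container plus the page's vz.conf line,
# and an unprepared container plus a minimal vz.conf.
sample_ct_ready() {
cat <<'EOF'
ONBOOT="yes"
DEVICES="c:10:229:rw c:10:200:rw "
CAPABILITY="net_admin:on "
EOF
}
sample_ct_unprepared() {
cat <<'EOF'
ONBOOT="yes"
DEVICES="c:10:229:rw "
EOF
}
sample_vzconf_full() {
cat <<'EOF'
## Global parameters
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
EOF
}
sample_vzconf_minimal() {
cat <<'EOF'
IPTABLES="ip_tables iptable_filter"
EOF
}

# Runs the check on two sample functions and prints the number of missing items.
count_missing() {
    c=$(mktemp); v=$(mktemp)
    "$1" > "$c"; "$2" > "$v"
    n=$(check_ct_prereqs "$c" "$v" | wc -l | tr -d ' ')
    rm -f "$c" "$v"
    echo "$n"
}
```

Run it before `vzctl start [VEID]`; each MISSING line names the vzctl command or the vz.conf entry that fixes it.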
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
2. Firewall
First, allow the netfilter modules that containers may use. The list is the IPTABLES variable in the global OpenVZ config on the hypervisor and is the default for every container (a single container can be given its own list with the --iptables option of vzctl set):
nano /etc/vz/vz.conf
Set the IPTABLES line to:
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
and restart the VZ service so that containers started from now on get the new default:
/etc/init.d/vz restart
Now the hypervisor's own firewall. Its init script (below) needs a number of netfilter modules; add them to /etc/modules, one module per line, which is the format that file requires, so they are loaded at boot:
nano /etc/modules
ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop
The script itself goes into /etc/init.d/iptables; make it executable and register it with update-rc.d so that it runs at boot:
#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables.sh
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: My firewall
# Description:       Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
    echo "Starting iptables"
    # TCP stack tuning: fewer SYN-ACK retries, bigger SYN backlog, SYN cookies,
    # short FIN timeout and aggressive keepalives so half-open junk expires quickly
    sysctl -w net.ipv4.tcp_synack_retries=1
    sysctl -w net.ipv4.tcp_max_syn_backlog=4096
    sysctl -w net.ipv4.tcp_fin_timeout=10
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.ipv4.tcp_keepalive_intvl=10
    sysctl -w net.ipv4.tcp_keepalive_probes=5
    sysctl -w net.ipv4.tcp_keepalive_time=60
    # reverse-path filtering against spoofed sources; "default" only covers interfaces
    # created later, "all" is needed for the ones that already exist
    sysctl -w net.ipv4.conf.default.rp_filter=1
    sysctl -w net.ipv4.conf.all.rp_filter=1
    # ip_forward has to stay enabled: OpenVZ venet/veth networking relies on it
    #sysctl -w net.ipv4.ip_forward=0

    # start from an empty ruleset so that a second "start" does not duplicate rules
    $IPT -F
    $IPT -X
    # policies: nothing reaches the host unless allowed below; forwarded (container)
    # and outgoing traffic are not filtered here
    $IPT -P INPUT DROP
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    # a new TCP connection must begin with a SYN
    $IPT -A INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
    # packets conntrack cannot classify, and bogus flag combinations (null/xmas scans).
    # These have to sit before any ACCEPT, otherwise the accepted ports never see them.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # replies to connections the host opened, related traffic (ftp data, ICMP errors), loopback
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # trusted internal interfaces: everything from them is accepted, which includes
    # every container attached to vmbr1, so those containers are trusted as well
    $IPT -A INPUT -i eth1 -j ACCEPT
    $IPT -A INPUT -i vmbr1 -j ACCEPT
    # SYN flood limiter: every remaining SYN passes through SYN_FLOOD, which lets
    # 2/s with a burst of 6 through and drops the rest. The limit is global, not per
    # source, so it also throttles legitimate clients (a browser opening the web panel
    # starts several connections at once); raise it or use -m hashlimit if that bites.
    $IPT -N SYN_FLOOD
    $IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
    $IPT -A SYN_FLOOD -j DROP
    $IPT -A INPUT -p tcp --syn -j SYN_FLOOD
    # Proxmox cluster traffic: multicast and corosync (udp 5404, 5405)
    $IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
    $IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
    # SSH brute-force limiter: record each new connection, drop the 4th and later from
    # the same source within 60 s, only then accept. Both "recent" rules must precede
    # the ACCEPT; with the ACCEPT first the limiter never fires.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
    # management services, reachable from everywhere; narrow them with -s where possible
    $IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
    $IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
    # NetBIOS noise, dropped explicitly (the INPUT policy would drop it anyway)
    $IPT -A INPUT -p tcp --dport 137:139 -j DROP
    $IPT -A INPUT -p udp --dport 137:139 -j DROP
    # ICMP: echo request (ping) and time exceeded (traceroute)
    $IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    # DHCP answers from a DHCP server, in case an interface is configured that way
    $IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
    ;;
stop)
    echo "Stopping iptables"
    $IPT -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    ;;
*)
    echo "Usage: /etc/init.d/iptables {start|stop}"
    exit 1
    ;;
esac
exit 0
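Rule order is the easy thing to get wrong in a script like this: an SSH brute-force limiter placed after the port-22 ACCEPT, or an INVALID drop placed after the service ACCEPTs, never matches anything and only gives a false sense of protection. The shell check below is added here as an example (it is not part of the original note): it reads the output of iptables -S INPUT and flags exactly those two ordering mistakes. The two rule sets embedded in it are constructed from the rules in this section for the self-test and are not a capture from a real host.

```sh
#!/bin/sh
# lint_input_chain: read `iptables -S INPUT` output on stdin and check two ordering
# properties of the host firewall:
#   1. a `-m recent --set` rule for tcp/22 exists and precedes the port-22 ACCEPT
#      (otherwise the brute-force limiter never records anything)
#   2. the INVALID drop precedes the first port ACCEPT
#      (otherwise the accepted ports never see it)
# Prints each violation and returns 1 if any was found, 0 when the order is sane.
lint_input_chain() {
    awk '
        /-m recent --set/ && /--dport 22 /          { set_at = NR }
        /--dport 22 / && /-j ACCEPT/                { ssh_accept = NR }
        /INVALID -j DROP/                           { invalid_at = NR }
        /--dport/ && /-j ACCEPT/ && !first_accept   { first_accept = NR }
        END {
            rc = 0
            if (!set_at) { print "missing: recent --set for tcp/22"; rc = 1 }
            else if (ssh_accept && set_at > ssh_accept) { print "order: port-22 ACCEPT precedes recent --set"; rc = 1 }
            if (!invalid_at) { print "missing: INVALID drop"; rc = 1 }
            else if (first_accept && invalid_at > first_accept) { print "order: INVALID drop after a port ACCEPT"; rc = 1 }
            exit rc
        }'
}

# Constructed sample in the problematic order: ACCEPT first, limiter without --set
# afterwards, INVALID drop at the very end. Not a capture from a real host.
BAD_ORDER='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
-A INPUT -m state --state INVALID -j DROP'

# The same rules in the corrected order (constructed as well).
GOOD_ORDER='-P INPUT DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT'

# Self-test on the two samples. On a live host use the function directly:
#   iptables -S INPUT | ( . ./lint.sh; lint_input_chain )      (file name assumed)
echo "== problematic order"
printf '%s\n' "$BAD_ORDER" | lint_input_chain
echo "== corrected order"
printf '%s\n' "$GOOD_ORDER" | lint_input_chain && echo ok
```

The check is deliberately narrow: it looks at chain position only, not at interfaces or source addresses, so a rule set that passes it can still be too permissive (the eth1/vmbr1 accept-everything rules are an example).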
3. Miscellaneous
Changing the hypervisor's time zone (Europe/Simferopol here):
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
Silencing the dialog the web interface shows when the node has no valid subscription. In
/usr/share/pve-manager/ext4/pvemanagerlib.js
find the line
if (data.status !== 'Active') {
and change it to
if (data.status == 'Active') {
The inverted condition only hides the dialog and changes nothing about the subscription itself, and every pve-manager package update restores the original file, so the edit has to be repeated after upgrades.
Proxmox: 'exit code 60' – corrupt quota file
When a container refuses to start with this error, turn its disk quota off and on again; vzquota repairs the stale "running" marker by itself:
vzquota off [VEID]
vzquota : (error) Quota is not running for id [VEID]
vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
vzquota on [VEID]
(If the quota file really is corrupt, vzquota drop [VEID] deletes it and the quota is recalculated on the next start.)
(cluster not ready - no quorum)
A node reports this when fewer cluster members than expected are reachable, for example after the other nodes went down; /etc/pve then becomes read-only and containers cannot be started or changed. To let the surviving node work on its own, lower the number of votes the cluster expects:
pvecm e <votes>
pvecm e is the short form of pvecm expected; <votes> is the number of nodes currently up, 1 when this is the only one. Do this only as a temporary measure while the other nodes are genuinely down: a node that is merely cut off from the others would otherwise start acting alone, and two halves of a cluster each believing they are authoritative is exactly what quorum exists to prevent.
Basic OpenVZ commands, where [VEID] is the container number:
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
vzlist -a lists all containers, including stopped ones. vzctl destroy removes the container's private area, so stop the container and back it up first.
UPD-1: Forwarding VLANs
Task: VLANs 151, 152 and 666 arrive tagged on eth0, and each of them should be available to containers as a bridge of its own.
On the hypervisor, add to
/etc/network/interfaces
a tagged sub-interface and a bridge per VLAN. The bridges get no address of their own; 0.0.0.0/32 is a placeholder that keeps ifupdown happy while the hypervisor itself stays off those VLANs:
auto vlan151
iface vlan151 inet manual
    vlan_raw_device eth0

auto vlan152
iface vlan152 inet manual
    vlan_raw_device eth0

auto vlan666
iface vlan666 inet manual
    vlan_raw_device eth0

auto vmbr151
iface vmbr151 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan151
    bridge_stp off
    bridge_fd 0

auto vmbr152
iface vmbr152 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan152
    bridge_stp off
    bridge_fd 0

auto vmbr666
iface vmbr666 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan666
    bridge_stp off
    bridge_fd 0
Install the vlan package and bring the tagged interfaces up (the bridges come up the same way with ifup vmbr151 and so on, or on reboot):
apt-get install vlan
ifup vlan151
ifup vlan152
ifup vlan666
Check the result with:
ifconfig
After that the bridges vmbr151, vmbr152 and vmbr666 are visible in the Proxmox web interface under Network and can be attached to containers as veth devices. Since the hypervisor has no IP address on these bridges, container traffic on the VLANs stays separate from the management network.
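The VLAN stanzas above differ only in the number, which invites copy-and-paste mistakes: a vmbr whose bridge_ports names the wrong vlan interface, or an ID outside the 802.1Q range. The shell function below is added here as an example (it is not part of the original note) and generates the vlanNNN/vmbrNNN pairs for any list of IDs on a given trunk interface, refusing IDs that are not integers in 1..4094. Trunk interface and IDs are arguments; the values in the usage comment are the ones from this section. The output is meant for interfaces.tail rather than straight into /etc/network/interfaces.

```sh
#!/bin/sh
# gen_vlan_bridges TRUNK ID [ID...]
#   Print /etc/network/interfaces stanzas for a tagged sub-interface vlanID on TRUNK
#   and an address-less bridge vmbrID on top of it, one pair per ID, in the same form
#   as the hand-written config above. Returns 1 and prints nothing on stdout when an
#   ID is not an integer in 1..4094 (0 and 4095 are reserved by 802.1Q).
gen_vlan_bridges() {
    trunk=$1; shift
    [ -n "$trunk" ] && [ "$#" -ge 1 ] || { echo "usage: gen_vlan_bridges TRUNK ID..." >&2; return 1; }
    # validate every ID first, so that a bad one does not leave a half-written config
    for id in "$@"; do
        case $id in
            *[!0-9]*|'') echo "gen_vlan_bridges: not a number: '$id'" >&2; return 1 ;;
        esac
        if [ "$id" -lt 1 ] || [ "$id" -gt 4094 ]; then
            echo "gen_vlan_bridges: VLAN id out of range 1..4094: $id" >&2; return 1
        fi
    done
    # tagged sub-interfaces
    for id in "$@"; do
        printf 'auto vlan%s\niface vlan%s inet manual\n\tvlan_raw_device %s\n\n' "$id" "$id" "$trunk"
    done
    # bridges; 0.0.0.0/32 keeps the hypervisor off the VLAN, only the bridge ports carry traffic
    for id in "$@"; do
        printf 'auto vmbr%s\niface vmbr%s inet static\n\taddress 0.0.0.0\n\tnetmask 255.255.255.255\n\tbridge_ports vlan%s\n\tbridge_stp off\n\tbridge_fd 0\n\n' "$id" "$id" "$id"
    done
}

# count_stanzas KIND TEXT: number of "auto KIND<n>" lines in TEXT, for checking output
count_stanzas() {
    printf '%s\n' "$2" | grep -c "^auto $1[0-9]"
}

# Stand-alone use with the values from this section:
#   gen_vlan_bridges eth0 151 152 666 >> /etc/network/interfaces.tail
if [ "$#" -ge 2 ]; then
    gen_vlan_bridges "$@"
fi
```

Validating all IDs before printing anything matters when the output is redirected into a config file: a failure halfway through would otherwise leave a vlan stanza without its bridge.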
Note, a peculiarity of Proxmox on Debian: the web interface regenerates /etc/network/interfaces when the network configuration is changed through it. Keep hand-made stanzas in a separate file, for example
/etc/network/interfaces.tail
auto eth1
iface eth1 inet static
    address 10.7.10.5
    netmask 255.255.255.0
and append it:
cat /etc/network/interfaces.tail >> /etc/network/interfaces
The *.tail file itself is never touched by the web interface, so after the latter has rewritten /etc/network/interfaces the stanzas can be appended again with the same command.
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
# Kernel TCP tuning: one SYN-ACK retry, a large SYN backlog plus syncookies
# against SYN floods, short FIN timeout, aggressive keepalive probing and
# reverse-path filtering against packets with spoofed source addresses.
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
# Forwarding stays enabled: the containers need it.
#sysctl -w net.ipv4.ip_forward=0
# Default policies: everything inbound is dropped unless allowed below.
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# Replies to connections the host opened itself.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback.
$IPT -A INPUT -i lo -j ACCEPT
# Trusted internal interfaces: the second NIC and the container bridge.
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
# Proxmox cluster (corosync) multicast traffic.
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# A new TCP connection must start with a SYN (inserted at the top of the chain).
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
# Packets conntrack cannot classify.
$IPT -A INPUT -m state --state INVALID -j DROP
# Bogus flag combinations (null, Xmas and other scanner probes).
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN rate limit: 2 new connections per second, burst of 6. This has to sit
# in front of the service ACCEPTs, otherwise those ports never reach it.
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
# SSH brute-force limit: a source that opens 4 or more connections to port 22
# within 60 seconds is dropped. The address is recorded with --set first, and
# both recent rules precede the ACCEPT; placed after it they never match.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# Services exposed on the remaining interfaces.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# NetBIOS noise.
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP: echo request and time exceeded (ping and traceroute).
$IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# DHCP client: replies from a DHCP server.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
;;
stop)
echo "Stopping iptables"
# Flush all rules, delete the custom chain and open the policies.
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
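Rule order decides whether a rate limit does anything at all: an unconditional ACCEPT for a port that sits in front of the DROP meant to throttle that port makes the DROP dead. The following is an added example, not code from the original article: a small linter over iptables-save output that flags exactly that mistake for the SSH recent-list rule and for the SYN_FLOOD jump. The two rule dumps are constructed samples in iptables-save format (one mirroring the unsafe ordering, one with the limits placed first), not captures from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): a linter for iptables-save
# output that catches the ordering mistake which silently disables a rate
# limit, namely a plain ACCEPT for the service standing in front of the
# DROP that is supposed to throttle it.

# 0 if the "recent" DROP for port 22 comes before the first plain ACCEPT for
# port 22 in the INPUT chain (the limiter can fire), 1 otherwise.
ssh_limiter_effective() {
    awk '
        /^-A INPUT / && /--dport 22 / && /-m recent/ && /-j DROP/ && !drop { drop = NR }
        /^-A INPUT / && /--dport 22 / && !/-m recent/ && /-j ACCEPT/ && !acc { acc = NR }
        END { exit !(drop && acc && drop < acc) }
    ' "$1"
}

# 0 if the jump into SYN_FLOOD comes before the first TCP service ACCEPT
# (every new SYN passes through the limiter), 1 otherwise.
syn_limit_effective() {
    awk '
        /^-A INPUT / && /-j SYN_FLOOD/ && !jump { jump = NR }
        /^-A INPUT / && /-p tcp/ && /--dport/ && /-j ACCEPT/ && !acc { acc = NR }
        END { exit !(jump && acc && jump < acc) }
    ' "$1"
}

# Runs both checks on a dump, prints one line per finding and returns the
# number of findings (0 means the rate limits are reachable).
lint_rules() {
    n=0
    ssh_limiter_effective "$1" || { echo "$1: SSH recent-list DROP is shadowed by the port-22 ACCEPT"; n=$((n+1)); }
    syn_limit_effective "$1" || { echo "$1: SYN_FLOOD jump is shadowed by a service ACCEPT"; n=$((n+1)); }
    return $n
}

# Constructed sample: ACCEPTs first, limits last (the limits never match).
BAD_RULES=$(mktemp)
cat > "$BAD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:SYN_FLOOD - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD
-A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN
-A SYN_FLOOD -j DROP
COMMIT
EOF

# Constructed sample: limits placed before the service ACCEPTs.
GOOD_RULES=$(mktemp)
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:SYN_FLOOD - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT
-A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN
-A SYN_FLOOD -j DROP
COMMIT
EOF
trap 'rm -f "$BAD_RULES" "$GOOD_RULES"' EXIT

# On a live host: iptables-save > /tmp/rules && lint_rules /tmp/rules
lint_rules "$BAD_RULES" || echo "unsafe sample: $? finding(s)"
lint_rules "$GOOD_RULES" && echo "safe sample: clean"
```

The checks only look at the first matching ACCEPT, which is enough for the INPUT chain above; a rule set that jumps into user-defined chains before the service ACCEPTs would need the same comparison done per chain.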
3. Various trifles
Setting the host time zone (Europe/Simferopol in this example):
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
Web interface: the subscription-status dialog shown at login comes from a check in /usr/share/pve-manager/ext4/pvemanagerlib.js; replace the line
if (data.status !== 'Active') {
with
if (data.status == 'Active') {
Proxmox: 'exit code 60' – corrupt quota file. The container's quota is repaired by switching it off and back on (the error and the repair warning below are expected):
vzquota off [VEID]
vzquota : (error) Quota is not running for id [VEID]
vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
vzquota on [VEID]
If the node refuses to act on containers with "cluster not ready - no quorum", set the number of votes the cluster should expect (pvecm e is short for pvecm expected; the number itself is not given here):
pvecm e <expected votes>
Basic OpenVZ container commands, [VEID] being the container number:
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
start, a shell inside the container, stop, restart, delete a stopped container; vzlist -a lists all containers, stopped ones included.
UPD-1: forwarding VLANs
VLANs 151, 152 and 666 are tagged on eth0; each VLAN gets its own interface and an addressless bridge that containers can be attached to. In /etc/network/interfaces:
auto vlan151
iface vlan151 inet manual
    vlan_raw_device eth0
auto vlan152
iface vlan152 inet manual
    vlan_raw_device eth0
auto vlan666
iface vlan666 inet manual
    vlan_raw_device eth0
auto vmbr151
iface vmbr151 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan151
    bridge_stp off
    bridge_fd 0
auto vmbr152
iface vmbr152 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan152
    bridge_stp off
    bridge_fd 0
auto vmbr666
iface vmbr666 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan666
    bridge_stp off
    bridge_fd 0
Install the VLAN tools, bring the interfaces up and check the result:
apt-get install vlan
ifup vlan151
ifup vlan152
ifup vlan666
ifconfig
After that the bridges appear on the node's Network tab in the web interface and can be assigned to containers.
A related Debian trick: extra stanzas can be kept in /etc/network/interfaces.tail, for example
auto eth1
iface eth1 inet static
    address 10.7.10.5
    netmask 255.255.255.0
and appended to the main file:
cat /etc/network/interfaces.tail >> /etc/network/interfaces
The web interface rewrites /etc/network/interfaces but leaves the *.tail file alone, so the stanza can be appended again after such a rewrite.
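The three VLAN and three bridge stanzas above differ only in the VLAN id, which invites copy-and-paste typos that ifup reports late or not at all. As an added example (not code from the article), the function below generates the stanzas for any list of ids on any raw device and refuses ids outside the 802.1Q range 1..4094; the interface names vlanN / vmbrN and the addressless-bridge layout follow the article's configuration.

```shell
#!/bin/sh
# Added example (not from the original article): generates the vlanN/vmbrN
# stanzas for /etc/network/interfaces from a list of VLAN ids, validating
# each id first. Raw device and naming scheme follow the article.

# 0 if every argument is an integer VLAN id in 1..4094, 1 otherwise.
valid_vlan_ids() {
    for id in "$@"; do
        case "$id" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$id" -ge 1 ] && [ "$id" -le 4094 ] || return 1
    done
    return 0
}

# gen_vlan_bridges RAWDEV ID...
# Prints one tagged interface plus one addressless bridge per id to stdout;
# containers are attached to the vmbrN bridge, the vlanN interface carries
# the tag on RAWDEV. Returns 1 and prints nothing on an invalid id.
gen_vlan_bridges() {
    raw=$1
    shift
    valid_vlan_ids "$@" || { echo "invalid VLAN id in: $*" >&2; return 1; }
    for id in "$@"; do
        cat <<EOF
auto vlan$id
iface vlan$id inet manual
    vlan_raw_device $raw

auto vmbr$id
iface vmbr$id inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan$id
    bridge_stp off
    bridge_fd 0

EOF
    done
}

# Usage: gen_vlan_bridges eth0 151 152 666 >> /etc/network/interfaces
# then apt-get install vlan and ifup the vlan interfaces as in the article.
gen_vlan_bridges eth0 151 152 666
```

Because the ids are validated before anything is printed, redirecting the output into /etc/network/interfaces with `>>` cannot leave a half-written stanza behind when one id is wrong.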
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
![](https://habrastorage.org/getpro/habr/comment_images/421/900/493/42190049348f9298880c4d8ec5005b49.png)
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
2. Firewall
To let containers use iptables, list the required netfilter modules in the OpenVZ configuration on the hypervisor:
nano /etc/vz/vz.conf
Set the IPTABLES variable:
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
and restart VZ:
/etc/init.d/vz restart
On the hypervisor itself, make the modules load at boot by adding them, one per line, to /etc/modules:
nano /etc/modules
ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop
The firewall itself is the init script /etc/init.d/iptables:
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
# TCP stack hardening: fewer SYN-ACK retries, larger SYN backlog, short FIN
# timeout, SYN cookies, quick keepalive detection, reverse-path filtering
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
# Forwarding is left on: the hypervisor routes traffic for its containers
#sysctl -w net.ipv4.ip_forward=0
# Start from a clean filter table so a repeated "start" does not duplicate rules
$IPT -F
$IPT -X
# Default policies: drop inbound, allow forwarded and outbound traffic
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# Packets of connections we initiated or already accepted
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback
$IPT -A INPUT -i lo -j ACCEPT
# Trusted internal interfaces: second NIC and the internal bridge
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
# Multicast and corosync (Proxmox cluster traffic, UDP 5404/5405)
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# A new TCP connection must begin with a SYN (inserted at the top of the chain)
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
# Packets conntrack cannot classify
$IPT -A INPUT -m state --state INVALID -j DROP
# Bogus TCP flag combinations (XMAS, NULL and other scan signatures).
# These and the SYN-flood limit below have to come before the service ACCEPTs:
# iptables stops at the first matching rule, so placed after them they would never fire.
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN flood limit: at most 2 new connections per second (burst of 6), the rest are dropped
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
# DHCP replies (server port 67 to client port 68)
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# ICMP: echo request and time exceeded
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
# SSH brute-force protection: record every new connection attempt and drop the
# source after 4 attempts within 60 seconds. Must precede the ACCEPT for port 22,
# and --update only matches addresses that the --set rule has recorded.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# Allowed services
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# NetBIOS noise (would hit the DROP policy anyway, kept explicit)
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
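An added lint for scripts like the one above (my code, not from the article): iptables stops at the first matching rule, so an ACCEPT for port 22 placed above the "-m recent --update ... -j DROP" rule turns the brute-force limit into dead code, and "--update" only matches addresses that an earlier "--set" rule recorded. The function locates those three rules in a script and reports the ordering; the two rule sets it is tried on are constructed here and assume rules are appended one per line with "-A INPUT".

```shell
# first_line_matching FILE PATTERN -> number of the first line matching the
# basic regex PATTERN, or 0 when nothing matches
first_line_matching() {
    n=$(grep -n -e "$2" -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# lint_ssh_ratelimit FILE -> returns 0 when the "recent" rules for port 22 can
# actually fire; otherwise prints why and returns 1.
# Assumption (mine): rules are appended with "-A INPUT", one per line.
lint_ssh_ratelimit() {
    f="$1"
    accept=$(first_line_matching "$f" '-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT')
    rec_set=$(first_line_matching "$f" '-m recent --set')
    rec_drop=$(first_line_matching "$f" '-m recent --update .*-j DROP')
    rc=0
    if [ "$rec_drop" -eq 0 ]; then
        echo "no 'recent --update ... -j DROP' rule for SSH"; rc=1
    fi
    if [ "$rec_set" -eq 0 ]; then
        echo "no 'recent --set' rule: --update never has an address to match"; rc=1
    fi
    if [ "$accept" -ne 0 ] && [ "$rec_drop" -ne 0 ] && [ "$accept" -lt "$rec_drop" ]; then
        echo "SSH ACCEPT (line $accept) precedes the rate-limit DROP (line $rec_drop): the limit never fires"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the order that silently disables the limit
write_broken_sample() {
    cat > "$1" <<'EOF'
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
EOF
}

# Constructed sample: set, then update/drop, then accept
write_fixed_sample() {
    cat > "$1" <<'EOF'
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
EOF
}

# Usage: lint_ssh_ratelimit /etc/init.d/iptables
```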
3. Various small things
Changing the time zone (Europe/Simferopol here):
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
Removing the subscription status warning in the web interface: in
/usr/share/pve-manager/ext4/pvemanagerlib.js
replace
if (data.status !== 'Active') {
with
if (data.status == 'Active') {
The file belongs to the pve-manager package, so the edit is lost on every update and has to be repeated.
Proxmox: 'exit code 60' – corrupt quota file. Turn the quota off and back on for the container:
vzquota off [VEID]
vzquota : (error) Quota is not running for id [VEID]
vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
vzquota on [VEID]
If a node reports (cluster not ready - no quorum), for example when the other cluster nodes are down, set the number of votes the node should expect:
pvecm e <expected number of votes>
Basic OpenVZ commands, where [VEID] is the container number:
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
The last one lists all containers, running and stopped, with their state and IP addresses.
UPD-1: Forwarding VLANs
Example setup: two network interfaces, eth0 carrying the tagged VLANs 151, 152 and 666 that have to reach the containers, eth1 on the plain internal network.
On the hypervisor, add a VLAN interface and a bridge per VLAN to
/etc/network/interfaces
auto vlan151
iface vlan151 inet manual
    vlan_raw_device eth0
auto vlan152
iface vlan152 inet manual
    vlan_raw_device eth0
auto vlan666
iface vlan666 inet manual
    vlan_raw_device eth0
auto vmbr151
iface vmbr151 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan151
    bridge_stp off
    bridge_fd 0
auto vmbr152
iface vmbr152 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan152
    bridge_stp off
    bridge_fd 0
auto vmbr666
iface vmbr666 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan666
    bridge_stp off
    bridge_fd 0
Install the vlan package and bring the interfaces up:
apt-get install vlan
ifup vlan151
ifup vlan152
ifup vlan666
Check the result with
ifconfig
Then, in the container's settings in the web interface (Network), attach it to the bridge of the required VLAN: vmbr151, vmbr152 or vmbr666.
A nuance: Proxmox rewrites /etc/network/interfaces whenever the network is edited through the web interface, so additional interface settings (here a static address on the second NIC, Debian style) go into
/etc/network/interfaces.tail
auto eth1
iface eth1 inet static
    address 10.7.10.5
    netmask 255.255.255.0
and are appended once by hand:
cat /etc/network/interfaces.tail >> /etc/network/interfaces
The contents of *.tail are appended to the end of the file by the web interface on every rewrite, so they are not lost.
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
# Kernel TCP hardening: fewer SYN-ACK retries, a larger SYN backlog, SYN cookies,
# shorter FIN and keepalive timers, reverse-path filtering
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
# Default policies: drop incoming, allow forwarded (container traffic) and outgoing
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# Replies to connections opened from this host, and related traffic
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback
$IPT -A INPUT -i lo -j ACCEPT
# Trusted internal interfaces: the second NIC and the container bridge
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
# Multicast and corosync (Proxmox cluster) on UDP 5404/5405
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# New TCP connections must start with SYN
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
# SSH with brute-force protection: the 4th new connection from one address
# within 60 seconds (and later ones) is dropped. The recent rules must come
# before the ACCEPT, and --set must record the address, otherwise the limit never fires
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
# VNC consoles and the Proxmox web panel (open to any source address here)
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# NetBIOS noise
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP echo request and time exceeded (ping and traceroute)
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
# Packets conntrack cannot classify
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP replies, needed if the host gets its address by DHCP; iptables would otherwise block them
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# XMAS and NULL scans
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
# Other invalid flag combinations
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN flood limit: at most 2 new connections per second with a burst of 6
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
# Flush all rules, delete custom chains and open everything
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
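A common mistake in scripts like the one above is to append the plain ACCEPT for port 22 before the -m recent DROP rule, or to forget the -m recent --set rule, which turns the SSH rate limit into dead code. The following check is an added example, not part of the article: a POSIX sh function that reads an iptables-save style dump and reports whether the limit can fire; the two dumps are constructed here.

```shell
#!/bin/sh
# Added example, not from the article: detect the SSH rate-limit ordering
# mistake in an iptables-save style dump. The "-m recent --update ... -j DROP"
# rule only fires if an earlier "-m recent --set" rule records the source
# address and both precede the plain "--dport 22 ... -j ACCEPT".

# ssh_limit_check DUMP: prints "ok" when the SSH rate limit can fire,
# "dead" when the ACCEPT for port 22 comes first or --set is missing.
ssh_limit_check() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /--dport 22 / && /-m recent --set/ { if (!set) set = NR }
        /^-A INPUT / && /--dport 22 / && /-m recent --update/ && /-j DROP/ { if (!drop) drop = NR }
        /^-A INPUT / && /--dport 22 / && !/-m recent/ && /-j ACCEPT/ { if (!acc) acc = NR }
        END {
            if (set && drop && acc && set < acc && drop < acc) print "ok"
            else print "dead"
        }'
}

# Constructed dump with the order that makes the limit dead: ACCEPT first, no --set.
DEAD_ORDER='-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP'

# Constructed dump with the working order: record, drop above the threshold, then accept.
FIXED_ORDER='-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT'

# On a live host the same check is: ssh_limit_check "$(iptables-save)"
echo "dead order: $(ssh_limit_check "$DEAD_ORDER")"
echo "fixed order: $(ssh_limit_check "$FIXED_ORDER")"
```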
3. Various small things
Changing the time zone (Europe/Simferopol in this example):
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
Disabling the subscription warning in the web interface. In the file
/usr/share/pve-manager/ext4/pvemanagerlib.js
find the line
if (data.status !== 'Active') {
and change it to
if (data.status == 'Active') {
If Proxmox fails to start a container with 'exit code 60' – corrupt quota file, reset the container's quota:
vzquota off [VEID]
vzquota : (error) Quota is not running for id [VEID]
vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
vzquota on [VEID]
The two vzquota messages are the expected output of the off command.
If the cluster reports (cluster not ready - no quorum), for example when another node is down, and containers still need to be managed, set the number of expected votes with
pvecm e
followed by the number of votes to expect.
Basic OpenVZ container commands, where [VEID] is the container number:
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
The last command lists all containers, running and stopped.
UPD-1: Forwarding VLANs
The example uses VLANs 151, 152 and 666.
On the hypervisor, in /etc/network/interfaces, add a VLAN interface and a bridge on top of it for each VLAN:
auto vlan151
iface vlan151 inet manual
    vlan_raw_device eth0

auto vlan152
iface vlan152 inet manual
    vlan_raw_device eth0

auto vlan666
iface vlan666 inet manual
    vlan_raw_device eth0

auto vmbr151
iface vmbr151 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan151
    bridge_stp off
    bridge_fd 0

auto vmbr152
iface vmbr152 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan152
    bridge_stp off
    bridge_fd 0

auto vmbr666
iface vmbr666 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan666
    bridge_stp off
    bridge_fd 0
Install the VLAN tools and bring the interfaces up:
apt-get install vlan
ifup vlan151
ifup vlan152
ifup vlan666
Check the result with
ifconfig
After that the new bridges can be selected for a container in the web interface (Network), and the container gets an interface in the corresponding VLAN.
A nuance: Proxmox, like any Debian, keeps the network configuration in /etc/network/interfaces, but the web interface rewrites that file. Interfaces configured by hand, such as eth1 here, are better kept in a separate file, /etc/network/interfaces.tail
auto eth1
iface eth1 inet static
    address 10.7.10.5
    netmask 255.255.255.0
and appended to the main file:
cat /etc/network/interfaces.tail >> /etc/network/interfaces
The *.tail file is kept apart from what the web interface manages; otherwise settings added by hand are lost the next time the network configuration is changed through the web interface.
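The stanzas above are six near-identical copies that are easy to mistype. As an added example, not from the article, here is a small POSIX sh generator that produces the same vlanN/vmbrN stanzas for any list of VLAN IDs and rejects IDs outside the 802.1Q range; it assumes the raw device is passed by the caller (eth0 in the article) and keeps the article's dummy bridge address 0.0.0.0/32.

```shell
#!/bin/sh
# Added example, not from the article: emit /etc/network/interfaces stanzas
# for a VLAN interface plus a bridge on top of it, one pair per VLAN ID,
# in the same layout the article uses for vlan151/vmbr151 and so on.

# gen_vlan_stanzas RAW_DEVICE VLAN_ID... : prints the stanzas to stdout,
# returns 1 without printing anything for a malformed or out-of-range ID.
gen_vlan_stanzas() {
    raw="$1"; shift
    [ "$#" -ge 1 ] || return 1
    for id in "$@"; do
        # Only digits are accepted; anything else would produce junk config
        case "$id" in
            ''|*[!0-9]*) echo "bad VLAN id: $id" >&2; return 1 ;;
        esac
        # 802.1Q VLAN IDs are 1..4094 (0 and 4095 are reserved)
        if [ "$id" -lt 1 ] || [ "$id" -gt 4094 ]; then
            echo "VLAN id out of range: $id" >&2; return 1
        fi
        printf 'auto vlan%s\niface vlan%s inet manual\n\tvlan_raw_device %s\n\n' \
            "$id" "$id" "$raw"
        printf 'auto vmbr%s\niface vmbr%s inet static\n\taddress 0.0.0.0\n\tnetmask 255.255.255.255\n\tbridge_ports vlan%s\n\tbridge_stp off\n\tbridge_fd 0\n\n' \
            "$id" "$id" "$id"
    done
}

# Usage: sh gen-vlans.sh eth0 151 152 666 >> /etc/network/interfaces.tail
if [ "$#" -ge 2 ]; then
    gen_vlan_stanzas "$@"
fi
```

Appending the output to /etc/network/interfaces.tail rather than straight into /etc/network/interfaces keeps it out of the way of the web interface, as described above.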
After that, X applications can be started inside the container. For example, Skype (here used together with Skypiax) started under its own user "skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &"
1.6. Forwarding a disk partition
For example, to give a container access to the sda4 partition:
vzctl set [VEID] --devnodes sda4:rw --save
1.7. Enabling tun/tap
Needed to run a VPN (OpenVPN and the like) inside a container.
Check whether the tun module is loaded on the hypervisor:
lsmod | grep tun
If it is not, load it and make it load at boot:
modprobe tun
echo "tun" >> /etc/modules
Then give the container the tun device and the net_admin capability:
vzctl stop [VEID]
vzctl set [VEID] --devices c:10:200:rw --save
vzctl set [VEID] --capability net_admin:on --save
vzctl start [VEID]
2. Firewall
To let iptables work inside containers, list the required modules in the IPTABLES variable in /etc/vz/vz.conf on the hypervisor:
nano /etc/vz/vz.conf
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
Then restart VZ:
/etc/init.d/vz restart
On the hypervisor itself, load the modules at boot (for example, those needed for NAT and masquerading) by adding them, one per line, to /etc/modules:
nano /etc/modules
ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop
The firewall on the hypervisor is an init script, /etc/init.d/iptables:
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
# TCP stack hardening: fewer SYN-ACK retries, larger SYN backlog, syncookies,
# short FIN timeout and aggressive keepalives
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
# Reverse-path filtering against spoofed source addresses
sysctl -w net.ipv4.conf.default.rp_filter=1
# Forwarding stays enabled: container traffic passes through the host
#sysctl -w net.ipv4.ip_forward=0
# Default policies: drop everything inbound unless explicitly allowed
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# Replies to connections the host opened itself
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback
$IPT -A INPUT -i lo -j ACCEPT
# Trusted internal interfaces: the second NIC and the container bridge
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
# Proxmox cluster traffic (corosync multicast on 5404/5405)
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# New TCP connections must start with SYN; inserted at the top of the chain
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
# SYN flood limiter: at most 2 new SYNs per second (burst 6), the rest dropped.
# It has to come before the service ACCEPT rules; placed after them it would
# only ever see SYNs to ports that are dropped anyway. It is a global limit,
# not per source, so a flood also slows legitimate clients; the syncookies
# above are the safer first line of defence.
$IPT -N SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
# SSH brute-force protection: record every new connection, drop the 4th and
# later from one address within 60 s, and only then accept. The three rules
# must stay in this order: with the ACCEPT first the recent rules are never
# reached and the limiter does nothing.
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
# Management services; restrict them with -s <admin network> where possible
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# NetBIOS noise
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP: echo request and time exceeded (ping and traceroute)
$IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# Packets conntrack cannot classify
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP client replies (server port 67 to client port 68)
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# Port-scan signatures: XMAS (all flags set) and NULL (no flags) packets
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
# Other impossible flag combinations
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop|restart}"
exit 1
;;
esac
exit 0
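Whether a rate limiter like the SSH one in this script does anything depends entirely on rule order: an unconditional ACCEPT for the port that sits in front of the -m recent DROP makes the limiter unreachable, and without a -m recent --set rule the recent list is never populated. The following POSIX-shell lint is an added example, not code from the original note: it reads rule lines in the form used in the script (with the $IPT prefix) from stdin and reports both problems for a given port. The two sample rule sets are constructed and show the ACCEPT-first ordering beside the limiter-first ordering.

```shell
#!/bin/sh
# Static check for an iptables script: a port-specific ACCEPT that precedes the
# "-m recent ... -j DROP" rule meant to rate-limit that port makes the limiter
# unreachable, and a limiter without a "-m recent --set" rule never counts
# anything. Hypothetical helper, not from the original note.

# check_recent_order PORT < rule-lines
# Considers only "-A INPUT ... -p tcp ... --dport PORT" rules, in file order.
# Returns 0 when the limiter for PORT can work, 1 otherwise (with a reason).
check_recent_order() {
    port="$1"
    n=0; accept_at=0; drop_at=0; set_seen=0
    while IFS= read -r line; do
        case "$line" in
            *"-A INPUT"*"-p tcp"*"--dport $port "*|*"-A INPUT"*"-p tcp"*"--dport $port") ;;
            *) continue ;;
        esac
        n=$((n + 1))
        case "$line" in
            *"-m recent"*"--set"*)   set_seen=1 ;;
            *"-m recent"*"-j DROP"*) drop_at=$n ;;
            *"-m recent"*)           ;;
            *"-j ACCEPT"*)           [ "$accept_at" -eq 0 ] && accept_at=$n ;;
        esac
    done
    rc=0
    if [ "$drop_at" -eq 0 ]; then
        echo "port $port: no '-m recent ... -j DROP' limiter rule"
        return 1
    fi
    if [ "$accept_at" -ne 0 ] && [ "$accept_at" -lt "$drop_at" ]; then
        echo "port $port: ACCEPT is rule $accept_at, limiter DROP is rule $drop_at; the limiter is never reached"
        rc=1
    fi
    if [ "$set_seen" -eq 0 ]; then
        echo "port $port: no '-m recent --set' rule; the recent list is never populated"
        rc=1
    fi
    return $rc
}

# lint_rules "<rule text>" PORT: run the check on a string instead of a file
lint_rules() { printf '%s\n' "$1" | check_recent_order "$2"; }

# Constructed sample 1: ACCEPT first, then the limiter (the limiter is dead code)
ACCEPT_FIRST='
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
'

# Constructed sample 2: record, drop repeat offenders, then accept
LIMITER_FIRST='
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
'

lint_rules "$ACCEPT_FIRST" 22 || echo "-> ACCEPT-first ordering: limiter ineffective"
lint_rules "$LIMITER_FIRST" 22 && echo "-> limiter-first ordering: ok"
```

To check the installed script rather than a sample, run check_recent_order 22 < /etc/init.d/iptables; for a port with no limiter at all (8006 in this script) the check reports that no -m recent DROP rule exists, which is a finding to judge rather than an error.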
3. Miscellaneous
Set the hypervisor's time zone (Europe/Simferopol here) and check the result:
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
A fix for the web interface: in the file
/usr/share/pve-manager/ext4/pvemanagerlib.js
replace the line
if (data.status !== 'Active') {
with
if (data.status == 'Active') {
The file belongs to the pve-manager package, so the edit is lost on the next upgrade and has to be reapplied.
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
    echo "Starting iptables"
    # kernel-side TCP hardening: fewer SYN-ACK retries, SYN cookies, short FIN timeout,
    # aggressive keepalives and reverse-path filtering
    sysctl -w net.ipv4.tcp_synack_retries=1
    sysctl -w net.ipv4.tcp_max_syn_backlog=4096
    sysctl -w net.ipv4.tcp_fin_timeout=10
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.ipv4.tcp_keepalive_intvl=10
    sysctl -w net.ipv4.tcp_keepalive_probes=5
    sysctl -w net.ipv4.tcp_keepalive_time=60
    sysctl -w net.ipv4.conf.default.rp_filter=1
    #sysctl -w net.ipv4.ip_forward=0
    # start from a clean filter table, so a second "start" does not duplicate rules
    $IPT -F
    $IPT -X
    # default policies: drop everything inbound, let the bridges forward, allow outbound
    $IPT -P INPUT DROP
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    # replies to connections we opened, and related ones (ftp-data, ICMP errors)
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # loopback
    $IPT -A INPUT -i lo -j ACCEPT
    # trusted internal interfaces (second NIC and the internal bridge)
    $IPT -A INPUT -i eth1 -j ACCEPT
    $IPT -A INPUT -i vmbr1 -j ACCEPT
    # multicast and corosync (Proxmox cluster) traffic
    $IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
    $IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
    # new TCP connections must start with a SYN packet (inserted at the top of INPUT)
    $IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
    # SYN flood limiting: at most 2 new SYNs per second (burst 6) pass on to the rules
    # below, the rest are dropped; the jump has to sit before the service ACCEPTs or the
    # chain never sees a SYN
    $IPT -N SYN_FLOOD
    $IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
    $IPT -A SYN_FLOOD -j DROP
    $IPT -A INPUT -p tcp --syn -j SYN_FLOOD
    # SSH brute-force protection: record every new connection per source address and
    # drop the 4th and later ones within 60 seconds; both rules must precede the ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
    # services exposed on the hypervisor
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
    $IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
    $IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
    # netbios noise
    $IPT -A INPUT -p tcp --dport 137:139 -j DROP
    $IPT -A INPUT -p udp --dport 137:139 -j DROP
    # ICMP: echo request (ping) and time exceeded (traceroute)
    $IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
    $IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
    # packets conntrack cannot classify
    $IPT -A INPUT -m state --state INVALID -j DROP
    # DHCP client replies (server port 67 -> client port 68), if the host gets its address by DHCP
    $IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
    # TCP packets with all flags set or no flags set (xmas/null scans)
    $IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
    # other impossible flag combinations
    $IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    ;;
stop)
    echo "Stopping iptables"
    # flush everything and open all policies
    $IPT -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    ;;
*)
    echo "Usage: /etc/init.d/iptables {start|stop}"
    exit 1
    ;;
esac
exit 0
3. Various small things
Change the time zone (Europe/Simferopol here; substitute your own zoneinfo file):
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
Disable the subscription warning in the web interface. In
/usr/share/pve-manager/ext4/pvemanagerlib.js
replace
if (data.status !== 'Active') {
with
if (data.status == 'Active') {
Proxmox: 'exit code 60' – corrupt quota file. A container refuses to start with this error; turn its quota off and on again, the warning about the repair is expected:
vzctl stop [VEID]
vzquota off [VEID]
vzquota : (error) Quota is not running for id [VEID]
vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
vzquota on [VEID]
(cluster not ready - no quorum): a node that has lost the other cluster members refuses to start containers; to run it on its own, lower the expected vote count:
pvecm e (expected number of votes)
Basic OpenVZ commands, where [VEID] is the container number:
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
The last one lists all containers, running and stopped.
UPD-1: Forwarding VLANs
Example with VLANs 151, 152 and 666 tagged on eth0:
/etc/network/interfaces
auto vlan151
iface vlan151 inet manual
    vlan_raw_device eth0

auto vlan152
iface vlan152 inet manual
    vlan_raw_device eth0

auto vlan666
iface vlan666 inet manual
    vlan_raw_device eth0

auto vmbr151
iface vmbr151 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan151
    bridge_stp off
    bridge_fd 0

auto vmbr152
iface vmbr152 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan152
    bridge_stp off
    bridge_fd 0

auto vmbr666
iface vmbr666 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan666
    bridge_stp off
    bridge_fd 0
apt-get install vlan
ifup vlan151
ifup vlan152
ifup vlan666
ifconfig
After that the bridges vmbr151, vmbr152 and vmbr666 appear in the web interface (Network) and can be chosen for a container's network interface.
Note:
If a second NIC needs a static address, put the usual Debian stanza into /etc/network/interfaces.tail rather than into the main file:
/etc/network/interfaces.tail
auto eth1
iface eth1 inet static
    address 10.7.10.5
    netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
The web interface rewrites /etc/network/interfaces when network changes are applied there, so keep such additions in *.tail and append them as above.
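Hand-copying six stanzas per VLAN is where typos creep in, so here is an added example (not from the original article) that generates the vlanNNN + vmbrNNN stanzas above for any list of VLAN IDs and refuses IDs outside the 802.1Q range. It assumes the trunk device is eth0 and that the bridges carry no host address (0.0.0.0/32), exactly as in the article's configuration; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the article: emit /etc/network/interfaces stanzas for
# tagged VLANs bridged to containers. Assumed trunk device: eth0 (override with
# TRUNK_DEV=...). The bridges get no host address, as in the article.

TRUNK_DEV="${TRUNK_DEV:-eth0}"

# Print the vlan<ID> and vmbr<ID> stanzas for one VLAN ID.
# Returns 1 and prints nothing for anything that is not an integer in 1..4094,
# so a typo never reaches /etc/network/interfaces.
vlan_bridge_stanza() {
    id="$1"
    case "$id" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$id" -ge 1 ] && [ "$id" -le 4094 ] || return 1
    printf 'auto vlan%s\niface vlan%s inet manual\n\tvlan_raw_device %s\n\n' \
        "$id" "$id" "$TRUNK_DEV"
    printf 'auto vmbr%s\niface vmbr%s inet static\n\taddress 0.0.0.0\n\tnetmask 255.255.255.255\n\tbridge_ports vlan%s\n\tbridge_stp off\n\tbridge_fd 0\n\n' \
        "$id" "$id" "$id"
}

# Emit stanzas for every ID given; invalid IDs are reported on stderr and
# skipped, and the exit status is 1 if any ID was rejected.
generate_vlan_bridges() {
    rc=0
    for id in "$@"; do
        vlan_bridge_stanza "$id" || { echo "skipping invalid VLAN id '$id'" >&2; rc=1; }
    done
    return $rc
}

# Usage on the hypervisor, after reviewing the output:
#   generate_vlan_bridges 151 152 666 >> /etc/network/interfaces.tail
```

Because the stanzas go through stdout, review them before appending; appending to interfaces.tail rather than the main file keeps them out of the way of the web interface, as the note above describes.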
Applications inside the container can then be shown on the hypervisor's X server (DISPLAY=:1 in the example below).
For example, starting Skype (used with Skypiax) under the dedicated user "skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &"
1.6. Forwarding a disk partition
For example, to give the container the partition sda4:
vzctl set [VEID] --devnodes sda4:rw --save
1.7. Enabling tun/tap
Needed, for instance, to run a VPN inside the container. Check on the hypervisor that the module is loaded:
lsmod | grep tun
If it is not, load it and make it persistent:
modprobe tun
echo "tun" >> /etc/modules
Then give the container the device node and the net_admin capability:
vzctl stop [VEID]
vzctl set [VEID] --devices c:10:200:rw --save
vzctl set [VEID] --capability net_admin:on --save
vzctl start [VEID]
2. Firewall
For iptables to work inside containers, the hypervisor has to allow them the necessary netfilter modules. On the hypervisor, edit:
nano /etc/vz/vz.conf
Find the IPTABLES line and set it to:
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
Restart VZ:
/etc/init.d/vz restart
The modules themselves must also be loaded on the hypervisor; the ones the kernel does not load by itself go into /etc/modules, one per line (the list below is the author's):
nano /etc/modules
ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop
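A rule that needs a match or target the IPTABLES line does not list fails inside the container with "No chain/target/match by that name", usually long after vz.conf was last touched. The following is an added example (not from the original article) that checks a container's firewall script against the hypervisor's vz.conf before the container is started; it serves both this section and the iptables script shown on this page. It assumes the OpenVZ naming convention that "-m NAME" needs module ipt_NAME and "-j TARGET" needs ipt_TARGET; protocol matches (tcp, udp, icmp) and the ACCEPT/DROP/RETURN targets are built in and are skipped, as are chains the script creates with -N. The function names and the sample vz.conf and container script are mine; the IPTABLES value in the sample is copied from the article.

```shell
#!/bin/sh
# Added example, not from the article: verify that the IPTABLES= line of
# /etc/vz/vz.conf covers every netfilter module a container firewall script uses.
# Assumption: "-m NAME" -> ipt_NAME, "-j TARGET" -> ipt_TARGET (OpenVZ naming).

# Print the value of IPTABLES="..." from a vz.conf read on stdin.
vz_iptables_value() {
    sed -n 's/^IPTABLES="\(.*\)"[[:space:]]*$/\1/p' | head -n 1
}

# Print the ipt_* modules referenced by an iptables script read on stdin, sorted.
# Chains defined with -N anywhere in the script are excluded as targets.
script_needed_modules() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            if ($i == "-N") chain[$(i+1)] = 1
            else if ($i == "-m" && $(i+1) !~ /^(tcp|udp|icmp)$/) need["ipt_" $(i+1)] = 1
            else if ($i == "-j") target[$(i+1)] = 1
        }
    }
    END {
        for (t in target)
            if (!(t in chain) && t !~ /^(ACCEPT|DROP|RETURN)$/) need["ipt_" t] = 1
        for (m in need) print m
    }' | LC_ALL=C sort
}

# Print those of the modules given as arguments that are absent from the
# space-separated list in $1; exit status 1 if anything is missing.
missing_modules() {
    have=" $1 "
    shift
    rc=0
    for mod in "$@"; do
        case "$have" in
            *" $mod "*) ;;
            *) echo "$mod"; rc=1 ;;
        esac
    done
    return $rc
}

# Convenience wrapper for real files: vz.conf path in $1, firewall script in $2.
# The unquoted substitution is intentional: one argument per module.
check_vz_firewall() {
    allowed=$(vz_iptables_value < "$1")
    missing_modules "$allowed" $(script_needed_modules < "$2")
}

# --- constructed sample input (not real files from the article's host) ---
# IPTABLES value copied from the article's vz.conf example.
SAMPLE_VZ_CONF='VE_ROOT=/var/lib/vz/root/$VEID
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"'

# A small container firewall that also NATs a private subnet behind the container.
SAMPLE_CT_SCRIPT='IPT=/sbin/iptables
$IPT -N SSH_GUARD
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j SSH_GUARD
$IPT -A SSH_GUARD -m limit --limit 3/min -j RETURN
$IPT -A INPUT -p tcp --dport 25 -j REJECT
$IPT -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE'

# Run the check on the samples: prints the modules the article's IPTABLES line
# lacks for this script (ipt_MASQUERADE) and returns 1.
sample_missing() {
    allowed=$(printf '%s\n' "$SAMPLE_VZ_CONF" | vz_iptables_value)
    missing_modules "$allowed" $(printf '%s\n' "$SAMPLE_CT_SCRIPT" | script_needed_modules)
}
```

On the samples the check reports ipt_MASQUERADE: the article's IPTABLES value lets containers use iptable_nat but not the MASQUERADE target, even though the hypervisor loads ipt_MASQUERADE from /etc/modules. Adding the module to IPTABLES and restarting VZ is the fix; the check makes that visible before the container's firewall script fails half-way through.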
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
2. Firewall

First, iptables inside the containers. On the hypervisor, edit the OpenVZ config:

nano /etc/vz/vz.conf

and set the IPTABLES variable to the list of netfilter modules the containers are allowed to use:

IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"

then restart the VZ service:

/etc/init.d/vz restart

The modules also have to be loaded on the hypervisor at boot. Add them to /etc/modules, one per line:

nano /etc/modules

ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop
The hypervisor's own firewall is an ordinary init script, /etc/init.d/iptables. Note the ordering: the sanity drops, the SYN-flood limiter and the SSH throttle are placed before the ACCEPT rules, because a rule appended after "ACCEPT port 22" never sees an SSH packet, and the recent-module throttle needs a --set rule to record the connections it counts.

#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables.sh
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: My firewall
# Description:       Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables

case "$1" in
start)
    echo "Starting iptables"
    # TCP stack tuning: fast SYN-ACK give-up, SYN cookies, short FIN/keepalive timers
    sysctl -w net.ipv4.tcp_synack_retries=1
    sysctl -w net.ipv4.tcp_max_syn_backlog=4096
    sysctl -w net.ipv4.tcp_fin_timeout=10
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.ipv4.tcp_keepalive_intvl=10
    sysctl -w net.ipv4.tcp_keepalive_probes=5
    sysctl -w net.ipv4.tcp_keepalive_time=60
    sysctl -w net.ipv4.conf.default.rp_filter=1
    # Forwarding stays on: the containers are routed through this host
    #sysctl -w net.ipv4.ip_forward=0

    # Start from a clean table so a second "start" does not duplicate rules
    $IPT -F
    $IPT -X
    # Default policies: drop inbound unless allowed, pass forwarded and outbound
    $IPT -P INPUT DROP
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT

    # Sanity checks first, before any ACCEPT, otherwise they never match
    # new TCP connections must begin with a SYN
    $IPT -A INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
    # packets conntrack cannot classify
    $IPT -A INPUT -m state --state INVALID -j DROP
    # XMAS / NULL scans and impossible flag combinations
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # SYN-flood limiter: 2 SYN/s sustained, bursts of 6, the rest dropped
    $IPT -N SYN_FLOOD
    $IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
    $IPT -A SYN_FLOOD -j DROP
    $IPT -A INPUT -p tcp --syn -j SYN_FLOOD

    # replies to connections we opened or already accepted
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # loopback
    $IPT -A INPUT -i lo -j ACCEPT
    # internal network card and internal bridge: trusted
    $IPT -A INPUT -i eth1 -j ACCEPT
    $IPT -A INPUT -i vmbr1 -j ACCEPT
    # Proxmox cluster traffic (corosync multicast, UDP 5404/5405)
    $IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
    $IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

    # SSH brute-force throttle: record every new connection, then drop a
    # source that opens a 4th one within 60 s; both rules go BEFORE the ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
    # services open from outside
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT   ## SSH
    $IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT          ## VNC consoles
    $IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT               ## Proxmox panel
    # netbios noise: drop explicitly
    $IPT -A INPUT -p tcp --dport 137:139 -j DROP
    $IPT -A INPUT -p udp --dport 137:139 -j DROP
    # ICMP: echo request and time exceeded (ping, traceroute)
    $IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    # DHCP client replies, in case the host takes an address by DHCP
    $IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
    ;;
stop)
    echo "Stopping iptables"
    $IPT -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    ;;
*)
    echo "Usage: /etc/init.d/iptables {start|stop}"
    exit 1
    ;;
esac
exit 0

Two things to keep in mind with this script. Ports 8006 (web panel) and 5900-5999 (VNC consoles) are reachable from any source here; on a host with a public interface, restrict them with -s to the management network or reach them only over SSH or the VPN. And the script configures IPv4 only: if the host has an IPv6 address, ip6tables needs the equivalent rules, otherwise the same services are wide open over IPv6.
3. Miscellaneous

Setting the hypervisor's time zone (Europe/Simferopol in this case):

mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date

Getting rid of the subscription-status warning dialog in the web interface: in

/usr/share/pve-manager/ext4/pvemanagerlib.js

replace

if (data.status !== 'Active') {

with

if (data.status == 'Active') {

The file belongs to the pve-manager package, so the edit is overwritten by every upgrade and has to be repeated.
Proxmox: 'exit code 60' – corrupt quota file

If a container refuses to start with this error, reset its disk quota on the hypervisor:

vzquota off [VEID]
vzquota : (error) Quota is not running for id [VEID]
vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
vzquota on [VEID]

The error and warning lines are vzquota's normal output in this state: "off" clears the stale running flag, "on" re-enables the quota, and the container starts again.

cluster not ready - no quorum

A node that has lost quorum (for example because the other node is down) refuses configuration changes. Tell it how many votes to expect:

pvecm e <votes>

(pvecm e is short for pvecm expected; 1 lets a lone node work by itself). Do this only while the other nodes really are down: with the expected vote count lowered, two halves of the cluster can each accept changes to /etc/pve independently.

Basic OpenVZ container commands, where [VEID] is the container ID:

vzctl start [VEID]      start the container
vzctl enter [VEID]      get a shell inside the running container
vzctl stop [VEID]       stop it
vzctl restart [VEID]    restart it
vzctl destroy [VEID]    delete the container together with its private area
vzlist -a               list all containers, running or not
UPD-1: Forwarding VLANs

Example for VLANs 151, 152 and 666 arriving tagged on eth0: each VLAN gets a sub-interface and a bridge of its own that containers can be attached to. On the hypervisor, in

/etc/network/interfaces

auto vlan151
iface vlan151 inet manual
        vlan_raw_device eth0

auto vlan152
iface vlan152 inet manual
        vlan_raw_device eth0

auto vlan666
iface vlan666 inet manual
        vlan_raw_device eth0

auto vmbr151
iface vmbr151 inet static
        address 0.0.0.0
        netmask 255.255.255.255
        bridge_ports vlan151
        bridge_stp off
        bridge_fd 0

auto vmbr152
iface vmbr152 inet static
        address 0.0.0.0
        netmask 255.255.255.255
        bridge_ports vlan152
        bridge_stp off
        bridge_fd 0

auto vmbr666
iface vmbr666 inet static
        address 0.0.0.0
        netmask 255.255.255.255
        bridge_ports vlan666
        bridge_stp off
        bridge_fd 0

The 0.0.0.0/255.255.255.255 address leaves the bridge without an IP address of its own, so the hypervisor does not answer on those VLANs; only the containers attached to vmbr151/152/666 do.

Install the VLAN tools and bring the sub-interfaces up:

apt-get install vlan
ifup vlan151
ifup vlan152
ifup vlan666

Check with

ifconfig

that the vlanNNN and vmbrNNN interfaces exist; after that the new bridges appear in the node's network settings (network) in the web interface and can be chosen for containers.

Additional interface settings that should survive edits of /etc/network/interfaces through the web interface (on the Debian-based Proxmox host) can be kept in a separate file, here

/etc/network/interfaces.tail

auto eth1
iface eth1 inet static
        address 10.7.10.5
        netmask 255.255.255.0

and appended to the main file:

cat /etc/network/interfaces.tail >> /etc/network/interfaces

Only the *.tail file is edited by hand; when the web interface has rewritten /etc/network/interfaces, append it again.
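The three VLAN blocks above are identical apart from the VLAN ID, and copies made by hand tend to drift (a bridge pointing at the wrong vlanNNN is the classic result). The script below is an added example, not part of the article: it generates the vlanNNN/vmbrNNN stanza pair for any list of VLAN IDs on a trunk interface, rejecting IDs outside the 802.1Q range 1 to 4094, so the output can be appended to /etc/network/interfaces or kept in the interfaces.tail file described above. It assumes ifupdown with the vlan package and bridge-utils, as in the configuration shown.

```shell
#!/bin/sh
# Added example: generate ifupdown stanzas for tagged VLANs and their bridges.

# vlan_id_ok ID -> succeeds if ID is a valid 802.1Q VLAN ID (1..4094)
vlan_id_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# vlan_bridge_stanza NIC ID -> the tagged sub-interface plus an address-less
# bridge (0.0.0.0/32 keeps the hypervisor off that VLAN; only containers
# attached to vmbrID talk on it)
vlan_bridge_stanza() {
    nic=$1
    id=$2
    vlan_id_ok "$id" || { echo "vlan_bridge_stanza: invalid VLAN id '$id'" >&2; return 1; }
    cat <<EOF
auto vlan$id
iface vlan$id inet manual
        vlan_raw_device $nic

auto vmbr$id
iface vmbr$id inet static
        address 0.0.0.0
        netmask 255.255.255.255
        bridge_ports vlan$id
        bridge_stp off
        bridge_fd 0

EOF
}

# gen_vlan_bridges NIC ID... -> stanzas for every ID; stops at the first bad one
gen_vlan_bridges() {
    nic=$1
    shift
    [ -n "$nic" ] || { echo "usage: gen_vlan_bridges NIC ID..." >&2; return 1; }
    for id in "$@"; do
        vlan_bridge_stanza "$nic" "$id" || return 1
    done
}

# usage matching the article's example, three VLANs on eth0:
# gen_vlan_bridges eth0 151 152 666 >> /etc/network/interfaces.tail
```

Because the function fails on the first invalid ID without emitting anything for it, a typo cannot leave a half-written bridge in the interfaces file; run it into a temporary file, inspect, then append.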
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
echo "Starting iptables"
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_keepalive_intvl=10
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.conf.default.rp_filter=1
#sysctl -w net.ipv4.ip_forward=0
#
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# ,
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# lo
$IPT -A INPUT -i lo -j ACCEPT
#
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i vmbr1 -j ACCEPT
#
$IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
$IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
# TCP- SYN-
$IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
#
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
$IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
$IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
# SSH ( 4 )
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# netbios
$IPT -A INPUT -p tcp --dport 137:139 -j DROP
$IPT -A INPUT -p udp --dport 137:139 -j DROP
# ICMP
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
#
$IPT -A INPUT -m state --state INVALID -j DROP
# DHCP iptables.
$IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
# -
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -N SYN_FLOOD
$IPT -A INPUT -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPT -A SYN_FLOOD -j DROP
;;
stop)
echo "Stopping iptables"
$IPT -F
$IPT -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
;;
*)
echo "Usage: /etc/init.d/iptables {start|stop}"
exit 1
;;
esac
exit 0
3.
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
web-.
/usr/share/pve-manager/ext4/pvemanagerlib.js
if (data.status !== 'Active') {
if (data.status == 'Active') {
Proxmox: 'exit code 60′ – corrupt quota file ,
.
vzquota off [VEID] vzquota : (error) Quota is not running for id [VEID] vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID] vzquota on [VEID]
(cluster not ready - no quorum), ,
,
pvecm e ( )
OpenVZ
[VEID]
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
- , , .
UPD-1: vlan
2 . 151,152,666
:
/etc/network/interfaces
auto vlan151 iface vlan151 inet manual vlan_raw_device eth0 auto vlan152 iface vlan152 inet manual vlan_raw_device eth0 auto vlan666 iface vlan666 inet manual vlan_raw_device eth0 auto vmbr151 iface vmbr151 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan151 bridge_stp off bridge_fd 0 auto vmbr152 iface vmbr152 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan152 bridge_stp off bridge_fd 0 auto vmbr666 iface vmbr666 inet static address 0.0.0.0 netmask 255.255.255.255 bridge_ports vlan666 bridge_stp off bridge_fd 0
apt-get install vlan
ifup vlan151 ifup vlan152 ifup vlan666
ifconfig
, (network), ,
.
:
, , debian
/etc/network/interfaces.tail
auto eth1 iface eth1 inet static address 10.7.10.5 netmask 255.255.255.0
cat /etc/network/interfaces.tail >> /etc/network/interfaces
*.tail , web , .
, , - - , .
, ( ). , X- .
, Skype ( Skypiax) UID "Skype":
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &»
1.6.
, , sda4
vzctl set [VEID] --devnodes sda4:rw --save
1.7. tun/tap
vpn , .
lsmod | grep tun
modprobe tun echo "tun" >> /etc/modules
vzctl stop [VEID] vzctl set [VEID] --devices c:10:200:rw --save vzctl set [VEID] --capability net_admin:on --save vzctl start [VEID]
, -.
, .
nano /etc/vz/vz.conf
IPTABLES
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
VZ
/etc/init.d/vz restart
.
, , ( , )
nano /etc/modules
ipt_MASQUERADE ipt_helper ipt_REDIRECT ipt_state ipt_TCPMSS ipt_LOG ipt_TOS iptable_nat ipt_length ipt_tcpmss iptable_mangle ipt_limit ipt_tos iptable_filter ipt_ttl ipt_REJECT loop
#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables.sh
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My firewall
# Description: Rico-X FIREWALL
### END INIT INFO
After that, X applications inside the container can use the forwarded X server by pointing DISPLAY at it. For example, to start Skype (for Skypiax) under the "skype" UID:
su skype -c "echo secret:password | DISPLAY=:1 /usr/bin/skype --pipelogin 2>>skype_errors.log &"
Here secret:password stands for the Skype login and password. Note that they are part of the su command line, so they are visible to every local user in the process list and end up in the shell history; a root-only file read by the command is the safer way to pass them.
1.6. Forwarding a disk partition
For example, to give the container access to the sda4 partition:
vzctl set [VEID] --devnodes sda4:rw --save
This is raw access to the block device: root in the container can read and rewrite everything on it, including the file system metadata, so use r instead of rw when the container only needs to read.
1.7. Forwarding tun/tap
Needed, for example, to run a VPN inside the container. On the hypervisor, check that the tun module is loaded:
lsmod | grep tun
If it is not, load it and make it persistent:
modprobe tun
echo "tun" >> /etc/modules
Then give the container the device (character device 10:200) and the net_admin capability:
vzctl stop [VEID]
vzctl set [VEID] --devices c:10:200:rw --save
vzctl set [VEID] --capability net_admin:on --save
vzctl start [VEID]
If /dev/net/tun does not exist inside the container yet, create it the same way as /dev/fuse in 1.1:
vzctl exec [VEID] mkdir -p /dev/net
vzctl exec [VEID] mknod /dev/net/tun c 10 200
Keep in mind that net_admin lets root in the container change interfaces, addresses and routes of its own network namespace, so grant it only to containers that really need a VPN.
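The --devices argument in 1.3, 1.6 and 1.7 needs the major and minor numbers of the device node in decimal, while GNU stat prints them in hex, which is an easy way to forward the wrong device. The following helper is an added example and not part of the original page or of vzctl; it assumes GNU coreutils stat (the %F, %t and %T formats) and the names dev_spec_from_stat and vz_device_spec are my own.

```shell
#!/bin/sh
# Added example (not from the original page): build the "--devices" value
# for vzctl from a device node. stat reports major (%t) and minor (%T) in
# HEX; vzctl wants DECIMAL, so 0xe5 (fuse) must become 229, 0xc8 (tun) 200.

# dev_spec_from_stat TYPE HEX_MAJOR HEX_MINOR [ACCESS]
# TYPE is the text stat prints for %F. Prints e.g. "c:10:229:rw".
dev_spec_from_stat() {
    case $1 in
        "character special file") kind=c ;;
        "block special file")     kind=b ;;
        *) echo "not a device node: $1" >&2; return 1 ;;
    esac
    major=$(printf '%d' "0x$2")          # hex -> decimal
    minor=$(printf '%d' "0x$3")
    printf '%s:%s:%s:%s\n' "$kind" "$major" "$minor" "${4:-rw}"
}

# vz_device_spec /dev/NODE [ACCESS]: read the numbers from the node itself
# (hypothetical wrapper; needs a real device node, e.g. /dev/fuse).
vz_device_spec() {
    set -- "$(stat -c '%F' "$1")" "$(stat -c '%t' "$1")" "$(stat -c '%T' "$1")" "$2"
    dev_spec_from_stat "$1" "$2" "$3" "$4"
}

# Constructed values for the devices used on this page (not read from a host):
dev_spec_from_stat "character special file" a e5        # fuse  -> c:10:229:rw
dev_spec_from_stat "character special file" a c8        # tun   -> c:10:200:rw
dev_spec_from_stat "block special file" 8 4 r           # sda4  -> b:8:4:r
```

On a live hypervisor, `vzctl set [VEID] --devices "$(vz_device_spec /dev/fuse)" --save` produces the same line as the manual c:10:229:rw in 1.1; remember that a second --devices call replaces the previous list, as 1.3 warns.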
2. Firewall
A container can only use the netfilter modules the hypervisor allows for it, so by default many iptables rules fail inside containers. To make iptables work in the containers, list the required modules on the hypervisor:
nano /etc/vz/vz.conf
Find the IPTABLES line and set it to:
IPTABLES="ipt_owner ipt_REDIRECT ipt_recent ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ipt_state iptable_nat ip_nat_ftp"
Restart VZ (this stops and starts every container on the host):
/etc/init.d/vz restart
The same list can be given to a single container with vzctl set [VEID] --iptables "..." --save, which avoids restarting the others.
The hypervisor itself also needs the modules loaded at boot; add them to /etc/modules, one per line:
nano /etc/modules
ipt_MASQUERADE
ipt_helper
ipt_REDIRECT
ipt_state
ipt_TCPMSS
ipt_LOG
ipt_TOS
iptable_nat
ipt_length
ipt_tcpmss
iptable_mangle
ipt_limit
ipt_tos
iptable_filter
ipt_ttl
ipt_REJECT
loop
The firewall itself is an init script on the hypervisor:
#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables.sh
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: My firewall
# Description:       Rico-X FIREWALL
### END INIT INFO
# /etc/init.d/iptables
IPT=/sbin/iptables
case "$1" in
start)
    echo "Starting iptables"
    # TCP stack hardening against SYN floods and stale connections
    sysctl -w net.ipv4.tcp_synack_retries=1
    sysctl -w net.ipv4.tcp_max_syn_backlog=4096
    sysctl -w net.ipv4.tcp_fin_timeout=10
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.ipv4.tcp_keepalive_intvl=10
    sysctl -w net.ipv4.tcp_keepalive_probes=5
    sysctl -w net.ipv4.tcp_keepalive_time=60
    # Reverse-path filtering: "default" only covers interfaces created later, "all" covers the existing ones
    sysctl -w net.ipv4.conf.default.rp_filter=1
    sysctl -w net.ipv4.conf.all.rp_filter=1
    # Forwarding stays enabled: the containers are routed through this host
    #sysctl -w net.ipv4.ip_forward=0
    # Start from an empty ruleset so that "start" can be run again without
    # duplicating rules (and without "-N SYN_FLOOD" failing on the second run)
    $IPT -F
    $IPT -X
    # Default policies: nothing inbound unless explicitly allowed
    $IPT -P INPUT DROP
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    # Replies to connections opened from this host
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Loopback
    $IPT -A INPUT -i lo -j ACCEPT
    # Fully trusted internal interfaces: the second NIC and the internal bridge
    $IPT -A INPUT -i eth1 -j ACCEPT
    $IPT -A INPUT -i vmbr1 -j ACCEPT
    # Multicast and corosync, i.e. Proxmox cluster traffic (UDP 5404/5405)
    $IPT -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
    $IPT -A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
    # New TCP connections that do not start with SYN (inserted at the top of the chain)
    $IPT -I INPUT -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
    # SSH brute-force protection: more than 4 new connections from one address
    # within 60 seconds are dropped. Both "recent" rules must come BEFORE the
    # ACCEPT for port 22, otherwise the connection is accepted first and the
    # DROP is never reached; "--set" records the address, "--update" counts the hits.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
    # Management services; these are open on every non-trusted interface too
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT ## SSH
    $IPT -A INPUT -p tcp -m tcp --dport 5900:5999 -j ACCEPT ## VNC
    $IPT -A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT ## Proxmox panel
    # NetBIOS noise
    $IPT -A INPUT -p tcp --dport 137:139 -j DROP
    $IPT -A INPUT -p udp --dport 137:139 -j DROP
    # ICMP: echo request (ping) and time exceeded (traceroute)
    $IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    # Packets that conntrack cannot classify
    $IPT -A INPUT -m state --state INVALID -j DROP
    # DHCP replies from the server
    $IPT -A INPUT -p udp -m udp --dport 68 --sport 67 -j ACCEPT
    # Malformed TCP flag combinations used by port scanners (XMAS, NULL, ...)
    $IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # Rate-limit new SYNs: 2 per second with a burst of 6, the excess is dropped
    $IPT -N SYN_FLOOD
    $IPT -A INPUT -p tcp --syn -j SYN_FLOOD
    $IPT -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
    $IPT -A SYN_FLOOD -j DROP
    ;;
stop)
    echo "Stopping iptables"
    $IPT -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    ;;
*)
    echo "Usage: /etc/init.d/iptables {start|stop}"
    exit 1
    ;;
esac
exit 0
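The SSH rate limit in a script like the one above only works when the "-m recent" rules are ordered correctly, and a mistake there produces no error message. The audit below is an added example, not part of the original page or of any Proxmox tool; it parses iptables-save output and flags an ACCEPT for port 22 that precedes the rate-limit DROP, or a "--update" rule with no matching "--set". The two sample dumps are constructed for the example: the first mirrors the order in which an ACCEPT is placed before the DROP, the second the corrected order. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): audit an "iptables-save" dump
# for two mistakes that silently disable an SSH rate limit based on -m recent:
#   1. an unconditional ACCEPT for --dport 22 BEFORE the
#      "-m recent --update ... -j DROP" rule, so the DROP is never reached;
#   2. no "-m recent --set" rule, so the recent list never fills up and
#      --hitcount can never be exceeded.
# Usage: audit_ssh_ratelimit FILE     (FILE holds "iptables-save" output)
# Prints "OK" or one "BROKEN: ..." line per finding; exit status 1 on findings.
audit_ssh_ratelimit() {
    awk '
        /^\*/ { table = $0 }                       # *filter, *nat, ...
        table == "*filter" && /^-A INPUT / {
            n++                                    # position within INPUT
            if ($0 ~ /--dport 22( |$)/ && $0 ~ /-j ACCEPT/ && !accept_at) accept_at = n
            if ($0 ~ /-m recent/ && $0 ~ /--update/ && $0 ~ /-j DROP/ && !update_at) update_at = n
            if ($0 ~ /-m recent/ && $0 ~ /--set/) have_set = 1
        }
        END {
            bad = 0
            if (!update_at) {
                print "BROKEN: no \"-m recent --update ... -j DROP\" rule in INPUT"; bad = 1
            } else {
                if (!have_set) {
                    print "BROKEN: --update rule has no matching --set rule"; bad = 1
                }
                if (accept_at && accept_at < update_at) {
                    print "BROKEN: ACCEPT for port 22 (rule " accept_at ") precedes rate-limit DROP (rule " update_at ")"; bad = 1
                }
            }
            if (!bad) print "OK"
            exit bad
        }' "$1"
}

# Constructed sample dumps (not captured from a real host).
sample_broken_dump() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
COMMIT
EOF
}
sample_fixed_dump() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Audit both samples. On a real host: iptables-save > /tmp/rules; audit_ssh_ratelimit /tmp/rules
demo_dir=$(mktemp -d)
sample_broken_dump > "$demo_dir/broken"
sample_fixed_dump  > "$demo_dir/fixed"
audit_ssh_ratelimit "$demo_dir/broken" || true     # two BROKEN lines
audit_ssh_ratelimit "$demo_dir/fixed"              # OK
rm -rf "$demo_dir"
```

The audit looks only at the INPUT chain of the filter table and at rule order, which is what matters for the first-match semantics of iptables; it does not check the --seconds or --hitcount values themselves.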
3. Various small things
Changing the time zone of the hypervisor (Europe/Simferopol in this example):
mv /etc/localtime /etc/localtime_org && ln -s /usr/share/zoneinfo/"Europe/Simferopol" /etc/localtime && date
Hiding the subscription warning dialog of the web interface. In the file
/usr/share/pve-manager/ext4/pvemanagerlib.js
replace the line
if (data.status !== 'Active') {
with
if (data.status == 'Active') {
The file belongs to the pve-manager package and is overwritten by every update of it, so the edit has to be repeated afterwards.
Proxmox: 'exit code 60' – corrupt quota file. When a container fails to start with this error, switch its quota off and on again:
vzquota off [VEID]
vzquota on [VEID]
The messages printed by vzquota off are expected here:
vzquota : (error) Quota is not running for id [VEID]
vzquota : (warning) Repairing quota: it was incorrectly marked as running for id [VEID]
cluster not ready - no quorum: a node that has lost its cluster peers refuses to manage containers. If the remaining node has to keep working, tell it how many votes to expect:
pvecm e <expected votes>
(pvecm e is the short form of pvecm expected.) Lowering the expected vote count switches the quorum protection off, so do it only while the other nodes are really down and restore the value once they are back; otherwise two nodes can both believe they own the same containers.
Basic OpenVZ container management on the hypervisor, where [VEID] is the container ID:
vzctl start [VEID]
vzctl enter [VEID]
vzctl stop [VEID]
vzctl restart [VEID]
vzctl destroy [VEID]
vzlist -a
vzctl enter opens a root shell inside the container without asking for a password, vzctl destroy deletes a stopped container together with its private area, and vzlist -a lists all containers, running and stopped alike.
UPD-1: Forwarding VLANs
Suppose the hypervisor has two network cards and VLANs 151, 152 and 666 arrive tagged on eth0; each of them has to be available to the containers as its own bridge.
On the hypervisor:
/etc/network/interfaces
auto vlan151
iface vlan151 inet manual
    vlan_raw_device eth0

auto vlan152
iface vlan152 inet manual
    vlan_raw_device eth0

auto vlan666
iface vlan666 inet manual
    vlan_raw_device eth0

auto vmbr151
iface vmbr151 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan151
    bridge_stp off
    bridge_fd 0

auto vmbr152
iface vmbr152 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan152
    bridge_stp off
    bridge_fd 0

auto vmbr666
iface vmbr666 inet static
    address 0.0.0.0
    netmask 255.255.255.255
    bridge_ports vlan666
    bridge_stp off
    bridge_fd 0
Install the VLAN tools and bring the interfaces up:
apt-get install vlan
ifup vlan151
ifup vlan152
ifup vlan666
Check the result with ifconfig: the vlanNNN interfaces and the vmbrNNN bridges must all be listed.
Then, in the container's settings (Network), add a veth interface attached to the bridge of the needed VLAN (vmbr151, vmbr152 or vmbr666). The bridges carry no IP address of their own (0.0.0.0/32), so the hypervisor is not reachable from those VLANs.
Note:
Editing the network in the web interface regenerates /etc/network/interfaces, so custom Debian-style stanzas (here the second card) are kept in a separate file, /etc/network/interfaces.tail:
auto eth1
iface eth1 inet static
    address 10.7.10.5
    netmask 255.255.255.0
and appended to the main file:
cat /etc/network/interfaces.tail >> /etc/network/interfaces
The *.tail file makes it easy to re-append the additions after the web interface has rewritten the main file.
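Writing the three VLAN/bridge pairs above by hand, and re-appending the tail file after a rewrite, are the two steps where a bridge easily ends up pointing at a vlanNNN interface that no longer has a stanza. The helper below is an added example, not part of the original page or of Proxmox: vlan_bridge_stanza prints the pair of stanzas used above for any VLAN id, and check_bridge_ports reads an interfaces file and reports bridges whose bridge_ports name a vlanNNN interface with no iface stanza. Both names are my own, and the sample file is constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the original page): generate the VLAN + bridge
# stanzas from UPD-1 for any VLAN id, and check an interfaces file for
# bridges that reference a VLAN interface that is not defined.

# vlan_bridge_stanza ID [RAW_DEVICE]: print the "vlanID" and "vmbrID" stanzas
vlan_bridge_stanza() {
    id=$1
    raw=${2:-eth0}
    printf 'auto vlan%s\niface vlan%s inet manual\n\tvlan_raw_device %s\n\n' \
        "$id" "$id" "$raw"
    printf 'auto vmbr%s\niface vmbr%s inet static\n\taddress 0.0.0.0\n\tnetmask 255.255.255.255\n\tbridge_ports vlan%s\n\tbridge_stp off\n\tbridge_fd 0\n\n' \
        "$id" "$id" "$id"
}

# check_bridge_ports FILE: "OK", or one MISSING line per bridge port vlanNNN
# that has no "iface vlanNNN" stanza; exit status 1 when something is missing.
check_bridge_ports() {
    awk '
        /^[ \t]*iface[ \t]+/ { cur = $2; defined[$2] = 1 }
        /^[ \t]*bridge_ports[ \t]+/ {
            for (i = 2; i <= NF; i++) if ($i != "none") port[cur] = port[cur] " " $i
        }
        END {
            bad = 0
            for (b in port) {
                n = split(port[b], p, " ")
                for (i = 1; i <= n; i++)
                    if (p[i] ~ /^vlan[0-9]+$/ && !(p[i] in defined)) {
                        print "MISSING: " b " uses " p[i] " but no iface " p[i] " stanza exists"
                        bad = 1
                    }
            }
            if (!bad) print "OK"
            exit bad
        }' "$1"
}

# Constructed demo file (not a real host configuration): two complete pairs,
# then a bridge for VLAN 666 whose vlan666 stanza is missing.
demo=$(mktemp)
{ vlan_bridge_stanza 151; vlan_bridge_stanza 152; } > "$demo"
check_bridge_ports "$demo"                               # OK
printf 'auto vmbr666\niface vmbr666 inet static\n\tbridge_ports vlan666\n' >> "$demo"
check_bridge_ports "$demo" || true                       # MISSING: vmbr666 ...
rm -f "$demo"
```

Only vlanNNN names are checked, because physical ports such as eth0 need no iface stanza of their own; run check_bridge_ports /etc/network/interfaces after the cat that appends the tail file and before ifup.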