Posts: 4.881
Threads: 35
Joined: Mar 2022
Reputation:
1.389
04-04-2026, 09:48 AM
(This post was last modified: 04-04-2026, 09:58 AM by savan.)
Juce mi stigao ZTE ruter i omogucen internet dok ne stigne 5g oprema, Orion lozinka i password za adsl u promenjeni jer Orion vise nije Orion nego je sad u sklopu forme Tlekom, ko je Telekom ni radici ne znaju, kazu to je sad sve pod Mts, mislim strasno, platio sam javnu staticku ip adresu medjutim dodeljena mi je dinamicka adresa i pod cgnat sam a placam staticku javnu ip adresu, katastrofa, zalim se i cekam odgovor. U medjuvremenu hteo da prikljucim moju opremu jer mi se ne svidja ZTE ruter i ne mogu da pronadjem koji je username i password za adsl jer ocigledno da nije vise orionov jer vidim u log fajlu da parametri nemaju pristup, sta da radim, krenem da trazim koja j default lozinka za ssh u ruteru i naidjem na ovo https://github.com/threat9/routersploit/issues/654 , na moje iznenadjenje ta lozinka i password su i na mom zte ruteru : ) Udjem i iscupam lozinku i password za adsl i proradi mi to na mjoj opremi. Neverovatne stvari, ja mislim da smo najgori od sve dece u okruzenju, takav opsti haos ja to nisam video za mojih koliko godina imam! Postavlja se pitanje koliko je sigurna ta oprema koju daje Mts?? Ako Mts ima pristup modemu onda verovatno i neko drugi ima pristup, i preko ovih kredentials moze da radi sta hoce a da ni ne znas? Nisam gledao dali su otvoreni portovi za world pristup, nije mi se svideo router pa nisam ni gledao, ali ko ima ovakav ruter obavezno da proveri -> https://www.yougetsignal.com/tools/open-ports/ !
Posts: 4.881
Threads: 35
Joined: Mar 2022
Reputation:
1.389
5 hours ago
(This post was last modified: 5 hours ago by savan.)
Uspeo sam da prevarim cgnat uspesno, tako sto sam uzeo probni period vps-a na Mts, 30 dana je besplatno, instalirao WireGuard, na dreamboxy wireguard go, podesio sve lepo, povezao , malo muke jer prvi put to radim ali sam skontao i radi kao sat! Odlican je taj Mts-ov vps, 100din je na dan kad istekne probni period -> https://www.oblaci.rs/productlist tako da razmislicu jos sta cu da uradim, mozda ostavim adsl sa fiksnom ip adreson ali uzmem najsporiji paket pa u kucnoj varijanti napravim svoj vpn a kad stigne oprema za 5g zakupim na mesecnom nivou protoko koliko mi je potrebno, mada raspitacu se dali postoji mogucnost staticke ip adrese na 5g da se ne zezam sa ovim : )
Code: interface: wg0
public key: OXXXXXXXsvdoWU67QxwKzij3muaXXXXXXo=
private key: (hidden)
listening port: XXXXX1
peer: XXXXXXXXXXXXXXXph2MqU4XofMzvqCXXXXXX=
endpoint: 93.xx.xx.xx:XXX0
allowed ips: 10.8.0.1/32
latest handshake: 35 seconds ago
transfer: 3.38 MiB received, 2.85 MiB sent
persistent keepalive: every 25 seconds
Posts: 4.881
Threads: 35
Joined: Mar 2022
Reputation:
1.389
4 hours ago
(This post was last modified: 4 hours ago by savan.)
Evo i iptables skripta koju sam napravio ako nekad nekom zatreba. Pristup ssh portu je moguc samo sa uredjaja koji je kao wg klijent ili sa definisane ip adrese, sve sto je vidljivo od portovan a vps jeste samo udp port wg i portovi koji su otvoreni ka mojoj kucnoj mrezi, sve ostalo je drop i reject. U jednom momentu sam sam sebe zakljucao kad sam restartovao ruter i promenila mi se ip adresa, a nisam obezbedio ovu liniju "#allow wireguard" da bi mogao preko dremaboxa da pristupim, sva sreca pa ne koristim ufw pa mi nije aktiviran pa se iptables resetovale na allow nakon restarta vps-a inace bi sve morao ponovo da instaliram. Ovako podeseno ni konzola sa Mts Oblaci nema pristup pa ne moze nista da se uradi ako se zakljuca ulaz, u tom slucaju mora da se ponovo reinstalira os na vm. Znaci samo je jedan siguran backdor aktivan a to je ulaz preko uredjaja koji je klijent wg ili ako ste predhodno upisali pravu ip adresu sa pocetka skripte to je kao varijanta dva koja nije sigurna jer ako se promeni dinamicka ip adresa ne moze na ta vrata da se udje u sistem.
Code: #!/bin/bash
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
IPTABLES_BIN=`which iptables`
DESTINACIJA=10.8.0.2
MOJAIP=90.90.90.134
WGINT=wg0
WGPORT=55520
ETHINT=ens224
DEBUG=0
IPTABLES() {
[[ "$DEBUG" == 1 ]] && echo "Izvrsavam: $IPTABLES_BIN $@"
$IPTABLES_BIN "$@"
}
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "15" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_slow_start_after_idle
#get ip of these dns and store into variable
BLOCK_DNS="
109.101.33.238
"
BLOCK_DNS=""
# first actions - delete all rules - do not touch
IPTABLES -F
IPTABLES -X
IPTABLES -t nat -F
IPTABLES -t nat -X
IPTABLES -t mangle -F
IPTABLES -t mangle -X
# allow all from localhost - do not touch
IPTABLES -A INPUT -i lo -j ACCEPT
IPTABLES -A OUTPUT -o lo -j ACCEPT
# change policy to drop all - do not touch
IPTABLES --policy INPUT DROP
IPTABLES --policy OUTPUT DROP
IPTABLES --policy FORWARD DROP
#######################
# 1: Drop invalid packets
IPTABLES -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
# 2: Drop TCP packets that are new and are not SYN
IPTABLES -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# 3: Drop SYN packets with suspicious MSS value
IPTABLES -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
# 4: Block packets with bogus TCP flags
IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
IPTABLES -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# 5: Block spoofed packets
IPTABLES -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
IPTABLES -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
IPTABLES -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
IPTABLES -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
#IPTABLES -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
IPTABLES -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
IPTABLES -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
#IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/24 ! -i eth0 -j DROP
# 6: Drop ICMP (you usually don't need this protocol)
#IPTABLES -t mangle -A PREROUTING -p icmp -j DROP
# 7: Drop fragments in all chains
IPTABLES -t mangle -A PREROUTING -f -j DROP
########################
# blocking input start here
# 8: Limit connections per source IP
IPTABLES -A INPUT -p tcp -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
# reject empty packets?
IPTABLES -A INPUT -p tcp --dport 80 -m length --length 20 -j REJECT --reject-with tcp-reset
#IPTABLES -A INPUT -m iprange --src-range 212.200.156.0-212.200.157.255 -j DROP
#block gametracker and game monitor sites
#IPTABLES -A INPUT -m iprange --src-range 208.167.241.176-208.167.241.191 -j DROP
#IPTABLES -A INPUT -m iprange --src-range 108.61.78.0-108.61.78.255 -j DROP
#IPTABLES -A INPUT -m iprange --src-range 208.43.52.0-208.43.52.255 -j DROP
#IPTABLES -A INPUT -p udp -s $ACTIVISION -j REJECT
# amerikano range : )
IPTABLES -A INPUT -p tcp -s 192.35.168.0/24 -j REJECT --reject-with tcp-reset
for TT in $BLOCK_DNS; do
if [ ! -z "$TT" ]; then
IPTABLES -A INPUT -s $TT -j DROP
fi
done
#IPTABLES -A INPUT -m iprange --src-range 91.19.0.0-91.19.255.255 -j REJECT --reject-with icmp-port-unreachable
#####################################
# block by string match (1024 bytes)
IPTABLES -A INPUT -p tcp --dport 80 -m string --string 'HTTP/1.0' --algo bm --to 1024 -j REJECT --reject-with icmp-port-unreachable
IPTABLES -A INPUT -p tcp --dport 80 -m string --string 'CONNECT' --algo bm --to 1024 -j REJECT --reject-with icmp-port-unreachable
IPTABLES -A INPUT -p tcp --dport 80 -m string --string 'censys' --algo bm --to 1024 -j REJECT --reject-with icmp-port-unreachable
IPTABLES -A INPUT -p tcp --dport 80 -m string --string 'paloaltonetworks' --algo bm --to 1024 -j REJECT --reject-with icmp-port-unreachable
##################################
# do not touch
IPTABLES -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
IPTABLES -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
IPTABLES -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# do not touch
IPTABLES -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
IPTABLES -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
IPTABLES -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#################################
# allow rules
#allow wireguard
IPTABLES -A INPUT -p udp --dport $WGPORT -m state --state NEW -j ACCEPT
# allow ssh kroz tunel
IPTABLES -A INPUT -s $DESTINACIJA -p tcp --dport 22 -m state --state NEW -j ACCEPT
IPTABLES -A INPUT -s $MOJAIP -p tcp --dport 22 -m state --state NEW -j ACCEPT
OPEN_PORTS="
80:tcp
4545:tcp
"
for ITEM in $OPEN_PORTS; do
# Preskoci ako stavka pocinje sa #
[[ "$ITEM" =~ ^# ]] && continue
# Razdvajanje porta i protokola
IFS=":" read -r PORT PROT <<< "$ITEM"
# DNAT preusmeravanje
IPTABLES -t nat -A PREROUTING -p "$PROT" --dport "$PORT" -j DNAT --to-destination $DESTINACIJA:"$PORT"
# Dozvola u FORWARD lancu
IPTABLES -A FORWARD -i $ETHINT -p "$PROT" -d $DESTINACIJA --dport "$PORT" -j ACCEPT
done
# 4. Maskiranje (da $DESTINACIJA zna da odgovori VPS-u, a ne direktno klijentu)
IPTABLES -t nat -A POSTROUTING -o $WGINT -j MASQUERADE
# bez ovoga nece da radi
IPTABLES -A FORWARD -i $WGINT -j ACCEPT
#################################
# block all other with force fragments packets check
IPTABLES -A INPUT -f -j DROP
exit 0
|
