Установим сторонние пакеты
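# Refresh the package index and apply pending upgrades first, so the install
# below resolves against current package lists.
apt update
apt upgrade -y
# curl is added because the Xray installer step further down calls it and a
# minimal image may not ship it.
apt install -y iptables-persistent mc wget curl net-tools tcpdump openssh-server fail2ban
# Reboot so an upgraded kernel and upgraded libraries are the ones in use.
reboot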
Настройка iptables
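# --- IPv4 ---
# Order matters when this is typed over SSH: the ACCEPT rules are added while
# the INPUT policy is still ACCEPT, and the policy is switched to DROP last.
# Flushing and setting DROP first cuts the session before the ESTABLISHED and
# port-22 rules exist.
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Nothing configured on this page listens on port 80; keep this rule only if a
# web server runs on the host.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# -n skips reverse DNS lookups, so the listing shows the addresses as matched.
iptables -L -n -v

# --- IPv6 ---
ip6tables -P INPUT ACCEPT
ip6tables -F
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# DHCPv6 replies from a link-local server (port 547) to the client port (546).
ip6tables -A INPUT -s fe80::/10 -p udp -m udp --sport 547 --dport 546 -j ACCEPT
# Accepts everything arriving on a WireGuard interface named wg0. No such
# interface is set up on this page and the expected rules.v6 listing has no
# such line, so the rule is left disabled; enable it only if wg0 exists.
# ip6tables -A INPUT -i wg0 -j ACCEPT
# ICMPv6 carries neighbour discovery and path-MTU messages that IPv6 needs.
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# No IPv6 rule opens 22/80/443, so SSH and Xray are reachable over IPv4 only.

# Writes the live rule sets to /etc/iptables/rules.v4 and rules.v6. A running
# fail2ban has its f2b-sshd chain captured in the snapshot as well.
netfilter-persistent save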
Проверим, что правила применились
nano /etc/iptables/rules.v4
должно быть так
---------------
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A f2b-sshd -j RETURN
COMMIT
---------------
Далее проверяем v6: nano /etc/iptables/rules.v6
---------------
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s fe80::/10 -p udp -m udp --sport 547 --dport 546 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
COMMIT
---------------
Ставим Xray
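# Fetch the installer into a file instead of feeding curl output straight to
# bash: with plain `curl -L` an HTTP error page or a truncated download would
# be executed as root. The URL tracks the moving `main` branch; for a
# reproducible install, fetch a commit you have reviewed instead.
installer=$(mktemp)
# -f fails on HTTP errors, -sS stays quiet but still prints errors, and the
# script runs only if the download succeeded. To read the script before it
# runs as root, execute the curl line alone and inspect "$installer" first.
curl -fsSL -o "$installer" https://github.com/XTLS/Xray-install/raw/main/install-release.sh &&
  bash "$installer" install --without-geodata
rm -f -- "$installer"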
Сгенерировать Short ID
# Prints 8 random bytes as 16 hex characters; the output is the value to put
# into "shortIds" in the server config and "shortId" in the client config.
openssl rand -hex 8
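Сгенерировать ключи для XRay Reality (PrivateKey вставляется в privateKey конфига сервера и остаётся только на сервере; в новых версиях Xray публичный ключ выводится в строке Password — именно его клиент указывает в publicKey)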
xray x25519
PrivateKey: WK…
Password: V5…
Сгенерировать UUID для клиента
xray uuid
b16e23a6-…
systemctl restart xray
Конфиг сервиса Xray находится по пути /usr/local/etc/xray/config.json
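// Xray server config: one VLESS inbound over REALITY on port 443, a direct
// ("freedom") outbound and a blackhole outbound.
{
  "log": {
    // "debug" records per-connection detail for every client; keep the
    // persistent setting at "warning" and switch to "debug" only while
    // troubleshooting.
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "listen": "x.x.x.x", // public IP of the dedicated server
      "port": 443,
      "protocol": "vless",
      "settings": {
        // One entry per user; "email" is only a label used in logs and routing.
        "clients": [
          {
            "email": "my-mobile",
            "id": "...", // client UUID (output of `xray uuid`)
            "flow": "xtls-rprx-vision"
          },
          {
            "email": "kseniia",
            "id": "...", // client UUID (output of `xray uuid`)
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "dest": "x.x.x.x:443", // IP address of a real site on the internet (for example your own domain, in the form 192.168.1.1:443)
          "xver": 0,
          "minClientVer": "",
          "maxClientVer": "",
          "serverNames": [
            "xxx.com" // host name of that real site
          ],
          "privateKey": "...", // PrivateKey from `xray x25519`; never copy it into a client config
          "shortIds": [
            "..." // short ID (output of `openssl rand -hex 8`)
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "domain": [
          "full:lh3.googleusercontent.com",
          "domain:clients6.google.com-x"
        ],
        "outboundTag": "direct"
      },
      {
        // NOTE(review): no client above carries the email "my-home", so this
        // rule matches nobody until such a client is added — confirm.
        "user": [
          "my-home"
        ],
        "outboundTag": "direct"
      }
      // The original had a trailing comma after this last rule, which is
      // not valid JSON; it is removed here.
    ]
  }
}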
Конфиг клиента для v2RayNG
// v2rayNG client config: a local SOCKS inbound on 127.0.0.1:10808 and a
// VLESS-over-REALITY outbound ("proxy") to the Xray server.
{
"remarks": "ProCloud",
"log": {
"loglevel": "warning"
},
"dns": {
"servers": [
{
"tag": "local-dns",
"address": "localhost",
"domains": [
"domain:ru"
],
"skipFallback": true
},
{
// NOTE(review): the tag says "cloudflare-dns", but 223.5.5.5 is a public
// resolver not operated by Cloudflare (AliDNS). It is queried only for the
// name cloudflare-dns.com listed below — confirm this resolver is intended.
"tag": "cloudflare-dns",
"address": "223.5.5.5",
"domains": [
"full:cloudflare-dns.com"
],
"skipFallback": true
},
"https://cloudflare-dns.com/dns-query"
],
"tag": "dns-module"
},
"inbounds": [
{
"tag": "socks",
"port": 10808,
// Bound to loopback only; the inbound has no authentication ("noauth"
// below), so it must not be changed to listen on a routable address.
"listen": "127.0.0.1",
"protocol": "socks",
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
],
"routeOnly": false
},
"settings": {
"auth": "noauth",
"udp": true,
"userLevel": 8
}
}
],
"outbounds": [
{
"tag": "proxy",
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "x.x.x.x", // public IP of the Xray server
"port": 443,
"users": [
{
"id": "...", // client UUID, same value as in the server's "clients" entry
"encryption": "none",
"flow": "xtls-rprx-vision",
"level": 8
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"allowInsecure": false,
"serverName": "xxx.com", // domain name of the cover site (must be one of the server's "serverNames")
"fingerprint": "chrome",
"show": false,
"publicKey": "...", // server public key from `xray x25519` (never the private key)
"shortId": "..." // one of the server's "shortIds"
},
"tcpSettings": {
"header": {
"type": "none"
}
}
},
"mux": {
"enabled": false,
"concurrency": -1
}
},
{
"tag": "direct",
"protocol": "freedom",
"settings": {
"domainStrategy": "UseIP"
}
},
{
"tag": "block",
"protocol": "blackhole",
"settings": {
"response": {
"type": "http"
}
}
}
],
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
// Queries issued by each DNS server above are routed by that server's tag.
"inboundTag": [
"cloudflare-dns"
],
"outboundTag": "proxy",
"type": "field"
},
{
"inboundTag": [
"local-dns"
],
"outboundTag": "direct",
"type": "field"
},
{
"inboundTag": [
"dns-module"
],
"outboundTag": "proxy",
"type": "field"
},
{
// Private address ranges bypass the proxy.
"ip": [
"geoip:private"
],
"outboundTag": "direct",
"type": "field"
},
{
// .ru domains bypass the proxy.
"domain": [
"domain:ru"
],
"outboundTag": "direct",
"type": "field"
}
]
}
}
Чтобы добавить нового пользователя, на сервере выполняем команду
xray uuid
и добавляем в конфиг сервиса в блок
// Fragment of the server inbound's "settings": append one object per new user.
// Give every user a separate UUID so one user's access can be removed by
// deleting only that entry.
"clients": [
{
"email": "my-mobile",
"id": "...", // client UUID (output of `xray uuid`)
"flow": "xtls-rprx-vision"
},
{
"email": "kseniia",
"id": "...", // client UUID (output of `xray uuid`)
"flow": "xtls-rprx-vision"
}
],
После этого рестартуем сервис и проверяем статус
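# Validate the edited config first and restart only if it parses: restarting
# with a broken config stops the running service and disconnects every client.
xray run -test -config /usr/local/etc/xray/config.json &&
  systemctl restart xray.service
systemctl status xray.service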
root@blackbird:~# systemctl status xray.service
● xray.service - Xray Service
Loaded: loaded (/etc/systemd/system/xray.service; enabled; preset: enabled)
Drop-In: /etc/systemd/system/xray.service.d
└─10-donot_touch_single_conf.conf
Active: active (running) since Thu 2026-02-19 07:53:33 UTC; 4h 24min ago
Docs: https://github.com/xtls
Main PID: 32820 (xray)
Tasks: 9 (limit: 1068)
Memory: 11.8M (peak: 20.6M)
CPU: 3min 10.121s
CGroup: /system.slice/xray.service
└─32820 /usr/local/bin/xray run -config /usr/local/etc/xray/config.json