[[linux:firewall]]
Trace:
Show page
AdminRecent ChangesSitemap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
linux:firewall [2009/07/03 12:09]
greebo 		linux:firewall [2010/12/29 10:03]
greebo
Line 1: Line 1:
 [[linux:firewall6|Linux IPV6 firewall]]\\ [[linux:firewall6|Linux IPV6 firewall]]\\
 +[[linux:firewall_blocktor| how to block TOR network in realtime]]\\ 
 [[http://www.fs-security.com/|FS security]]\\ [[http://www.fs-security.com/|FS security]]\\
 +
  
 <code bash |> <code bash |>
Line 48: Line 50:
 # what UDP ports/services we allow (and FORWARD) from Internet # what UDP ports/services we allow (and FORWARD) from Internet
 # use "," as delimiter # use "," as delimiter
-UDP_PORTS="53"+UDP_PORTS="53,123"
  
 # which ports we forward into our intranet # which ports we forward into our intranet
Line 75: Line 77:
 $IPTB -N http-access $IPTB -N http-access
  
-   +  # port redirection (transparent proxy)
-# port redirection (transparent proxy)+
 # redirect all outgoing traffic that is NOT for the GW to local (GW) ports # redirect all outgoing traffic that is NOT for the GW to local (GW) ports
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
Line 87: Line 88:
 # statefull firewall makes most hits # statefull firewall makes most hits
 $IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- 
-# Connection limit for SSH connections (3 connection per minute) - usefull agains ssh scanners if you MUST open SSH for every IP! 
-# it is wise to use sshaccess input table (TRUSTED_HOSTS) 
-#$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT 
-#$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP 
  
 $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
Line 101: Line 97:
         $IPTB -A ssh-access -s $sshhostese -j ACCEPT         $IPTB -A ssh-access -s $sshhostese -j ACCEPT
         done         done
 + # Connection limit for SSH connections (1 connection per minute) - usefull against ssh scanners if you MUST open SSH for every IP!
 + # it is wise to use sshaccess input table (TRUSTED_HOSTS)
 +$IPTB -A ssh-access -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
 +$IPTB -A ssh-access -j DROP
 # ssh # ssh
  
Line 109: Line 109:
         done         done
 # http # http
- 
  
 # IPSEC # IPSEC
Line 239: Line 238:
 $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP
  
-adsl+ADSL (PPPoE connections)
 #$IPTB -I FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu #$IPTB -I FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 $IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu $IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
Line 246: Line 245:
 # in "valid-macs" file # in "valid-macs" file
 #for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done #for mac in `cat valid-macs`; do $IPTB -I FORWARD -m mac --mac-source $mac -j fwfilter ; done
 +
 +# OUTPUT
 +$IPTB -P OUTPUT DROP
 +
 +# only allow NEW and related connections out
 +$IPTB -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      
 # list the rules # list the rules
linux/firewall.txt · Last modified: 2019/04/15 10:18 by zagi
Show pageOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready