linux:firewall [2010/01/28 20:54] greebo |
linux:firewall [2010/12/29 10:03] greebo |
Line 2: | Line 2: | ||
[[linux: | [[linux: | ||
[[http:// | [[http:// | ||
- | |||
Line 51: | Line 50: | ||
# what UDP ports/ | # what UDP ports/ | ||
# use "," | # use "," | ||
- | UDP_PORTS=" | + | UDP_PORTS=" |
# which ports we forward into our intranet | # which ports we forward into our intranet | ||
Line 78: | Line 77: | ||
$IPTB -N http-access | $IPTB -N http-access | ||
- | | + | # port redirection (transparent proxy) |
- | # port redirection (transparent proxy) | + | |
# redirect all outgoing traffic that is NOT for the GW to local (GW) ports | # redirect all outgoing traffic that is NOT for the GW to local (GW) ports | ||
#$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT | #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT | ||
Line 90: | Line 88: | ||
# statefull firewall makes most hits | # statefull firewall makes most hits | ||
$IPTB -A INPUT -m state --state ESTABLISHED, | $IPTB -A INPUT -m state --state ESTABLISHED, | ||
- | |||
- | # Connection limit for SSH connections (3 connection per minute) - usefull agains ssh scanners if you MUST open SSH for every IP! | ||
- | # it is wise to use sshaccess input table (TRUSTED_HOSTS) | ||
- | #$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT | ||
- | #$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP | ||
$IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access | $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access | ||
Line 104: | Line 97: | ||
$IPTB -A ssh-access -s $sshhostese -j ACCEPT | $IPTB -A ssh-access -s $sshhostese -j ACCEPT | ||
done | done | ||
+ | # Connection limit for SSH connections (1 connection per minute) - usefull against ssh scanners if you MUST open SSH for every IP! | ||
+ | # it is wise to use sshaccess input table (TRUSTED_HOSTS) | ||
+ | $IPTB -A ssh-access -m limit --limit 1/minute --limit-burst 1 -j ACCEPT | ||
+ | $IPTB -A ssh-access -j DROP | ||
# ssh | # ssh | ||
Line 112: | Line 109: | ||
done | done | ||
# http | # http | ||
- | |||
# IPSEC | # IPSEC | ||
Line 242: | Line 238: | ||
$IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP | $IPTB -t nat -A POSTROUTING -o $INTERNET -s $LAN -j SNAT --to-source $GW_IP | ||
- | # adsl | + | # ADSL (PPPoE connections) |
#$IPTB -I FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | #$IPTB -I FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | ||
$IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu | $IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu | ||
Line 249: | Line 245: | ||
# in " | # in " | ||
#for mac in `cat valid-macs`; | #for mac in `cat valid-macs`; | ||
+ | |||
+ | # OUTPUT | ||
+ | $IPTB -P OUTPUT DROP | ||
+ | |||
+ | # only allow NEW and related connections out | ||
+ | $IPTB -A OUTPUT -m state --state NEW, | ||
| | ||
# list the rules | # list the rules |
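Review bot: The limiter appended to the ssh-access chain (`$IPTB -A ssh-access -m limit --limit 1/minute --limit-burst 1 -j ACCEPT` followed by `$IPTB -A ssh-access -j DROP`, Line 97 hunk) keeps one shared token bucket for every non-TRUSTED_HOSTS source, so a single scanner consumes the one-per-minute allowance and all other legitimate clients are dropped along with it — the rule turns a brute-force attempt into a lockout of everyone rather than throttling the offender. A per-source bucket preserves the intent: `$IPTB -A ssh-access -m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/minute --hashlimit-burst 1 --hashlimit-name ssh -j ACCEPT` (older iptables spells the rate option `--hashlimit`). The final `-j DROP` discards the excess silently; a `$IPTB -A ssh-access -j LOG --log-prefix "ssh-limit: "` placed before it makes lockouts visible in syslog, and the new comment says 1/minute where the removed commented-out rule used 3/minute, so confirm the tighter value is deliberate. In the Line 245 hunk, `$IPTB -P OUTPUT DROP` is set before the OUTPUT ACCEPT rule is appended, which cuts the gateway's own outbound traffic for the interval between the two commands when the script is applied live; appending the rule first and setting the policy last avoids that window. That hunk's ACCEPT line is truncated here and the hunk appears to continue past the end of this page.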