Differences

This shows you the differences between two versions of the page.

--- linux:firewall [2010/12/29 10:03]
greebo
+++ linux:firewall [2010/12/30 12:54]
greebo
@@ Line 2: / Line 2: @@
 [[linux:firewall_blocktor| how to block TOR network in realtime]]\\
 [[http://www.fs-security.com/|FS security]]\\
 <code bash |>
@@ Line 10: / Line 9: @@
 echo "* Running $0"
 echo "*************"
+echo "* http://tnt.aufbix.org/ linux firewall script"
 echo
@@ Line 26: / Line 26: @@
 # path to iptables and iproute2 files
 IPTB="/sbin/iptables"
 IP="/sbin/ip"
 # name of our Internet and intranet interfaces
-#
 # use INTRANET="eth1+" or INTERNET="eth0+"
 # if you have more ifaces (example: eth0:0)  towards Intranet/Internet
@@ Line 59: / Line 57: @@
 WE_HAVE_INTRANET="0"
+#
 TRUSTED_HOSTS="193.77.1.1/32 \
 .93.224.0/19 \
@@ Line 74: / Line 73: @@
 $IPTB -t nat -F
+# new chain for SSH and HTTP access
 $IPTB -N ssh-access
 $IPTB -N http-access
-  # port redirection (transparent proxy)
+# port redirection (transparent proxy)
 # redirect all outgoing traffic that is NOT for the GW to local (GW) ports
+# DNS (53/tcp and 53/udp) and SMTP (25/tcp)
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p tcp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
 #$IPTB -t nat -A PREROUTING -i ! $INTERNET -p udp -s $LAN -d ! $LAN --dport 53 -j REDIRECT
@@ Line 89: / Line 90: @@
 $IPTB -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# move all SSH and HTTP traffic to apropriate chains
 $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j ssh-access
 $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport 80 -j http-access
-# ssh
+# ssh chain
 for sshhostese in $TRUSTED_HOSTS;
         do
         $IPTB -A ssh-access -s $sshhostese -j ACCEPT
         done
- # Connection limit for SSH connections (1 connection per minute) - usefull against ssh scanners if you MUST open SSH for every IP!
+ # Connection limit for SSH connections (1 connection per minute PER source IP)
- # it is wise to use sshaccess input table (TRUSTED_HOSTS)
+ # - usefull against ssh scanners if you MUST open SSH for every IP!
-$IPTB -A ssh-access -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
+$IPTB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
 $IPTB -A ssh-access -j DROP
 # ssh
@@ Line 156: / Line 158: @@
 $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
 $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>"
 $IPTB -A INPUT -f -j LOG --log-prefix "FRAGMENT> "
@@ Line 177: / Line 178: @@
 $IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+# what we allow from Internet - TCP ports
-# what we allow from Internet
 for i in $TCP_PORTS
 	do
 		$IPTB -A INPUT -p tcp -m state --syn --state NEW  --dport $i -j ACCEPT
-    done
+        done
+# what we allow from Internet - UDP ports
 $IPTB -A INPUT -p udp -m multiport --dport $UDP_PORTS -j ACCEPT
@@ Line 197: / Line 198: @@
 # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough
-$IPTB -A INPUT -p icmp --icmp-type 0  -m limit --limit 30/second -j ACCEPT
+$IPTB -A INPUT -p icmp --icmp-type 0  -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j
+#$IPTB -A INPUT -p icmp --icmp-type 0  -m limit --limit 30/second -j ACCEPT
 $IPTB -A INPUT -p icmp --icmp-type 3  -m limit --limit 30/second -j ACCEPT
 $IPTB -A INPUT -p icmp --icmp-type 4  -m limit --limit 30/second -j ACCEPT