Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
linux:firewall [2010/12/29 10:16] greebo |
linux:firewall [2010/12/30 13:26] greebo |
||
---|---|---|---|
Line 2: | Line 2: | ||
[[linux: | [[linux: | ||
[[http:// | [[http:// | ||
- | |||
<code bash |> | <code bash |> | ||
Line 27: | Line 26: | ||
# path to iptables and iproute2 files | # path to iptables and iproute2 files | ||
- | |||
IPTB="/ | IPTB="/ | ||
IP="/ | IP="/ | ||
# name of our Internet and intranet interfaces | # name of our Internet and intranet interfaces | ||
- | # | ||
# use INTRANET=" | # use INTRANET=" | ||
# if you have more ifaces (example: eth0: | # if you have more ifaces (example: eth0: | ||
Line 102: | Line 99: | ||
$IPTB -A ssh-access -s $sshhostese -j ACCEPT | $IPTB -A ssh-access -s $sshhostese -j ACCEPT | ||
done | done | ||
- | # Connection limit for SSH connections (1 connection per minute) - usefull against ssh scanners if you MUST open SSH for every IP! | + | # Connection limit for SSH connections (1 connection per minute |
- | # it is wise to use sshaccess input table (TRUSTED_HOSTS) | + | # |
- | $IPTB -A ssh-access -m limit --limit 1/minute --limit-burst 1 -j ACCEPT | + | $IPTB -A ssh-access -m hashlimit |
$IPTB -A ssh-access -j DROP | $IPTB -A ssh-access -j DROP | ||
# ssh | # ssh | ||
Line 132: | Line 129: | ||
#FIN is set and ACK is not | #FIN is set and ACK is not | ||
- | $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP | ||
$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix " | $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix " | ||
+ | $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP | ||
#PSH is set and ACK is not | #PSH is set and ACK is not | ||
- | $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP | ||
$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix " | $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix " | ||
+ | $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP | ||
#URG is set and ACK is not | #URG is set and ACK is not | ||
- | $IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP | ||
$IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix " | $IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix " | ||
+ | $IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP | ||
# Block portscans: | # Block portscans: | ||
Line 159: | Line 156: | ||
#FIN and RST are both set | #FIN and RST are both set | ||
- | $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | ||
$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix " | $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix " | ||
+ | $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | ||
$IPTB -A INPUT -f -j LOG --log-prefix " | $IPTB -A INPUT -f -j LOG --log-prefix " | ||
Line 201: | Line 198: | ||
# thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough | # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough | ||
- | $IPTB -A INPUT -p icmp --icmp-type 0 -m limit --limit 30/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit |
- | $IPTB -A INPUT -p icmp --icmp-type 3 -m limit --limit 30/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 3 -m hashlimit |
- | $IPTB -A INPUT -p icmp --icmp-type 4 -m limit --limit 30/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 4 -m hashlimit |
- | $IPTB -A INPUT -p icmp --icmp-type 11 -m limit --limit 30/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 11 -m hashlimit |
- | $IPTB -A INPUT -p icmp --icmp-type 12 -m limit --limit 30/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 12 -m hashlimit |
# | # | ||
- | $IPTB -A INPUT -p icmp --icmp-type 30 -m limit --limit 30/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 30 -m hashlimit |
# echo-request | # echo-request | ||
- | $IPTB -A INPUT -p icmp --icmp-type 8 -m limit --limit 3/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 8 -m hashlimit |
# if the default policy is not DROP then we must use this | # if the default policy is not DROP then we must use this |