linux:firewall [2010/12/29 10:16]
greebo
linux:firewall [2010/12/30 13:26]
greebo
Line 2: Line 2:
 [[linux:firewall_blocktor| how to block TOR network in realtime]]\\  [[linux:firewall_blocktor| how to block TOR network in realtime]]\\ 
 [[http://www.fs-security.com/|FS security]]\\ [[http://www.fs-security.com/|FS security]]\\
- 
  
 <code bash |> <code bash |>
Line 27: Line 26:
  
 # path to iptables and iproute2 files # path to iptables and iproute2 files
- 
 IPTB="/sbin/iptables" IPTB="/sbin/iptables"
 IP="/sbin/ip" IP="/sbin/ip"
  
 # name of our Internet and intranet interfaces # name of our Internet and intranet interfaces
-# 
 # use INTRANET="eth1+" or INTERNET="eth0+" # use INTRANET="eth1+" or INTERNET="eth0+"
 # if you have more ifaces (example: eth0:0)  towards Intranet/Internet # if you have more ifaces (example: eth0:0)  towards Intranet/Internet
Line 102: Line 99:
         $IPTB -A ssh-access -s $sshhostese -j ACCEPT         $IPTB -A ssh-access -s $sshhostese -j ACCEPT
         done         done
- # Connection limit for SSH connections (1 connection per minute) - usefull against ssh scanners if you MUST open SSH for every IP! + # Connection limit for SSH connections (1 connection per minute PER source IP) 
- # it is wise to use sshaccess input table (TRUSTED_HOSTS) + # - usefull against ssh scanners if you MUST open SSH for every IP! 
-$IPTB -A ssh-access -m limit --limit 1/minute --limit-burst 1 -j ACCEPT+$IPTB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
 $IPTB -A ssh-access -j DROP $IPTB -A ssh-access -j DROP
 # ssh # ssh
Line 132: Line 129:
    
 #FIN is set and ACK is not #FIN is set and ACK is not
-$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP 
 $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN> " $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN> "
 +$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
  
 #PSH is set and ACK is not #PSH is set and ACK is not
-$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP 
 $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH> " $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH> "
 +$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
  
 #URG is set and ACK is not #URG is set and ACK is not
-$IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP 
 $IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG> " $IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG> "
 +$IPTB  -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
  
 # Block portscans: # Block portscans:
Line 159: Line 156:
  
 #FIN and RST are both set #FIN and RST are both set
-$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 
 $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>" $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "fin/rts flag>"
 +$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  
 $IPTB -A INPUT -f -j LOG --log-prefix "FRAGMENT> " $IPTB -A INPUT -f -j LOG --log-prefix "FRAGMENT> "
Line 201: Line 198:
  
 # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough
-$IPTB -A INPUT -p icmp --icmp-type 0  -m limit --limit 30/second -j ACCEPT +$IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j ACCEPT 
-$IPTB -A INPUT -p icmp --icmp-type 3  -m limit --limit 30/second -j ACCEPT +$IPTB -A INPUT -p icmp --icmp-type 3 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp3 -j ACCEPT 
-$IPTB -A INPUT -p icmp --icmp-type 4  -m limit --limit 30/second -j ACCEPT +$IPTB -A INPUT -p icmp --icmp-type 4 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp4 -j ACCEPT 
-$IPTB -A INPUT -p icmp --icmp-type 11 -m limit --limit 30/second -j ACCEPT +$IPTB -A INPUT -p icmp --icmp-type 11 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp11 -j ACCEPT 
-$IPTB -A INPUT -p icmp --icmp-type 12 -m limit --limit 30/second -j ACCEPT+$IPTB -A INPUT -p icmp --icmp-type 12 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp12 -j ACCEPT
 #icmp-traceroute #icmp-traceroute
-$IPTB -A INPUT -p icmp --icmp-type 30 -m limit --limit 30/second -j ACCEPT +$IPTB -A INPUT -p icmp --icmp-type 30 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp30 -j ACCEPT
 # echo-request # echo-request
-$IPTB -A INPUT -p icmp --icmp-type 8  -m limit --limit 3/second -j ACCEPT+$IPTB -A INPUT -p icmp --icmp-type 8 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp8 -j ACCEPT
  
 # if the default policy is not DROP then we must use this # if the default policy is not DROP then we must use this
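Review bot: The new per-source limiter in the ssh-access chain, `$IPTB -A ssh-access -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT` followed by `$IPTB -A ssh-access -j DROP`, counts every packet that enters the chain, not only connection attempts; unless the jump into ssh-access (after the `# ssh` marker, outside this section) is already limited to new connections, a session from a non-trusted host will be throttled to one packet per minute and effectively killed after the handshake. The limiter should only see connection attempts, e.g. `$IPTB -A ssh-access -p tcp --syn -m hashlimit --hashlimit 1/minute --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT` (or `-m conntrack --ctstate NEW`), and the chain then needs an ESTABLISHED,RELATED accept before the final DROP, or must be entered only with `--ctstate NEW`. With `--hashlimit-mode srcip` each source address gets its own table entry, so a spoofed-source sweep can grow the table; the default `--hashlimit-htable-max`/`--hashlimit-htable-expire` values bound this, but it is worth confirming them for the kernel in use. The firewall script this page embeds starts before and continues after the lines shown here.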