Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | Next revision Both sides next revision | ||
|
linux:firewall [2010/12/30 12:54] greebo |
linux:firewall [2010/12/30 13:26] greebo |
||
|---|---|---|---|
| Line 129: | Line 129: | ||
| #FIN is set and ACK is not | #FIN is set and ACK is not | ||
| - | $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP | ||
| $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix " | $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix " | ||
| + | $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP | ||
| #PSH is set and ACK is not | #PSH is set and ACK is not | ||
| - | $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP | ||
| $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix " | $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix " | ||
| + | $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP | ||
| #URG is set and ACK is not | #URG is set and ACK is not | ||
| + | $IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix " | ||
| $IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP | $IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP | ||
| - | $IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix " | ||
| # Block portscans: | # Block portscans: | ||
| Line 156: | Line 156: | ||
| #FIN and RST are both set | #FIN and RST are both set | ||
| - | $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | ||
| $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix " | $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix " | ||
| + | $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | ||
| $IPTB -A INPUT -f -j LOG --log-prefix " | $IPTB -A INPUT -f -j LOG --log-prefix " | ||
| Line 198: | Line 198: | ||
| # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough | # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough | ||
| - | $IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j | + | $IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j ACCEPT |
| - | #$IPTB -A INPUT -p icmp --icmp-type | + | $IPTB -A INPUT -p icmp --icmp-type |
| - | $IPTB -A INPUT -p icmp --icmp-type 3 | + | $IPTB -A INPUT -p icmp --icmp-type 4 -m hashlimit |
| - | $IPTB -A INPUT -p icmp --icmp-type 4 -m limit --limit 30/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 11 -m hashlimit |
| - | $IPTB -A INPUT -p icmp --icmp-type 11 -m limit --limit 30/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 12 -m hashlimit |
| - | $IPTB -A INPUT -p icmp --icmp-type 12 -m limit --limit 30/second -j ACCEPT | + | |
| # | # | ||
| - | $IPTB -A INPUT -p icmp --icmp-type 30 -m limit --limit 30/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 30 -m hashlimit |
| # echo-request | # echo-request | ||
| - | $IPTB -A INPUT -p icmp --icmp-type 8 -m limit --limit 3/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 8 -m hashlimit |
| # if the default policy is not DROP then we must use this | # if the default policy is not DROP then we must use this | ||
