linux:firewall [2010/12/30 12:54] greebo |
linux:firewall [2012/02/21 14:39] greebo |
Line 32: | Line 32: | ||
# use INTRANET=" | # use INTRANET=" | ||
# if you have more ifaces (example: eth0: | # if you have more ifaces (example: eth0: | ||
- | INTRANET=" | + | # |
+ | # WAN Interface | ||
INTERNET=" | INTERNET=" | ||
# ADSL - INTERNET=" | # ADSL - INTERNET=" | ||
+ | # | ||
+ | # LAN Interface | ||
+ | INTRANET=" | ||
| | ||
# what IPs are used in intranet | # what IPs are used in intranet | ||
Line 62: | Line 66: | ||
212.18.32.0/ | 212.18.32.0/ | ||
+ | # enable IP forwarding (routing!) | ||
echo " | echo " | ||
+ | |||
+ | # enable PMTU (mss/mtu discovery) | ||
+ | echo " | ||
# first we flush the tables and policy | # first we flush the tables and policy | ||
Line 118: | Line 126: | ||
# we allow all traffic from $INTRANET and localhost interfaces | # we allow all traffic from $INTRANET and localhost interfaces | ||
- | $IPTB -A INPUT -i $INTRANET -j ACCEPT | + | $IPTB -A INPUT -i $INTRANET |
- | $IPTB -A INPUT -i lo -j ACCEPT | + | $IPTB -A INPUT -i lo -m state --state NEW, |
- | #$IPTB -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix "INVALID | + | $IPTB -A INPUT -m state --state INVALID -m limit --limit 1/minute -j LOG --log-prefix " |
- | #$IPTB -A INPUT -m state --state INVALID -j DROP | + | $IPTB -A INPUT -m state --state INVALID -j DROP |
# | # | ||
Line 129: | Line 137: | ||
#FIN is set and ACK is not | #FIN is set and ACK is not | ||
- | $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP | ||
$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix " | $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix " | ||
+ | $IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP | ||
#PSH is set and ACK is not | #PSH is set and ACK is not | ||
- | $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP | ||
$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix " | $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix " | ||
+ | $IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP | ||
#URG is set and ACK is not | #URG is set and ACK is not | ||
- | $IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP | ||
$IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix " | $IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix " | ||
+ | $IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP | ||
# Block portscans: | # Block portscans: | ||
Line 156: | Line 164: | ||
#FIN and RST are both set | #FIN and RST are both set | ||
- | $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | ||
$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix " | $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix " | ||
+ | $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | ||
- | $IPTB -A INPUT -f -j LOG --log-prefix " | + | $IPTB -A INPUT -f -j LOG --log-prefix "Lost FRAGMENT> |
$IPTB -A INPUT -f -j DROP | $IPTB -A INPUT -f -j DROP | ||
Line 181: | Line 189: | ||
for i in $TCP_PORTS | for i in $TCP_PORTS | ||
do | do | ||
- | $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport $i -j ACCEPT | + | $IPTB -A INPUT -p tcp -m state --syn --state NEW --dport $i -j ACCEPT |
done | done | ||
Line 190: | Line 198: | ||
$IPTB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset | $IPTB -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset | ||
- | # traceroute | + | # traceroute |
$IPTB -A INPUT -p udp -m limit --limit 3/ | $IPTB -A INPUT -p udp -m limit --limit 3/ | ||
# Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS) | # Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS) | ||
$IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix " | $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix " | ||
- | $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j DROP | + | $IPTB -A INPUT -i $INTERNET --fragment -p icmp -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp-frag |
# thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough | # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough | ||
- | $IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j | + | # echo-reply |
- | #$IPTB -A INPUT -p icmp --icmp-type | + | #$IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j ACCEPT |
- | $IPTB -A INPUT -p icmp --icmp-type 3 | + | $IPTB -A INPUT -p icmp --icmp-type |
- | $IPTB -A INPUT -p icmp --icmp-type 4 -m limit --limit 30/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 4 -m hashlimit |
- | $IPTB -A INPUT -p icmp --icmp-type 11 -m limit --limit 30/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 11 -m hashlimit |
- | $IPTB -A INPUT -p icmp --icmp-type 12 -m limit --limit 30/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 12 -m hashlimit |
# | # | ||
- | $IPTB -A INPUT -p icmp --icmp-type 30 -m limit --limit 30/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 30 -m hashlimit |
# echo-request | # echo-request | ||
- | $IPTB -A INPUT -p icmp --icmp-type 8 -m limit --limit 3/second -j ACCEPT | + | $IPTB -A INPUT -p icmp --icmp-type 8 -m hashlimit |
# if the default policy is not DROP then we must use this | # if the default policy is not DROP then we must use this | ||
Line 241: | Line 248: | ||
# ADSL (PPPoE connections) | # ADSL (PPPoE connections) | ||
- | #$IPTB -I FORWARD --protocol | + | #$IPTB -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
$IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu | $IPTB -I FORWARD -o $INTERNET -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu | ||
Line 255: | Line 262: | ||
| | ||
# list the rules | # list the rules | ||
- | $IPTB -L -v -n | + | $IPTB -L -v -n --line |
+ | $IPTB -t nat -L -v -n --line | ||
| | ||
echo $WE_HAVE_INTRANET > / | echo $WE_HAVE_INTRANET > / | ||
</ | </ |
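Review bot: In the last hunk the ICMP-fragment rule `$IPTB -A INPUT -i $INTERNET --fragment -p icmp -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp-frag ...` now carries a hashlimit match on what was previously the unconditional DROP; its target is cut off in this rendering, but if it is still `-j DROP` then only the first 10 fragments per second per source match and are dropped, while everything above the limit skips the rule and falls through to the rest of the chain — the inverse of what the preceding comment ("often used for DoS") asks for. The rate limit belongs on the LOG rule directly above it (keep its existing `--log-prefix`), and the drop should stay unconditional: `$IPTB -A INPUT -i $INTERNET --fragment -p icmp -j DROP`. Note also that the generic `$IPTB -A INPUT -f -j DROP` in the earlier hunk ("Line 164") already drops every non-first fragment before these two rules are reached, so in the order shown they never see a packet. The script continues past the last hunk and the default INPUT policy is not visible here, so whether fall-through ends in DROP cannot be confirmed from this diff.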