[[linux:firewall]]
Trace:
Show page
AdminRecent ChangesSitemap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Last revision Both sides next revision
linux:firewall [2011/01/10 12:13]
greebo 		linux:firewall [2016/02/23 10:51]
zagi
Line 66: Line 66:
 212.18.32.0/24" 212.18.32.0/24"
  
 +# enable IP forwarding (routing!)
 echo "0" > /proc/sys/net/ipv4/ip_forward echo "0" > /proc/sys/net/ipv4/ip_forward
 +
 +# enable PMTU (mss/mtu discovery)
 +echo "1" > /proc/sys/net/ipv4/tcp_mtu_probing
  
 # first we flush the tables and policy # first we flush the tables and policy
Line 163: Line 167:
 $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  
-$IPTB -A INPUT -f -j LOG --log-prefix "FRAGMENT> "+$IPTB -A INPUT -f -j LOG --log-prefix "Lost FRAGMENT> "
 $IPTB -A INPUT -f -j DROP $IPTB -A INPUT -f -j DROP
  
Line 199: Line 203:
 # Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS) # Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS)
 $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP> " $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix "Fragmented incoming ICMP> "
-$IPTB -A INPUT -i $INTERNET --fragment -p icmp -j DROP+$IPTB -A INPUT -i $INTERNET --fragment -p icmp -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp-frag -j ACCEPT
  
 # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough
-$IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j ACCEPT+# echo-reply 
 +#$IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j ACCEPT
 $IPTB -A INPUT -p icmp --icmp-type 3 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp3 -j ACCEPT $IPTB -A INPUT -p icmp --icmp-type 3 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp3 -j ACCEPT
-$IPTB -A INPUT -p icmp --icmp-type 4 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp4 -j ACCEPT+#$IPTB -A INPUT -p icmp --icmp-type 4 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp4 -j ACCEPT
 $IPTB -A INPUT -p icmp --icmp-type 11 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp11 -j ACCEPT $IPTB -A INPUT -p icmp --icmp-type 11 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp11 -j ACCEPT
 $IPTB -A INPUT -p icmp --icmp-type 12 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp12 -j ACCEPT $IPTB -A INPUT -p icmp --icmp-type 12 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp12 -j ACCEPT
Line 231: Line 236:
 $IPTB -A FORWARD -m state --state INVALID -j DROP $IPTB -A FORWARD -m state --state INVALID -j DROP
 $IPTB -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTB -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-$IPTB -A FORWARD -m state --state NEW -i $INTERNET -j ACCEPT+$IPTB -A FORWARD -m state --state NEW -i $INTERNET -j ACCEPT
  
 $IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP $IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP
linux/firewall.txt · Last modified: 2019/04/15 10:18 by zagi
Show pageOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready