linux:firewall [2011/01/10 12:13] greebo |
linux:firewall [2019/04/15 10:18] (current) zagi |
Line 66: | Line 66: | ||
212.18.32.0/ | 212.18.32.0/ | ||
+ | # enable IP forwarding (routing!) | ||
echo " | echo " | ||
+ | |||
+ | # enable PMTU (mss/mtu discovery) | ||
+ | echo " | ||
# first we flush the tables and policy | # first we flush the tables and policy | ||
Line 163: | Line 167: | ||
$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | ||
- | $IPTB -A INPUT -f -j LOG --log-prefix " | + | $IPTB -A INPUT -f -j LOG --log-prefix "Lost FRAGMENT> |
$IPTB -A INPUT -f -j DROP | $IPTB -A INPUT -f -j DROP | ||
Line 199: | Line 203: | ||
# Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS) | # Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS) | ||
$IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix " | $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix " | ||
- | $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j DROP | + | $IPTB -A INPUT -i $INTERNET --fragment -p icmp -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp-frag |
# thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough | # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough | ||
- | $IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j ACCEPT | + | # echo-reply |
+ | #$IPTB -A INPUT -p icmp --icmp-type 0 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp0 -j ACCEPT | ||
+ | # unreachables | ||
$IPTB -A INPUT -p icmp --icmp-type 3 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp3 -j ACCEPT | $IPTB -A INPUT -p icmp --icmp-type 3 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp3 -j ACCEPT | ||
- | $IPTB -A INPUT -p icmp --icmp-type 4 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp4 -j ACCEPT | + | # source-quench (depreciated) |
+ | #$IPTB -A INPUT -p icmp --icmp-type 4 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp4 -j ACCEPT | ||
+ | # timeout (forward loop prevention) | ||
$IPTB -A INPUT -p icmp --icmp-type 11 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp11 -j ACCEPT | $IPTB -A INPUT -p icmp --icmp-type 11 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp11 -j ACCEPT | ||
+ | # parameter problem | ||
$IPTB -A INPUT -p icmp --icmp-type 12 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp12 -j ACCEPT | $IPTB -A INPUT -p icmp --icmp-type 12 -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp12 -j ACCEPT | ||
# | # | ||
Line 231: | Line 240: | ||
$IPTB -A FORWARD -m state --state INVALID -j DROP | $IPTB -A FORWARD -m state --state INVALID -j DROP | ||
$IPTB -A FORWARD -m state --state ESTABLISHED, | $IPTB -A FORWARD -m state --state ESTABLISHED, | ||
- | $IPTB -A FORWARD -m state --state NEW -i ! $INTERNET -j ACCEPT | + | $IPTB -A FORWARD -m state --state NEW ! -i $INTERNET -j ACCEPT |
$IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP | $IPTB -A FORWARD -m pkttype --pkt-type broadcast -j DROP |
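Review bot: The hashlimit rule that replaces `-j DROP` for ICMP fragments arriving on $INTERNET (Line 203 hunk) leaves nothing for fragments that exceed the limit — they now fall through to the rest of INPUT instead of being dropped, and the comment above it still says "Log and drop". The jump target of the new line is cut off on this page, but whichever it is, keep an explicit `$IPTB -A INPUT -i $INTERNET --fragment -p icmp -j DROP` immediately after it and reword the comment to `# Log ICMP fragments, rate-limit per source, drop the excess`. The LOG rule two lines above is not rate-limited, so a fragment flood still fills the log at full rate; a `-m limit` on that line would match the intent of the change. Separately, in the Line 66 hunk the forwarding sysctl is switched on before the "flush the tables and policy" step, so if that truncated echo targets ip_forward, moving it after the FORWARD policy is set avoids a brief window of routing with whatever rules happen to be loaded.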