Differences
This shows you the differences between two versions of the page.
linux:iptables [2013/08/08 11:45] a old revision restored
linux:iptables [2013/08/12 09:20] 5.39.219.26 nklazewm
Line 1: | Line 1: | ||
- | ====== Linux firewalling (netfilter/ | + | hevjcuou, |
- | + | ||
- | + | ||
- | + | ||
- | ==== P2P blocking/ | + | |
- | == Links == | + | |
- | * [[http://ipp2p.org/]] | + | |
- | * [[http:// | + | |
- | * [[http:// | + | |
- | * [[linux: | + | |
- | * [[http:// | + | |
- | * [[http://dev.inversepath.com/trac/ | + | |
- | + | ||
- | ==== Netfilter concept / network flow ==== | + | |
- | Click on picture below to see more .. | + | |
- | {{ linux: | + | |
- | + | ||
- | ==== Logging and limiting SSH bruteforce attacks ==== | + | |
- | + | ||
- | Logging is easy, just add the same rule but with a '' | + | |
- | + | ||
- | | + | |
- | 1/min –hashlimit-mode srcip –hashlimit-name ssh -m state \ | + | |
- | | + | |
- | + | ||
- | + | ||
- | As for permantely adding hosts, why? Poluting a firewall ruleset with a rule that isn’t going to be hit frequently is a waste. Which is why the hashlimit rule is perfect for this situation. | + | |
- | + | ||
- | See also [[http://www.ducea.com/2006/ | + | |
- | + | ||
- | ==== A solution for blocking ssh probers/ | + | |
- | + | ||
- | ### Catch SSH probes | + | |
- | iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0 | + | |
- | -m state --state NEW | + | |
- | -m recent --rcheck --hitcount 3 --seconds 60 --name SSH_PROBERS | + | |
- | -j LOG --log-prefix " | + | |
- | + | ||
- | iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0 | + | |
- | -m state --state NEW | + | |
- | -m recent --update --hitcount 3 --seconds 60 --name SSH_PROBERS | + | |
- | -j DROP | + | |
- | + | ||
- | iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0 | + | |
- | -m state --state NEW | + | |
- | -m recent --set --name SSH_PROBERS | + | |
- | -j ACCEPT | + | |
- | + | ||
- | So, in the INPUT chain, you wouldn' | + | |
- | + | ||
- | What it does, is uses the '' | + | |
- | + | ||
- | + | ||
- | =====Strategy for penalising IPs with too many simultaneous sessions | + | |
- | + | ||
- | Something like this (eth0 is the user's network): | + | |
- | + | ||
- | | + | |
- | | + | |
- | + | ||
- | | + | |
- | | + | |
- | + | ||
- | | + | |
- | 1024:65535 -m set --set p2p src -j MARK --set-mark 60 | + | |
- | + | ||
- | //You'll have to compile your kernel with **'' | + | |
- | + | ||
- | + | ||
- | ===== Conntrack table full ===== | + | |
- | > Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed. | + | |
- | > Feb 23 14:26:19 gestor1 kernel: ip_conntrack: | + | |
- | + | ||
- | Not necessarily the answer you were looking for, but this is what connlimit was written for. Connlimit will limit the number of parallel | + | |
- | TCP connections per host. Do something like: | + | |
- | + | ||
- | iptables -t mangle -A PREROUTING -p tcp -i eth0 --dport 1024: \ | + | |
- | -m connlimit --connlimit-above 30 -j DROP | + | |
- | + | ||
- | connlimit is not in the vanilla kernel at the minute; you need to patch with pom. You can download pom from | + | |
- | http://ipset.netfilter.org/install.html, but you may need to patch pom first! See http://lists.netfilter.org/pipermail/ | + | |
- | + | ||
- | ===== Preventing webserver hackers from connecting to IRC servers ===== | + | |
- | + | ||
- | Sometimes when a user runs some picture-gallery or forum software, your server gets more or less hacked: a hacker will start under the user with which your webserver runs (' | + | |
- | + | ||
- | | + | |
- | + | ||
- | //This will not work if the hacker runs his/her irc-server on a different portnumber then the ones blocked.// | + | |
- | + | ||
- | ==== Firewall example (the good old TNT firewall) ==== | + | |
- | Download {{linux: | + |
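Review bot: this revision should be reverted rather than kept, because the right-hand side replaces the entire page body with the single string `hevjcuou,` and nothing else. Every left-hand line is removed: the "Linux firewalling (netfilter" heading, the P2P blocking links, the netfilter flow diagram, the "Logging and limiting SSH bruteforce attacks" section with its `hashlimit` rule, the `SSH_PROBERS` rules built on `-m recent --rcheck/--update/--set`, the "Strategy for penalising IPs with too many simultaneous sessions" marks, the "Conntrack table full" note with its `connlimit` rule, the IRC-port blocking section and the TNT firewall download. The edit comes from the anonymous address 5.39.219.26 with the non-descriptive summary `nklazewm`, and the previous revision (2013/08/08 11:45, "old revision restored") is the one to roll back to.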