Differences
This shows you the differences between two versions of the page.
linux:iptables [2013/08/09 08:26] 5.39.219.26 bvemeuye |
linux:iptables [2013/10/25 15:14] a |
Line 1: | Line 1: | ||
- | iknrkuou, http://viagrareviewed.com/ Mail order viagra without prescription, fnZjRyR. | + | ====== Linux filtering / firewalling (netfilter/ |
+ | |||
+ | |||
+ | |||
+ | ==== P2P blocking/ | ||
+ | == Links == | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | * [[linux: | ||
+ | * [[http:// | ||
+ | * [[http://dev.inversepath.com/trac/ | ||
+ | |||
+ | ==== Netfilter concept / network flow ==== | ||
+ | Click on picture below to see more .. | ||
+ | {{ linux: | ||
+ | |||
+ | ==== Logging and limiting SSH bruteforce attacks ==== | ||
+ | |||
+ | Logging is easy, just add the same rule but with a '' | ||
+ | |||
+ | | ||
+ | 1/min –hashlimit-mode srcip –hashlimit-name ssh -m state \ | ||
+ | | ||
+ | |||
+ | |||
+ | As for permantely adding hosts, why? Poluting a firewall ruleset with a rule that isn’t going to be hit frequently is a waste. Which is why the hashlimit rule is perfect for this situation. | ||
+ | |||
+ | See also [[http:// | ||
+ | |||
+ | ==== A solution for blocking ssh probers/ | ||
+ | |||
+ | ### Catch SSH probes | ||
+ | iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0 | ||
+ | -m state --state NEW | ||
+ | -m recent --rcheck --hitcount 3 --seconds 60 --name SSH_PROBERS | ||
+ | -j LOG --log-prefix " | ||
+ | |||
+ | iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0 | ||
+ | -m state --state NEW | ||
+ | -m recent --update --hitcount 3 --seconds 60 --name SSH_PROBERS | ||
+ | -j DROP | ||
+ | |||
+ | iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0 | ||
+ | -m state --state NEW | ||
+ | -m recent --set --name SSH_PROBERS | ||
+ | -j ACCEPT | ||
+ | |||
+ | So, in the INPUT chain, you wouldn' | ||
+ | |||
+ | What it does, is uses the '' | ||
+ | |||
+ | |||
+ | =====Strategy for penalising IPs with too many simultaneous sessions | ||
+ | |||
+ | Something like this (eth0 is the user's network): | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | 1024:65535 -m set --set p2p src -j MARK --set-mark 60 | ||
+ | |||
+ | // | ||
+ | |||
+ | |||
+ | ===== Conntrack table full ===== | ||
+ | > Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed. | ||
+ | > Feb 23 14:26:19 gestor1 kernel: ip_conntrack: | ||
+ | |||
+ | Not necessarily the answer you were looking for, but this is what connlimit was written for. Connlimit will limit the number of parallel | ||
+ | TCP connections per host. Do something like: | ||
+ | |||
+ | iptables -t mangle -A PREROUTING -p tcp -i eth0 --dport 1024: \ | ||
+ | -m connlimit --connlimit-above 30 -j DROP | ||
+ | |||
+ | connlimit is not in the vanilla kernel at the minute; you need to patch with pom. You can download pom from | ||
+ | http:// | ||
+ | |||
+ | ===== Preventing webserver hackers from connecting to IRC servers ===== | ||
+ | |||
+ | Sometimes when a user runs some picture-gallery or forum software, your server gets more or less hacked: a hacker will start under the user with which your webserver runs (' | ||
+ | |||
+ | | ||
+ | |||
+ | //This will not work if the hacker runs his/her irc-server on a different portnumber then the ones blocked.// | ||
+ | |||
+ | ==== Firewall example (the good old TNT firewall) ==== | ||
+ | Download {{linux: |
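Review bot: the three SSH_PROBERS rules (from `iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0` down to `-j ACCEPT`) are each broken across four lines with no trailing `\`, so pasted as written every fragment runs as a separate command and fails; either join each rule onto one line or end the continued lines with `\` as the hashlimit and connlimit examples already do. The hashlimit rule also carries typographic en-dashes (`–hashlimit-mode srcip –hashlimit-name ssh`) where iptables needs `--`, which looks like a blog copy-paste and will be rejected by the option parser. The recent-match ordering itself is sound (`--rcheck` on the LOG rule so logging does not refresh the timer, `--update` on the DROP rule so a persistent prober keeps its block, `--set` only on ACCEPT) and deserves a sentence saying so, since the ordering is what makes the scheme work. Finally, the connlimit caveat ("connlimit is not in the vanilla kernel at the minute; you need to patch with pom") is stale: xt_connlimit has been in mainline since 2.6.23, so on any kernel current at the time of this revision the match is available without patch-o-matic.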