Re: Default Policy = DROP. Help-me
On 2007-10-27 Pascal Hambourg wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> On 2007-10-24 Yuri Rodrigues wrote:
>>> I usually browse the Internet, get ssh servers for my network and
>>> get my ssh server when I am in a remote location. But can not access
>>> servers ssh from my server firewall. Somebody help me with that
>> Ouch. *Never* flush the chains before setting the default policies.
>> Also *never* enable IP forwarding before setting the default
> I guess you mean "before setting default policies to DROP".
>> $iptables -t filter -P INPUT DROP
>> $iptables -t filter -P OUTPUT DROP
>> $iptables -t filter -P FORWARD DROP
>> $iptables -t nat -P PREROUTING ACCEPT
>> $iptables -t nat -P POSTROUTING ACCEPT
>> $iptables -t mangle -P PREROUTING ACCEPT
>> $iptables -t mangle -P POSTROUTING ACCEPT
> What about the other chains in the nat and mangle tables ?
I was being lazy here.
>> $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> Don't you forget to accept RELATED,ESTABLISHED traffic in OUTPUT and
> FORWARD and outgoing traffic on the loopback interface ?
Yes, as I already mentioned in a later reply.
>>> #### Protection against ping flood ####
>>> $iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
>>> echo "Protecao contra ping flood ......................... [ Ok ]"
>> A limit rule does not protect against ping floods. "ping flood" means
>> that the attacker is sending so many echo-requests that they consume
>> your entire bandwidth. There's exactly nothing you can do on your
>> firewall to protect you from that.
> Except when you're on a link with asymmetric up/down bandwidth such as
> ADSL. If you're on a 128/512 kbit/s link, a 128 kbit/s flood ping is
> not enough to fill your downstream but enough to fill your upstream. By
> limiting the incoming echo request (and *not any* ICMP type) rate, you
> can limit the outgoing echo reply rate and avoid consuming all your
> upstream bandwidth.
A valid point, though probably somewhat theoretical. How often does a
situation where a flood doesn't consume the entire downstream bandwidth
really occur? Please note that I'm not objecting to rate-limiting
incoming ICMP packets (on the contrary). I'm merely saying that unlike
limiting incoming syn packets it won't protect from floods. At least in
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
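The points raised in this exchange (DROP policies before the flush, RELATED,ESTABLISHED on OUTPUT and FORWARD as well as INPUT, loopback in both directions, rate-limiting echo-request rather than all of ICMP, forwarding enabled last) fit into a short script. The one below is an added example, not Yuri's script and not code posted by Ansgar or Pascal. It assumes the ipt_state match is available, that ssh listens on port 22, and it defaults IPTABLES and SYSCTL to `echo` so it can be dry-run and checked without root.

```shell
#!/bin/sh
# Added example (not from this thread): a minimal stateful iptables script
# applying the ordering advice above. IPTABLES and SYSCTL default to "echo"
# so the script can be dry-run without root; set them to the real binaries
# and pass "apply" to load the rules. Assumptions: ssh on port 22, ipt_state
# available, nat/mangle tables present.
IPTABLES="${IPTABLES:-echo}"
SYSCTL="${SYSCTL:-echo}"
SSH_PORT="${SSH_PORT:-22}"

firewall_rules() {
    # 1. Default policies first, so a flush never leaves the box open and
    #    any failure after this point fails closed.
    for c in INPUT OUTPUT FORWARD; do
        $IPTABLES -t filter -P "$c" DROP
    done
    # nat and mangle have more built-in chains than PREROUTING/POSTROUTING.
    for c in PREROUTING OUTPUT POSTROUTING; do
        $IPTABLES -t nat -P "$c" ACCEPT
    done
    for c in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        $IPTABLES -t mangle -P "$c" ACCEPT
    done

    # 2. Only now flush old rules and user chains; the policies keep holding.
    for t in filter nat mangle; do
        $IPTABLES -t "$t" -F
        $IPTABLES -t "$t" -X
    done

    # 3. Loopback both ways (OUTPUT is DROP by default as well).
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # 4. Stateful allowances on all three filter chains, not only INPUT.
    for c in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$c" -m state --state RELATED,ESTABLISHED -j ACCEPT
    done

    # 5. Rate-limit incoming echo-request only (not every ICMP type), so the
    #    echo replies cannot saturate a small upstream; the excess simply
    #    falls through to the DROP policy.
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 1/s --limit-burst 4 -j ACCEPT

    # 6. New connections: ssh in, and ssh out to remote servers.
    $IPTABLES -A INPUT  -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT

    # 7. Forwarding last, once the FORWARD policy and rules are in place.
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Dry-run helper: line number of the first emitted command matching $1.
first_match() {
    ( IPTABLES=echo; SYSCTL=echo; firewall_rules ) \
        | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Succeeds when the last DROP policy is set before the filter table is flushed.
policy_before_flush() {
    p=$(first_match '-P FORWARD DROP')
    f=$(first_match '-t filter -F')
    [ -n "$p" ] && [ -n "$f" ] && [ "$p" -lt "$f" ]
}

if [ "${1:-}" = apply ]; then
    firewall_rules
fi
```

Run `sh fw.sh apply` to see the commands it would issue; `IPTABLES=/sbin/iptables SYSCTL=/sbin/sysctl sh fw.sh apply` loads them. Because OUTPUT is DROP, anything else the box needs to originate (DNS, NTP, package updates) must get its own NEW rule the way ssh does here; the script opens only what the original question asked for.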