
Re: R: info iptables



> do you mean something like this?
> 
> 	iptables -P INPUT DROP
> 	iptables -P OUTPUT DROP
> 	iptables -P FORWARD DROP
> 
> but do these rules protect me from the various ping-of-death/port-scanner/SYN-flood attacks???
> 
> that is, if I set those rules, is adding this one useless??
> iptables -A INPUT -p tcp -i $INTERNET --syn -m limit --limit 1/s -j ACCEPT
> 


I use this


#---------------------------------------------------------------
# Ignore bogus ICMP error responses (some routers send malformed
# ICMP errors; logging them only fills the log)
#---------------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#---------------------------------------------------------------
# Enabling SYN-flood protection - Protection from Denial of Service (DoS) attacks
#---------------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#---------------------------------------------------------------
# Disabling the acceptance of ICMP-redirect messages.
#---------------------------------------------------------------
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
#---------------------------------------------------------------
# Disable responding to ping broadcasts (smurf amplification)
#---------------------------------------------------------------
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#---------------------------------------------------------------
# Reverse-path filter: reply out the same interface the query
# came in on, not another one. Helps to maintain state and
# protects against IP spoofing (1 = strict, 2 = loose mode)
#---------------------------------------------------------------
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
#---------------------------------------------------------------
# Drop Invalid packets
#---------------------------------------------------------------
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
#---------------------------------------------------------------
# Allow world to send ICMP echo requests, rate limited; anything
# over the limit falls through to the default policy
#---------------------------------------------------------------
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
#---------------------------------------------------------------
# Drop (NMAP) scan packets: impossible TCP flag combinations
#---------------------------------------------------------------
iptables -N VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
#---------------------------------------------------------------
# Drop packets with unusual TCP options and with port 0
#---------------------------------------------------------------
iptables -A VALID_CHECK -p tcp --tcp-option 64 -j DROP
iptables -A VALID_CHECK -p tcp --tcp-option 128 -j DROP
# Send all incoming TCP through VALID_CHECK (the chain does nothing
# unless INPUT jumps to it)
iptables -A INPUT -p tcp -j VALID_CHECK
iptables -A INPUT -p tcp --dport 0 -j DROP
iptables -A INPUT -p udp --dport 0 -j DROP
iptables -A INPUT -p tcp --sport 0 -j DROP
iptables -A INPUT -p udp --sport 0 -j DROP
#---------------------------------------------------------------
# General stealth scan drop: new connections must start with SYN
# (without --state NEW this rule would also drop every packet
# of established connections)
#---------------------------------------------------------------
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP


LoSpippolo

LATITANTI: Polygons with very many faces.
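As an added example (not from the list post), a small Python model of the iptables `--tcp-flags MASK COMP` match that walks the VALID_CHECK chain above with constructed flag combinations, so you can see what the chain drops and what it lets through before loading the rules:

```python
from functools import reduce

# TCP flag bit values as in the TCP header (the view iptables --tcp-flags uses).
FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
ALL_FLAGS = sum(FLAGS.values())  # iptables' ALL = SYN,ACK,FIN,RST,URG,PSH

def flags(*names):
    """Build a flag bitmask from flag names, e.g. flags("SYN", "ACK")."""
    return reduce(lambda acc, n: acc | FLAGS[n], names, 0)

def parse_spec(spec):
    """Parse an iptables flag list: 'ALL', 'NONE' or 'SYN,FIN,...'."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    return flags(*spec.split(","))

def tcp_flags_match(mask_spec, comp_spec, pkt_flags):
    """'--tcp-flags MASK COMP': of the flags in MASK, exactly those in COMP
    must be set in the packet; the other MASK flags must be clear."""
    return (pkt_flags & parse_spec(mask_spec)) == parse_spec(comp_spec)

# The VALID_CHECK chain from the post, as (mask, comp) pairs in rule order.
VALID_CHECK = [
    ("ALL", "FIN,URG,PSH"),
    ("ALL", "SYN,RST,ACK,FIN,URG"),
    ("ALL", "ALL"),
    ("ALL", "FIN"),
    ("SYN,RST", "SYN,RST"),
    ("SYN,FIN", "SYN,FIN"),
    ("ALL", "NONE"),
]

def verdict(pkt_flags):
    """Walk the chain: ('DROP', rule that matched) or ('RETURN', None)."""
    for mask, comp in VALID_CHECK:
        if tcp_flags_match(mask, comp, pkt_flags):
            return "DROP", f"--tcp-flags {mask} {comp}"
    return "RETURN", None

if __name__ == "__main__":
    # Constructed sample segments: legitimate handshake pieces and malformed probes.
    samples = {"SYN": flags("SYN"), "SYN/ACK": flags("SYN", "ACK"),
               "ACK": flags("ACK"), "FIN/ACK": flags("FIN", "ACK"), "NULL": 0,
               "FIN/PSH/URG": flags("FIN", "PSH", "URG"), "SYN/FIN": flags("SYN", "FIN")}
    for name, f in samples.items():
        print(f"{name:12} -> {verdict(f)}")
```

Note that a bare FIN/ACK segment passes the chain untouched; rejecting connection attempts that do not begin with SYN is what the separate `! --syn` INPUT rule at the end of the script is for.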