
Re: info iptables



On Wed, Jun 01, 2005 at 12:32:49PM +0200, LoSpippolo wrote:
> I use this one

Did you write it by hand, or with the help of some program/package?

Either way, congratulations for using comments ;-)

> #---------------------------------------------------------------
> # Enabling spoofing protection (note: this sysctl only makes the
> # kernel ignore bogus ICMP error responses; the actual anti-spoofing
> # knob is rp_filter, set below)
> #---------------------------------------------------------------
> echo '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> #---------------------------------------------------------------
> # Enabling SYN-flood protection - Protection from Denial of Service (DoS) attacks
> #---------------------------------------------------------------
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> #---------------------------------------------------------------
> # Disabling the acceptance of ICMP-redirect messages.
> # Note: when forwarding is off the kernel ORs conf/all with the
> # per-interface value, so conf/default (and any existing
> # conf/<iface>/accept_redirects) must be 0 as well for this to bite.
> #---------------------------------------------------------------
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
> echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects
> #---------------------------------------------------------------
> # Disable responding to ping broadcasts
> #---------------------------------------------------------------
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> #-------------------------------------------------------------
> # ICMP Dead Error Messages protection (same sysctl as above; a
> # harmless duplicate)
> #-------------------------------------------------------------
> echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> #---------------------------------------------------------------
> # Disable routing triangulation. Respond to queries out
> # the same interface, not another. Helps to maintain state.
> # Also protects against IP spoofing.
> # Note: on 2.6 kernels of this era rp_filter is boolean, so "2" is
> # treated like "1" (strict); only from 2.6.31 does "2" mean loose mode.
> #---------------------------------------------------------------
> echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
> #---------------------------------------------------------------
> # Drop Invalid packets
> #---------------------------------------------------------------
> iptables -A INPUT -m state --state INVALID -j DROP
> iptables -A FORWARD -m state --state INVALID -j DROP
> #---------------------------------------------------------------
> # Allow world to send ICMP packets?
> #---------------------------------------------------------------
> iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
> #---------------------------------------------------------------
> # Drop (NMAP) scan packets
> #---------------------------------------------------------------
> iptables -N VALID_CHECK
> # Hook the chain into INPUT and FORWARD; a user chain that is never
> # jumped to is never evaluated
> iptables -A INPUT -p tcp -j VALID_CHECK
> iptables -A FORWARD -p tcp -j VALID_CHECK
> # --tcp-flags MASK COMP matches when (flags & MASK) == COMP
> iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP          # Xmas scan
> iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
> iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP                  # every flag set
> iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP                  # FIN scan
> iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP          # SYN+RST is never legitimate
> iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP          # SYN+FIN is never legitimate
> iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP                 # NULL scan
> #---------------------------------------------------------------
> # Drop packets carrying reserved TCP option kinds, and any TCP/UDP
> # packet using port 0
> #---------------------------------------------------------------
> iptables -A VALID_CHECK -p tcp --tcp-option 64 -j DROP
> iptables -A VALID_CHECK -p tcp --tcp-option 128 -j DROP
> iptables -A INPUT -p tcp --dport 0 -j DROP
> iptables -A INPUT -p udp --dport 0 -j DROP
> iptables -A INPUT -p tcp --sport 0 -j DROP
> iptables -A INPUT -p udp --sport 0 -j DROP
> #---------------------------------------------------------------
> # General stealth scan drop: a new connection must begin with a bare SYN.
> # Without the state match this rule would also drop the ACK/PSH/FIN
> # segments of every established connection.
> #---------------------------------------------------------------
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> #
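To see what the VALID_CHECK rules above actually match, here is an added example (mine, not code from the quoted script or from the list) that models the `--tcp-flags MASK COMP` semantics in plain Python and runs the chain, in the posted order, against constructed flag combinations named after the nmap scans they resemble. It talks to nothing: the flag values and the "NEW"/"ESTABLISHED" conntrack state passed to the `! --syn` model are assumptions supplied by hand.

```python
"""Model of the VALID_CHECK chain's --tcp-flags rules.

Added example, not part of the original post. No netfilter involved; it
only reproduces iptables' matching semantics so the rules can be
exercised against constructed TCP flag combinations.
"""

# TCP flag bits as they appear in the 13th byte of the TCP header
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20}
ALL = 0x3F   # iptables' ALL = SYN,ACK,FIN,RST,URG,PSH
NONE = 0x00


def flags(spec: str) -> int:
    """Turn an iptables flag list ("SYN,ACK", "ALL", "NONE") into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return NONE
    return sum(FLAGS[f] for f in spec.split(","))


def tcp_flags_match(pkt_flags: int, mask: str, comp: str) -> bool:
    """iptables --tcp-flags MASK COMP: look only at the MASK bits and
    require that exactly the COMP bits among them are set."""
    return (pkt_flags & flags(mask)) == flags(comp)


# The chain as posted: (MASK, COMP) pairs, each a DROP rule
VALID_CHECK = [
    ("ALL", "FIN,URG,PSH"),           # Xmas scan
    ("ALL", "SYN,RST,ACK,FIN,URG"),
    ("ALL", "ALL"),
    ("ALL", "FIN"),                   # FIN scan
    ("SYN,RST", "SYN,RST"),
    ("SYN,FIN", "SYN,FIN"),
    ("ALL", "NONE"),                  # NULL scan
]


def valid_check(pkt_flags: int) -> str:
    """Walk the chain in order; the first match DROPs, otherwise RETURN."""
    for mask, comp in VALID_CHECK:
        if tcp_flags_match(pkt_flags, mask, comp):
            return "DROP"
    return "RETURN"


def syn_rule_drops(pkt_flags: int, conntrack_state: str) -> bool:
    """Model of 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP'.
    --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN. The conntrack
    state is an assumption passed in by the caller."""
    is_syn = tcp_flags_match(pkt_flags, "SYN,RST,ACK,FIN", "SYN")
    return (not is_syn) and conntrack_state == "NEW"


# Constructed sample packets, named after the nmap scan they resemble
SAMPLES = {
    "syn (nmap -sS)":    flags("SYN"),
    "null (nmap -sN)":   flags("NONE"),
    "fin (nmap -sF)":    flags("FIN"),
    "xmas (nmap -sX)":   flags("FIN,PSH,URG"),
    "maimon (nmap -sM)": flags("FIN,ACK"),
    "syn+fin":           flags("SYN,FIN"),
    "established data":  flags("PSH,ACK"),
    "xmas plus ACK":     flags("FIN,PSH,URG,ACK"),
}


def classify_all() -> dict:
    """Verdict of VALID_CHECK for every sample packet."""
    return {name: valid_check(f) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:20s} -> {verdict}")
```

Running it shows two things worth knowing about this chain: a rule with mask ALL is an exact match, so a Maimon probe (FIN,ACK) or an Xmas probe with ACK added passes VALID_CHECK untouched, and it is only the `! --syn` rule on NEW state that catches them.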


