
Re: info iptables



I found this one and use it:

	http://easyfwgen.morizot.net/

Do you know of any others?

--> -----Original Message-----
--> From: int [mailto:alefor@gmx.de]
--> Sent: Wednesday 1 June 2005 13.08
--> To: debian-italian@lists.debian.org
--> Subject: Re: info iptables
--> 
--> 
--> On Wed, Jun 01, 2005 at 12:32:49PM +0200, LoSpippolo wrote:
--> > I use this
--> 
--> Did you write it by hand, or with the help of some program/package?
--> 
--> In any case, congratulations on using comments ;-)
--> 
--> > #---------------------------------------------------------------
--> > # Enabling SYN-flood protection - Protection from Denial of Service (DoS) attacks
--> > #---------------------------------------------------------------
--> > echo "1" > /proc/sys/net/ipv4/tcp_syncookies
--> > #---------------------------------------------------------------
--> > # Disabling acceptance of ICMP redirect messages.
--> > #---------------------------------------------------------------
--> > echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
--> > #---------------------------------------------------------------
--> > # Disable responding to ping broadcasts (smurf amplification)
--> > #---------------------------------------------------------------
--> > echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
--> > #---------------------------------------------------------------
--> > # Ignore bogus ICMP error responses. (The original script wrote this
--> > # same sysctl twice, once under a "spoofing protection" heading;
--> > # the duplicate has been dropped, spoofing is handled by rp_filter below.)
--> > #---------------------------------------------------------------
--> > echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
--> > #---------------------------------------------------------------
--> > # Disable routing triangulation. Respond to queries out
--> > # the same interface, not another. Helps to maintain state.
--> > # Also protects against IP spoofing.
--> > # 1 = strict reverse-path filtering. On kernels >= 2.6.31 the value 2
--> > # selects loose mode, which does not enforce the same-interface check.
--> > #---------------------------------------------------------------
--> > echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
--> > #---------------------------------------------------------------
--> > # Drop Invalid packets
--> > #---------------------------------------------------------------
--> > iptables -A INPUT -m state --state INVALID -j DROP
--> > iptables -A FORWARD -m state --state INVALID -j DROP
--> > #---------------------------------------------------------------
--> > # Allow world to send ICMP echo requests, rate limited. Packets above
--> > # the limit fall through to the rest of the chain and its policy.
--> > #---------------------------------------------------------------
--> > iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT
--> > #---------------------------------------------------------------
--> > # Drop (NMAP) scan packets: illegal TCP flag combinations
--> > #---------------------------------------------------------------
--> > iptables -N VALID_CHECK
--> > iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP      # XMAS scan
--> > iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
--> > iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP              # every flag set
--> > iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP              # FIN scan
--> > iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
--> > iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
--> > iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP             # NULL scan
--> > #---------------------------------------------------------------
--> > # Drop packets carrying unexpected TCP option numbers
--> > #---------------------------------------------------------------
--> > iptables -A VALID_CHECK -p tcp --tcp-option 64 -j DROP
--> > iptables -A VALID_CHECK -p tcp --tcp-option 128 -j DROP
--> > #---------------------------------------------------------------
--> > # Run every TCP packet through VALID_CHECK. The original script
--> > # created the chain but never jumped to it, so none of its rules fired.
--> > #---------------------------------------------------------------
--> > iptables -A INPUT -p tcp -j VALID_CHECK
--> > iptables -A FORWARD -p tcp -j VALID_CHECK
--> > #---------------------------------------------------------------
--> > # Port 0 is never valid as source or destination
--> > #---------------------------------------------------------------
--> > iptables -A INPUT -p tcp --dport 0 -j DROP
--> > iptables -A INPUT -p udp --dport 0 -j DROP
--> > iptables -A INPUT -p tcp --sport 0 -j DROP
--> > iptables -A INPUT -p udp --sport 0 -j DROP
--> > #---------------------------------------------------------------
--> > # General stealth scan drop: a new connection must start with SYN.
--> > # Restricted to state NEW; without it this rule drops every packet of
--> > # every established session, not just scans.
--> > #---------------------------------------------------------------
--> > iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
--> > #
--> 
--> 


