Re: opzioni kernel firewall
Nic wrote:
z3ro ha scritto:
Nic wrote:
Ciao a tutti.Un po di tempo fa in lista si era parlato di
sicurezza.In particolare si consigliava a chi aveva il firewall sul
router di lasciare comunque iptables anche sulla Debian.Mi potreste
indicare quali opzioni nel kernel dal 2.6.18 in su bisogna
selezionare per avere iptables funzionante,per proteggere il proprio
pc?Oppure indicarmi guide o how-to che lo spieghino in italiano?
Grazie a tutti
un firewall molto elementare potrebbe essere questo:
iptables -F
iptables -t mangle -F
iptables -t nat -F
iptables -X
iptables -t mangle -X
iptables -t nat -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -f -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
iptables -A INPUT -p udp --dport 4665 -j ACCEPT
iptables -A INPUT -p udp --dport 4672 -j ACCEPT
Grazie Z3ro!La mia richiesta però è il settaggio nel kernel!
Ciao
ciao potresti mettere queste per il kernel :
#Disabling IP Spoofing attacks.
#Comment this line out when using IPSEC
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Enable forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward
#Block source routing
echo 0 >/proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps. These have been the subject of a recent bugtraq
thread
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Allow dynamic ip addresses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#Log martians (packets with impossible addresses)
#RiVaL said that certain NICs don't like this. Comment out if
necessary.
echo 1 >/proc/sys/net/ipv4/conf/all/log_martians
#Set out local port range
echo "32768 61000" >/proc/sys/net/ipv4/ip_local_port_range
#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
ciao :)
Reply to: