
Re: kernel firewall options



Nic wrote:
z3ro wrote:
Nic wrote:
Hi everyone. A while ago on the list there was a discussion about security. In particular, those who have a firewall on their router were advised to keep iptables on the Debian box anyway. Could you tell me which options in kernel 2.6.18 and later need to be selected to have a working iptables, to protect one's PC? Or point me to guides or how-tos that explain it in Italian?
Thanks everyone


a very basic firewall could be this one:

iptables -F
iptables -t mangle -F
iptables -t nat -F
iptables -X
iptables -t mangle -X
iptables -t nat -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -f -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
iptables -A INPUT -p udp --dport 4665 -j ACCEPT
iptables -A INPUT -p udp --dport 4672 -j ACCEPT


Thanks Z3ro! But what I was asking about is the kernel setup!
Bye

hi, you could set these for the kernel:
#Disabling IP Spoofing attacks.
#Comment this line out when using IPSEC
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps. These have been the subject of a recent bugtraq thread
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Allow dynamic ip addresses
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

#Log martians (packets with impossible addresses)
#RiVaL said that certain NICs don't like this. Comment out if necessary.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set our local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

bye :)
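Added example, not part of the thread: a small POSIX shell audit that reads the hardening knobs from the reply above back out of /proc/sys and reports any value that drifted or any knob the running kernel does not expose, so the settings are verified after boot instead of assumed. SYSCTL_ROOT, check_key and audit_all are names chosen for this example; ip_forward is expected to be off because the original question concerns a single PC rather than a router.

```shell
#!/bin/sh
# Constructed audit: compares the IPv4 sysctl hardening knobs from the reply
# with what the running kernel actually has. SYSCTL_ROOT defaults to /proc/sys;
# pointing it at a constructed directory tree lets the checks run without root.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Expected values, "key|value" one per line, taken from the posted script,
# except ip_forward: only a router needs forwarding, so a PC should have it off.
EXPECTED='net/ipv4/conf/all/rp_filter|2
net/ipv4/icmp_echo_ignore_broadcasts|1
net/ipv4/conf/all/accept_source_route|0
net/ipv4/tcp_syncookies|1
net/ipv4/conf/all/accept_redirects|0
net/ipv4/icmp_ignore_bogus_error_responses|1
net/ipv4/conf/all/log_martians|1
net/ipv4/ip_forward|0'

# check_key KEY EXPECTED: prints one status line; returns 0 when the value
# matches, 1 on drift, 2 when the kernel does not expose the knob at all.
check_key() {
    file="$SYSCTL_ROOT/$1"
    if [ ! -r "$file" ]; then
        printf 'MISSING %s (kernel does not expose this knob)\n' "$1"
        return 2
    fi
    actual=$(cat "$file" 2>/dev/null) || actual='(unreadable)'
    if [ "$actual" = "$2" ]; then
        printf 'ok      %s = %s\n' "$1" "$actual"
        return 0
    fi
    printf 'DRIFT   %s = %s (expected %s)\n' "$1" "$actual" "$2"
    return 1
}

# audit_all: checks every EXPECTED entry, stores the number of failed checks
# in AUDIT_BAD and always returns 0 so it is safe to call under "set -e".
audit_all() {
    AUDIT_BAD=0
    old_ifs=$IFS
    IFS='
'
    for entry in $EXPECTED; do
        IFS=$old_ifs
        check_key "${entry%%|*}" "${entry#*|}" || AUDIT_BAD=$((AUDIT_BAD + 1))
    done
    printf 'summary: %s check(s) failed\n' "$AUDIT_BAD"
    return 0
}
audit_all
```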


