Hi

On Fri, 19 Dec 2014 14:07:57 +0100 MaX <maxlinux2000@gmail.com> wrote:

> What do you think? Is it enough?

For servers in the DMZ I usually add (at the top)

# Drop malformed packets, invalid fragments, Xmas, NULL packets and check SYN
-A INPUT -i eth0 -m conntrack --ctstate INVALID -j DROP
-A INPUT -i eth0 -f -j DROP
-A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP

# ICMP
-A INPUT -i eth0 -p icmp -m length --length 128:65535 -j DROP
-A INPUT -i eth0 -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type 11 -j ACCEPT

...and at the bottom

# Default behavior
-A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "[iptables] INPUT Drop: " --log-level 7

--
Gabriele Ficarelli - Jon
GPG: A5D862D7
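To see how the ordering of the two blocks above plays out, here is an added example (not from the original mail or any project): a small Python model of the INPUT chain exactly as quoted, with the service-specific ACCEPT rules that would normally sit between the head and tail blocks left out, so anything the head block lets through falls straight into the tail. The helper names (Pkt, trace, verdict) and the packet values are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    """Constructed packet summary: only the fields the quoted rules look at."""
    proto: str                                  # "tcp", "udp" or "icmp"
    ctstate: str = "NEW"                        # state conntrack assigned
    fragment: bool = False                      # non-first IP fragment (-f)
    tcp_flags: frozenset = frozenset({"SYN"})   # TCP flags that are set
    icmp_type: int = 8                          # 8 = echo request
    length: int = 84                            # total IP length in bytes
    iface: str = "eth0"

ALL_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})

def is_syn(p):
    """iptables --syn: SYN set while RST, ACK and FIN are clear."""
    return "SYN" in p.tcp_flags and not p.tcp_flags & {"RST", "ACK", "FIN"}

def on_eth0(p):
    return p.iface == "eth0"

# (label, match predicate, target), in the order the mail lists them.
RULES = [
    ("ctstate INVALID", lambda p: on_eth0(p) and p.ctstate == "INVALID", "DROP"),
    ("fragment", lambda p: on_eth0(p) and p.fragment, "DROP"),
    ("tcp ! --syn NEW", lambda p: on_eth0(p) and p.proto == "tcp" and not is_syn(p) and p.ctstate == "NEW", "DROP"),
    ("Xmas ALL ALL", lambda p: on_eth0(p) and p.proto == "tcp" and p.tcp_flags == ALL_FLAGS, "DROP"),
    ("NULL ALL NONE", lambda p: on_eth0(p) and p.proto == "tcp" and not p.tcp_flags, "DROP"),
    ("icmp length 128+", lambda p: on_eth0(p) and p.proto == "icmp" and p.length >= 128, "DROP"),
    ("icmp type 3/8/11", lambda p: on_eth0(p) and p.proto == "icmp" and p.icmp_type in (3, 8, 11), "ACCEPT"),
    ("default tcp", lambda p: on_eth0(p) and p.proto == "tcp", "REJECT tcp-reset"),
    ("default udp", lambda p: on_eth0(p) and p.proto == "udp", "REJECT icmp-port-unreachable"),
    ("default other", on_eth0, "REJECT icmp-proto-unreachable"),
    ("log", lambda p: True, "LOG"),   # no -i: only reachable from interfaces other than eth0
]

def trace(p):
    """Walk the chain; collect every matching rule up to the first terminating target."""
    hits = []
    for label, match, target in RULES:
        if match(p):
            hits.append((label, target))
            if target.startswith(("DROP", "ACCEPT", "REJECT")):
                return hits                      # LOG is non-terminating, so we keep going
    hits.append(("chain policy", "POLICY"))      # the chain policy is not stated in the mail
    return hits

def verdict(p):
    """Final target a packet ends up with."""
    return trace(p)[-1][1]
```

Because every tail REJECT carries `-i eth0` and the LOG rule does not, the trace shows that the LOG line is only reached by traffic arriving on other interfaces.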