
Re: [SOLVED] iptables advice



On 05/07/12 00:29, Alberto Benítez wrote:
> 2012/7/4 M.Vila <pradoncello@gmail.com>:
>> Thanks for the help!! Here's my configuration.
>>
>> #!/bin/bash
>> iptables -F
>> iptables -t nat -F
>> iptables -Z
>> iptables -X
>>
>> #
>> iptables -P INPUT DROP
>> iptables -P OUTPUT DROP
>> iptables -P FORWARD DROP
>>
>> #
>> #/sbin/modprobe ip_conntrack_ftp
>> #
>> iptables -A OUTPUT -o lo -j ACCEPT
>> iptables -A INPUT -i lo -j ACCEPT
>> #
>> # Ignore pings.
>> /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
>> #
>> # Don't answer broadcasts.
>> /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>> #
>> # To prevent spoofing, make sure the packet's source
>> # address really comes from the right place.
>> for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
>> /bin/echo "1" > ${interface}
>> done
>> #dns
>>
>> iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p udp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED -j ACCEPT
>> #ssh
>>
>> iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 1024:65535 --sport 22 -m state --state ESTABLISHED -j ACCEPT
>> #smtp (outbound client, same direction as the other services)
>>
>> iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 1024:65535 --sport 25 -m state --state ESTABLISHED -j ACCEPT
>> #http
>>
>> iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 1024:65535 --sport 80 -m state --state ESTABLISHED -j ACCEPT
>> #https
>>
>> iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 1024:65535 --sport 443 -m state --state ESTABLISHED -j ACCEPT
>> #smtps (SMTP over SSL)
>> iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 1024:65535 --sport 465 -m state --state ESTABLISHED -j ACCEPT
>> #imap4
>> iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 1024:65535 --sport 993 -m state --state ESTABLISHED -j ACCEPT
>> #pop3
>> iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 1024:65535 --sport 995 -m state --state ESTABLISHED -j ACCEPT
>> #irc
>> iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 1024:65535 --sport 6667 -m state --state ESTABLISHED -j ACCEPT
>> #squid
>> iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 1024:65535 --sport 3128 -m state --state ESTABLISHED -j ACCEPT
>> #
>> iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp --dport 1024:65535 --sport 8080 -m state --state ESTABLISHED -j ACCEPT
>>
>> #
>> iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
>>
>>
> While we're at it, does anyone know of rules to prevent DDoS and MITM?
>
> Regards
>
>

You can use recent to limit the number of packets that reach the
application layer, but you can't stop those packets from reaching your
connection and eating up your bandwidth.

As for MitM, it's a very broad concept that covers different kinds of
attacks; you'll have to be more specific if you want a proper answer.

Regards.
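An added example of the recent match mentioned in the reply above (my own script, not code from the thread or from Debian): it builds the usual set/update/drop pattern that throttles new inbound TCP connections per source address. It assumes a service listening on port 22, an allowance of 4 new connections per 60 seconds and a list name THROTTLE_<port>; by default it only prints the commands, APPLY=1 actually loads them (as root).

```shell
#!/bin/bash
# Throttle new inbound connections per source IP with xt_recent.
# Added example, not from the original thread. Assumptions: port 22,
# 4 hits per 60 s, list name THROTTLE_<port>. Dry run unless APPLY=1.

IPT=${IPT:-/sbin/iptables}

# Print (dry run) or execute one iptables command.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        printf '%s %s\n' "$IPT" "$*"
    fi
}

# recent_limit PORT HITS SECONDS
# Once a source has made HITS new connection attempts to PORT within
# SECONDS, that attempt and any further ones are dropped until the
# window expires. Only what reaches the socket is limited; the packets
# still arrive on the link.
recent_limit() {
    port=$1; hits=$2; secs=$3; name="THROTTLE_$port"
    # 1. record every NEW attempt from this source (no target: falls through)
    ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name "$name" --set
    # 2. drop when the source exceeded its allowance inside the window;
    #    --update refreshes the timestamp, so an abuser stays blocked
    ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name "$name" --update --seconds "$secs" \
        --hitcount "$hits" -j DROP
    # 3. still here: within the allowance
    ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

recent_limit 22 4 60
```

The three rules must precede any blanket ACCEPT for the port, and a separate ESTABLISHED,RELATED rule is still needed for the rest of the connection.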
