[SOLVED] firewall - continued
Harris Kosmidhs
hkosmidi at softnet.tuc.gr
Fri Nov 18 12:16:50 EET 2005
In the end I adapted the firewall as follows:
====================================================
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Incoming traffic belonging to our own outgoing connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# Incoming packets to BitTorrent clients
iptables -A INPUT -p tcp --dport 6881:6889 -j ACCEPT
iptables -A INPUT -p udp --dport 6881:6889 -j ACCEPT
# Incoming ftp from 155.207.0.0/16 (control on 21; passive-mode data
# connections are accepted as RELATED only if ip_conntrack_ftp is loaded)
iptables -A INPUT -p tcp -s 155.207.0.0/16 --dport 20:21 -j ACCEPT
# ident: answer with a TCP RST instead of silently dropping, so remote
# mail/IRC servers doing ident lookups don't hang until they time out
iptables -A INPUT -p tcp --dport 113 -i eth0 -j REJECT --reject-with tcp-reset
iptables -A INPUT -d 255.255.255.255 -j DROP # do not log broadcasts
# 224.0.0.0/4 is the whole multicast range (the /8 used before covered only
# part of it, e.g. not the 239.255.255.250 SSDP traffic Windows hosts send)
iptables -A INPUT -d 224.0.0.0/4 -j DROP # do not log multicasts
# Everything else falls through to the INPUT DROP policy; log a sample of it.
# Note the limit is global for this rule, not per source address.
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "[FIREWALL] INPUT policy: " --log-level notice
# SYN cookies against SYN floods
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# do not accept source-routed packets
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# do not log bogus ICMP error responses
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
================================================================
It works just fine as far as I can see... Maybe the LOG on INPUT is a bit
annoying, but I'd like to log some things of the portscan-attack sort etc.
Also, I'm not sure whether the rule on port 113 is a good one...
[someone told me about it a while back, possibly on this list]
Finally, let me ask: can I limit bandwidth on specific ports or services?
E.g. set ftp so that nobody can upload at more than 50kb/sec. (I imagine
proftpd will support that as an option, but I'm asking more generally.)
Thanks to everyone who helped
More information about the Linux-greek-users mailing list
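On the wish to log portscan-like activity: the LOG rule in the script above already writes one kernel log line per packet that reaches it (subject to the limit match), so the detection itself can be done offline over syslog. The script below is an added example and not code from the original post or the list. It parses lines in the format the iptables LOG target emits (the `[FIREWALL] INPUT policy: ` prefix followed by `KEY=VALUE` fields) and flags source addresses that touch several distinct destination ports within a short window. The hostname, addresses and timestamps in the sample lines are constructed for the example; the year argument is an assumption because syslog timestamps carry none.

```python
"""Flag port-scan-like sources in iptables LOG output (added example)."""
import re
from collections import defaultdict
from datetime import datetime

LOG_PREFIX = "[FIREWALL] INPUT policy: "

# The LOG target prints space-separated KEY=VALUE fields; OUT= is empty on
# INPUT and MAC= is absent for loopback, so every value is optional.
FIELD_RE = re.compile(r"(\w+)=(\S*)")
TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s")

# Constructed sample syslog lines, not real traffic.
SAMPLE_LOG = [
    # 10.0.0.5 walks four ports within a minute: a scan
    "Nov 18 12:16:50 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 18 12:16:51 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 18 12:16:52 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=44323 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 18 12:17:05 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=50000 DPT=161 LEN=58",
    # 10.0.0.9: one TCP port and a ping; not a scan
    "Nov 18 12:20:00 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=33000 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 18 12:20:01 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1",
    # 10.0.0.7: three ports, but half an hour apart; slow probing, not a scan at a 60s window
    "Nov 18 12:00:00 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 18 12:30:00 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 18 13:00:00 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=40002 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0",
    # unrelated kernel message, must be ignored
    "Nov 18 12:16:49 host kernel: eth0: link up, 100Mbps, full-duplex",
]


def parse_line(line, year=2005):
    """Return {ts, src, dst, proto, dpt} for one LOG line, or None if it is not one."""
    if LOG_PREFIX not in line:
        return None
    m = TS_RE.match(line)
    if not m:
        return None
    # syslog timestamps have no year, so the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    fields = dict(FIELD_RE.findall(line.split(LOG_PREFIX, 1)[1]))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return {
        "ts": ts,
        "src": fields["SRC"],
        "dst": fields.get("DST"),
        "proto": fields["PROTO"],
        # ICMP lines carry TYPE/CODE instead of DPT; None keeps them out of the port count.
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def find_scanners(lines, window_seconds=60, min_ports=3, year=2005):
    """Return {src: sorted distinct ports} for sources that hit at least
    min_ports distinct TCP/UDP destination ports inside any window_seconds span."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line, year)
        if rec and rec["dpt"] is not None:
            events[rec["src"]].append((rec["ts"], rec["dpt"]))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= min_ports:
                scanners[src] = sorted({p for _, p in evs})
                break
    return scanners


if __name__ == "__main__":
    for src, ports in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"possible scan from {src}: ports {ports}")
```

One caveat that follows from the script above: `-m limit --limit 3/minute --limit-burst 3` is a single global bucket for that LOG rule, so a scanner shares it with all other dropped traffic and produces at most a few log lines per minute no matter how many ports it probes. Keep `min_ports` at or below the burst value, or rate-limit the LOG rule per source address (the hashlimit match does that) so one noisy host cannot hide another.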