[SOLVED] firewall - continued

Christos Ricudis ricudis at komodino.itc.auth.gr
Fri Nov 18 13:32:10 EET 2005


Harris Kosmidhs wrote:

>In the end I adjusted the firewall as follows:
>====================================================
>iptables -F
>iptables -P INPUT   DROP
>iptables -P FORWARD DROP
>iptables -P OUTPUT  ACCEPT
>
># Incoming traffic belonging to our own outgoing connections.
>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>iptables -A INPUT  -i lo -j ACCEPT
>iptables -A OUTPUT -o lo -j ACCEPT
>  
>
The last one is useless; you already have a default ACCEPT on the OUTPUT chain.

>iptables -A INPUT -p icmp -j ACCEPT
>
># Incoming packets to BitTorrent clients
>iptables -A INPUT -p tcp --dport 6881:6889 -j ACCEPT
>iptables -A INPUT -p udp --dport 6881:6889 -j ACCEPT
>
># incoming ftp
>iptables -A INPUT -p tcp -s 155.207.0.0/16 --dport 20:21 -j ACCEPT
>
>iptables -A INPUT -p TCP --dport 113 -i eth0 -j REJECT --reject-with tcp-reset
>
>iptables -A INPUT -d 255.255.255.255 -j DROP # do not log broadcasts
>iptables -A INPUT -d 224.0.0.0/8 -j DROP # do not log Microsoft multicasts
>  
>
Don't block multicasts; when you need them you'll be hunting for the cause.

>iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
>        --log-prefix "[FIREWALL] INPUT policy: " --log-level notice
>
>echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
>  
>
That's the default, it isn't needed.

>echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>================================================================
>
>It works fine as far as I can see... Maybe the LOG on INPUT is a bit
>annoying, but I'd like to log some things like portscan attacks
>and so on.
>  
>
You don't want to log them, unless you also have something that
processes and summarizes the log.

>Also, I'm not sure how good the rule on port 113 is....
>[someone told me about it a long time ago, maybe on the list]
>  
>

-- 
Christos Ricudis				ricudis at itc.auth.gr
Systems Administrator				+30-2310-998656
IT Support Center
Aristotle University of Thessaloniki, GREECE
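The reply's point is that a LOG rule on the INPUT chain is only useful if something reads the log back. The script below is an added example written for this page, not code from either poster: it summarizes kernel log lines carrying the poster's "[FIREWALL] INPUT policy: " prefix by source, protocol and destination port, and flags sources that touched many distinct ports, which is the crude "portscan" signal the original poster wanted. The log lines in SAMPLE_LOG are constructed for the example; the threshold of 3 is an assumption chosen so the sample triggers it.

```sh
#!/bin/sh
# Added example, not part of the original thread. Reads iptables LOG output
# (as written by the kernel to syslog) and produces two summaries.

# Must match the --log-prefix used in the LOG rule.
FW_LOG_PREFIX='[FIREWALL] INPUT policy: '

# Constructed sample log: one scanner hitting five TCP ports, one host
# repeatedly sending NetBIOS broadcasts, one ICMP echo (no DPT field),
# and one unrelated kernel line that must be ignored.
SAMPLE_LOG='Nov 18 13:30:01 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= SRC=10.0.0.7 DST=155.207.1.9 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Nov 18 13:30:01 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= SRC=10.0.0.7 DST=155.207.1.9 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=23 SYN URGP=0
Nov 18 13:30:02 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= SRC=10.0.0.7 DST=155.207.1.9 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=25 SYN URGP=0
Nov 18 13:30:02 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= SRC=10.0.0.7 DST=155.207.1.9 LEN=60 TTL=64 ID=4 DF PROTO=TCP SPT=40004 DPT=80 SYN URGP=0
Nov 18 13:30:03 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= SRC=10.0.0.7 DST=155.207.1.9 LEN=60 TTL=64 ID=5 DF PROTO=TCP SPT=40005 DPT=443 SYN URGP=0
Nov 18 13:30:04 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.255 LEN=78 TTL=128 ID=6 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 18 13:30:05 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.255 LEN=78 TTL=128 ID=7 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 18 13:30:06 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.255 LEN=78 TTL=128 ID=8 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 18 13:30:07 host kernel: [FIREWALL] INPUT policy: IN=eth0 OUT= SRC=172.16.5.5 DST=155.207.1.9 LEN=84 TTL=60 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Nov 18 13:30:09 host kernel: eth0: link up, 100Mbps, full-duplex'

# summarize_fw_log: stdin -> "count SRC PROTO DPT", most frequent first.
# Lines without the prefix are skipped; a missing DPT (e.g. ICMP) prints as "-".
summarize_fw_log() {
  awk -v prefix="$FW_LOG_PREFIX" '
    index($0, prefix) == 0 { next }
    {
      src = ""; proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)        src   = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      if (src == "") next
      key = src " " proto " " (dpt == "" ? "-" : dpt)
      n[key]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# scan_suspects THRESHOLD: stdin -> "SRC distinct_port_count" for every
# source that hit at least THRESHOLD distinct destination ports.
scan_suspects() {
  threshold="${1:-10}"
  awk -v prefix="$FW_LOG_PREFIX" -v threshold="$threshold" '
    index($0, prefix) == 0 { next }
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)      src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "" || dpt == "") next
      if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
    }
    END { for (s in ports) if (ports[s] >= threshold) print s, ports[s] }
  ' | sort
}

# Stand-alone demo on the constructed sample.
echo "== dropped packets by source/proto/port =="
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
echo "== sources touching >= 3 distinct ports =="
printf '%s\n' "$SAMPLE_LOG" | scan_suspects 3
```

In practice you would feed it the real file, e.g. `grep 'kernel:' /var/log/messages | scan_suspects 10`, from cron. Note that the poster's rule limits logging to 3 lines per minute, so a fast scan will show far fewer distinct ports than were actually probed; the threshold has to be set with that cap in mind.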




More information about the Linux-greek-users mailing list