authorandreas2021-05-05 22:05:34 +0200
committerandreas2021-05-05 22:05:34 +0200
commit4c189014548096ea7ee5badc99e3a02e048d5c34 (patch)
treec3eeda7929b5628352b4a53c07b62a49a7c5458d
parent15089d0c05de86b345b33607a6e1aaa63b37c365 (diff)
(iptables) Add some security rules. Try another ping rule.
-rw-r--r--src/firewall/src-default23
1 files changed, 19 insertions, 4 deletions
diff --git a/src/firewall/src-default b/src/firewall/src-default
index a3f44cf..d851063 100644
--- a/src/firewall/src-default
+++ b/src/firewall/src-default
@@ -5,6 +5,18 @@
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
+# Drop corrupt (evil) null packets.
+-A INPUT -p tcp –tcp-flags ALL NONE -j DROP
+
+# Drop corrupt (evil) syn packets.
+-A INPUT -p tcp ! –syn -m state –state NEW -j DROP
+
+# Drop XMAS (corrupt/evil) packets
+-A INPUT -p tcp –tcp-flags ALL ALL -j DROP
+
+# Anti DoS attack
+#-A INPUT -p tcp --dport 1:1024 -m limit --limit 1/seconds --limit-burst 100 -j ACCEPT
+
# DNS client
#-A OUTPUT -p udp --dport 53 -m udp -j ACCEPT
#-A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
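Review bot: The three live rules added at the top of this hunk use an en dash (U+2013, `–tcp-flags`, `–syn`, `–state`) where iptables expects two ASCII hyphens, so iptables-restore will reject the file with an unknown-option error instead of installing them; the commented-out lines in the same file (`--dport`, `--state`) show the correct form. They should read `-A INPUT -p tcp --tcp-flags ALL NONE -j DROP`, `-A INPUT -p tcp ! --syn -m state --state NEW -j DROP` and `-A INPUT -p tcp --tcp-flags ALL ALL -j DROP`. Because a parse error aborts the whole restore rather than skipping one rule, running `iptables-restore --test` on the file before committing would catch this. The commented-out anti-DoS line is an ACCEPT with a rate limit and no matching DROP for the excess, so if it is later enabled as written it would presumably not limit anything on its own — worth a comment noting that a companion rule is needed.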
@@ -17,10 +29,13 @@
#-A OUTPUT -p udp --dport 67:68 -j ACCEPT
#-A INPUT -p udp -m state --state ESTABLISHED,RELATED --sport 67:68 -j ACCEPT
-# Ping
-#-A OUTPUT -p icmp -j ACCEPT
-#-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-#-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Ping client
+#-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
+#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
+
+# Ping server
+#-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+#-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Traceroute client
#-A OUTPUT -p udp -m udp --match multiport --dports 33434:33523 -j ACCEPT