> intendi una cosa del genere? > > iptables -P INPUT DROP > iptables -P OUTPUT DROP > iptables -P FORWARD DROP > > ma queste regole mi proteggono da vari ping of death / port scanner / SYN flood? > > cioè, se imposto quelle regole, aggiungere questa è inutile? > iptables -A INPUT -p tcp -i $INTERNET --syn -m limit --limit 1/s -j ACCEPT >
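# io uso questo
#
# Host hardening for an iptables/netfilter firewall: a few IPv4 sysctl knobs
# followed by INPUT/FORWARD rules that drop malformed and scan-style TCP
# packets.  Must run as root (writes under /proc/sys and calls iptables).
# These rules are meant to be installed *before* any ACCEPT rules and assume
# DROP default policies (iptables -P INPUT DROP, etc.) -- a DROP policy only
# discards what no rule has accepted; it does not rate-limit anything by
# itself, so the sysctl/limit rules below are still needed.
#
# Defects in the previous version that are fixed here:
#   1. the VALID_CHECK chain was created and filled but nothing ever jumped
#      to it, so none of its rules could match;
#   2. "-p tcp ! --syn -j DROP" without "--state NEW" also drops the ACK/data
#      packets of every legitimate established connection;
#   3. icmp_ignore_bogus_error_responses was written twice and the first copy
#      was labelled "spoofing protection", which it is not;
#   4. accept_redirects was only cleared on conf/all; on a non-forwarding
#      host the kernel ORs conf/all with the per-interface value, so every
#      conf/*/accept_redirects must be 0 for the setting to take effect.

# Write one value into /proc/sys/net/ipv4/<key>; warn (do not abort) on
# failure so a missing knob on an older kernel does not stop the rest.
write_sysctl() {
  local key=$1 value=$2
  printf '%s\n' "$value" > "/proc/sys/net/ipv4/$key" \
    || printf 'warning: could not set net.ipv4.%s=%s\n' "$key" "$value" >&2
}

#---------------------------------------------------------------
# Ignore bogus ICMP error responses (stops hostile/broken ICMP from
# filling the kernel log; this is *not* anti-spoofing).
#---------------------------------------------------------------
write_sysctl icmp_ignore_bogus_error_responses 1

#---------------------------------------------------------------
# SYN-flood protection: SYN cookies let the host keep accepting
# connections when the SYN backlog is exhausted.
#---------------------------------------------------------------
write_sysctl tcp_syncookies 1

#---------------------------------------------------------------
# Do not accept ICMP redirects (an attacker on the LAN could use
# them to rewrite our routes).  Clear conf/all, conf/default and
# every existing interface, since the kernel combines them.
#---------------------------------------------------------------
for redirect_knob in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  [[ -e "$redirect_knob" ]] || continue
  write_sysctl "${redirect_knob#/proc/sys/net/ipv4/}" 0
done

#---------------------------------------------------------------
# Do not answer pings sent to a broadcast address (smurf amplifier).
#---------------------------------------------------------------
write_sysctl icmp_echo_ignore_broadcasts 1

#---------------------------------------------------------------
# Reverse-path filtering (source-address validation).
#   1 = strict: drop if the best route back to the source is not via
#       the receiving interface -- the real anti-spoofing setting, but
#       it breaks asymmetric routing on multi-homed hosts;
#   2 = loose: drop only if the source is unreachable via *any*
#       interface -- much weaker.
# The original used 2; keep that as the default but make it overridable
# (RP_FILTER_MODE=1 is recommended on single-homed hosts).  The kernel
# applies max(conf/all, conf/<iface>), so setting conf/all is enough.
#---------------------------------------------------------------
write_sysctl conf/all/rp_filter "${RP_FILTER_MODE:-2}"

#---------------------------------------------------------------
# Drop packets the connection tracker cannot classify.
#---------------------------------------------------------------
iptables -A INPUT   -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

#---------------------------------------------------------------
# Allow the world to ping us, rate-limited.  Echo requests above the
# limit fall through to the (DROP) policy.
#---------------------------------------------------------------
iptables -A INPUT -p icmp --icmp-type echo-request \
  -m limit --limit 20/second --limit-burst 100 -j ACCEPT

#---------------------------------------------------------------
# Drop (NMAP) scan packets: TCP flag combinations that never occur
# in a legitimate connection (XMAS, NULL, SYN+FIN, SYN+RST, ...).
# Create the chain, or flush it if the script is re-run.
#---------------------------------------------------------------
iptables -N VALID_CHECK 2>/dev/null || iptables -F VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH         -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL                 -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN                 -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST         -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN         -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE                -j DROP

#---------------------------------------------------------------
# Drop packets carrying unusual TCP *options* (kinds 64 and 128).
# Note: --tcp-option matches TCP options, not flags, despite the
# label the original script gave these two rules.
#---------------------------------------------------------------
iptables -A VALID_CHECK -p tcp --tcp-option 64  -j DROP
iptables -A VALID_CHECK -p tcp --tcp-option 128 -j DROP

# The chain is useless unless traffic is actually sent through it.
iptables -A INPUT   -p tcp -j VALID_CHECK
iptables -A FORWARD -p tcp -j VALID_CHECK

# Port 0 is never valid as a TCP/UDP source or destination.
iptables -A INPUT -p tcp --dport 0 -j DROP
iptables -A INPUT -p udp --dport 0 -j DROP
iptables -A INPUT -p tcp --sport 0 -j DROP
iptables -A INPUT -p udp --sport 0 -j DROP

#---------------------------------------------------------------
# General stealth-scan drop: a packet that starts a *new* connection
# must be a SYN.  "--state NEW" is essential -- without it this rule
# would also drop the non-SYN packets of every established session.
#---------------------------------------------------------------
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# LoSpippolo LATITANTI: Poligoni con moltissime facce.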