On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl <tansta...@libertytrek.org> wrote:
>

[-- LE SNIP --]

> Ok, well, maybe I should have posted my entire ruleset...
>
> I have this above where I define my chains:
>
> #
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> #
>
> Does it matter where this goes?
>

Yes. Chain declarations must come before the rules themselves.

> And then above that, I have something else that I've never understood:
>
> *mangle

Begin declaration of the "mangle" table.

> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]

The numbers within [brackets] are statistics/counters. Just replace them with [0:0], unless you really really really have a good reason to not start counting from 0...

The second word is the 'policy' of the chain, i.e., the default action taken if no rules match in the chain.

> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG
> -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

Alright, the `--tcp-flags` option takes two parameters: <flags_to_check> and <expected_flags>

These 4 rules collectively block 'well-known TCP Attacks', which I've listed here: http://serverfault.com/a/245713/15440

NOTE: In that ServerFault posting, I suggested using the anti-attack rules in -t raw -A PREROUTING. This saves a great deal of processing, because the "raw" table is just that: raw, unadulterated, unanalyzed packets. The CPU assumes nothing, it merely tries to match well-known fields' values. You *do* have to make sure that you don't forget to compile kernel support for RAW tables ;-)

> COMMIT

End of "mangle" table declaration. Commit all chain definitions and chain rules in one atomic operation.

>> ipset create ssh_in iphash
>> ipset add ssh_in 1.2.3.4
>>
>> and then this works:
>> -A -m set --match-set ssh_in src -j ACCEPT
>>
>> ipset has the same save/load type things as ipt (minor differences
>> with how you handle reload, but google or ask if you want to know).
>> The set needs to be in place before the ipt rule is added, so ipset
>> comes first in your boot sequence.
>
>
> Thanks, looks interesting and useful...
>
> So much to learn, so little time... ;)
>

iptables is a powerful beast; learn it well, and you'll prosper :-)

Rgds,
--
FdS Pandu E Poluan
~ IT Optimizer ~

 • LOPSA Member #15248
 • Blog : http://pandu.poluan.info/blog/
 • Linked-In : http://id.linkedin.com/in/pepoluan
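The `--tcp-flags <flags_to_check> <expected_flags>` semantics explained in the reply, modelled as an added example that is not part of the thread: only the flags in the first list are inspected, and the match succeeds when exactly the second list is set among them. The four quoted PREROUTING rules are encoded as a table and walked in chain order; the flag sets fed in are constructed here for illustration.

```python
"""Model of iptables' `--tcp-flags <mask> <comp>` match (added example).
Kernel logic: (packet_flags & mask) == comp. Flags outside <mask> are
ignored, which is why the first two quoted rules use the full six-flag mask."""
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

def parse_flags(spec: str) -> frozenset:
    """Parse an iptables flag list; ALL and NONE are the documented keywords."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return frozenset(TCP_FLAGS)
    if spec == "NONE":
        return frozenset()
    flags = frozenset(f.strip() for f in spec.split(","))
    unknown = flags - set(TCP_FLAGS)
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return flags

def tcp_flags_match(mask: str, comp: str, packet_flags) -> bool:
    """True when the packet's flags, restricted to <mask>, equal <comp>."""
    return (frozenset(packet_flags) & parse_flags(mask)) == parse_flags(comp)

# The four mangle/PREROUTING rules quoted in the thread, as (mask, comp).
# Each appears in iptables-save as:
#   -A PREROUTING -p tcp -m tcp --tcp-flags <mask> <comp> -j DROP
DROP_RULES = [
    ("FIN,SYN,RST,PSH,ACK,URG", "FIN,PSH,URG"),  # only FIN+PSH+URG set
    ("FIN,SYN,RST,PSH,ACK,URG", "NONE"),         # no flags set at all
    ("SYN,RST", "SYN,RST"),                      # SYN and RST together
    ("FIN,SYN", "FIN,SYN"),                      # SYN and FIN together
]

def first_matching_rule(packet_flags):
    """Index of the first DROP rule that matches, mirroring chain traversal;
    None means the packet falls through to the chain's ACCEPT policy."""
    for i, (mask, comp) in enumerate(DROP_RULES):
        if tcp_flags_match(mask, comp, packet_flags):
            return i
    return None

if __name__ == "__main__":
    # Constructed sample flag sets: a normal SYN, a SYN/ACK, and invalid combos.
    for flags in ({"SYN"}, {"SYN", "ACK"}, set(), {"FIN", "PSH", "URG"},
                  {"SYN", "RST", "ACK"}, {"FIN", "SYN", "ACK"}):
        hit = first_matching_rule(flags)
        print(sorted(flags), "->", f"DROP (rule {hit})" if hit is not None else "policy ACCEPT")
```

Note that `{"FIN","PSH","URG","ACK"}` is not dropped by the first rule, because ACK lies inside the six-flag mask and is not in the expected list; the mask decides what counts, not just the expected flags.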