Thread: Help with IPTABLES
-
09-02-2008, 04:52 PM #1 Junior Guru Wannabe
Join Date: Jul 2007 | Posts: 61
Help with IPTABLES
Would somebody please look this over & tell me if it will do the trick or not, and kindly make any suggestions to improve it.
Code:
# Generated by iptables-save v1.3.5 on Mon Aug 25 22:17:02 2008
*filter
:INPUT ACCEPT [8:240]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:6291]
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
-A INPUT -i eth0 -s 192.0.2.0/24 -j DROP
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 113 -j REJECT
-A INPUT -p udp -s 0/0 -d 0/0 --dport 113 -j REJECT
-A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
-A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
-
09-02-2008, 05:19 PM #2 Web Hosting Guru
Join Date: Nov 2002 | Location: Bay Area, California | Posts: 309
This is a server?
I would never use connection tracking on a server - leads too easily to denial of service. My personal opinion.
And can you tell us the purpose of the rate limit?
If you are going to reject traffic from odd sources the list should be quite a bit longer than what you have here.
Sunwave Communications
http://www.sunwave.com/
Safety - Service - Economy
-
09-02-2008, 05:23 PM #3 Web Hosting Guru
Join Date: Nov 2002 | Location: Bay Area, California | Posts: 309
Oh yes, I think all the recent DNS vulnerability updates randomize the outbound port number for DNS requests, so if you were trying to allow outbound DNS, and if you've done a recent update, this may not work.
-
09-02-2008, 05:27 PM #4 Web Hosting Guru
Join Date: Nov 2002 | Location: Bay Area, California | Posts: 309
Oh, so I guess this would be a problem for inbound DNS requests too, doh!
-
09-02-2008, 05:30 PM #5 Web Hosting Guru
Join Date: Nov 2002 | Location: Bay Area, California | Posts: 309
If the policy on your table is ACCEPT, then you don't need any ACCEPT lines that follow the last deny line.
-
09-02-2008, 05:31 PM #6 Web Hosting Guru
Join Date: Nov 2002 | Location: Bay Area, California | Posts: 309
Did you really mean 0.0.0.0/8, or is that a typo for 10.0.0.0/8?
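The four review points in replies #2, #3/#4, #5 and #6 can be checked mechanically against an iptables-save dump. The script below is an added example, not code from the thread or from any iptables tool: it parses the *filter table, then flags NEW-state rules keyed on a DNS source port of 53 (reply #3/#4), the 0.0.0.0/8 anti-spoof entry (reply #6), ACCEPT rules that sit after a chain's last DROP/REJECT when the chain policy is already ACCEPT (reply #5), and well-known reserved ranges the anti-spoof section does not cover (reply #2). The embedded SAMPLE is a trimmed copy of the ruleset posted in #1, and the check names, the RESERVED list and the `check` function are my own choices.

```python
"""Added example: a small linter for iptables-save dumps, built around the
points raised in replies #2, #3, #5 and #6 of the thread."""
import shlex
from ipaddress import ip_network

# Constructed sample: the *filter table from post #1, trimmed to the rules the checks look at.
SAMPLE = """*filter
:INPUT ACCEPT [8:240]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:6291]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
-A INPUT -i eth0 -s 192.0.2.0/24 -j DROP
-A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
-A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
COMMIT
"""

# Reserved ranges an anti-spoof list on an Internet-facing interface normally drops (my choice of list).
RESERVED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "224.0.0.0/4"]


def parse(dump):
    """Return (policies, rules) for the *filter table of an iptables-save dump.
    Each rule is a dict holding chain, target, source, sport, the --state set and the raw argv."""
    policies, rules, table = {}, [], None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
            continue
        if table != "filter":
            continue
        if line.startswith(":"):          # chain policy line, e.g. :INPUT ACCEPT [8:240]
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        if line.startswith("-A "):
            argv = shlex.split(line)
            rule = {"argv": argv, "chain": argv[1], "target": None,
                    "source": None, "sport": None, "states": set()}
            for i, tok in enumerate(argv):
                nxt = argv[i + 1] if i + 1 < len(argv) else None
                if tok == "-j":
                    rule["target"] = nxt
                elif tok == "-s":
                    rule["source"] = nxt
                elif tok == "--sport":
                    rule["sport"] = nxt
                elif tok == "--state":
                    rule["states"] = set(nxt.split(","))
            rules.append(rule)
    return policies, rules


def check(dump):
    """Return a list of (kind, chain, detail) findings for the *filter table."""
    policies, rules = parse(dump)
    findings = []
    for r in rules:
        text = " ".join(r["argv"])
        # Reply #3/#4: resolvers randomise the query source port, so a NEW-state
        # rule that requires --sport 53 will not match real DNS traffic.
        if "NEW" in r["states"] and r["sport"] == "53":
            findings.append(("dns-sport", r["chain"], text))
        # Reply #6: 0.0.0.0/8 is "this network", not the 10.0.0.0/8 private range.
        if r["source"] == "0.0.0.0/8":
            findings.append(("zero-net", r["chain"], text))
    # Reply #5: with a default-ACCEPT policy, ACCEPT rules after the chain's last
    # DROP/REJECT change nothing, because the policy would accept anyway.
    for chain, policy in policies.items():
        if policy != "ACCEPT":
            continue
        chain_rules = [r for r in rules if r["chain"] == chain]
        last_deny = max((i for i, r in enumerate(chain_rules)
                         if r["target"] in ("DROP", "REJECT")), default=-1)
        for r in chain_rules[last_deny + 1:]:
            if r["target"] == "ACCEPT":
                findings.append(("redundant-accept", chain, " ".join(r["argv"])))
    # Reply #2: report reserved ranges that no source-based DROP rule covers.
    covered = []
    for r in rules:
        if r["target"] == "DROP" and r["source"]:
            try:
                covered.append(ip_network(r["source"], strict=False))
            except ValueError:          # e.g. the shorthand 0/0, which ipaddress rejects
                pass
    for net in RESERVED:
        n = ip_network(net)
        if not any(n.subnet_of(c) for c in covered):
            findings.append(("missing-bogon", "INPUT", net))
    return findings


if __name__ == "__main__":
    for kind, chain, detail in check(SAMPLE):
        print(f"{kind:17} {chain:7} {detail}")
```

Run against the sample it reports both --sport 53 rules, the 0.0.0.0/8 entry, the three ACCEPT rules that the ACCEPT policy already covers, and the five reserved ranges the anti-spoof block never mentions. Feeding it the output of `iptables-save` on a real host works the same way, since only the *filter table is read.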