#1 (Join Date: Jul 2007, Posts: 61)

    Help with IPTABLES

    Would somebody please look this over & tell me if it will do the trick or not, and kindly make any suggestions to improve it.

    Code:
    # Generated by iptables-save v1.3.5 on Mon Aug 25 22:17:02 2008
    *filter
    :INPUT ACCEPT [8:240]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [10:6291]
    -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
    -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
    -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
    -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
    -A INPUT -i eth0 -s 192.0.2.0/24 -j DROP
    -A INPUT -p tcp -s 0/0 -d 0/0 --dport 113 -j REJECT
    -A INPUT -p udp -s 0/0 -d 0/0 --dport 113 -j REJECT
    -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
    -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
    -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
    -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
    -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
    COMMIT
    # Generated by webmin
    *mangle
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    # Completed
    # Generated by webmin
    *nat
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    # Completed
    I need to keep port 2222 for DA open apart from the standard ports, thank you.

#2 (Join Date: Nov 2002, Location: Bay Area, California, Posts: 309)
    This is a server?

    I would never use connection tracking on a server - leads too easily to denial of service. My personal opinion.

    And can you tell us the purpose of the rate limit?

    If you are going to reject traffic from odd sources, the list should be quite a bit longer than what you have here.
    Sunwave Communications
    http://www.sunwave.com/
    Safety - Service - Economy

#3 (Join Date: Nov 2002, Location: Bay Area, California, Posts: 309)
    Oh yes, I think all the recent DNS vulnerability updates randomize the outbound port number for DNS requests, so if you were trying to allow outbound DNS, and if you've done a recent update, this may not work.

#4 (Join Date: Nov 2002, Location: Bay Area, California, Posts: 309)
    Oh, so I guess this would be a problem for inbound DNS requests too. Doh!

#5 (Join Date: Nov 2002, Location: Bay Area, California, Posts: 309)
    If the policy on your table is ACCEPT, then you don't need any accept lines that follow the last deny line.

#6 (Join Date: Nov 2002, Location: Bay Area, California, Posts: 309)
    Did you really mean 0.0.0.0/8, or is that a typo for 10.0.0.0/8?
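A small linter for iptables-save dumps, added here as an example (it is not code from this thread or from any poster) that mechanically checks the ruleset in post #1 for the points raised in posts #2 to #6: ACCEPT rules left after the last DROP/REJECT under a chain policy of ACCEPT (post #5), DNS rules pinned to --sport 53 that source-port randomization sidesteps (posts #3 and #4), the 0.0.0.0/8 versus 10.0.0.0/8 question (post #6), and a source-filter list with no RFC 1918 ranges in it (post #2). The embedded sample is the filter table from post #1, trimmed to the rules involved; the function names, the Chain class and the wording of the findings are my own.

```python
"""Lint an iptables-save dump for the points raised in this thread (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the filter table from post #1, trimmed to the rules discussed.
SAMPLE = """\
*filter
:INPUT ACCEPT [8:240]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:6291]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
-A INPUT -i eth0 -s 192.0.2.0/24 -j DROP
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 113 -j REJECT
-A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
-A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
COMMIT
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Chain:
    policy: str
    rules: list = field(default_factory=list)  # each rule kept as its token list


def parse_iptables_save(text):
    """Return {table: {chain: Chain}} from iptables-save output."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                    # "*filter"
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):                  # ":INPUT ACCEPT [8:240]"
            name, policy = line[1:].split()[:2]
            tables[table][name] = Chain(policy)
        elif line.startswith("-A "):                # "-A CHAIN <matches> -j TARGET"
            tokens = line.split()
            tables[table][tokens[1]].rules.append(tokens[2:])
        elif line == "COMMIT":
            table = None
    return tables


def opt(tokens, flag):
    """Value that follows a flag in a rule's token list, or None if absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def lint(tables):
    """Return human-readable findings; rule numbers are 1-based within the chain."""
    findings = []
    for tname, chains in tables.items():
        for cname, chain in chains.items():
            targets = [opt(r, "-j") for r in chain.rules]
            last_deny = max((i for i, t in enumerate(targets) if t in ("DROP", "REJECT")), default=-1)
            if chain.policy == "ACCEPT":
                # Post #5: under policy ACCEPT, an ACCEPT rule after the last DROP/REJECT changes
                # nothing, so any match condition on it (a rate limit, for instance) has no effect.
                for i, t in enumerate(targets):
                    if i > last_deny and t == "ACCEPT":
                        findings.append(f"{tname}/{cname} rule {i + 1}: ACCEPT is redundant under "
                                        "policy ACCEPT; its match conditions have no effect")
            seen = []
            for i, r in enumerate(chain.rules):
                # Posts #3/#4: resolvers randomise the query source port, so --sport 53 rarely matches.
                if opt(r, "--dport") == "53" and opt(r, "--sport") == "53":
                    findings.append(f"{tname}/{cname} rule {i + 1}: --sport 53 with --dport 53 only "
                                    "matches queries sent from port 53; randomised source ports fall through")
                src = opt(r, "-s")
                if src and src != "0/0":
                    seen.append(ipaddress.ip_network(src, strict=False))
                    # Post #6: 0.0.0.0/8 is the 'this network' block, not RFC 1918's 10.0.0.0/8.
                    if src == "0.0.0.0/8":
                        findings.append(f"{tname}/{cname} rule {i + 1}: -s 0.0.0.0/8 matches 'this "
                                        "network' only; if RFC 1918 space was meant, that is 10.0.0.0/8")
            # Post #2: the source filter list is short; report RFC 1918 ranges no rule covers.
            if cname == "INPUT" and seen:
                missing = [str(n) for n in RFC1918 if not any(n.subnet_of(s) for s in seen)]
                if missing:
                    findings.append(f"{tname}/{cname}: RFC 1918 ranges not filtered: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_iptables_save(SAMPLE)):
        print(finding)
```

Run against a real dump with `iptables-save | python3 lint.py` after swapping SAMPLE for `sys.stdin.read()`. On the posted ruleset the practical upshot is the one post #5 hints at: because INPUT's policy is ACCEPT, the trailing SYN rate limit and the DNS ACCEPT rules never change the outcome, and everything not explicitly dropped is accepted; a DROP policy (or a final DROP rule) is what would make the ACCEPT rules, and the port 2222 exception the poster wants, actually mean something.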
