Re: Yet another question on iptables, firewall and, or net-filter
- From: Clifford Kite <kite@xxxxxxxxxxxxxxxx>
- Date: Mon, 30 Oct 2006 11:27:57 -0600
"Balwinder S \"bsd\" Dheeman" <bsd.SANSPAM@xxxxxxxxxxxxxxxxx> wrote:
> Hi friends!
> If I set all my default policies to *DROP* for INPUT, FORWARD and, or
> OUTPUT chains, do I still need to add the following rules?
I'm no expert but it's probably a good idea to put them before other
rules and get rid of the trash. And it has the potential to prevent
over-loading rules that may be looking to accept similar incoming.
> ## Anti-spoofing
> iptables -A INPUT -m state --state INVALID -j DROP
Take out the trash before it enters other rules.
> ## Watch for basic packet-crafting vulnerabilities, these are totally
> ## invalid and are not filtered with --state INVALID
> iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
These rules could be added before a rule such as
iptables -A INPUT -p tcp --syn -j ACCEPT
in order to prevent SYN,{RST,FIN} floods from entering it.
> ## new tcp packet (not established) and no syn bit... must be trash
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
As the comment says, trash.
> ## drop reserved addresses, not valid on the open Internet
> iptables -A INPUT -i ${WIFACE} -s 224.0.0.0/4 -j DROP
> iptables -A INPUT -i ${WIFACE} -s 240.0.0.0/5 -j DROP
> The above-said WIFACE is the interface (eth1) on the WAN side of this machine.
More trash.
--
Clifford Kite
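Added example, not from either poster: a small Python model of the iptables `--tcp-flags MASK COMP` match and of the quoted TCP drop rules, so the verdicts for a given flag byte and conntrack state can be checked without a live netfilter. It also spells out why `--syn` equals `--tcp-flags SYN,RST,ACK,FIN SYN`. The function names, the FLAG table and the conntrack-state argument are this example's own assumptions.

```python
# Added example (not part of the thread). Models the iptables tcp match
# semantics behind the quoted rules:  --tcp-flags MASK COMP  looks only at
# the MASK bits and matches when exactly the COMP bits among them are set.
# Names here (FLAG, tcp_flags_match, is_syn_only, classify_tcp_segment) and
# the conntrack-state argument are this example's own choices.

FLAG = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
        "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_bits(names):
    """Turn an iptables flag list such as 'SYN,RST' into a bitmask."""
    return sum(FLAG[n] for n in names.split(",") if n)


def tcp_flags_match(flags, mask, comp):
    """Equivalent of:  -p tcp --tcp-flags MASK COMP"""
    return (flags & flag_bits(mask)) == flag_bits(comp)


def is_syn_only(flags):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN: SYN set and
    RST/ACK/FIN clear. A bare '--tcp-flags SYN' has no COMP argument and
    is rejected by iptables, which is why the ACCEPT rule uses --syn."""
    return tcp_flags_match(flags, "SYN,RST,ACK,FIN", "SYN")


def classify_tcp_segment(flags, ctstate):
    """Walk the quoted INPUT drop rules in posted order and return the first
    verdict, or 'PASS' when the segment would reach the later ACCEPT rules.
    ctstate is the conntrack state iptables would see (NEW, ESTABLISHED, ...)."""
    # --tcp-flags SYN,RST SYN,RST -j DROP : SYN and RST together are never legal
    if tcp_flags_match(flags, "SYN,RST", "SYN,RST"):
        return "DROP:SYN,RST"
    # --tcp-flags SYN,FIN SYN,FIN -j DROP : SYN and FIN together are likewise bogus
    if tcp_flags_match(flags, "SYN,FIN", "SYN,FIN"):
        return "DROP:SYN,FIN"
    # -p tcp ! --syn -m state --state NEW -j DROP : a new flow must open with a bare SYN
    if ctstate == "NEW" and not is_syn_only(flags):
        return "DROP:NEW-without-SYN"
    return "PASS"


if __name__ == "__main__":
    # Constructed sample segments: (flags byte, conntrack state)
    samples = [(FLAG["SYN"] | FLAG["RST"], "NEW"), (FLAG["SYN"] | FLAG["FIN"], "NEW"),
               (FLAG["ACK"], "NEW"), (FLAG["SYN"], "NEW"), (FLAG["ACK"], "ESTABLISHED")]
    for flags, st in samples:
        print(f"flags=0x{flags:02x} state={st:<11} -> {classify_tcp_segment(flags, st)}")
```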