

Ignore whitespace Rev 491 → Rev 492

/scripts/alcasar-iptables.sh
6,6 → 6,7
 
IPTABLES="/sbin/iptables"
FILTERING="no"
QOS="no"
EXTIF="eth0"
INTIF="eth1"
TUNIF="tun0"
19,6 → 20,7
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -N SYN-FLOOD
 
# Default policies
$IPTABLES -P INPUT DROP
35,6 → 37,23
# accept all on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
 
# Block all attempts to spoof the loopback address
$IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP
 
# Block all attempts to spoof the local IP address
$IPTABLES -A INPUT -s $PRIVATE_IP -j DROP
 
# Block Syn Flood attacks
$IPTABLES -A INPUT -p tcp -m tcp --syn -j SYN-FLOOD
 
# Syn flood filtering chain
$IPTABLES -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A SYN-FLOOD -j DROP
 
# Ensure that TCP connections start with syn packets
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
 
#############################
# INTIF rules #
#############################
113,6 → 132,14
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
fi
 
########################
# If QOS is activate #
########################
if [ $QOS = "yes" ]; then
. /usr/local/etc/alcasar-iptables-qos.sh
fi
 
# Allow forward connections with log
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ACCEPT
149,6 → 176,7
$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE rej-int -- REJECT "
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
 
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"
# Drop on EXTIF
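Review bot: The SYN-FLOOD chain added in the `35,6 → 37,23` hunk (`$IPTABLES -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN` followed by an unconditional DROP) applies one global token bucket to every new TCP SYN reaching the host on any interface, not a per-source one, so a single remote peer sending a few SYNs per second at $EXTIF makes the chain drop nearly all legitimate SYNs as well, including those from the internal interfaces; the rule trades a SYN flood for a trivial denial of service, and 1/s is also far below what a portal serving many clients needs. The usual fix is to key the limit on the source address, e.g. `$IPTABLES -A SYN-FLOOD -m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/s --hashlimit-burst 4 --hashlimit-name synflood -j RETURN`, if the hashlimit match is available on this kernel; failing that, at least restrict the jump to the untrusted side with `$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --syn -j SYN-FLOOD` so internal clients are not collateral. Two smaller points in the same hunk: `$IPTABLES -A INPUT -s $PRIVATE_IP -j DROP` is the only rule using $PRIVATE_IP and nothing visible sets or checks it, so an unset value yields an iptables error rather than a spoofing filter — consider `: "${PRIVATE_IP:?}"` near the top; and the flush at the top of the script only covers INPUT/FORWARD/OUTPUT, so unless an `-F`/`-X` outside this view clears SYN-FLOOD, re-running the script will fail on `-N SYN-FLOOD` and append duplicate rules after the existing DROP. The script's rule set continues beyond the last hunk shown here.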