## Using whitelist and blacklist with iptables

```bash
#!/bin/bash
# IPTABLES, WHITELIST, BLACKLIST and ALLOWED_PORTS are set earlier in the
# script; those lines did not survive in this copy, so BLACKLIST and
# ALLOWED_PORTS are assumed names, as is the ACCEPT line of the whitelist
# loop. The awk program was also lost and is left empty as found.
for x in `grep -v ^# $WHITELIST | awk ''`
do
    $IPTABLES -A INPUT -t filter -s $x -j ACCEPT
done

for x in `grep -v ^# $BLACKLIST | awk ''`
do
    $IPTABLES -A INPUT -t filter -s $x -j DROP
done

for port in $ALLOWED_PORTS
do
    $IPTABLES -A INPUT -t filter -p tcp --dport $port -j ACCEPT
    $IPTABLES -A INPUT -t filter -p udp --dport $port -j ACCEPT
done
```

## Blocking portscan

```bash
# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
iptables -A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
iptables -A INPUT   -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
```

## Spoofed/Invalid packets

```bash
# Reject spoofed packets
# These addresses are mostly used for LANs, so if these would come to a WAN-only server, drop them.
# (the per-address DROP rules did not survive in this copy)

# Drop packets the connection tracker considers invalid
iptables -A INPUT   -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT  -m state --state INVALID -j DROP

# Drop excessive RST packets to avoid smurf attacks
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
```

## Block ICMP (aka ping)

```bash
# Don't allow pings through
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -j DROP
```

## Optimize netfilter's Performance Using ipset

If you write a lot of similar rules based on mere IP, port, or both, consider using ipset to optimize netfilter's performance.

For example, one ACCEPT rule per allowed host:

```bash
iptables -s 192.168.1.11 -j ACCEPT
```

This means that a packet with the source address of 192.168.251.177 must first traverse hundreds of rules before it can get its verdict of ACCEPT. Of course, experienced sysadmins will split the rules by subnet. But that still means hundreds of rules.

First, define an IP Set of ipmap type:

```bash
ipset -N Allowed_Hosts ipmap --network 192.168.0.0/16
```

Then, populate it with the addresses:

```bash
for ip in $LIST_OF_ALLOWED_IP
do
    ipset -A Allowed_Hosts $ip
done
```

Finally, replace the hundreds of iptables rules above with one rule:

```bash
iptables -m set --match-set Allowed_Hosts src -j ACCEPT
```

When a packet arrives, netfilter will perform a very quick bitmap search for the packet's source (src) IP against the Allowed_Hosts IP Set.
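The whitelist-file idea of the script above and the ipset bitmap of the ipset section, combined in an added example that is not part of the original page: it reads an allowlist, keeps only well-formed IPv4 addresses inside the 192.168.0.0/16 range the bitmap set was created with (an address outside that range would make `ipset -A` fail), and prints the commands for review instead of running them. The file format (first field of each non-comment line is the address) and the range check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: build the Allowed_Hosts set from
# an allowlist and emit the single --match-set rule instead of one iptables
# rule per host. Assumed file format: first field of each non-comment line
# is the address. Commands are printed, not executed, so they can be
# reviewed before being run as root.

# Succeed only for a dotted-quad IPv4 address inside 192.168.0.0/16, the
# range the ipmap set is created with; ipset rejects anything outside it.
in_bitmap_range() {
    case "$1" in 192.168.*.*) ;; *) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Read the allowlist on stdin (lines starting with '#' are comments, like the
# grep -v ^# pattern of the whitelist script) and print the ipset/iptables
# commands; malformed or out-of-range entries are reported on stderr.
emit_allowlist_rules() {
    echo "ipset -N Allowed_Hosts ipmap --network 192.168.0.0/16"
    while read -r ip rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if in_bitmap_range "$ip"; then
            echo "ipset -A Allowed_Hosts $ip"
        else
            echo "skipped $ip: malformed or outside 192.168.0.0/16" >&2
        fi
    done
    echo "iptables -A INPUT -m set --match-set Allowed_Hosts src -j ACCEPT"
}

# Constructed sample allowlist (two valid hosts, one outside the range,
# one malformed) for a stand-alone run.
sample_allowlist() {
    printf '# hosts allowed to reach this server\n'
    printf '192.168.1.11 web01\n192.168.251.177\n'
    printf '10.0.0.5 not-in-range\n192.168.1.300 bad-octet\n'
}

sample_allowlist | emit_allowlist_rules
```

Pipe a real allowlist into `emit_allowlist_rules` and inspect the output before feeding it to `sh` as root.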