Here is what I have for a firewall.
Not the best way to run iptables-restore, but good enough until I figure out the right way to do it.
.bashrc = <!
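# /root/.bashrc: system profile, firewall load, and interactive aliases.
# The first line of the posted file was mangled by forum colour tags
# ("#B691ED#B791F0. /etc/profile"); it sources the system-wide profile.
[[ -r /etc/profile ]] && . /etc/profile

# Load the saved ruleset (iptables-save format) from /root/firewall.
# Guarded so that a non-root shell or a missing file does not print an error on
# every shell start. Loading from .bashrc means the rules are applied only when
# root opens an interactive shell, not at boot, and they are re-applied on every
# new shell; a boot-time script (rc.local or an init script) is the better home.
# Keep /root/firewall root-owned and not writable by others: its contents
# become the firewall policy.
if (( EUID == 0 )) && [[ -r /root/firewall ]]; then
  iptables-restore /root/firewall \
    || printf 'warning: iptables-restore /root/firewall failed\n' >&2
fi

alias ls='ls --color=auto'
alias lsd='ls -lad'
alias lswd='ls -ad'
alias ll='ls -la'
# The original alias mf="more $1" did not do what it looks like: aliases take
# no arguments and $1 is expanded once, when .bashrc is read (normally empty).
# A function receives its arguments at call time.
mf() { more "$@"; }
alias vi=defaulttexteditor

#v1.0.5 need to override TERM setting in /etc/profile...
#export TERM=xterm
# ...v2.13 removed.
#export HISTFILESIZE=2000
#export HISTCONTROL=ignoredups
#...v2.13 removed.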
!>
firewall = <!
# Generated by iptables-save v1.3.8 on Thu Feb 26 21:16:44 2009
# Ruleset in iptables-save format, loaded with iptables-restore. The [pkts:bytes]
# counters are ignored on restore unless -c is given. Lines starting with '#'
# are comments; the "NOTE:" lines are review commentary only.
# mangle: no rules, all chains default ACCEPT.
*mangle
:PREROUTING ACCEPT [60:9146]
:INPUT ACCEPT [60:9146]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [53:3849]
:POSTROUTING ACCEPT [60:4584]
COMMIT
# Completed on Thu Feb 26 21:16:44 2009
# Generated by iptables-save v1.3.8 on Thu Feb 26 21:16:44 2009
# nat: no rules, all chains default ACCEPT.
*nat
:PREROUTING ACCEPT [7:1546]
:POSTROUTING ACCEPT [53:3849]
:OUTPUT ACCEPT [53:3849]
COMMIT
# Completed on Thu Feb 26 21:16:44 2009
# Generated by iptables-save v1.3.8 on Thu Feb 26 21:16:44 2009
# filter: INPUT and FORWARD default to DROP, OUTPUT to ACCEPT. Inbound traffic
# on eth0 goes through INET_IN; whatever is not accepted there falls through to
# PACKET_DROP (rate-limited log, then drop). Inbound traffic on any interface
# other than lo/eth0 goes straight to PACKET_DROP, and nothing is forwarded.
# NOTE: the interface name eth0 is hard-coded; a second interface (e.g. wireless)
# would have all its inbound traffic dropped.
# NOTE: CHECK_ICMP is declared but no rule ever jumps to it, so inbound ICMP is
# handled only by the generic INET_IN rules (see the note there).
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [53:3849]
:CHECK_ICMP - [0:0]
:CHECK_TCP - [0:0]
:INET_IN - [0:0]
:INET_IN_TCP - [0:0]
:INET_IN_UDP - [0:0]
:INET_OUT - [0:0]
:PACKET_DROP - [0:0]
:SPOOFING - [0:0]
:SYN_FLOOD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j INET_IN
-A INPUT -j PACKET_DROP
-A FORWARD -j PACKET_DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j INET_OUT
# CHECK_TCP: rate-limited LOG (1/sec) and then DROP for INVALID-state packets,
# malformed TCP flag combinations, NEW connections that do not start with a
# bare SYN, and TCP options 64/128. Each LOG rule is paired with a DROP rule
# further down so the packet is recorded before it is discarded.
# NOTE: many of the DROP rules below are exact repeats (the FIN,PSH,URG, NONE,
# SYN,RST and FIN,SYN combinations each appear several times). The first copy
# drops the packet, so the later copies can never match; they are harmless
# but can be deleted to keep the chain readable.
-A CHECK_TCP -m state --state INVALID -m limit --limit 1/sec -j LOG --log-prefix "INVALID Packet " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-option 64 -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG(64) " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-option 128 -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG(128) " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 1/sec -j LOG --log-prefix "BAD TCP FLAG " --log-level 6
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# A NEW connection whose first packet is not a plain SYN is dropped (silently:
# there is no matching LOG rule above for this case).
-A CHECK_TCP -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A CHECK_TCP -m state --state INVALID -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-option 64 -j DROP
-A CHECK_TCP -p tcp -m tcp --tcp-option 128 -j DROP
# INET_IN: entry point for eth0. Anti-spoofing first, then the per-protocol
# chains; whatever returns from those is checked against one blocked host and
# finally ESTABLISHED traffic is accepted. Anything else returns to INPUT and
# ends in PACKET_DROP.
# NOTE: no rule in this table accepts NEW inbound connections, so this is a
# client-only policy: no listening service is reachable from eth0.
# NOTE: the blocked-host DROP (216.239.116.65) sits after the -j INET_IN_TCP /
# -j INET_IN_UDP lines, which already ACCEPT RELATED,ESTABLISHED replies on
# ports 1024:65535. It therefore only affects traffic that falls out of those
# chains (ICMP, other protocols, replies to local ports below 1024). Move it
# above the two sub-chain jumps if the intent is to block that host entirely,
# and record why the host is blocked.
# NOTE: the ESTABLISHED-only accept here is the only path for inbound ICMP.
# ICMP error messages that belong to a tracked connection (e.g. fragmentation
# needed, port unreachable) are classified RELATED by conntrack, not
# ESTABLISHED, so they are dropped; that can break path-MTU discovery. Accepting
# RELATED for ICMP here (or in a real CHECK_ICMP chain) would fix it — confirm.
-A INET_IN -j SPOOFING
-A INET_IN -p tcp -j INET_IN_TCP
-A INET_IN -p udp -j INET_IN_UDP
-A INET_IN -s 216.239.116.65 -j DROP
-A INET_IN -m state --state ESTABLISHED -j ACCEPT
# INET_IN_TCP: bare-SYN packets are rate-limited in SYN_FLOOD, everything is
# sanity-checked in CHECK_TCP, then replies to local ephemeral ports are accepted.
# NOTE: replies are accepted only when the local port is in 1024:65535; a local
# client that binds a privileged source port (below 1024) would have its replies
# dropped by PACKET_DROP.
-A INET_IN_TCP -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j SYN_FLOOD
-A INET_IN_TCP -j CHECK_TCP
-A INET_IN_TCP -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
# INET_IN_UDP: DHCP replies from one server, DNS replies from two resolvers,
# then replies to local ephemeral ports.
# NOTE: SPOOFING runs before this chain and drops anything addressed to
# 255.255.255.255. DHCP OFFER/ACK are sent to that address when the client sets
# the broadcast flag (many clients do), so the --sport 67 --dport 68 rule may only
# ever see unicast renewals. Many DHCP clients receive replies through a raw
# socket that bypasses netfilter, which would mask this — confirm on this host.
# NOTE: the two DNS rules are subsumed by the general RELATED,ESTABLISHED rule
# below whenever the query is sent from a local port of 1024 or above, which is
# the normal case; they only add value for queries sent from a port below 1024.
-A INET_IN_UDP -s 208.180.43.6 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INET_IN_UDP -s 66.76.2.132 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INET_IN_UDP -s 66.76.2.133 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INET_IN_UDP -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
# INET_OUT: outbound on eth0 — only INVALID-state packets are dropped; anything
# else leaves (OUTPUT policy is ACCEPT).
-A INET_OUT -m state --state INVALID -j DROP
# PACKET_DROP: rate-limited LOG, then DROP.
# NOTE: only TCP, UDP and fragments are logged; ICMP and other protocols are
# dropped silently. A final LOG rule without -p would give visibility into those.
-A PACKET_DROP -p tcp -m limit --limit 1/sec -j LOG --log-prefix "TCP Dropped " --log-level 6
-A PACKET_DROP -p udp -m limit --limit 1/sec -j LOG --log-prefix "UDP Dropped " --log-level 6
-A PACKET_DROP -f -m limit --limit 1/sec -j LOG --log-prefix "FRAGMENT Dropped " --log-level 6
-A PACKET_DROP -j DROP
# SPOOFING: log (1/sec, burst 1) and drop packets arriving on eth0 whose source
# is in a reserved/unroutable range or is 75.108.115.230, and packets sent to
# the limited broadcast address or to 0.0.0.0. Each LOG rule has a matching DROP.
# NOTE: 75.108.115.230 is presumably this host's own public address (a packet
# from outside claiming our own source address is spoofed) — confirm; if the
# address is assigned by DHCP (see INET_IN_UDP) this entry will go stale.
# NOTE: RFC 1918 coverage is incomplete — 10.0.0.0/8 and 172.16.0.0/12 are
# listed but 192.168.0.0/16 is not. That is fine if eth0 sits on a 192.168 LAN;
# otherwise add it.
-A SPOOFING -s 0.0.0.0/255.0.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 10.0.0.0/255.0.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 127.0.0.0/255.0.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 169.254.0.0/255.255.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 172.16.0.0/255.240.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 224.0.0.0/240.0.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 240.0.0.0/248.0.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 248.0.0.0/248.0.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 255.255.255.255 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 75.108.115.230 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -d 255.255.255.255 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -d 0.0.0.0 -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SPOOFED Packet " --log-level 6
-A SPOOFING -s 0.0.0.0/255.0.0.0 -j DROP
-A SPOOFING -s 10.0.0.0/255.0.0.0 -j DROP
-A SPOOFING -s 127.0.0.0/255.0.0.0 -j DROP
-A SPOOFING -s 169.254.0.0/255.255.0.0 -j DROP
-A SPOOFING -s 172.16.0.0/255.240.0.0 -j DROP
-A SPOOFING -s 224.0.0.0/240.0.0.0 -j DROP
-A SPOOFING -s 240.0.0.0/248.0.0.0 -j DROP
-A SPOOFING -s 248.0.0.0/248.0.0.0 -j DROP
-A SPOOFING -s 255.255.255.255 -j DROP
-A SPOOFING -s 75.108.115.230 -j DROP
-A SPOOFING -d 255.255.255.255 -j DROP
-A SPOOFING -d 0.0.0.0 -j DROP
# SYN_FLOOD: up to 12 SYN/sec (burst 24) RETURN to the caller; beyond that,
# log (1/sec) and drop. The limit is global, not per source address.
# NOTE: since INET_IN_TCP never accepts NEW connections, SYNs that pass this
# chain are still dropped later by PACKET_DROP (logged as "TCP Dropped "); in
# practice the chain only decides which log prefix a SYN burst is recorded under.
-A SYN_FLOOD -m limit --limit 12/sec --limit-burst 24 -j RETURN
-A SYN_FLOOD -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SYN_FLOOD Dropped " --log-level 6
-A SYN_FLOOD -j DROP
COMMIT
# Completed on Thu Feb 26 21:16:44 2009
!>
firewall