• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

IPTables

John Connor

John Connor

Lifer
Anyone know something about IPTables? I have a WRT54GL flashed with DD-WRT and have a set of IPTables in the commands section under firewall and was wondering if these are alright.



iptables -t mangle -I PREROUTING -i `get_wanface` -j TTL --ttl-set 10
iptables -t mangle -I POSTROUTING -o `get_wanface` -j TTL --ttl-set 128
iptables -t mangle -I POSTROUTING -o `get_wanface` -j TTL --ttl-inc 1
iptables -I OUTPUT -d 239.255.255.250 -j DROP
iptables -I OUTPUT -d 224.0.0.22 -j DROP
#Syn-flood protection
iptables -N syn_flood
iptables -A syn-flood -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACEPT
iptables -A syn_flood -j REJECT
# Furtive port scanner:
iptables -N port_scan
iptables -A port_scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A port_scan -j REJECT
iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j REJECT
iptables -t nat -A PREROUTING-p tcp --tcp-flags ALL ALL -j REJECT
iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL NONE -j REJECT
iptables -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT
#XMAS
iptables -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT
iptables -t nat -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j REJECT
# FIN packet scans
iptables -t nat -A PREROUTING -p tcp--tcp-flags ALL SYN,RST,ACK,FIN,URG -j REJECT
#SSH Protection
iptables -N rate_limit
iptables -F rate_limit
iptables -A rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -A rate_limit -p udp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -A rate_limit -p ICMP --icmp-type echo-request -m limit --limit 3/sec -j ACCEPT
iptables -A rate_limit -p ! ICMP -j LOG --log-prefix " Connection dropped!! "
iptables -A rate_limit -p tcp -j REJECT --reject-with tcp-reset
iptables -A rate_limit -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A rate_limit -j DROP
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -j rate_limit
iptables -I INPUT -p udp --dport 22 -m state --state NEW -j rate_limit
iptables -A INPUT -i vlan1 -p igmp -j DROP
iptables -I INPUT -i vlan1 -d 192.168.0.0/16 -p igmp -j DROP
Click to expand...
 
Last edited:
I corrected a few things.

iptables -t mangle -I PREROUTING -i `get_wanface` -j TTL --ttl-set 10
iptables -t mangle -I POSTROUTING -o `get_wanface` -j TTL --ttl-set 128
iptables -t mangle -I POSTROUTING -o `get_wanface` -j TTL --ttl-inc 1
iptables -I OUTPUT -d 239.255.255.250 -j DROP
iptables -I OUTPUT -d 224.0.0.22 -j DROP
#Syn-flood protection
iptables -N syn_flood
iptables -A syn-flood -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A syn_flood -j REJECT
# Furtive port scanner:
iptables -N port_scan
iptables -A port_scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A port_scan -j REJECT
iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j REJECT
iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL ALL -j REJECT
iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL NONE -j REJECT
iptables -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT
#XMAS
iptables -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT
iptables -t nat -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j REJECT
# FIN packet scans
iptables -t nat -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j REJECT
#SSH Protection
iptables -N rate_limit
iptables -F rate_limit
iptables -A rate_limit -p tcp --dport 43500 -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -A rate_limit -p udp --dport 43500 -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -A rate_limit -p ICMP --icmp-type echo-request -m limit --limit 3/sec -j ACCEPT
iptables -A rate_limit -p ICMP -j LOG --log-prefix " Connection dropped!! "
iptables -A rate_limit -p tcp -j REJECT --reject-with tcp-reset
iptables -A rate_limit -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A rate_limit -j DROP
iptables -I INPUT -p tcp --dport 43500 -m state --state NEW -j rate_limit
iptables -I INPUT -p udp --dport 43500 -m state --state NEW -j rate_limit
iptables -A INPUT -i vlan1 -p igmp -j DROP
iptables -I INPUT -i vlan1 -d 192.168.0.0/16 -p
Click to expand...
 
You must log in or register to reply here.

TRENDING THREADS

Back
Top