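# Hardening rules for the INPUT chain: anti-spoofing for the loopback range,
# ping rate limiting, and rejection of TCP packets whose flag combinations
# can never occur in a legitimate connection.
#
# Requires: IPTABLES - path to the iptables binary (set earlier in the script).
# These rules only have an effect on traffic that reaches them, so they should
# sit before any broad ACCEPT rule (e.g. an ESTABLISHED,RELATED accept) -
# confirm ordering against the rest of the script.

# Fail loudly rather than silently applying nothing: an unset IPTABLES would
# otherwise turn every rule below into a "command not found" and leave the
# host with none of this filtering in place.
: "${IPTABLES:?IPTABLES must be set to the iptables binary}"

# Drop packets that claim to come from the loopback range but arrive on any
# interface other than lo. Such packets are always forged: 127.0.0.0/8 must
# never appear on the wire. Matching "everything except lo" (instead of only
# the external interface) also covers a second NIC or a VPN/tunnel interface.
# Note the "!" goes before the option; "--in-interface ! lo" is the legacy
# spelling that errors on current iptables.
"$IPTABLES" -A INPUT ! --in-interface lo --source 127.0.0.0/8 -j DROP

# Ping flood / smurf mitigation: accept echo-requests at one per second
# (the limit module's default burst of 5 applies), then drop the excess
# explicitly so the behaviour does not depend on the chain policy.
# Only echo-request is limited here; other ICMP types (destination-unreachable,
# time-exceeded, parameter-problem - needed for path-MTU discovery and error
# reporting) fall through to later rules - make sure those are accepted there.
# The limit is global, not per-source; use the hashlimit match if per-source
# limiting is wanted.
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request \
  -m limit --limit 1/second -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -j DROP

# Drop TCP packets whose flag combinations are contradictory or otherwise
# impossible in a real connection. These are characteristic of port scans
# (NULL, XMAS, SYN/FIN probes) and of attempts to slip past stateful
# inspection. "--tcp-flags MASK COMP" examines the flags in MASK and matches
# when exactly the flags in COMP are set.
"$IPTABLES" -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP          # FIN without ACK
"$IPTABLES" -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP          # PSH without ACK
"$IPTABLES" -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP          # URG without ACK
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP      # open and close at once
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP      # open and reset at once
"$IPTABLES" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP      # close and reset at once
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP      # XMAS-style probe
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP             # NULL scan (no flags)
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL ALL -j DROP              # every flag set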