[CentOS] iptables configuration example (from Sakura)

Based on the Sakura Internet article below; actually, this is more or less a straight copy kept as a memo.
http://knowledge.sakura.ad.jp/beginner/4048/

# (1) policy settings.
# Only OUTPUT defaults to ACCEPT. INPUT and FORWARD default to DROP, so only the ports explicitly accepted below get through.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# (2) accept loopback traffic (connections from the host itself)
-A INPUT -i lo -j ACCEPT

# (3) drop TCP packets with no flags set (null packets)
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# (4) drop new connections that do not start with a SYN (typical of SYN flood / bogus traffic)
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# (5) drop TCP packets with all flags set (stealth scan)
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# (6) settings for ICMP (ping)
# use hashlimit
# -m hashlimit : use the hashlimit module
# --hashlimit-name t_icmp : name of the hash table (appears under /proc/net/ipt_hashlimit)
# --hashlimit 1/m : once the limit is active, only one packet per minute is allowed
# --hashlimit-burst 10 : the limit becomes active after 10 packets are received within the period
# --hashlimit-mode srcip : the limit is tracked per source IP
# --hashlimit-htable-expire 120000 : how long an entry stays in the table (unit = ms)
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name t_icmp --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT

# (7) accept all packets of an established connection regardless of port (this rule matches TCP only)
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# (8) accept the return packets of DNS queries
# note: this accepts any UDP packet with source port 53, not just replies to our own queries; a stateful match would be tighter
-A INPUT -p udp --sport 53 -j ACCEPT

# (9) settings for accepting SSH
# use hashlimit
# -m hashlimit : use the hashlimit module
# --hashlimit-name t_sshd : name of the hash table (appears under /proc/net/ipt_hashlimit)
# --hashlimit 1/m : once the limit is active, only one new connection per minute is allowed
# --hashlimit-burst 10 : the limit becomes active after 10 packets are received within the period
# --hashlimit-mode srcip : the limit is tracked per source IP
# --hashlimit-htable-expire 120000 : how long an entry stays in the table (unit = ms)
-A INPUT -p tcp -m state --syn --state NEW --dport 22 -m hashlimit --hashlimit-name t_sshd --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT

# (10) add accept rules for each protocol and port you want to expose below
# Example: accept HTTP (TCP 80) and HTTPS (TCP 443)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

COMMIT
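The following script is an added example and is not part of the original post or of the Sakura Internet article. It does two things a defender would want before loading a ruleset like the one above: it simulates the hashlimit token bucket so the "--hashlimit 1/m --hashlimit-burst 10" comments can be checked numerically, and it parses the iptables-restore text to verify the invariants the comments promise (INPUT/FORWARD default DROP, loopback accepted, established traffic accepted, SSH rate limited, and an explicit list of opened TCP ports). The ruleset is copied from the post as sample input; the function names and audit messages are this example's own choices.

```python
"""Added example (not from the original post or the Sakura article):
an offline checker for the iptables-restore ruleset above."""
import shlex

# The ruleset from the post, copied here without comments as sample input.
SAKURA_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name t_icmp --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m state --syn --state NEW --dport 22 -m hashlimit --hashlimit-name t_sshd --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""


def simulate_hashlimit(arrival_seconds, rate_per_minute=1, burst=10):
    """Accept/deny decision per packet from a single source (one srcip bucket).

    Models --hashlimit <rate> --hashlimit-burst <burst> as a token bucket: the
    bucket starts full with `burst` tokens, each accepted packet spends one,
    and tokens refill at `rate_per_minute`, capped at `burst`.  The
    --hashlimit-htable-expire garbage-collection timeout is not modelled.
    """
    tokens = float(burst)
    last = arrival_seconds[0] if arrival_seconds else 0.0
    decisions = []
    for t in arrival_seconds:
        tokens = min(float(burst), tokens + (t - last) * rate_per_minute / 60.0)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            decisions.append(True)
        else:
            decisions.append(False)
    return decisions


def parse_ruleset(text):
    """Split iptables-restore text into ({chain: policy}, [rule token lists])."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue  # comments, the table header and COMMIT carry no rules
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        rules.append(shlex.split(line))
    return policies, rules


def _opt(tokens, name):
    """Value following option `name` in a rule, or None if it is absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == name:
            return tokens[i + 1]
    return None


def audit_ruleset(text):
    """Return (sorted opened TCP ports, list of problems) for a ruleset."""
    policies, rules = parse_ruleset(text)
    problems = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            problems.append(f"{chain} policy is not DROP")
    inbound = [r for r in rules if _opt(r, "-A") == "INPUT"]
    accepts = [r for r in inbound if _opt(r, "-j") == "ACCEPT"]
    if not any(_opt(r, "-i") == "lo" for r in accepts):
        problems.append("loopback traffic is not accepted")
    if not any("ESTABLISHED" in (_opt(r, "--state") or "") for r in accepts):
        problems.append("established connections are not accepted")
    # port -> True only if every ACCEPT rule for that port carries hashlimit
    # (first match wins in iptables, so one unlimited rule defeats the limit)
    opened = {}
    for r in accepts:
        if _opt(r, "-p") == "tcp" and _opt(r, "--dport") is not None:
            port = int(_opt(r, "--dport"))
            opened[port] = opened.get(port, True) and "hashlimit" in r
    if 22 in opened and not opened[22]:
        problems.append("SSH (22) is accepted without a rate limit")
    return sorted(opened), problems


if __name__ == "__main__":
    # 15 packets one second apart, then one more a minute later
    print(simulate_hashlimit(list(range(15)) + [70]))
    print(audit_ruleset(SAKURA_RULES))
```

With the post's values, a source that sends one packet per second gets its first 10 through and is then held to one per minute, which is the behaviour the hashlimit comments describe; the audit of the post's ruleset reports the opened ports 22, 80 and 443 and no problems.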

Author: bobgosso
Welcome to the FPGA blog!