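--- /dev/null
+++ b/[PATH NOT SHOWN]
@@ -0,0 +1,21 @@
+add table ip filter
+add chain ip filter INPUT { type filter hook input priority 0; }
+add chain ip filter FORWARD { type filter hook forward priority 0; }
+add chain ip filter OUTPUT { type filter hook output priority 0; }
+add chain ip filter TCP
+add chain ip filter UDP
+add chain ip filter SSH
+add rule ip filter INPUT icmp type echo-request limit rate 30/minute burst 8 packets counter accept
+add rule ip filter INPUT icmp type echo-request counter drop
+add rule ip filter INPUT ct state related,established counter accept
+add rule ip filter INPUT iifname lo counter accept
+add rule ip filter INPUT ct state invalid counter drop
+add rule ip filter INPUT tcp dport 22 ct state new counter jump SSH
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+# -t filter -A SSH -m recent --name sshbf --set -j ACCEPT
+add rule ip filter INPUT ip protocol udp ct state new counter jump UDP
+add rule ip filter INPUT tcp flags & fin|syn|rst|ack == syn ct state new counter jump TCP
+add rule ip filter INPUT ip protocol udp counter reject
+add rule ip filter INPUT ip protocol tcp counter reject with tcp reset
+add rule ip filter INPUT counter reject with icmp type prot-unreachable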
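Review bot: The SSH chain created on line 7 is left empty and the only throttling logic is the three commented-out iptables `-m recent` rules on lines 14-16, so a new connection to port 22 jumps to SSH, returns, falls into the TCP chain (also empty in this file) and hits `reject with tcp reset` on line 20 — either SSH is unreachable, or if TCP is populated elsewhere it is unthrottled; the same holds for the ip6 section below. nftables expresses the `recent` list as a dynamic set updated from the rule; a sketch follows, but the rate figures only approximate the original 3-in-10s / 20-in-30min thresholds and set syntax differs between nft versions, so validate it with `nft -c -f`. Separately, the FORWARD base chain on line 3 carries no `policy drop`, so forwarded traffic is accepted by default in both sections, which is rarely what a host firewall wants. The mask expression on line 18 is normally written with parentheses, `tcp flags & (fin|syn|rst|ack) == syn`; worth confirming the unparenthesised form parses as intended on the target nft version.
```nftables
# … unchanged: table, INPUT and OUTPUT chains …
add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
# … unchanged: TCP, UDP, SSH chains and INPUT rules …
# dynamic set standing in for the iptables "recent" list; figures are an approximation to review
add set ip filter sshbf { type ipv4_addr; flags dynamic; timeout 30m; }
add rule ip filter SSH add @sshbf { ip saddr limit rate over 3/minute burst 3 packets } counter drop
add rule ip filter SSH counter accept
```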
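--- /dev/null
+++ b/[PATH NOT SHOWN]
@@ -0,0 +1,24 @@
+add table ip6 filter
+add chain ip6 filter INPUT { type filter hook input priority 0; }
+add chain ip6 filter FORWARD { type filter hook forward priority 0; }
+add chain ip6 filter OUTPUT { type filter hook output priority 0; }
+add chain ip6 filter TCP
+add chain ip6 filter UDP
+add chain ip6 filter SSH
+add rule ip6 filter INPUT rt type 0 counter drop
+add rule ip6 filter OUTPUT rt type 0 counter drop
+add rule ip6 filter FORWARD rt type 0 counter drop
+add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request limit rate 30/minute burst 8 packets counter accept
+add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type echo-request counter drop
+add rule ip6 filter INPUT ct state related,established counter accept
+add rule ip6 filter INPUT iifname lo counter accept
+add rule ip6 filter INPUT ct state invalid counter drop
+add rule ip6 filter INPUT tcp dport 22 ct state new counter jump SSH
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
+# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
+# -t filter -A SSH -m recent --name sshbf --set -j ACCEPT
+add rule ip6 filter INPUT meta l4proto udp ct state new counter jump UDP
+add rule ip6 filter INPUT tcp flags & fin|syn|rst|ack == syn ct state new counter jump TCP
+add rule ip6 filter INPUT meta l4proto udp counter reject with icmpv6 type admin-prohibited
+add rule ip6 filter INPUT meta l4proto tcp counter reject with icmpv6 type admin-prohibited
+add rule ip6 filter INPUT counter reject with icmpv6 type admin-prohibited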
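Review bot: The ip6 INPUT chain accepts only rate-limited echo-request (line 11) and `ct state related,established` (line 13) before the catch-all reject on line 24, which leaves no path for the ICMPv6 messages IPv6 itself depends on — neighbor solicitation/advertisement, router advertisement and MLD are not classified as related by conntrack as far as I can tell, so they end up rejected and the host would lose neighbor resolution and SLAAC on the link. An explicit accept near the top of the chain, restricted to the link-local hop limit for ND, is the usual fix, e.g. `add rule ip6 filter INPUT icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } ip6 hlim 255 counter accept`, followed by a similar line for `mld-listener-query, mld-listener-report, mld-listener-reduction`. Listing `packet-too-big` and `parameter-problem` explicitly is also worth doing rather than relying on conntrack to mark them related, since PMTUD breaks silently when they are dropped. The SSH-chain and FORWARD-policy points raised on the ip section apply here unchanged.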