22 lines
1.3 KiB
Plaintext
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add chain ip filter TCP
add chain ip filter UDP
add chain ip filter SSH
add rule ip filter INPUT icmp type echo-request limit rate 30/minute burst 8 packets counter accept
add rule ip filter INPUT icmp type echo-request counter drop
add rule ip filter INPUT ct state related,established counter accept
add rule ip filter INPUT iifname lo counter accept
add rule ip filter INPUT ct state invalid counter drop
add rule ip filter INPUT tcp dport 22 ct state new counter jump SSH
# The SSH chain above is empty. The three lines below are the original iptables
# '-m recent' rules it was meant to replace; nftables has no 'recent' match, so
# they are kept only as a comment and do nothing when this file is loaded.
# Consequence: a new SSH SYN returns from the empty SSH chain, is sent to the
# (also empty) TCP chain by the rule further down, and ends at 'reject with tcp reset'.
# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
# -t filter -A SSH -m recent --name sshbf --rttl --rcheck --hitcount 20 --seconds 1800 -j DROP
# -t filter -A SSH -m recent --name sshbf --set -j ACCEPT
add rule ip filter INPUT ip protocol udp ct state new counter jump UDP
# Parentheses are required: in nft '&' binds tighter than '|', so without them
# the expression is parsed as ((tcp flags & fin) | syn | rst | ack) == syn, which
# can never be true for a bare SYN.
add rule ip filter INPUT tcp flags & (fin|syn|rst|ack) == syn ct state new counter jump TCP
# The TCP and UDP chains hold no rules yet, so every new TCP/UDP connection that is
# not accepted above falls through to the rejects below (default deny for services).
add rule ip filter INPUT ip protocol udp counter reject
add rule ip filter INPUT ip protocol tcp counter reject with tcp reset
add rule ip filter INPUT counter reject with icmp type prot-unreachable
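The commented iptables '-m recent' rules have no direct nftables translation, so the SSH chain in the paste stays empty. The fragment below is an added example (not part of the pasted ruleset) showing the usual nftables way to get the same effect: a dynamic set acting as a per-source token bucket, and a second set with a timeout that holds sources that exceeded it. It assumes nft 0.9 or later with kernel dynamic-set support, reuses the paste's table and chain names, and the set names sshbf and sshrate are chosen here. nft's limit is a token bucket rather than iptables' sliding window, so the numbers only approximate '--hitcount 3 --seconds 10' (burst of 3, refilled at 18 per minute) and '--seconds 1800' (30-minute ban). Load it with 'nft -f' after the paste's own rules; the nested file syntax merges into the existing 'ip filter' table and appends to chain SSH rather than replacing it.

```nft
# Added example: nftables replacement for the iptables '-m recent' SSH rules.
# Assumes nft >= 0.9 and a kernel with dynamic set support; 'sshrate' is a
# name chosen for this example. Load with: nft -f ssh-bruteforce.nft
table ip filter {
    # Sources that tripped the limit. Entries expire after 30 minutes,
    # mirroring '--seconds 1800' in the commented iptables rule.
    set sshbf {
        type ipv4_addr
        flags dynamic, timeout
        timeout 30m
        size 65536
    }

    # Per-source token bucket for new SSH connections. Approximates
    # '--hitcount 3 --seconds 10': each source may open 3 new connections
    # at once, and earns one more every ~3.3 seconds (18/minute).
    set sshrate {
        type ipv4_addr
        flags dynamic
        size 65536
    }

    chain SSH {
        # Already banned: drop without touching the rate bucket.
        ip saddr @sshbf counter drop
        # Over the per-source rate: ban the source for 30 minutes and drop.
        add @sshrate { ip saddr limit rate over 18/minute burst 3 packets } add @sshbf { ip saddr } counter drop
        # Under the rate: allow the new connection.
        counter accept
    }
}
```

Check the state with 'nft list set ip filter sshbf' (banned sources with remaining timeout) and 'nft list chain ip filter SSH' (packet counters per rule). Note that the ban entry is only refreshed while the source is over the limit; a client that keeps retrying while banned hits the first rule and is dropped without extending its timeout.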