Here's what I've used in the past.
It allows connections for certain ports/places and then drops everything else as the last item.
http://linux.duke.edu/~skvidal/misc/iptables-template
it's pretty painless, really.
If we want to add explicit outbound rules, too, that's fine, but I'd advise enabling logging b/c that stuff is easy to get wrong. :)
This is just a sample but it's simple and straightforward.
-sv
On 5/24/07, seth vidal skvidal@fedoraproject.org wrote:
Here's what I've used in the past.
It allows connections for certain ports/places and then drops everything else as the last item.
http://linux.duke.edu/~skvidal/misc/iptables-template
it's pretty painless, really.
:D Good beginning. I believe that the best policy must be more restrictive: block inbound traffic on the INPUT and FORWARD chains with the DROP rule and later open the ports that are necessary.
If we want to add explicit outbound rules, too, that's fine, but I'd advise enabling logging b/c that stuff is easy to get wrong. :)
Perhaps in the POSTROUTING chain, but the OUTPUT chain is rarely used; I don't see any use for it on fedoraproject now.
"sv" == seth vidal skvidal@fedoraproject.org writes:
sv> Here's what I've used in the past. It allows connections for
sv> certain ports/places and then drops everything else as the last
sv> item.
sv> http://linux.duke.edu/~skvidal/misc/iptables-template
sv> it's pretty painless, really.
sv> If we want to add explicit outbound rules, too, that's fine, but
sv> I'd advise enabling logging b/c that stuff is easy to get wrong.
sv> :)
sv> This is just a sample but it's simple and straightforward.
The sample script accepts all non-syn TCP packets, whether they are related to an established connection or not. That is not necessarily a bad thing, I'm just pointing it out so people are aware of it.
/Benny
On Fri, 2007-05-25 at 15:52 +0200, Benny Amorsen wrote:
"sv" == seth vidal skvidal@fedoraproject.org writes:
sv> Here's what I've used in the past. It allows connections for
sv> certain ports/places and then drops everything else as the last
sv> item.
sv> http://linux.duke.edu/~skvidal/misc/iptables-template
sv> it's pretty painless, really.
sv> If we want to add explicit outbound rules, too, that's fine, but
sv> I'd advise enabling logging b/c that stuff is easy to get wrong.
sv> :)
sv> This is just a sample but it's simple and straightforward.
The sample script accepts all non-syn TCP packets, whether they are related to an established connection or not. That is not necessarily a bad thing, I'm just pointing it out so people are aware of it.
Fair enough, drop the -y and let the stateful handler earlier up take care of it.
-sv
seth vidal wrote:
Here's what I've used in the past.
It allows connections for certain ports/places and then drops everything else as the last item.
http://linux.duke.edu/~skvidal/misc/iptables-template
it's pretty painless, really.
If we want to add explicit outbound rules, too, that's fine, but I'd advise enabling logging b/c that stuff is easy to get wrong. :)
This is just a sample but it's simple and straightforward.
Excellent. I much prefer simple firewall rules where possible (it's not always possible :)
One RFE:
Could we have a commented section in there to rate limit some of the open ports (http immediately comes to mind)? That way, if we get slammed again, we don't have to go figure out what we've done in the past; we can just uncomment it.
What do you think?
-Mike
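As an added illustration of the points raised in this thread (it is not Seth's template, whose contents are not reproduced here), the script below prints an iptables-restore ruleset in the style discussed: INPUT/FORWARD default to DROP, a few ports/places are opened, reply traffic is admitted by the stateful ESTABLISHED,RELATED match rather than by matching non-SYN packets (Benny's point), dropped packets are logged, and a rate limit on port 80 can be switched on for Mike's RFE. The port list, admin network and thresholds are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the list's template: emit an iptables-restore ruleset.
# Only packets belonging to a tracked connection are let through by the
# state match; a stray non-SYN TCP packet is INVALID or falls to the final
# DROP instead of being accepted blindly.
# Assumed placeholders: ALLOW_TCP_PORTS, ADMIN_NET, HTTP_RATE, HTTP_BURST.

ALLOW_TCP_PORTS="80 443"     # assumed public services
ADMIN_NET="192.0.2.0/24"     # placeholder (TEST-NET-1) for the ssh "place"
HTTP_RATE="25/second"        # assumed ceiling on new HTTP connections
HTTP_BURST="50"

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -s ${ADMIN_NET} --dport 22 --syn -j ACCEPT
EOF
    for p in $ALLOW_TCP_PORTS; do
        if [ "$p" = 80 ] && [ "${RATE_LIMIT_HTTP:-0}" = 1 ]; then
            # Set RATE_LIMIT_HTTP=1 when being slammed: admit new HTTP
            # connections up to HTTP_RATE (burst HTTP_BURST), drop the rest.
            echo "-A INPUT -p tcp --dport 80 --syn -m limit --limit ${HTTP_RATE} --limit-burst ${HTTP_BURST} -j ACCEPT"
            echo "-A INPUT -p tcp --dport 80 --syn -j DROP"
        else
            echo "-A INPUT -p tcp --dport ${p} --syn -j ACCEPT"
        fi
    done
    # Log (rate-limited, so the log itself can't be flooded) and then drop
    # everything else as the last item.
    cat <<EOF
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# Usage: sh firewall.sh | iptables-restore
#        RATE_LIMIT_HTTP=1 sh firewall.sh | iptables-restore
gen_rules
```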
On 25/05/07, Mike McGrath mmcgrath@redhat.com wrote:
seth vidal wrote:
Here's what I've used in the past.
It allows connections for certain ports/places and then drops everything else as the last item.
http://linux.duke.edu/~skvidal/misc/iptables-template
it's pretty painless, really.
If we want to add explicit outbound rules, too, that's fine, but I'd advise enabling logging b/c that stuff is easy to get wrong. :)
This is just a sample but it's simple and straightforward.
Excellent. I much prefer simple firewall rules where possible (it's not always possible :)
One RFE:
Could we have a commented section in there to rate limit some of the open ports (http immediately comes to mind)? That way, if we get slammed again, we don't have to go figure out what we've done in the past; we can just uncomment it.
What do you think?
-Mike
Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Hey Mike,
For Apache, why not deploy the mod_evasive module? What is mod_evasive?
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
I have finished university for the summer; would you like me to look into deploying this next week? Does anyone have any objections to this?
Damian Myerscough wrote:
On 25/05/07, Mike McGrath mmcgrath@redhat.com wrote:
seth vidal wrote:
Here's what I've used in the past.
It allows connections for certain ports/places and then drops everything else as the last item.
http://linux.duke.edu/~skvidal/misc/iptables-template
it's pretty painless, really.
If we want to add explicit outbound rules, too, that's fine, but I'd advise enabling logging b/c that stuff is easy to get wrong. :)
This is just a sample but it's simple and straightforward.
Excellent. I much prefer simple firewall rules where possible (it's not always possible :)
One RFE:
Could we have a commented section in there to rate limit some of the open ports (http immediately comes to mind)? That way, if we get slammed again, we don't have to go figure out what we've done in the past; we can just uncomment it.
What do you think?
-Mike
Hey Mike,
For Apache, why not deploy the mod_evasive module? What is mod_evasive?
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
I have finished university for the summer; would you like me to look into deploying this next week? Does anyone have any objections to this?
Is mod_evasive in extras/epel?
-Mike
mod_evasive is not in extras :( however, I am sure we could package it.
On 25/05/07, Mike McGrath mmcgrath@redhat.com wrote:
Damian Myerscough wrote:
On 25/05/07, Mike McGrath mmcgrath@redhat.com wrote:
seth vidal wrote:
Here's what I've used in the past.
It allows connections for certain ports/places and then drops everything else as the last item.
http://linux.duke.edu/~skvidal/misc/iptables-template
it's pretty painless, really.
If we want to add explicit outbound rules, too, that's fine, but I'd advise enabling logging b/c that stuff is easy to get wrong. :)
This is just a sample but it's simple and straightforward.
Excellent. I much prefer simple firewall rules where possible (it's not always possible :)
One RFE:
Could we have a commented section in there to rate limit some of the open ports (http immediately comes to mind)? That way, if we get slammed again, we don't have to go figure out what we've done in the past; we can just uncomment it.
What do you think?
-Mike
Hey Mike,
For Apache, why not deploy the mod_evasive module? What is mod_evasive?
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
I have finished university for the summer; would you like me to look into deploying this next week? Does anyone have any objections to this?
Is mod_evasive in extras/epel?
-Mike