forked from VitalyPokataev/Patch
Натройка iptables.txt
 Debian:
aptitude install module-assistant xtables-addons-source
module-assistant prepare
module-assistant auto-install xtables-addons-source
depmod -a
sudo nano /etc/network/if-pre-up.d/iptables
Add these lines to it:
#!/bin/bash
/sbin/iptables-restore < /home/server/iptables.rules
The file needs to be executable so change the permissions:
sudo chmod +x /etc/network/if-pre-up.d/iptables
sudo /sbin/iptables-restore < /home/server/iptables2.rules
netstat -a 10 > C:\netstatlog.txt
-- Logs everything)) will help against ddos
http://wowjp.net/forum/224-140925-1
Want to send all the Sprut users packing? Please, it works over the TCP protocol with the SYN flag, opening sockets for connection; the rule is simple and reliable
-A INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 40 --connlimit-mask 32 -j DROP - you can play with the number 40, but I think this is optimal.
It wouldn't hurt to put a limit on sending a certain kind of traffic, and also on the port
-A INPUT -p tcp --dport 80 -m connbytes --connbytes :10000 --connbytes-dir original --connbytes-mode bytes -j ACCEPT - we allow sending no more than 10 KB to port 80
-A INPUT -p tcp --dport 80 -j DROP - everything else, over 10 KB, we destroy
Use together with the hashlimit and limit modules; well, I think that's a start, the rest you can read in the man pages)
// WEB
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 32/sec --limit-burst 32 -j ACCEPT
iptables -P INPUT DROP
// SERVER
iptables -I INPUT -p tcp --dport 3724 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 3724 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 15 -j DROP
# and drop ping (in principle it is dropped by the default policy anyway,
# but this rule is here in case you want to edit it)
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP # Ping
# the following rule can replace the previous one; then when our machine
# is pinged, instead of a timeout message the sender will get a
# Host unreachable message
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable
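As an added example (not code from these notes or from the linked forum), the WEB, SERVER and ICMP rules above combined into one iptables-restore file of the kind the Debian section loads from /home/server/iptables.rules, in the order the rules must be evaluated; the port numbers, interface name, the `srv` name for the recent list and the output path are assumptions.

```shell
#!/bin/bash
# Added example, not code from the original notes. Emits an iptables-restore
# file combining the WEB (connlimit + limit), SERVER (recent) and ICMP rules
# in the order they must be evaluated. Ports, interface, list name and path
# are assumptions.

gen_rules() {
    local web_port="${1:-80}" srv_port="${2:-3724}" iface="${3:-eth0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:icmp_packets - [0:0]
# loopback and replies to connections we already track
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j icmp_packets
# WEB: at most 40 concurrent connections per source IP (/32), then
# at most 32 new connections per second overall; the rest is dropped
-A INPUT -p tcp --dport ${web_port} -m connlimit --connlimit-above 40 --connlimit-mask 32 -j DROP
-A INPUT -p tcp --dport ${web_port} -m conntrack --ctstate NEW -m limit --limit 32/sec --limit-burst 32 -j ACCEPT
-A INPUT -p tcp --dport ${web_port} -j DROP
# SERVER: 15 or more new connections from one IP within 60 s are dropped;
# the --update rule must sit before --set, which is why the notes use -I
-A INPUT -p tcp --dport ${srv_port} -i ${iface} -m conntrack --ctstate NEW -m recent --name srv --update --seconds 60 --hitcount 15 -j DROP
-A INPUT -p tcp --dport ${srv_port} -i ${iface} -m conntrack --ctstate NEW -m recent --name srv --set -j ACCEPT
# ICMP: silently drop echo requests (ping)
-A icmp_packets -p icmp --icmp-type 8 -j DROP
COMMIT
EOF
}

# Dry-run the file against the kernel without applying it (needs root and
# the connlimit/recent modules); skipped where iptables is not installed.
check_rules() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        iptables-restore --test < "$1"
    else
        echo "iptables-restore unavailable or not root; dry-run skipped" >&2
    fi
}

rules_file="${RULES_FILE:-/tmp/iptables.rules}"   # assumed output path
gen_rules 80 3724 eth0 > "$rules_file"
```

Run `check_rules "$rules_file"` as root to syntax-check the generated file before pointing the if-pre-up.d script at it.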
http://linuxru.org/tips/72
http://linuxru.org/linux/56
http://www.xakep.ru/post/53653/?print=true
http://sys.dmitrow.com/node/35
http://sobrs.ru/index.php/-linux/-firewall-linux/3977.html auto-blocking