Regras de segurança (contra diversos ataques)
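#!/usr/bin/env bash
# Security rules (against several kinds of attack).
#
# Every "-m limit ... -j ACCEPT" rule only accepts traffic *within* the limit;
# it protects nothing on its own, because the excess just falls through to the
# next rule / chain policy. Each rate-limited ACCEPT is therefore paired with a
# DROP of the same traffic right after it. Rules are appended (-A), so the order
# in this file is the order in which iptables evaluates them.
#
# --limit 1/s uses the default --limit-burst of 5 (iptables default).
set -eu

# Internet-facing interface (e.g. ppp0 or ethX). Must be supplied by the caller;
# ${VAR:?} aborts instead of silently building rules for an empty interface.
EXT_IF="${EXT_IF:?set EXT_IF to the internet-facing interface (e.g. ppp0, eth1)}"
readonly EXT_IF

# SYN flood: limit new connection attempts (SYN only) crossing the router.
# Matching plain "-p tcp" without --syn would throttle every forwarded TCP
# packet, not just connection attempts.
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --syn -j DROP

# Ping of death / ping flood: limit forwarded ICMP echo requests.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP

# Port scanners: a bare RST (SYN,ACK,FIN clear) is the signature of several
# scan techniques; rate-limit and drop the rest.
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP

# Traceroute (UDP probes to the conventional high-port range) from outside.
iptables -A INPUT -p udp -i "$EXT_IF" --dport 33435:33525 -j DROP

# Packets the connection tracker cannot classify (bad TCP flags, out-of-window,
# malformed headers).
iptables -A INPUT -m state --state INVALID -j DROP

# Block a single host by MAC address. --mac-source requires the "mac" match
# module; replace the placeholder with the real address.
iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

# Anti-spoofing: private (RFC 1918) source addresses must never arrive on the
# internet-facing interface. Full RFC 1918 ranges are used (10/8, 172.16/12,
# 192.168/16). If the external link itself carries private addressing
# (e.g. carrier-grade NAT), narrow these before loading.
for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
  iptables -A INPUT -s "$net" -i "$EXT_IF" -j DROP
done

# Malformed and fragmented packets from the internet-facing interface.
# The user-defined chains log_unclean and log_fragment are NOT created here and
# must exist before these rules are appended, or iptables rejects the rule.
# NOTE(review): the "unclean" match comes from the old 2.4-era patch-o-matic set
# and is generally not available in current kernels/iptables; under set -e a
# missing module aborts the script here, so drop the line if it is unsupported.
iptables -A INPUT -i "$EXT_IF" -m unclean -j log_unclean
iptables -A INPUT -f -i "$EXT_IF" -j log_fragment

# Ignore ICMP type 8 (echo *request*) on this host, so no echo reply (type 0)
# is ever sent. This is a host-wide sysctl, not a netfilter rule, and it also
# silences legitimate monitoring pings.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all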