[ale] DOS protection in iptables

Boris Borisov bugyatl at gmail.com
Tue Apr 22 20:09:24 EDT 2014


I extracted this file from the floppy image of my favorite floppy firewall
distro: http://www.zelow.no/floppyfw/download.html

I'm sending it as an attachment ...


On Tue, Apr 22, 2014 at 5:37 PM, Jim Kinney <jim.kinney at gmail.com> wrote:

> That script was hoisted from here:
>
> http://www.hermann-uwe.de/files/fw_laptop
>
> That link has a better version and much better comments.
>
>
> On Tue, Apr 22, 2014 at 4:39 PM, Chris Fowler <cfowler at outpostsentinel.com> wrote:
>
>> I had someone today ask me about tracking DNAT connections. I
>> modified the iptables rules of the system to log new connections and I'm
>> hammering it using Perl. Now that I have gone down the rabbit hole I'm
>> interested in tweaking the standard rules to protect against DOS
>> attacks. The user has no control over the rules until we get to the
>> custom section so I'm looking to apply "best practices."
>>
>> I did find this info so some things I do will need to be via sysctl.
>>
>>
>> https://forums.digitalpoint.com/threads/ddos-protection-script-for-iptables.1031456/
>>
>> I'm not sure why my limit is not working for logging. I'm trying to
>> limit logging to 20/min so that we do not fill flash. I'm seeing a
>> limit of 5 in the log file.
>>
>> ------------- [ cut here ] -------------------------------------------------------------------
>> #!/bin/sh
>> ######################################################################
>> # Flush all rules
>> ######################################################################
>> /sbin/iptables -P INPUT ACCEPT
>> /sbin/iptables -P FORWARD ACCEPT
>> /sbin/iptables -P OUTPUT ACCEPT
>> /sbin/iptables -F
>> /sbin/iptables -X
>> /sbin/iptables -t nat -F
>> /sbin/iptables -t nat -X
>> /sbin/iptables -t mangle -F
>> /sbin/iptables -t mangle -X
>>
>> ######################################################################
>> # Enable Masquerading on net 1
>> ######################################################################
>> /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>
>> ######################################################################
>> # Create a target to log all new inbound connections
>> ######################################################################
>> /sbin/iptables -N LOGP
>> # Limit logging to 20/min to prevent filling up flash.
>> /sbin/iptables -A LOGP -j LOG -m limit --limit 20/min --log-prefix ' INBOUND TCP ' --log-level 4
>> /sbin/iptables -A LOGP -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -i '!' lo -j LOGP
>>
>> ######################################################################
>> # Create a DNAT rules per configuration and allow access
>> # to them via PPP interfaces.
>> ######################################################################
>> # DNAT: 10.0.6.201 -> 192.168.1.201
>> /sbin/iptables -t nat -A PREROUTING -d 10.0.6.201 -j DNAT --to-destination 192.168.1.201
>> /sbin/iptables -A INPUT -s 0/0 -i ppp+ -d 10.0.6.201 -j ACCEPT
>> /sbin/iptables -A FORWARD -s 0/0 -i ppp+ -d 10.0.6.201 -j ACCEPT
>> # DNAT: 10.0.6.254 -> 192.168.1.254
>> /sbin/iptables -t nat -A PREROUTING -d 10.0.6.254 -j DNAT --to-destination 192.168.1.254
>> /sbin/iptables -A INPUT -s 0/0 -i ppp+ -d 10.0.6.254 -j ACCEPT
>> /sbin/iptables -A FORWARD -s 0/0 -i ppp+ -d 10.0.6.254 -j ACCEPT
>>
>> ######################################################################
>> # Apply any custom rules from iptables config (if any are enabled).
>> ######################################################################
>> ######################################################################
>> # END
>> ######################################################################
>> ------------- [ cut here ] -------------------------------------------------------------------
>>
>> Thanks,
>> Chris
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>>
>
>
> --
> James P. Kinney III
>
> Every time you stop a school, you will have to build a jail. What you gain
> at one end you lose at the other. It's like feeding a dog on his own tail.
> It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
>
>
> http://heretothereideas.blogspot.com/
>
>
>
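The "limit of 5" Chris sees in the log is what the iptables `limit` match does by design: it is a token bucket, `--limit` sets the refill rate (20/min is one token every 3 seconds) and `--limit-burst`, which defaults to 5 when not given, sets the bucket size, so the first 5 new connections are logged back to back and after that only one every 3 seconds. The following is an added example, not code from the thread or from floppyfw: a small model of that bucket run over constructed arrival times (30 connections hammered inside the first second, then one per second for a minute). The function names and the traffic pattern are my own; the bucket behaviour (continuous refill, capped at the burst, match when a whole token is available) is how the kernel's limit match behaves.

```python
from fractions import Fraction

# Added example (not from the thread): a model of netfilter's "-m limit"
# match, which is a token bucket.  --limit sets the refill rate and
# --limit-burst (default 5) sets the bucket size, i.e. how many packets
# can match back to back before the average rate takes over.

DEFAULT_BURST = 5  # iptables default for --limit-burst


def limit_match(arrivals, limit_per_min, burst=DEFAULT_BURST):
    """Return the arrival times (seconds, Fraction) at which the match fires.

    arrivals: ascending packet arrival times in seconds.
    Tokens refill continuously at limit_per_min/60 per second, capped at
    `burst`; a packet matches when at least one whole token is available.
    Exact rational arithmetic avoids float edge cases at the boundary.
    """
    rate = Fraction(limit_per_min, 60)
    cap = Fraction(burst)
    tokens = cap                      # the bucket starts full
    last = arrivals[0] if arrivals else Fraction(0)
    fired = []
    for t in arrivals:
        tokens = min(cap, tokens + (t - last) * rate)
        last = t
        if tokens >= 1:
            tokens -= 1
            fired.append(t)
    return fired


def constructed_arrivals():
    """Constructed traffic (assumption, not captured data): 30 new
    connections inside the first second, then one per second for a minute."""
    hammer = [Fraction(3 * i, 100) for i in range(30)]   # 0.00 .. 0.87 s
    steady = [Fraction(s) for s in range(1, 61)]          # 1 .. 60 s
    return hammer + steady


def count_before(fired, t):
    """Number of matches that fired strictly before time t (seconds)."""
    return sum(1 for f in fired if f < t)


if __name__ == "__main__":
    arrivals = constructed_arrivals()
    for burst in (DEFAULT_BURST, 1, 20):
        fired = limit_match(arrivals, 20, burst)
        print(f"--limit 20/min --limit-burst {burst}: "
              f"{count_before(fired, 1)} logged in the first second, "
              f"{len(fired)} of {len(arrivals)} logged in total")
```

With the default burst the model logs 5 entries during the hammering and then exactly 20 over the following minute, which is the average Chris asked for; setting `--limit-burst` explicitly only changes how many entries the first burst may produce, not the long-run rate. Note that in the quoted script the limit is attached to the LOG rule and the LOGP chain still ends in `-j ACCEPT`, so the limit protects the flash from log floods but does not limit the connections themselves.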
-------------- next part --------------
A non-text attachment was scrubbed...
Name: firewall.ini
Type: application/octet-stream
Size: 9923 bytes
Desc: not available
URL: <http://mail.ale.org/pipermail/ale/attachments/20140422/abca8dc9/attachment-0001.obj>