On Sun, 06 Jan 2002 16:14:28 +0800 Chang <[EMAIL PROTECTED]> spewed into the bitstream:
> > Is my iptables ok? I wanted to submit it indeed... :)
> >
> > --
> > The pivotal point is the "second chance", judged by another set of
> > criteria.
> > In Linux We Trust -- http://linux.nf and news://news.hkpcug.org

> #explicitly enable ECN
> # some software may need ECN to be disabled...
> if [ -e /proc/sys/net/ipv4/tcp_ecn ]
> then
>     echo 1 > /proc/sys/net/ipv4/tcp_ecn
> fi

Disable the above, still too many broken firewalls on the internet.

> # create my own logdrop chain
> $IPT -N logdrop
> $IPT -A logdrop -j LOG -m limit --limit 10/minute --log-prefix "iptables "
> # according to ibm's article, this could fool into believing
> # that there are actually no service activated at my ports.
> $IPT -A logdrop -j REJECT -p tcp --reject-with tcp-reset
> $IPT -A logdrop -j REJECT -p udp --reject-with icmp-port-unreachable

There's an experimental psd match you can add if you use `make patch-o-matic` in iptables, made for port scans. If this is just for folks trying to connect to closed ports, you're already dropping those.

> $IPT -A INPUT -i $OUTIF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT
> $IPT -A OUTPUT -o $OUTIF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT

The above are redundant. You already have these covered in the more general state match higher up.

> #if using static IP, use source NAT
> $IPT -t nat -A POSTROUTING -o $OUTIF -j SNAT --to $OUTIP

You really should specify the source addresses you want to NAT (-s x.x.x.x), like in the commented-out line a little below the above.

Lots of confusing redundancy. Rules that will never be used. Looks like several scripts cobbled together, from all the overlap. Needs general cleaning up (get rid of all the unused lines).

Ciao,

David A. Bandel
--
Focus on the dream, not the competition.
  -- Nemesis Racing Team motto
Internet (H323) phone: 206.28.187.30
_______________________________________________
Linux-users mailing list
Archives, Digests, etc at http://linux.nf/mailman/listinfo/linux-users
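The skeleton below is an added example, not Chang's script and not anything David posted: it is the shape his three review points lead to (one state match per chain instead of per-port ESTABLISHED rules, a logdrop chain that actually terminates, and SNAT restricted with -s). Interface names, the 192.168.1.0/24 LAN range, the 203.0.113.10 public address and the single exposed SSH port are placeholder assumptions. It runs as a dry run by default, printing the iptables commands instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default: with IPT unset it
# echoes the rules. Run as root with IPT=iptables to load them for real.
IPT="${IPT:-echo iptables}"
OUTIF="${OUTIF:-eth0}"                 # assumed Internet-facing interface
LANIF="${LANIF:-eth1}"                 # assumed LAN interface
OUTIP="${OUTIP:-203.0.113.10}"         # assumed static public address
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN range to be NATed
SSH_PORT="${SSH_PORT:-22}"             # assumed: the one service exposed

# Rate-limited LOG, then an explicit per-protocol REJECT. The chain in the
# thread had no catch-all, so ICMP and other protocols fell off the end and
# returned to the calling chain; the final DROP closes that hole.
setup_logdrop() {
    $IPT -N logdrop
    $IPT -A logdrop -m limit --limit 10/minute -j LOG --log-prefix "iptables "
    $IPT -A logdrop -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A logdrop -p udp -j REJECT --reject-with icmp-port-unreachable
    $IPT -A logdrop -j DROP
}

# Default-deny policies and ONE ESTABLISHED,RELATED accept per chain. That
# rule already matches every reply packet, which is why the per-port
# "--sport/--dport ... --state ESTABLISHED" rules were redundant.
setup_state() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
}

# Only NEW connections need explicit rules: outbound from the box, forwarded
# from the LAN, and the one exposed service. Everything else goes to logdrop.
setup_new() {
    $IPT -A OUTPUT -o "$OUTIF" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LANIF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$OUTIF" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -j logdrop
    $IPT -A FORWARD -j logdrop
}

# SNAT with -s: without it, every packet leaving $OUTIF is rewritten, not
# just the LAN hosts you intend to masquerade behind the static address.
setup_snat() {
    $IPT -t nat -A POSTROUTING -o "$OUTIF" -s "$LAN_NET" -j SNAT --to-source "$OUTIP"
}

# Emit (or load) the complete ruleset, in order.
build_rules() {
    setup_logdrop
    setup_state
    setup_new
    setup_snat
}

build_rules
```

`--to-source` is the full name of the option the thread abbreviates as `--to`; both are accepted by iptables. Running the script without IPT set lets you diff the generated rule list against the old one and spot anything that survived the cleanup but is never reached.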