Difference between revisions of "Talk:Simple stateful firewall"

From ArchWiki
m (status update)
(12 intermediate revisions by 3 users not shown)

Earlier revision:

I'm doing a rewrite of this article to make it more correct and simple, and also to clean up a lot of unnecessary info. Once the cleanup etc. is done, the merge into the iptables article that is suggested on the iptables discussion page will make a lot more sense. Thestinger 07:28, 12 March 2010 (EST)

:Except for a few more tweaks, I'm pretty much done with the Simple_stateful_firewall_HOWTO#Firewall_for_a_single_machine section. I'm going to rewrite the script at the bottom to contain the new rules. Also, I plan on adding a section about the recent module to the "hide your computer" section that shows how to trick portscanners into thinking open ports are closed. Once that's done, I'll read over the NAT section and see what I can do to improve it. Thestinger 10:25, 15 March 2010 (EDT)

::Still to finish: port knocking section, ssh bruteforce protection with recent module, rewrite of NAT section, firewall script. I'm probably going to end up rewriting a lot of the stuff too, just to make it short and sweet. Thestinger 12:50, 8 April 2010 (EDT)

Revision as of 12:28, 15 February 2012

Maybe I misunderstood some of the instructions, but I found that I needed to insert the rules into the chains TCP and UDP rather than OPEN-TCP and OPEN-UDP, as the latter didn't exist:

# iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
# iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach

I also found that I needed to add an --update:

# iptables -A INPUT -p icmp --icmp-type echo-request -m recent --update --name ping_limiter --hitcount 6 --seconds 4 -j DROP

I believe an --rcheck would also have worked. I'm not sure which would be correct. In general, I found this very helpful in conjunction with the man page for iptables. --Margali 21:57, 29 December 2011 (EST)


For IPv6 adaptation.

As --reject-with icmp6-proto-unreachable does not exist in IPv6, as told in the page, and according to the error message descriptions in the RFC (https://tools.ietf.org/html/rfc4443#section-3.1), I think icmp6-adm-prohibited, which means "Communication with destination administratively prohibited", may be the message to send. It is only by reading the RFC; I am not a network expert and I have no idea of what is generally done in this case. --Cladmi 07:28, 15 February 2012 (EST)
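Putting the two posts above together, here is an added example (not the article's script, and not code posted by Margali or Cladmi) of a complete rule set in which the chain creation, the recent-module trap and ping-limiter rules, and an ip6tables variant that answers with icmp6-adm-prohibited are in the order that makes them work. The chain names TCP and UDP, the list names TCP-PORTSCAN, UDP-PORTSCAN and ping_limiter, and the 60 s and 6-in-4 s thresholds come from the posts; the INPUT dispatch rules, the sshd ACCEPT on port 22 and the IPT/IP6T variables are assumptions. IPT and IP6T default to echo, so running the script only prints the commands; run it as root with IPT=iptables IP6T=ip6tables to apply them.

```shell
#!/bin/sh
# Added example; not the article's script and not the posters' code.
# Builds the portscan trap and ping limiter from Margali's post, then an
# ip6tables variant that answers with icmp6-adm-prohibited as Cladmi
# suggests. Chain names (TCP, UDP), list names and thresholds come from the
# posts; the INPUT dispatch rules and the sshd ACCEPT are assumed.
#
# IPT/IP6T default to "echo ..." so the script only prints the rules.
# Run as root with IPT=iptables IP6T=ip6tables to apply them.
IPT="${IPT:-echo iptables}"
IP6T="${IP6T:-echo ip6tables}"

ipv4_rules() {
    # User chains must exist before "-I TCP"/"-I UDP" can insert into them
    # (the OPEN-TCP/OPEN-UDP names from the old text do not exist).
    $IPT -N TCP
    $IPT -N UDP

    # Ping limiter. --hitcount/--seconds are only accepted together with
    # --rcheck or --update, hence the --update Margali had to add. --update
    # also re-stamps the source on every match, so a host that keeps
    # flooding stays dropped; --rcheck would leave the stamps alone and the
    # block would expire 4 s after the last accepted ping.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m recent --update \
        --name ping_limiter --hitcount 6 --seconds 4 -j DROP
    # --update never creates entries: this --set rule records each accepted
    # echo-request; without it the DROP rule above can never match.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m recent --set \
        --name ping_limiter -j ACCEPT

    # Hand new connections to the per-protocol chains (established traffic
    # is assumed to be accepted earlier in INPUT).
    $IPT -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
    $IPT -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

    # Trap, part 1: a source that hit a closed port in the last 60 s is
    # rejected before the open-port rules are consulted. -I puts these at
    # the top of the chain; --update extends the 60 s while the scan runs.
    $IPT -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN \
        -j REJECT --reject-with tcp-rst
    $IPT -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN \
        -j REJECT --reject-with port-unreach

    # Open ports are appended, so they sit below the trap rule (sshd assumed).
    $IPT -A TCP -p tcp --dport 22 -j ACCEPT

    # Trap, part 2: whatever falls out of TCP/UDP hit a closed port, so
    # record the source and send the same reply a closed port would.
    $IPT -A INPUT -p udp -m recent --set --name UDP-PORTSCAN \
        -j REJECT --reject-with port-unreach
    $IPT -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN \
        -j REJECT --reject-with tcp-rst
    # Other protocols: the IPv4 reply is protocol-unreachable.
    $IPT -A INPUT -j REJECT --reject-with icmp-proto-unreachable
}

ipv6_rules() {
    $IP6T -N TCP
    $IP6T -N UDP
    # Same trap structure; only the REJECT types differ. ip6tables has no
    # icmp6-proto-unreachable, so the catch-all uses icmp6-adm-prohibited
    # (RFC 4443 Destination Unreachable, code 1); the TCP alias is tcp-reset.
    # The ping limiter is left out here: ICMPv6 filtering also has to let
    # neighbour discovery through and is a separate topic.
    $IP6T -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
    $IP6T -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
    $IP6T -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN \
        -j REJECT --reject-with tcp-reset
    $IP6T -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN \
        -j REJECT --reject-with icmp6-port-unreachable
    $IP6T -A TCP -p tcp --dport 22 -j ACCEPT
    $IP6T -A INPUT -p udp -m recent --set --name UDP-PORTSCAN \
        -j REJECT --reject-with icmp6-port-unreachable
    $IP6T -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN \
        -j REJECT --reject-with tcp-reset
    $IP6T -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
}

ipv4_rules
ipv6_rules
```

On the --rcheck question: both flags satisfy the "--hitcount needs --rcheck or --update" requirement, and both read the same timestamps, but --update additionally writes a new timestamp for the source each time the rule matches. For the ping limiter that means dropped pings also count, so a host that keeps pinging stays blocked until it pauses for 4 s; with --rcheck only the pings accepted by the --set rule are stamped, so the block lifts 4 s after the sixth accepted ping even if the flood continues. Pick --update for the portscan trap for the same reason: every rejected probe extends the 60 s window.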