|(6 intermediate revisions by 3 users not shown)|
|−|Still to finish: port knocking section, ssh bruteforce protection with recent module, rewrite of NAT section, firewall script. I 'm probably going to end up rewriting a lot of the other stuff too, to make the article/guide easier to follow. [[User:Thestinger|Thestinger]] 12: 50, 8 April 2010 (EDT) |+|
I of the to the :
| || |
|−|Also need to fix the portscanner section, right now a local windows machine will get themselves on the list from netbios stuff, it's just a matter of adding a limit to how many packets is normal and then putting ones that go over that on the recent list [[User:Thestinger|Thestinger]] 20:32, 19 April 2010 (EDT) |+|
| || |
|−|== NAT == |+|
| || |
|−|The NAT section here is incomplete and there is a far superior article here: [[NAT'ing firewall - Share your broadband connection]]. If no one opposes it, I'm going to work on improving [[ NAT'ing firewall - Share your broadband connection]] and then get rid of the NAT section here once it has no unique information. This article is for a " Simple Stateful Firewall", not an NAT. [[User: Thestinger| Thestinger]] 13: 35, 9 April 2010 ( EDT) |+|
. I'm []
and the section.
"" , not .[[User:|]] :, ()
Revision as of 12:28, 15 February 2012
Maybe I misunderstood some of the instructions but I found that I needed to insert the rules into the chains TCP and UDP rather than OPEN-TCP and OPEN-UDP as the latter didn't exist:
# iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
# iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach
I also found that I needed to add an --update:
# iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --hitcount 6 --seconds 4 -j DROP
I believe an --rcheck would also have worked. I'm not sure which would be correct. In general, I found this very helpful in conjunction with the man page for iptables. --Margali 21:57, 29 December 2011 (EST)
For ipv6 adaptation.
As --reject-with icmp6-proto-unreachable does not exist in ipv6, as told in the page, and according to the error messages description in the RFC [].
I think the icmp6-adm-prohibited which means "Communication with destination administratively prohibited" may be the message to send. It is only by reading the RFC, I am not a network expert and I have no idea of what is generally done in this case.--Cladmi 07:28, 15 February 2012 (EST)