It will have no effect AFAIK (I'd expect the kernel to drop any packets with that source address arriving on an actual external network interface), and just confuses things a bit. Specifically I wouldn't exclude 127.0.0.0/8. Looks pretty ok there's not that many, probably doesn't make that much difference.ΔΆ) About inclusion/exclusion of some private IP ranges (or maybe delete rule #1 at all) This is the screenshot of the policy rules as shown in Firewall Builder. ![]() $IPTABLES -A In_RULE_5 -j LOG -log-level info -log-prefix "SYN FLOOD: " $IPTABLES -A INPUT -i eth0 -p tcp -m tcp -tcp-flags ACK,RST,SYN,FIN SYN -m limit -limit 3/second -limit-burst 5 -j In_RULE_5 The compiled rule #5 is: $IPTABLES -N In_RULE_5 Anything else you might seem important to include or delete.Rule #4 might also not work for the same reason. I used the Apache bench tool to create hundreds of connections to the server and they all come through, so I suppose the rules does not work. Whatever I tried, rule #5 does not seem work and is disabled as shown by the red X in the rule number. Rules #4 and #5 use the limit module of iptables to mitigate flood of RST packets and DOS attacks.Whether the rules must be stateless or not (watch for new connections only).About inclusion/exclusion of some private IP ranges (or maybe delete rule #1 at all). ![]() Specifically, I would like your opinion about: ![]() The vps comes with one NIC with public IP (marked as outside in the rules). I use Firewall Builder to create my rules and I would like some suggestions or your opinion about it. I just switched to a new vps, which I installed Linux and I wish to harden it a bit by applying firewall rules using iptables.
0 Comments
Leave a Reply. |