Changes between Version 3 and Version 4 of jazz/10-03-26

Timestamp:

Mar 26, 2010, 11:59:41 PM (16 years ago)

Author:

jazz

Comment:

--

jazz/10-03-26

@@ -29 +29 @@
 net.ipv4.tcp_tw_recycle = 1 表示開啟TCP連接中TIME-WAIT sockets的快速回收，預設為0，表示關閉
 }}}
+ * 彙整以上的規則，寫一隻 script 來當做開機時啟用安全防護的機制。
+{{{
+#!sh
+echo "clear rules"
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+echo "drop ping and traceroute"
+iptables -A INPUT -i eth0 -p icmp -s any/0 --icmp-type 8 -j DROP
+iptables -A OUTPUT -o eth0 -p icmp --icmp-type 3 -d any/0 -j DROP
+iptables -A OUTPUT -o eth0 -p icmp --icmp-type 11 -d any/0 -j DROP
+echo "drop abuse IP connections"
+iptables -A INPUT -s 124.254.15.50 -j DROP
+iptables -A INPUT -s 222.191.249.106 -j DROP
+iptables -A INPUT -s 121.235.30.92 -j DROP
+echo "drop connect more than 10 times in 10 seconds ..."
+iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name DEFAULT --rsource
+iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 --name DEFAULT --rsource -j DROP
+echo "decrease TCP socket TIME_WAIT time"
+echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
+sysctl net.ipv4.tcp_tw_reuse=1
+sysctl net.ipv4.tcp_tw_recycle=1
+}}}