
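#!/usr/bin/env bash
#
# Stateful iptables firewall and NAT gateway between a WAN interface and a LAN.
#
# Default policy is DROP on INPUT, OUTPUT and FORWARD; everything that is
# allowed is listed explicitly in the allow_* functions below.  The script is
# idempotent: filter and nat chains are flushed and the custom syn-flood chain
# is recreated on every run, so re-applying it does not accumulate duplicate
# rules (the original appended a new MASQUERADE rule on every run and failed
# on the second `iptables -N syn-flood`).
#
# Must run as root on a kernel with iptables and the conntrack, recent, limit,
# multiport and length matches.
#
set -euo pipefail
set -x   # kept from the original "#!/bin/bash -x": every rule applied is echoed to stderr

# ---- site configuration ----------------------------------------------------
readonly dev_wan=eth0
readonly net_wan=10.0.1.0/24
readonly server_wan=10.0.1.1      # this host's WAN address

readonly dev_lan=eth1
readonly net_lan=10.0.2.0/24
# NOTE(review): same value as server_wan and outside net_lan in the original;
# it is not referenced by any rule -- confirm what it was meant to be.
readonly server_lan=10.0.1.1

# Only this source address may open new SSH sessions to the gateway.
# NOTE(review): the original sets it to the gateway's own WAN address; it has
# to be the administrator's source address or SSH is unreachable from anywhere.
readonly admin=10.0.1.1

# Rate used for every LOG target so a flood cannot fill the log.
readonly log_rate=(-m limit --limit 3/m --limit-burst 5)

die() { printf 'firewall: %s\n' "$*" >&2; exit 1; }
warn() { printf 'firewall: warning: %s\n' "$*" >&2; }

#######################################
# Write a value to a /proc/sys knob, failing if the knob does not exist
# (a bare `echo > path` would silently write nothing under the old script).
# Arguments: $1 - knob path, $2 - value
#######################################
set_knob() {
  local knob=$1 value=$2
  [[ -w "$knob" ]] || die "sysctl knob not writable: $knob"
  printf '%s\n' "$value" > "$knob"
}

#######################################
# Kernel IP stack hardening.  Values are those of the original script except
# accept_redirects, which it set to 1 (accept) by mistake.
# Globals: none
#######################################
tune_ip_stack() {
  local knob
  set_knob /proc/sys/net/ipv4/ip_forward 1

  # Reduce DoS surface: shorter timeouts, bounded SYN backlog, SYN cookies.
  set_knob /proc/sys/net/ipv4/tcp_fin_timeout 30
  set_knob /proc/sys/net/ipv4/tcp_keepalive_time 1800
  set_knob /proc/sys/net/ipv4/tcp_window_scaling 1
  set_knob /proc/sys/net/ipv4/tcp_sack 0   # NOTE(review): disabling SACK costs throughput; kept from original
  set_knob /proc/sys/net/ipv4/tcp_max_syn_backlog 1280
  set_knob /proc/sys/net/ipv4/tcp_syncookies 1

  # Anti-spoofing: reverse-path filter on every interface.
  for knob in /proc/sys/net/ipv4/conf/*/rp_filter; do
    set_knob "$knob" 1
  done

  set_knob /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  set_knob /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  set_knob /proc/sys/net/ipv4/conf/all/log_martians 1
  # A router must neither honour ICMP redirects (a neighbour could rewrite its
  # routes) nor emit them.  The original wrote 1 here, i.e. accepted them.
  set_knob /proc/sys/net/ipv4/conf/all/accept_redirects 0
  set_knob /proc/sys/net/ipv4/conf/all/send_redirects 0
}

#######################################
# Bound the connection-tracking table.  The knob is under net/netfilter on
# current kernels and net/ipv4/ip_conntrack_max on old ones, and it only
# appears once the conntrack module is loaded -- call this after the first
# conntrack rule has been added.  Best effort: warns instead of failing.
#######################################
tune_conntrack_max() {
  local knob
  for knob in /proc/sys/net/netfilter/nf_conntrack_max /proc/sys/net/ipv4/ip_conntrack_max; do
    if [[ -w "$knob" ]]; then
      set_knob "$knob" 65535
      return 0
    fi
  done
  warn "no conntrack_max knob found; table size left at the kernel default"
}

#######################################
# Flush filter and nat chains, set DROP policies, (re)create the syn-flood
# chain.  Policies are set before any ACCEPT rule so the box is never open.
#######################################
reset_tables() {
  iptables -F INPUT
  iptables -F OUTPUT
  iptables -F FORWARD
  iptables -t nat -F POSTROUTING   # never flushed in the original -> duplicate MASQUERADE per run

  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

  # -N fails when the chain survives from a previous run: flush it instead.
  iptables -F syn-flood 2>/dev/null || iptables -N syn-flood
}

#######################################
# Loopback and stateful rules.  These come first: the original appended the
# loopback ACCEPTs after the scan traps, so local traffic over lo was subject
# to the "not starting by SYN" drop.
#######################################
allow_loopback_and_state() {
  local chain
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  for chain in INPUT OUTPUT FORWARD; do
    iptables -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  done
  for chain in INPUT FORWARD; do
    iptables -A "$chain" -m conntrack --ctstate INVALID -j DROP
  done

  # New TCP flows must begin with a bare SYN (ACK scans, stray segments).
  iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW \
    -m comment --comment "Drop TCP connection not starting by SYN" -j DROP
}

#######################################
# Port-scan detection.  Offenders are put on a `recent` list and, unlike the
# original (which only ever --set the lists and never checked them), every
# later packet from them is dropped for the list's lifetime.
#######################################
block_scans() {
  iptables -A INPUT -m recent --name blacklist_60 --rcheck --seconds 60 \
    -m comment --comment "Blacklisted 60s" -j DROP
  iptables -A INPUT -m recent --name blacklist_180 --rcheck --seconds 180 \
    -m comment --comment "Blacklisted 180s" -j DROP

  # flag-combination scans: "<tcp flags> <log label> <comment label>"
  local -a scans=(
    "FIN FIN FIN"
    "FIN,PSH,URG XMAS Xmas"
    "SYN,RST,ACK,FIN,URG XMAS-PSH Xmas/PSH"
    "ALL XMAS-ALL Xmas/All"
    "NONE NULL Null"
  )
  local row flags log_label comment_label
  for row in "${scans[@]}"; do
    read -r flags log_label comment_label <<<"$row"
    iptables -A INPUT -p tcp --tcp-flags ALL "$flags" "${log_rate[@]}" \
      -j LOG --log-prefix "FW:PROTECTION ${log_label} scan "
    iptables -A INPUT -p tcp --tcp-flags ALL "$flags" -m recent --name blacklist_60 --set \
      -m comment --comment "Drop/Blacklist ${comment_label} scan" -j DROP
  done

  # Trap ports: nothing legitimate connects to telnet/finger here, so a SYN
  # to 23 or 79 marks the source as a scanner for 180 s.
  iptables -A INPUT -p tcp -m multiport --dports 23,79 --tcp-flags ALL SYN "${log_rate[@]}" \
    -j LOG --log-prefix "FW:PROTECTIONSYN scan trap:"
  iptables -A INPUT -p tcp -m multiport --dports 23,79 --tcp-flags ALL SYN \
    -m recent --name blacklist_180 --set -j DROP

  # Empty UDP datagrams (IP header + UDP header only = 28 bytes) are probes.
  iptables -A INPUT -p udp -m length --length 0:28 -m limit --limit 6/h --limit-burst 1 \
    -j LOG --log-prefix "FW:PROTECTION0 length udp "
  iptables -A INPUT -p udp -m length --length 0:28 \
    -m comment --comment "Drop UDP packet with no content" -j DROP
}

#######################################
# SYN-flood throttle: pass up to 100 SYN/s (burst 150), beyond that log
# sparingly and drop.  The original built this chain but never jumped to it.
#######################################
build_syn_flood_chain() {
  iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
  # The original LOG rule also carried "-m length --length 0:28", which a SYN
  # segment (40+ bytes) never matches; presumably copied from the UDP rule.
  iptables -A syn-flood -m limit --limit 3/m --limit-burst 1 \
    -j LOG --log-prefix "FW:PROTECTION syn flood "
  iptables -A syn-flood -j DROP

  iptables -A INPUT -p tcp --syn -j syn-flood
  iptables -A FORWARD -p tcp --syn -j syn-flood
}

#######################################
# Services: what the gateway accepts, what it may originate, what it forwards.
# Globals: admin, dev_lan, dev_wan, net_lan, server_wan (read)
#######################################
allow_services() {
  local port chain

  # SSH into the gateway from the admin address only.  The original also had
  # an unconditional "--dport 22 ACCEPT" ahead of this rule, which made the
  # admin restriction dead, and an inbound "--sport 22 ACCEPT" that trusted
  # any packet merely claiming source port 22.  Replies leave under ESTABLISHED.
  iptables -A INPUT -s "$admin" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

  # Local DNS server, reachable from the LAN side only.
  iptables -A INPUT -i "$dev_lan" -s "$net_lan" -p udp --dport 53 -j ACCEPT
  iptables -A INPUT -i "$dev_lan" -s "$net_lan" -p tcp --dport 53 -j ACCEPT

  # The gateway itself may resolve names and fetch over http/https.
  iptables -A OUTPUT -s "$server_wan" -p udp --dport 53 -j ACCEPT
  for port in 53 http https; do
    iptables -A OUTPUT -s "$server_wan" -p tcp --dport "$port" -j ACCEPT
  done

  # LAN -> WAN forwarding: dns, http, https, ftp control channel.  Binding to
  # interfaces and source net closes what the original left open: DNS
  # forwarding from any source.  NOTE(review): FTP data channels need the
  # nf_conntrack_ftp helper to be picked up as RELATED -- not loaded here.
  iptables -A FORWARD -i "$dev_lan" -o "$dev_wan" -s "$net_lan" -p udp --dport 53 \
    -m conntrack --ctstate NEW -j ACCEPT
  for port in 53 http https 21; do
    iptables -A FORWARD -i "$dev_lan" -o "$dev_wan" -s "$net_lan" -p tcp --dport "$port" \
      -m conntrack --ctstate NEW -j ACCEPT
  done

  # ICMP: echo both ways plus unreachable notices.  Inbound echo to the
  # gateway is rate limited so it cannot be used to keep the CPU busy.
  iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
  for chain in FORWARD OUTPUT; do
    iptables -A "$chain" -p icmp --icmp-type echo-request -j ACCEPT
  done
  for chain in INPUT FORWARD OUTPUT; do
    iptables -A "$chain" -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A "$chain" -p icmp --icmp-type destination-unreachable -j ACCEPT
  done
}

#######################################
# Log whatever reaches the end of a chain before the DROP policy takes it.
# Rate limited: the original's unlimited LOG rules let any flood fill the disk.
#######################################
log_drops() {
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    iptables -A "$chain" "${log_rate[@]}" -j LOG --log-prefix "FW:POLYCITY ${chain} DROP:"
  done
}

#######################################
# Masquerade LAN traffic leaving on the WAN side only (the original
# masqueraded everything on every interface).
#######################################
enable_nat() {
  iptables -t nat -A POSTROUTING -s "$net_lan" -o "$dev_wan" -j MASQUERADE
}

main() {
  (( EUID == 0 )) || die "must run as root"
  command -v iptables >/dev/null || die "iptables not found"
  logger "FW CREATED RULE" || warn "logger failed"

  tune_ip_stack
  reset_tables
  allow_loopback_and_state
  tune_conntrack_max   # after the first conntrack rule so the knob exists
  block_scans
  build_syn_flood_chain
  allow_services
  log_drops
  enable_nat
}

main "$@"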
     
 