<div dir="ltr"><div>That script was hoisted from here:<br><br><a href="http://www.hermann-uwe.de/files/fw_laptop">http://www.hermann-uwe.de/files/fw_laptop</a><br><br></div>That link has a better version and much better comments.<br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 22, 2014 at 4:39 PM, Chris Fowler <span dir="ltr"><<a href="mailto:cfowler@outpostsentinel.com" target="_blank">cfowler@outpostsentinel.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<font size="-1">I had someone today ask me about tracking DNAT
connections. I modified the iptables rules of the system so log
new connections and I'm hammering it using Perl. Now that I have
gone down the rabbit hole I'm interested in tweaking the standard
rules to protect against DOS attacks. The user has no control
over the rules until we get to the custom section so I'm looking
to apply "best practices." <br>
<br>
I did find this info so some things I do will need to be via
sysctl.<br>
<br>
<a href="https://forums.digitalpoint.com/threads/ddos-protection-script-for-iptables.1031456/" target="_blank">https://forums.digitalpoint.com/threads/ddos-protection-script-for-iptables.1031456/</a><br>
<br>
I'm not sure why my limit is not working for logging. I'm trying
to limit logging to 20/min so that we do not<br>
fill flash. I'm seeing a limit of 5 in the log file.<br>
<br>
------------- [ cut here ]
-------------------------------------------------------------------<br>
<font face="Courier New, Courier, monospace">#!/bin/sh<br>
######################################################################<br>
# Flush all rules<br>
######################################################################<br>
/sbin/iptables -P INPUT ACCEPT<br>
/sbin/iptables -P FORWARD ACCEPT<br>
/sbin/iptables -P OUTPUT ACCEPT<br>
/sbin/iptables -F<br>
/sbin/iptables -X<br>
/sbin/iptables -t nat -F<br>
/sbin/iptables -t nat -X<br>
/sbin/iptables -t mangle -F<br>
/sbin/iptables -t mangle -X<br>
<br>
######################################################################<br>
# Enable Masquerading on net 1<br>
######################################################################<br>
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br>
<br>
######################################################################<br>
# Create a target to log all new inbound connections<br>
######################################################################<br>
/sbin/iptables -N LOGP<br>
# Limit logging to 20/min to prevent filling up flash.<br>
/sbin/iptables -A LOGP -j LOG -m limit --limit 20/min
--log-prefix ' INBOUND TCP ' --log-level 4<br>
/sbin/iptables -A LOGP -j ACCEPT<br>
/sbin/iptables -A INPUT -p tcp -m state --state
ESTABLISHED,RELATED -j ACCEPT<br>
/sbin/iptables -A INPUT -p tcp -i '!' lo -j LOGP<br>
<br>
######################################################################<br>
# Create a DNAT rules per configuration and allow access <br>
# to them via PPP interfaces.<br>
######################################################################<br>
# DNAT: 10.0.6.201 -> 192.168.1.201<br>
/sbin/iptables -t nat -A PREROUTING -d 10.0.6.201 -j DNAT
--to-destination 192.168.1.201<br>
/sbin/iptables -A INPUT -s 0/0 -i ppp+ -d 10.0.6.201 -j ACCEPT<br>
/sbin/iptables -A FORWARD -s 0/0 -i ppp+ -d 10.0.6.201 -j ACCEPT<br>
# DNAT: 10.0.6.254 -> 192.168.1.254<br>
/sbin/iptables -t nat -A PREROUTING -d 10.0.6.254 -j DNAT
--to-destination 192.168.1.254<br>
/sbin/iptables -A INPUT -s 0/0 -i ppp+ -d 10.0.6.254 -j ACCEPT<br>
/sbin/iptables -A FORWARD -s 0/0 -i ppp+ -d 10.0.6.254 -j ACCEPT<br>
<br>
######################################################################<br>
# Apply any custom rules from iptables config (if any are
enabled).<br>
######################################################################<br>
######################################################################<br>
# END<br>
######################################################################</font><br>
</font><font size="-1">------------- [ cut here ]
-------------------------------------------------------------------<br>
<br>
Thanks,<br>
Chris<br>
</font>
</div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr">-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i></div>
</div>