LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Blogs
User Name
Password

Notices


Old

My iptables firewall

Posted 10-14-2014 at 10:33 PM by sag47
Tags iptables

Recently I posted about my firewall. Here I'm reposting that to my blog.

Here's a redacted version of my firewall rules. I'll point out a couple of things. This firewall is designed similarly to how the new RHEL7 firewalld behaves. When evaluating RHEL7 I saw some cool firewall tricks and incorporated it into my firewall (this way you can take advantage of doing things like dynamically adding and removing rules without having to refresh the firewall).

At the top...
Senior Member
Posted in Uncategorized
Views 3292 Comments 0 sag47 is offline
Old

iptables workstation config

Posted 11-17-2013 at 10:03 AM by sag47
Updated 11-17-2013 at 11:07 AM by sag47
Tags iptables, ufw

Here's a decent iptables for a workstation that doesn't normally serve hosted applications. It is meant to just block the network while allowing the user to still use the network unhindered. If services will need to connect to your system then you'll have to open ports in the firewall.

Code:
#load firewall config with iptables-restore < iptables.rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#The following rules required
...
Senior Member
Posted in Uncategorized
Views 2984 Comments 0 sag47 is offline
Old

-m recent --rdest or don't trust the man(page)

Posted 10-07-2012 at 12:35 PM by zhjim
Updated 10-07-2012 at 12:37 PM by zhjim

Looking for a way to block those 404 hoppers I match the outgoing packages from sport 80 for the string 404. Now that I have those classified I needed a way to block them when they would return. Normaly i would use the recent module for this. But as its a outgoing packet and recent normally uses the source ip I would block myself to come back in. But the man pages has the --rdest option which matches/saves on the destination ip. That would be cool but I would need it to block on the incoming package....
Senior Member
Posted in Uncategorized
Views 1096 Comments 0 zhjim is offline
Old

Iptables rule traversal: bandwidth at >= 10K of IP addresses

Posted 11-24-2011 at 08:07 PM by unSpawn
Updated 11-24-2011 at 02:53 PM by unSpawn

Anyone who is interested in iptables performance will find Harris, Melara, Smith and Nico's "Performance analysis of the Linux firewall in a host" (2002) and Kadlecsik and Pásztor's "Netfilter Performance Testing" (2005). But what actually is the effect of a large rule set on performance?

The attached PDF I created is not an an exhaustive study of Netfilter performance but shows you Jperf data and pictures (joy!) for plain rule sets, ipset (iphash) and the iptables...
Attached Images
File Type: pdf Iptables rule traversal.pdf (551.9 KB, 166 views)
Moderator
Posted in Uncategorized
Views 6150 Comments 0 unSpawn is offline
Old

Limiting and blocking connections dynamically.

Posted 10-31-2011 at 03:46 PM by sag47
Updated 01-29-2014 at 11:14 AM by sag47

Today I feel like talking about limiting connections which get made to a server. There are a few ways to do it; some cooler than others. I'd like to feature some open source software while I'm at it.

Today I happened upon this thread which hilariously got closed for good reason. Once you wade through all the crap you'll see some pretty cool posts which explain how to limit incoming connections within a certain time period and other suggestions. I'll point out the most useful related...
Senior Member
Posted in Uncategorized
Views 2614 Comments 0 sag47 is offline

  



All times are GMT -5. The time now is 08:59 PM.

Main Menu
Advertisement
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration