X-Git-Url: http://lab.mitty.jp/git/?a=blobdiff_plain;f=iptables%2Fufw%2Fraw.rules;fp=iptables%2Fufw%2Fraw.rules;h=8b4a30622cdda6c68db6ed0a9dbbca1c58e16b09;hb=49996391c0a72e72d2f07c9959e94f6036d621bb;hp=0000000000000000000000000000000000000000;hpb=ab902ad3696baaa38816efef2c2b60610daae511;p=lab.git

diff --git a/iptables/ufw/raw.rules b/iptables/ufw/raw.rules
new file mode 100644
index 0000000..8b4a306
--- /dev/null
+++ b/iptables/ufw/raw.rules
@@ -0,0 +1,33 @@
+#
+# This file is used by /etc/init.d/setfilter
+#
+# Rules that should be stored in raw table.
+# These are mainly used to filter evil or wrong packets.
+
+
+*raw
+:LOG_ICMP - [0:0]
+:LOG_SPOOF - [0:0]
+
+## LOG and DROP fragmented packets (not head fragments)
+-A PREROUTING --fragment -j LOG --log-prefix "[UFW BLOCK FRAGMENTED]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A PREROUTING --fragment -j DROP
+
+## LOG and DROP strange icmp packets
+-A LOG_ICMP -j LOG --log-prefix "[UFW BLOCK BAD-ICMP]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A LOG_ICMP -j DROP
+# Too large icmp requests
+-A PREROUTING -p icmp --icmp-type echo-request -m length --length 85: -j LOG_ICMP
+# Too many times of icmp requests (only 5 packets per second if over 10pkts/sec)
+-A PREROUTING -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
+-A PREROUTING -p icmp --icmp-type echo-request -j LOG_ICMP
+
+## LOG and DROP IP spoofing (eth1:WAN)
+-A LOG_SPOOF -j LOG --log-prefix "[UFW BLOCK IP-SPOOFING]: " --log-level err -m limit --limit 3/min --limit-burst 10
+-A LOG_SPOOF -j DROP
+-A PREROUTING -i eth1 -s    127.0.0.0/8 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s     10.0.0.0/8 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s  172.16.0.0/12 -j LOG_SPOOF
+-A PREROUTING -i eth1 -s 192.168.0.0/16 -j LOG_SPOOF
+
+COMMIT