source: lab.git/iptables/ufw/raw.rules @ 71b798c

trunk
Last change on this file since 71b798c was 4999639, checked in by mitty <mitty@…>, 15 years ago
  • change --log-level to "err"
  • accept FORWARD from LAN (eth0 with 192.168.100.0/24)
  • drop CIFS access from/to WAN (eth1)
  • accept access from LAN
  • add custom rules for 'setfilter' script
    • mangle.rules, raw.rules

git-svn-id: https://lab.mitty.jp/svn/lab/trunk@12 7d2118f6-f56c-43e7-95a2-4bb3031d96e7
  • Property mode set to 100644
File size: 1.3 KB
RevLine 
[4999639]1#
2# This file is used by /etc/init.d/setfilter
3#
4# Rules that should be stored in raw table.
5# These are mainly used to filter evil or wrong packets.
6
7
8*raw
9:LOG_ICMP - [0:0]
10:LOG_SPOOF - [0:0]
11
12## LOG and DROP fragmented packets (not head fragments)
13-A PREROUTING --fragment -j LOG --log-prefix "[UFW BLOCK FRAGMENTED]: " --log-level err -m limit --limit 3/min --limit-burst 10
14-A PREROUTING --fragment -j DROP
15
16## LOG and DROP strange icmp packets
17-A LOG_ICMP -j LOG --log-prefix "[UFW BLOCK BAD-ICMP]: " --log-level err -m limit --limit 3/min --limit-burst 10
18-A LOG_ICMP -j DROP
19# Too large icmp requests
20-A PREROUTING -p icmp --icmp-type echo-request -m length --length 85: -j LOG_ICMP
21# Too many times of icmp requests (only 5 packets per second if over 10pkts/sec)
22-A PREROUTING -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
23-A PREROUTING -p icmp --icmp-type echo-request -j LOG_ICMP
24
25## LOG and DROP IP spoofing (eth1:WAN)
26-A LOG_SPOOF -j LOG --log-prefix "[UFW BLOCK IP-SPOOFING]: " --log-level err -m limit --limit 3/min --limit-burst 10
27-A LOG_SPOOF -j DROP
28-A PREROUTING -i eth1 -s    127.0.0.0/8 -j LOG_SPOOF
29-A PREROUTING -i eth1 -s     10.0.0.0/8 -j LOG_SPOOF
30-A PREROUTING -i eth1 -s  172.16.0.0/12 -j LOG_SPOOF
31-A PREROUTING -i eth1 -s 192.168.0.0/16 -j LOG_SPOOF
32
33COMMIT
Note: See TracBrowser for help on using the repository browser.