Re: lug-bg:
- Subject: Re: lug-bg:
- From: vlk@xxxxxxxxxxxxxxxxx (Vesselin Kolev)
- Date: Mon, 2 Dec 2002 12:21:36 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Za prevencia na ICMP Flood mozhesh da izpolzvash malko po-uslozhnena shema...
pyrvo izpolzvash modula length za da ogranichish maximalnata golemina na
paketite za echo-request. Normalno te ne sa po-golemi ot 84 baita (672 bita).
Mozhesh da napravish taka, che pyrvo da se dopuskat paketi sys golemina pod
maksimalnata, a posle da limitirash tehnia broi. T.e. ideiata e, che niama
smisal da se puskat golemite paketi:
(Politikata po podrazbirane e ACCEPT)
iptables -t filter -A INPUT -s 0/0 -p icmp -m icmp --icmp-type 8 -m length !
- --length 0:682 -j DROP
iptables -t filter -A INPUT -s 0/0 -m icmp -m icmp --icmp-type 8 -m limit
- --limit 3/s -j ACCEPT
iptables -t filter -A INPUT -s 0/0 -m icmp -m icmp --icmp-type 8 -j DROP
Mnogo chesta greshka e da ne se napishe poslednia red. Ako toi ne se napishe
to reda
iptables -t filter -A INPUT -s 0/0 -m icmp -m icmp --icmp-type 8 -m limit
- --limit 3/s -j ACCEPT
hte deistva samo kato statist:)) t.e. samo shte otchita.
Ako tezi pravila sa zadadeni na router i iskash te da vazhat ne samo na INPUT,
no i na FORWARD verigi, mozhesh da izpolzvash tablicata nat i verigata
PREROUTING:
iptables -t nat -A PREROUTING -s 0/0 -p icmp -m icmp --icmp-type 8 -m length !
- --length 0:682 -j DROP
iptables -t nat -A PREROUTING -s 0/0 -m icmp -m icmp --icmp-type 8 -m limit
- --limit 3/s -j ACCEPT
iptables -t nat -A PREROUTING -s 0/0 -m icmp -m icmp --icmp-type 8 -j DROP
Taka pravilata shte vazhat SUMARNO kakto za nasochenite kym routera zaiavki,
taka i kym tezi, nasocheni za mrezhovoto prostranstvo zad routera.
Pozdravi i pozhelania za uspehi:
Vesselin Kolev
On Monday 02 Dec 2002 11:10, Àòàíàñ Ìàâðîâ wrote:
> Çäðàâåéòå,
> èìàì äâà âúïðîñà íà êîèòî èëè ñúì íàìåðèë ÷àñòè÷íî ðåøåíèå. Àêî íÿêîè èìà
> æåëàíèå äà ñïîäåëè ñâîÿ îïèò ùå ñúì ìó áëàãîäàðåí. :-)
> Ïúðâèÿ âúïðîñ å îïèñàí â netfilter howto, íî ñëåä êàòî ãî ïðîìåíèõ ìàëêî íå
> ðàáîòè ñúâñåì êîðåêòíî /ïðèìåðíî ãóáÿò ìè ñå ïàêåòè, êîèòî áè òðÿáâàëî äà
> ïîëó÷à/. Çíà÷è àç ñúì íàïðàâèë òàêà:
>
> iptables -P INPUT DROP
> iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit
> 1/s -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j
> ACCEPT
> iptables -A INPUT -p -tcp --syn -m limit --limit 1/s -j ACCEPT
> ............................................................
> Èìà ëè ïî-äîáúð âàðèàíò? À êàê ìîãà äà ïðîñëåäÿ èçòî÷íèêà íà ñêàíèðàíåòî
> /flood/?
> Âòîðèÿ ìè âúïðîñ å ìîæå ëè äà ñå ïðîñëåäè â ëîêàëíà ìðåæà çà ïóñíàò
> sniffer? À èìà ëè íÿêàêúâ âàðèàíò äà ñå ïðåäïàçèì îò òàêîâà íåùî /å îñâåí
> ssh :-)/. Áëàãîäàðÿ.
> ===========================================================================
>= A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
> http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara
> Zagora To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
> ===========================================================================
>=
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE96zQ3+48lZPXaa+MRAme/AJ9giod0FwYyXT+M0jiHKK/zt3DHIgCgoiCa
zWF21tnMYdwhaKbfX16haJg=
=MUwu
-----END PGP SIGNATURE-----
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================
- Относно:
- lug-bg:
- Изпратено от: bugar@xxxxxxx ( )
|