Port scanner blocking
Code:
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=2w chain=\
"port scanners" comment="Port scanners to list" disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=\
"port scanners" comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=\
"port scanners" comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=\
"port scanners" comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=\
"port scanners" comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=\
"port scanners" comment="ALL/ALL scan" disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=\
"port scanners" comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain="port scanners" comment="Dropping port scanners" disabled=no src-address-list=\
"port scanners"
ICMP flood protection
Code:
add action=accept chain=icmp comment="0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=\
5,5 protocol=icmp
add action=accept chain=icmp comment="3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 \
protocol=icmp
add action=accept chain=icmp comment="3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 \
protocol=icmp
add action=accept chain=icmp comment="8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=\
5,5 protocol=icmp
add action=accept chain=icmp comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 \
limit=5,5 protocol=icmp
add action=drop chain=icmp comment="Drop else ICMP" disabled=no protocol=icmp
Protection against too many connections
Code:
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=\
"Connection limit" comment="Block too many connections" connection-limit=150,32 disabled=no \
protocol=tcp
add action=tarpit chain="Connection limit" comment="" connection-limit=3,32 disabled=no protocol=tcp \
src-address-list=blocked-addr
SYN flood protection
Code:
add action=accept chain=SYN-protect comment=SYN-protect connection-state=new disabled=no limit=400,5 \
protocol=tcp tcp-flags=syn
add action=drop chain=SYN-protect comment=SYN-drop connection-state=new disabled=no protocol=tcp \
tcp-flags=syn
Now, these are all chains; you can now make, for example, a rule so that all your INPUT or FORWARD traffic (I honestly keep both) JUMPs to these chains above.
example:
Code:
add action=jump chain=forward comment="Forward to chain icmp" disabled=no jump-target=icmp
All traffic going to forward will first be checked against the rules in the ICMP chain (jump-target=icmp), and every packet that passes the check goes on to forward, or if you have more jump rules it goes to the next check, and so on until it passes all the checks you gave it, and only then does it go to forward. I hope I haven't confused you. In principle it looks hard and complicated, but it isn't. The trick is to build groups of rules (chains) like this and to make traffic JUMP to them.
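As an added illustration (not part of the original post or of RouterOS itself), here is a small Python model of how the "port scanners" chain above classifies a packet by its TCP flags and how a jump from forward returns to the caller when no rule in the chain terminates the packet. The `psd` rule is timing-based and is left out; the sample addresses are constructed from documentation ranges.

```python
TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

def tcp_flags_match(spec, flags):
    """RouterOS tcp-flags semantics: listed flags must be set, '!flag'
    must be clear, flags not mentioned in the spec are ignored."""
    for item in spec.split(","):
        name = item.lstrip("!")
        assert name in TCP_FLAGS, f"unknown flag {name}"
        if item.startswith("!"):
            if name in flags:
                return False
        elif name not in flags:
            return False
    return True

# (comment, tcp-flags) pairs in the order the rules appear in the chain above.
PORT_SCANNER_RULES = [
    ("NMAP FIN Stealth scan", "fin,!syn,!rst,!psh,!ack,!urg"),
    ("SYN/FIN scan", "fin,syn"),
    ("SYN/RST scan", "syn,rst"),
    ("FIN/PSH/URG scan", "fin,psh,urg,!syn,!rst,!ack"),
    ("ALL/ALL scan", "fin,syn,rst,psh,ack,urg"),
    ("NMAP NULL scan", "!fin,!syn,!rst,!psh,!ack,!urg"),
]

def run_port_scanners_chain(src, flags, address_list):
    """Walk the chain. add-src-to-address-list is non-terminating, so the
    packet keeps going; the final drop rule terminates it if src is listed."""
    for _comment, spec in PORT_SCANNER_RULES:
        if tcp_flags_match(spec, flags):
            address_list.add(src)       # action=add-src-to-address-list
    if src in address_list:
        return "drop"                   # action=drop src-address-list="port scanners"
    return "return"                     # end of chain: back to the calling chain

def forward_chain(src, flags, address_list):
    """Models 'add action=jump chain=forward jump-target="port scanners"'.
    Assumption: nothing else in forward, so a returned packet is accepted."""
    verdict = run_port_scanners_chain(src, flags, address_list)
    return "accept" if verdict == "return" else verdict

if __name__ == "__main__":
    listed = set()
    print(forward_chain("198.51.100.7", set(), listed))        # NULL scan -> drop
    print(forward_chain("203.0.113.5", {"syn"}, listed))       # normal SYN -> accept
```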