Replace deprecated state match with conntrack
parent
40166ee91a
commit
1f2ccaa6b7
|
@ -1,5 +1,5 @@
|
|||
###############################################################################
|
||||
# Copyright 2012 Jakub Jirutka. All rights reserved.
|
||||
# Copyright 2012-2014 Jakub Jirutka. All rights reserved.
|
||||
#
|
||||
# "THE KOFOLA-WARE LICENSE" (Revision 1):
|
||||
# Jakub Jirutka originally wrote this file. As long as you retain this notice you
|
||||
|
@ -25,8 +25,8 @@
|
|||
# This template is based on http://jdem.cz/v64a3 from University of Leicester
|
||||
#
|
||||
# @author Jakub Jirutka <jakub@jirutka.cz>
|
||||
# @version 1.1
|
||||
# @date 2012-10-05
|
||||
# @version 1.2
|
||||
# @date 2014-01-01
|
||||
#
|
||||
|
||||
###############################################################################
|
||||
|
@ -47,10 +47,10 @@
|
|||
|
||||
# Continue connections that are already established or related to an established
|
||||
# connection
|
||||
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
# Drop non-conforming packets, such as malformed headers, etc.
|
||||
-A INPUT -m state --state INVALID -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
|
||||
# Block remote packets claiming to be from a loopback address
|
||||
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
|
||||
|
@ -89,8 +89,8 @@
|
|||
###############################################################################
|
||||
|
||||
# Accept worldwide access to HTTP and HTTPS
|
||||
# -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
|
||||
# -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
|
||||
# -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
|
||||
# -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
|
||||
###############################################################################
|
||||
|
@ -101,16 +101,16 @@
|
|||
|
||||
# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
|
||||
# brute-force attacks.
|
||||
-A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE
|
||||
-A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
|
||||
|
||||
# Permit useful IMCP packet types
|
||||
# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
|
||||
# Blocking these can make diagnosing of even simple faults much more tricky.
|
||||
# Real security lies in locking down and hardening all services, not by hiding.
|
||||
-A INPUT -p icmp -m icmp --icmp-type 0 -m state --state NEW -j ACCEPT
|
||||
-A INPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT
|
||||
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ICMPFLOOD
|
||||
-A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ACCEPT
|
||||
-A INPUT -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
|
||||
-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
|
||||
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
|
||||
-A INPUT -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
# Do not log packets that are going to ports used by SMB
|
||||
# (Samba / Windows Sharing)
|
||||
|
@ -126,7 +126,7 @@
|
|||
-A INPUT -p udp -m udp --sport 53 -j DROP
|
||||
|
||||
# Good practise is to explicately reject AUTH traffic so that it fails fast
|
||||
-A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
|
||||
-A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
||||
|
||||
# Prevent DOS by filling log files
|
||||
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
|
||||
|
|
|
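Review bot: The three ICMP rules for types 0, 3 and 11 in the hunk at -101 are, as far as I can tell, unreachable after the translation just as they were before it: an echo reply to our own request is ESTABLISHED and an error tied to a tracked flow is RELATED, both already accepted by the rule in the hunk at -47, while an unsolicited reply or error gets no connection-tracking entry and is classified INVALID, so it is dropped by the rule that follows — `--ctstate NEW` never matches them and only the type 8 rule does real work. If they are meant to stay as a record of the permitted types, a comment stating that they are fall-throughs would stop the next reader from assuming unsolicited errors are admitted; otherwise they can be removed. For the TCP rules in the hunks at -89, -101 and -126 a short comment on why `--syn` is kept next to `--ctstate NEW` would help, e.g. `# --syn kept: with the default nf_conntrack_tcp_loose=1 a mid-stream non-SYN segment is also classified NEW`. The context comment `# Permit useful IMCP packet types` misspells ICMP.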
@ -1,5 +1,5 @@
|
|||
###############################################################################
|
||||
# Copyright 2012 Jakub Jirutka. All rights reserved.
|
||||
# Copyright 2012-2014 Jakub Jirutka. All rights reserved.
|
||||
#
|
||||
# "THE KOFOLA-WARE LICENSE" (Revision 1):
|
||||
# Jakub Jirutka originally wrote this file. As long as you retain this notice you
|
||||
|
@ -25,8 +25,8 @@
|
|||
# This template is based on http://jdem.cz/v64a3 from University of Leicester
|
||||
#
|
||||
# @author Jakub Jirutka <jakub@jirutka.cz>
|
||||
# @version 1.1
|
||||
# @date 2012-10-05
|
||||
# @version 1.2
|
||||
# @date 2014-01-01
|
||||
#
|
||||
|
||||
###############################################################################
|
||||
|
@ -47,10 +47,10 @@
|
|||
|
||||
# Continue connections that are already established or related to an established
|
||||
# connection
|
||||
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
# Drop non-conforming packets, such as malformed headers, etc.
|
||||
-A INPUT -m state --state INVALID -j DROP
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
|
||||
# Block remote packets claiming to be from a loopback address
|
||||
-A INPUT -s ::1/128 ! -i lo -j DROP
|
||||
|
@ -82,8 +82,8 @@
|
|||
###############################################################################
|
||||
|
||||
# Accept worldwide access to HTTP and HTTPS
|
||||
# -A INPUT -p tcp -m tcp --dport 80 --syn -m state --state NEW -j ACCEPT
|
||||
# -A INPUT -p tcp -m tcp --dport 443 --syn -m state --state NEW -j ACCEPT
|
||||
# -A INPUT -p tcp -m tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
|
||||
# -A INPUT -p tcp -m tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
|
||||
|
||||
|
||||
###############################################################################
|
||||
|
@ -94,7 +94,7 @@
|
|||
|
||||
# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
|
||||
# brute-force attacks.
|
||||
-A INPUT -p tcp -m tcp --dport 22 --syn -m state --state NEW -j SSHBRUTE
|
||||
-A INPUT -p tcp -m tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
|
||||
|
||||
# Permit needed ICMP packet types for IPv6 per RFC 4890
|
||||
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
|
||||
|
@ -136,7 +136,7 @@
|
|||
-A INPUT -p udp -m udp --sport 53 -j DROP
|
||||
|
||||
# Good practise is to explicately reject AUTH traffic so that it fails fast
|
||||
-A INPUT -p tcp -m tcp --dport 113 --syn -m state --state NEW -j REJECT --reject-with tcp-reset
|
||||
-A INPUT -p tcp -m tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
||||
|
||||
# Prevent DOS by filling log files
|
||||
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6tables[DOS]: "
|
||||
|
|
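Review bot: The `--ctstate INVALID -j DROP` rule in the hunk at -47 sits ahead of the RFC 4890 ICMPv6 accepts in the hunk at -94, and neighbour discovery and MLD packets carry no connection-tracking entry; on kernels that do not mark them UNTRACKED (I believe that handling arrived only in the 3.x series) they classify as INVALID and the drop silences ND before the type-specific accepts are reached. A comment on that line recording the kernel dependency, or an explicit accept for those ICMPv6 types placed ahead of it, would make the ordering deliberate; this is pre-existing behaviour that the translation preserves rather than introduces. As in the IPv4 file, a comment explaining why `--syn` is kept alongside `--ctstate NEW` on the SSH and AUTH rules (hunks at -94 and -136) would help, since the default nf_conntrack_tcp_loose setting also classifies a mid-stream non-SYN segment as NEW.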