This shows you the differences between two versions of the page.
iptables [2014/11/24 01:14] 0.0.0.0 created |
iptables [2014/11/24 02:11] ben |
||
---|---|---|---|
Line 3: | Line 3: | ||
===== Gateway Firewall Configuration ===== | ===== Gateway Firewall Configuration ===== | ||
The firewall configuration is held in subversion, at the url | The firewall configuration is held in subversion, at the url | ||
- | <tt>svn+ssh:// | + | '' |
- | To test rules while editing the rules file, the <tt>iptables-restore</ | + | To test rules while editing the rules file, the '' |
To add new holes for specific machines, scroll to the bottom of the file and copy an existing example. To add new machines is slightly more complex, but there are already examples for most scenarios in this file. | To add new holes for specific machines, scroll to the bottom of the file and copy an existing example. To add new machines is slightly more complex, but there are already examples for most scenarios in this file. | ||
Line 25: | Line 25: | ||
{{Kernel|2.6.28-gentoo-r1|< | {{Kernel|2.6.28-gentoo-r1|< | ||
- | Create an alternate routing table by adding the following line to the end of <tt>rt_tables</tt>. | + | Create an alternate routing table by adding the following line to the end of '' |
{{File|/ | {{File|/ | ||
Line 33: | Line 33: | ||
{{File|/ | {{File|/ | ||
- | Now we need to specify that certain connections will be sent according to the alternate routing table instead of the main one. These scripts are stored in subversion, under <tt>routing-rules</ | + | Now we need to specify that certain connections will be sent according to the alternate routing table instead of the main one. These scripts are stored in subversion, under '' |
{{File|/ | {{File|/ | ||
Line 52: | Line 52: | ||
In the mangle table | In the mangle table | ||
- | <source lang="bash"> | + | <code bash> |
- Mark packets depending on which vlan the arrived from | - Mark packets depending on which vlan the arrived from | ||
- use the lower 4 bits of the mark space to store this information | - use the lower 4 bits of the mark space to store this information | ||
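Review bot: the replacement tag at the top of this block, `<code bash>`, carries the old `lang="bash"` label over even though the block holds rule lines in iptables-restore format (the `-A PREROUTING ...` lines that follow), not shell commands; a plain `<code>` tag would avoid misleading syntax highlighting. While this block is being touched, the comment "Mark packets depending on which vlan the arrived from" should read "they arrived from".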
Line 69: | Line 69: | ||
-A PREROUTING -m state --state NEW -m physdev --physdev-in vlan11 -j CONNMARK --set-mark 11/15 | -A PREROUTING -m state --state NEW -m physdev --physdev-in vlan11 -j CONNMARK --set-mark 11/15 | ||
-A PREROUTING -m state --state NEW -m physdev --physdev-in ath0 -j CONNMARK --set-mark 12/15 | -A PREROUTING -m state --state NEW -m physdev --physdev-in ath0 -j CONNMARK --set-mark 12/15 | ||
- | </source> | + | </code> |
==== Blocking too many rapid connection attempts ==== | ==== Blocking too many rapid connection attempts ==== | ||
The following iptables rules block rapid SSH connections from a single source. | The following iptables rules block rapid SSH connections from a single source. | ||
- | <source lang="bash"> | + | <code bash> |
- Ssh Whitelisting | - Ssh Whitelisting | ||
-N SSH_WHITELIST | -N SSH_WHITELIST | ||
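Review bot: the `--set-mark 11/15` and `--set-mark 12/15` values in the PREROUTING rules are written in decimal, which hides the link to the comment about using "the lower 4 bits of the mark space"; writing the mask as `0xf` (for example `--set-mark 0xb/0xf`) makes it obvious that only the low nibble is touched and that other bits of the connection mark stay free. In the SSH block below it, the text promises rules that "block rapid SSH connections from a single source", yet the block opens with the `SSH_WHITELIST` chain; a one-line comment saying that whitelisted sources are checked first would help anyone copying these rules.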
Line 92: | Line 92: | ||
-A SSH_WHITELIST -s 152.78.0.0/ | -A SSH_WHITELIST -s 152.78.0.0/ | ||
-A SSH_WHITELIST -j RETURN | -A SSH_WHITELIST -j RETURN | ||
- | </source> | + | </code> |