I forgot: here is a snippet from my iptables firewall script.
I'm not sure whether it could cause any problems with the test.
Code:
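########################################
# Kernel flags
########################################
echo -e " - Setting kernel flags"
# Console log level 1: only kernel panics are printed to the console(s).
# This does not change what syslog/klogd records, so the LOG rules and the
# log_martians messages below are still captured there.
dmesg -n 1
# Disable IP forwarding (0 = off). NOTE(review): the original comment said
# "enable forwarding" while writing 0; the FORWARD-chain rules later in this
# script only ever see traffic when this is 1, so confirm which was intended.
echo "0" > /proc/sys/net/ipv4/ip_forward
# Answer unicast ping (0 = do not ignore echo requests).
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Do not answer echo requests sent to broadcast/multicast addresses
# (removes this host as a smurf amplifier).
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Refuse source-routed packets: source routing lets an attacker steer
# packets so that they appear to come from inside the network.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Reverse-path filtering: drop packets whose source address would not be
# routed back out through the interface they arrived on. This is the
# kernel-side spoofing check that the "Prevent spoofing" section refers to.
# CAUTION: on a multi-homed host with asymmetric routing this can drop
# legitimate traffic -- verify before enabling on such a box.
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# SYN cookies: keep accepting connections when the SYN backlog is full. This
# is the kernel's own SYN-flood defence and complements the SYNCHECK chain.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Log "martian" packets, i.e. packets with impossible or unroutable source
# addresses (including the ones rp_filter rejects). This does not by itself
# log ICMP redirects.
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians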
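########################################
# Loading modules
########################################
echo -e " - Loading modules"
# Connection tracking, required by the ESTABLISHED,RELATED rules below.
# ip_conntrack* are the pre-2.6.20 module names; newer kernels provide the
# same functionality as nf_conntrack*, so fall back to those when the old
# name is not available (a kernel with tracking built in fails both, as the
# original did).
modprobe ip_conntrack 2>/dev/null || modprobe nf_conntrack
# FTP helper: it parses the FTP control channel and marks the data
# connection RELATED so that the state rules accept it. That means the
# helper, not a port rule, decides which inbound ports get opened -- only
# load it if FTP actually has to pass through this firewall. NOTE(review):
# on recent kernels automatic helper assignment is disabled; there the
# helper must be attached explicitly with a CT rule in the raw table.
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
modprobe ip_nat_ftp 2>/dev/null || modprobe nf_nat_ftp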
########################################
# Reset iptables
########################################
echo -e " - Resetting IPTables"
# Fail closed first: set the default policy of every filter chain to DROP
# so that nothing slips through between the flush below and the rules that
# follow it.
for chain in INPUT FORWARD OUTPUT; do
  iptables -P "$chain" DROP
done
# Flush all rules, delete user-defined chains and zero the counters in the
# filter and nat tables. (The mangle and raw tables are not touched here.)
for table in filter nat; do
  iptables -t "$table" -F
  iptables -t "$table" -X
  iptables -t "$table" -Z
done
########################################
# Enable loopback (localhost)
########################################
echo -e " - Enabling Loopback interface"
# Local processes talk to each other over lo; accept everything in both
# directions on that interface. (Packets carrying loopback addresses on the
# public interface are refused separately in the anti-spoofing section.)
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT
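########################################
# Enable connection tracking
########################################
echo -e " - Enabling connection tracking"
# Drop packets the tracker cannot associate with any connection (INVALID):
# stray ACKs, out-of-window segments, malformed headers. They are neither
# NEW nor ESTABLISHED, so without this they would fall through to whatever
# per-service ACCEPT rules follow this block. OUTPUT is deliberately left
# alone: locally generated INVALID packets (some RSTs / ICMP errors) can be
# legitimate -- confirm on the target host before adding it there.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# Accept anything that belongs to an already-tracked connection, or is
# related to one (ICMP errors, FTP data channels opened by the conntrack
# helper loaded above).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT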
########################################
# SYN-flooding protection
########################################
echo -e " - Enabling SYN-flood protection"
# Rate-limit new inbound TCP connection attempts (SYN packets) arriving on
# the public interface. "--limit 1/s --limit-burst 20" is a token bucket:
# up to 20 SYNs pass straight away, after which the bucket refills at one
# SYN per second; anything beyond that is logged (at most 5 lines/minute)
# and dropped. Note that this is NOT "20 per second" -- after the initial
# burst only one new connection per second gets through.
# NOTE(review): the bucket is shared by all sources, not kept per client.
# One remote host sending SYNs faster than 1/s therefore makes new
# connections from everyone be dropped until it stops. A per-source limit
# (the hashlimit match with --hashlimit-mode srcip) or the kernel's
# tcp_syncookies does not have that weakness.
iptables --new-chain SYNCHECK
iptables --append SYNCHECK --match limit --limit 1/s --limit-burst 20 --jump RETURN
iptables --append SYNCHECK --match limit --limit 5/minute --jump LOG --log-level notice --log-prefix "SYN flood: "
iptables --append SYNCHECK --jump DROP
# Hook the chain into INPUT for every SYN that arrives on the public interface.
iptables --append INPUT --in-interface "$PUBLIC_ETH" --protocol tcp --syn --jump SYNCHECK
########################################
# Make sure NEW tcp connections are SYN packets
########################################
echo -e " - Making sure new connections are SYN packets"
# A TCP packet that conntrack classifies as NEW but that is not a SYN (for
# example a bare ACK or FIN with no tracked connection behind it) is either
# a scan probe or a leftover from a connection the tracker has forgotten.
# Drop it on the public interface instead of letting it reach a service rule.
iptables --append INPUT --in-interface "$PUBLIC_ETH" --protocol tcp ! --syn --match state --state NEW --jump DROP
########################################
# Deny OS detection
########################################
echo -e " - Denying OS Detection"
# NOTE(review): "--tcp-flags RST,RST ACK" means mask=RST, compare=ACK, i.e.
# it tests (flags & RST) == ACK. ACK is not part of the mask, so the test
# can never be true and both rules below are inert; iptables accepts the
# syntax without complaint. The flag combination that was actually intended
# cannot be recovered from this snippet -- check the recipe it came from
# before changing it. Also note these rules sit only in FORWARD, so they do
# not cover this machine's own INPUT path.
iptables -A FORWARD -p tcp --tcp-flags RST,RST ACK -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "OS detect: "
iptables -A FORWARD -p tcp --tcp-flags RST,RST ACK -j DROP
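########################################
# Don't allow fragments
########################################
echo -e " - Disallowing fragments"
# "-f" matches the second and later fragments of a fragmented datagram (the
# first fragment carries the headers and is filtered like any other packet).
# The LOG rule is rate-limited like every other LOG rule in this script; an
# unlimited LOG here would let a fragment flood fill the logs.
# NOTE(review): with connection tracking loaded, the kernel reassembles
# datagrams before the filter table sees them, so this rule may rarely or
# never fire on such a kernel -- verify on the target system.
iptables -A FORWARD -f -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "IP fragment: "
iptables -A FORWARD -f -j DROP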
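########################################
# Prevent spoofing
########################################
echo -e " - Preventing spoofing"
# Source/destination sanity checks on the public interface. They overlap
# with the kernel's reverse-path filter (rp_filter) where that is enabled,
# but they are cheap and explicit, so keep them regardless.
# Refuse packets claiming to come from our own public address, from a
# multicast (class D) source, or from the reserved class E range -- none of
# these can legitimately appear as a source address arriving from outside.
for spoofed_src in "$PUBLIC_IP" "$CLASS_D_MULTICAST" "$CLASS_E_RESERVED_NET"; do
  iptables -A INPUT -i "$PUBLIC_ETH" -s "$spoofed_src" -j DROP
done
# The RFC 1918 private ranges are left commented out, presumably because
# this host legitimately sees such addresses (e.g. it sits behind NAT) --
# confirm, and enable them if the public interface faces the Internet directly.
# iptables -A INPUT -i $PUBLIC_ETH -s $CLASS_A -j DROP
# iptables -A INPUT -i $PUBLIC_ETH -s $CLASS_B -j DROP
# iptables -A INPUT -i $PUBLIC_ETH -s $CLASS_C -j DROP
# Refuse loopback addresses in either direction on the public interface: a
# loopback *source* is a classic spoof, and a loopback *destination* cannot
# be meant for a remote host. (Assumes $LOOPBACK is 127.0.0.0/8 -- confirm.)
iptables -A INPUT -i "$PUBLIC_ETH" -s "$LOOPBACK" -j DROP
iptables -A INPUT -i "$PUBLIC_ETH" -d "$LOOPBACK" -j DROP
# Refuse packets addressed to our broadcast address.
iptables -A INPUT -i "$PUBLIC_ETH" -d "$PUBLIC_BROADCAST" -j DROP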
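########################################
# Deny bad packets
########################################
echo -e " - Denying bad packets"
# deny_tcp_flags MASK COMP PREFIX
#   Log (rate-limited, 5 lines/minute) and drop forwarded TCP packets whose
#   flags, masked by MASK, equal COMP. Same rule pair as before, written once.
deny_tcp_flags() {
  iptables -A FORWARD -p tcp --tcp-flags "$1" "$2" -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "$3"
  iptables -A FORWARD -p tcp --tcp-flags "$1" "$2" -j DROP
}
# Flag combinations that never occur in a legitimate TCP exchange; they are
# produced by port scanners (nmap -sX/-sN and friends) and by spoofing tools.
# NOTE(review): like the rest of this section these apply only to FORWARD,
# i.e. to traffic passing through the box, not to its own INPUT path.
deny_tcp_flags ALL FIN,URG,PSH "NMAP: "
deny_tcp_flags SYN,FIN SYN,FIN "SYN/FIN: "
deny_tcp_flags SYN,RST SYN,RST "SYN/RST: "
# No flags at all (NULL scan) and every flag set (XMAS scan).
deny_tcp_flags ALL NONE "NULL scan: "
deny_tcp_flags ALL ALL "XMAS scan: "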