
Chapter 10 summary

Changes to Default Rules




The NSA Recommendation would change this to



Regulate the Ping Command

From Linux, it's possible to flood another system with ping's -f (flood) switch, which may transmit thousands of packets per second.

One potentially troublesome rule in the default firewall is

-A INPUT -p icmp -j ACCEPT

However, ICMP messages go both ways. If you run the ping command against a remote system, the remote system responds with an ICMP packet. So if you want to limit ICMP messages, the following rules allow only the "acceptable" responses to a ping:

-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
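The three rules above are in iptables-save syntax, and a one-letter typo in an --icmp-type name (for example "echo-reploy" instead of "echo-reply") makes iptables reject the rule when it is loaded. The following script is an added example, not part of the chapter summary or of the NSA document: it generates the recommended ICMP rules and checks every --icmp-type name against the names iptables actually accepts before emitting them. It goes slightly beyond the page by adding an assumed rate-limited echo-request rule (the standard -m limit match) so the host still answers ping but cannot be flooded, followed by a catch-all ICMP DROP; the function names and the 1/s limit are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): build the NSA-style ICMP
# rule set and validate each --icmp-type name before it is emitted.

# ICMP type names accepted by iptables' "-p icmp --icmp-type"
# (as listed by "iptables -p icmp -h").
KNOWN_ICMP_TYPES="any echo-reply echo-request destination-unreachable \
source-quench redirect router-advertisement router-solicitation \
time-exceeded parameter-problem timestamp-request timestamp-reply \
address-mask-request address-mask-reply"

# Return 0 if $1 is a known --icmp-type name, 1 otherwise.
valid_icmp_type() {
    for t in $KNOWN_ICMP_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Emit one ACCEPT rule for an ICMP type; refuse (and report) unknown names
# so a typo is caught here rather than at iptables-restore time.
icmp_accept_rule() {
    if ! valid_icmp_type "$1"; then
        echo "unknown icmp type: $1" >&2
        return 1
    fi
    printf '%s\n' "-A INPUT -p icmp --icmp-type $1 -j ACCEPT"
}

# The recommended rule set: the three reply types from the page, then an
# assumed rate limit on inbound echo-request (1 per second, burst of 4)
# instead of the default "accept all ICMP", then drop any other ICMP.
nsa_icmp_rules() {
    icmp_accept_rule echo-reply
    icmp_accept_rule destination-unreachable
    icmp_accept_rule time-exceeded
    printf '%s\n' "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT"
    printf '%s\n' "-A INPUT -p icmp -j DROP"
}

# Number of rules produced (quick sanity check for reviewers).
nsa_icmp_rule_count() {
    nsa_icmp_rules | wc -l | tr -d ' '
}

# Stand-alone run: print the rules for review.
nsa_icmp_rules
```

Each emitted line is a complete argument list for the iptables command, so after reviewing the output it can be applied as root with `nsa_icmp_rules | while read -r line; do iptables $line; done` (the unquoted expansion is intentional: it splits the line into arguments). Because the script refuses to emit a rule with an unknown type name, a typo such as "echo-reploy" stops generation instead of silently leaving the reply traffic unhandled.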

Block Suspicious IP Addresses

-A INPUT -i eth0 -s -j DROP

-A INPUT -i eth0 -s -j DROP

-A INPUT -i eth0 -s -j DROP

-A INPUT -i eth0 -s -j DROP

-A INPUT -i eth0 -s -j DROP

Regulate Access to SSH