※ Quoting 《[email protected] (晨曦)》:
> Saw someone on the Linux board discussing how to block malicious scans with an IPTABLES firewall:
> ; block ICMP echo-request, random port scans and malformed packets
> iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
${fwcmd} add deny icmp from any to me icmptypes 8
> iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/etc/sysctl.conf:
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
--
Resistance is futile.
<[email protected]>
--
※ Origin: 邪惡小鹿鹿 <Deer.twbbs.org> ◆ From: news.math.nctu.edu.tw
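As an added example (not code from either post), here is a small Python model of the `--tcp-flags MASK COMP` semantics behind the quoted iptables rules, run against a few constructed TCP flag sets. It shows which combinations that rule list drops and which it still lets through (the packet samples and rule indices are constructed here).

```python
"""Model of iptables --tcp-flags MASK COMP matching for the rules quoted above.

Added example, not part of the original post. The rule list mirrors the quoted
DROP rules; the packet flag sets are constructed for illustration.
"""
FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

def parse_flags(spec: str) -> frozenset:
    """Expand an iptables flag list: ALL, NONE, or comma-separated flag names."""
    if spec == "ALL":
        return frozenset(FLAGS)
    if spec == "NONE":
        return frozenset()
    names = spec.split(",")
    unknown = set(names) - set(FLAGS)
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return frozenset(names)

def tcp_flags_match(mask: str, comp: str, packet_flags) -> bool:
    """--tcp-flags MASK COMP: of the flags in MASK, exactly the COMP flags must be set."""
    m, c = parse_flags(mask), parse_flags(comp)
    if not c <= m:
        raise ValueError("COMP flags must be a subset of MASK")
    return (frozenset(packet_flags) & m) == c

# The DROP rules quoted in the post, in order, as (MASK, COMP) pairs.
DROP_RULES = [
    ("ALL", "FIN,URG,PSH"),         # only FIN/URG/PSH set (Xmas-style probe)
    ("ALL", "ALL"),                 # every flag set
    ("ALL", "SYN,RST,ACK,FIN,URG"), # everything except PSH
    ("ALL", "NONE"),                # no flags at all (null probe)
    ("SYN,RST", "SYN,RST"),         # SYN and RST together is never valid
    ("SYN,FIN", "SYN,FIN"),         # SYN and FIN together is never valid
]

def first_matching_rule(packet_flags):
    """Index of the first DROP rule matching the packet, or None if it passes the list."""
    for i, (mask, comp) in enumerate(DROP_RULES):
        if tcp_flags_match(mask, comp, packet_flags):
            return i
    return None

if __name__ == "__main__":
    for sample in ({"SYN"}, {"SYN", "ACK"}, set(), {"FIN", "URG", "PSH"},
                   {"SYN", "FIN"}, {"FIN", "URG", "PSH", "ACK"}):
        print(sorted(sample), "->", first_matching_rule(sample))
```

Note that a MASK of ALL means an exact match on all six flags, so a packet with FIN, URG, PSH and ACK set passes the first rule and the whole list; the list catches the classic invalid combinations, not every odd one.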