
Firewall iptables ICMP

http://www.oregontechsupport.com/articles/icmp.txt

Commande iptables de base

Règles par défaut

/etc/sysctl.conf

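# Reboot 3 s after a kernel panic instead of hanging. Availability setting,
# not a security one; drop it if you prefer to keep a panicked box for forensics.
kernel.panic=3

# Answer ARP only for addresses configured on the interface the request came
# in on (arp_ignore=1); avoids advertising every local address on every segment.
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1

# This host routes between its interfaces. Everything below assumes a
# firewall/router role; on a plain host set this to 0.
net.ipv4.ip_forward=1

# Ignore ICMP echo sent to broadcast/multicast addresses (smurf amplification)
# and bogus ICMP error replies (keeps the kernel log free of warnings).
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1

# Explicit Congestion Notification off (some middleboxes drop ECN-marked flows).
net.ipv4.tcp_ecn=0
# Seconds a socket closed by our side stays in FIN-WAIT-2 (kernel default 60).
net.ipv4.tcp_fin_timeout=30
# Seconds of idle before the first keepalive probe (kernel default 7200).
net.ipv4.tcp_keepalive_time=120
# SYN cookies: keep accepting connections while the SYN backlog is flooded.
net.ipv4.tcp_syncookies=1
# Disabling RFC 1323 timestamps hides uptime from remote fingerprinting, but
# also disables PAWS and hurts high-bandwidth paths. Trade-off, not a hard rule.
net.ipv4.tcp_timestamps=0

# Connection-tracking tuning.
# net.netfilter.nf_conntrack_* are the current key names; the
# net.ipv4.netfilter.ip_conntrack_* spellings are the pre-2.6.2x names. On a
# modern kernel the old keys do not exist: `sysctl -p` prints an error for each
# and continues, so the max/timeout values below were NOT being applied.
# Both spellings are given so the file works on either generation of kernel.
#
# checksum=0 skips checksum verification in conntrack (CPU saving); packets
# with a bad checksum are then tracked normally instead of being marked INVALID.
net.netfilter.nf_conntrack_checksum=0
net.ipv4.netfilter.ip_conntrack_checksum=0
# Maximum number of tracked flows. 16384 is small for a router: once the table
# is full, new connections are dropped ("nf_conntrack: table full"), which an
# attacker can trigger on purpose. Size it to the expected load.
net.netfilter.nf_conntrack_max=16384
net.ipv4.netfilter.ip_conntrack_max=16384
# Flow timeouts in seconds: established TCP 1 h (kernel default 5 days),
# unidirectional UDP 60 s, UDP seen in both directions 180 s.
net.netfilter.nf_conntrack_tcp_timeout_established=3600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600
net.netfilter.nf_conntrack_udp_timeout=60
net.ipv4.netfilter.ip_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
# IPv6 is not forwarded. IPv6 has its own net.ipv6.conf.* knobs; the IPv4-only
# keys in this file do not cover it.
# net.ipv6.conf.all.forwarding=1

# Disable bridge firewalling by default. With these at 0, frames forwarded by
# a Linux bridge on this host are NOT seen by iptables/ip6tables/arptables at
# all -- bridged traffic bypasses every rule. Keep that in mind if a bridge is
# ever added. (On recent kernels these keys only exist once br_netfilter is
# loaded; until then `sysctl -p` reports them as missing and carries on.)
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0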
 
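### JIBE

# Per-flow packet/byte counters in conntrack (shown by `conntrack -L`).
# Small memory cost per flow; useful for accounting and incident triage.
net.netfilter.nf_conntrack_acct=1

# Reverse-path filtering, strict mode: drop packets whose source address is not
# routable back out the interface they arrived on. Blocks spoofed sources and
# "routing triangulation" (replies leaving by a different interface than the
# request). Strict mode breaks asymmetric routing; on a multi-homed router use
# 2 (loose mode) if that is a problem.
net.ipv4.conf.all.rp_filter=1

# Do not send ICMP redirects (we are a router; redirects leak topology).
net.ipv4.conf.all.send_redirects=0
# Do not accept ICMP redirects: a host on the same segment could use them to
# steer our traffic through itself.
net.ipv4.conf.all.accept_redirects=0
# Same for IPv6 -- the IPv4 keys above do not cover it.
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

# Retransmissions for a TCP connection closed by our side (an "orphan") before
# it is killed. NOTE: 0 does not mean "no retries". In the kernel's TCP timer
# code a value of 0 makes the stack fall back to its built-in default (8) for
# a live socket, so this line is effectively a no-op. On a loaded server set
# an explicit small value (e.g. 3) to shed orphans faster. Cf. tcp_max_orphans.
net.ipv4.tcp_orphan_retries=0

# When a listening socket's accept queue overflows: 0 = drop the SYN and let
# the client retry (kernel default), 1 = answer with RST immediately.
net.ipv4.tcp_abort_on_overflow=0

# Reject packets carrying the IP source-route option: with source routing a
# sender can steer a packet through this firewall to a destination that is
# otherwise unreachable from it.
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0

# RFC 1337 TIME-WAIT assassination protection. With 1 an RST received while a
# socket is in TIME-WAIT is ignored instead of destroying the socket; with 0
# (the kernel default) a single -- possibly forged -- RST removes the
# TIME-WAIT entry. 1 is what hardening baselines recommend for a firewall.
# (The kernel's own one-line description of this key is notoriously confusing.)
net.ipv4.tcp_rfc1337=1

# Rate limit for outgoing ICMP of the types selected by icmp_ratemask: minimum
# spacing between replies to one target, in MILLISECONDS (kernel default 1000);
# 0 disables limiting. Older documentation says "jiffies" -- that is stale.
net.ipv4.icmp_ratelimit=20
# Bitmask of ICMP types subject to icmp_ratelimit (bit n = ICMP type n).
# 88089 = 0x15819 = types 0 (echo reply), 3 (dest unreachable), 4 (source
# quench), 11 (time exceeded), 12 (parameter problem), 14 (timestamp reply),
# 16 (info reply). The kernel default 6168 covers only 3, 4, 11, 12; adding
# type 0 also throttles ping replies.
# https://wiki.ubuntu.com/ImprovedNetworking/KernelSecuritySettings
net.ipv4.icmp_ratemask=88089

# Reuse TIME-WAIT sockets for new outgoing connections when the protocol allows
# it. Left at the kernel default (0); only change on advice for a very busy
# client. Prefer this over tcp_tw_recycle, which broke clients behind NAT and
# has since been removed from the kernel.
net.ipv4.tcp_tw_reuse=0

# Keepalive: number of unanswered probes before the peer is declared dead
# (kernel default 9) and the interval between probes in seconds (default 75).
# http://pic.dhe.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.doc/info/aes/ae/tprf_tunelinux.html
net.ipv4.tcp_keepalive_probes=5
net.ipv4.tcp_keepalive_intvl=15

# secure_redirects=1 would honour ICMP redirects only when they come from a
# configured default gateway. Moot here because accept_redirects=0 discards
# all redirects anyway; kept at 0 so nothing changes if accept_redirects is
# ever turned back on by mistake.
# http://www.symantec.com/connect/articles/linux-firewall-related-proc-entries
net.ipv4.conf.all.secure_redirects=0

# Do not answer ARP on behalf of other hosts. Occasionally needed in VPN/router
# setups; otherwise a bad idea on a host (silent traffic interception).
net.ipv4.conf.all.proxy_arp=0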
 
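####
# Per-interface copies of the conf/all settings above. They are not redundant:
# conf/default/* only seeds interfaces created AFTER it is written, and for
# send_redirects, secure_redirects and proxy_arp the kernel ORs conf/all with
# conf/<iface>, so an existing interface still carrying the kernel default
# (send_redirects=1) is not silenced by conf/all alone. rp_filter uses the
# maximum of the two values; accept_source_route ANDs them.
#
# Interface names containing a dot (VLAN sub-interfaces eth0.0 / eth0.1, the
# monitor interface mon.wlan0) MUST be written with '/' as the separator:
# sysctl treats '.' as the path separator, so "net.ipv4.conf.eth0.0.rp_filter"
# was looked up as conf/eth0/0/rp_filter, failed, and those lines never took
# effect. When the first separator in a key is '/', the remaining dots are kept
# as part of the interface name (see sysctl.d(5) / sysctl(8)).
#
# An interface that does not exist at load time yields one error line from
# `sysctl -p` and is skipped; the remaining keys are still applied. Use
# `sysctl -e -p` to silence those errors.
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.default.proxy_arp=0

net.ipv4.conf.lo.rp_filter=1
net.ipv4.conf.lo.send_redirects=0
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.conf.lo.accept_source_route=0
net.ipv4.conf.lo.secure_redirects=0
net.ipv4.conf.lo.proxy_arp=0

net.ipv4.conf.eth0.rp_filter=1
net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.eth0.accept_source_route=0
net.ipv4.conf.eth0.secure_redirects=0
net.ipv4.conf.eth0.proxy_arp=0

# VLAN sub-interface: slash syntax because of the dot in the name.
net/ipv4/conf/eth0.0/rp_filter=1
net/ipv4/conf/eth0.0/send_redirects=0
net/ipv4/conf/eth0.0/accept_redirects=0
net/ipv4/conf/eth0.0/accept_source_route=0
net/ipv4/conf/eth0.0/secure_redirects=0
net/ipv4/conf/eth0.0/proxy_arp=0

net/ipv4/conf/eth0.1/rp_filter=1
net/ipv4/conf/eth0.1/send_redirects=0
net/ipv4/conf/eth0.1/accept_redirects=0
net/ipv4/conf/eth0.1/accept_source_route=0
net/ipv4/conf/eth0.1/secure_redirects=0
net/ipv4/conf/eth0.1/proxy_arp=0

net.ipv4.conf.wlan0.rp_filter=1
net.ipv4.conf.wlan0.send_redirects=0
net.ipv4.conf.wlan0.accept_redirects=0
net.ipv4.conf.wlan0.accept_source_route=0
net.ipv4.conf.wlan0.secure_redirects=0
net.ipv4.conf.wlan0.proxy_arp=0

# 802.11 monitor interface: slash syntax because of the dot in the name.
net/ipv4/conf/mon.wlan0/rp_filter=1
net/ipv4/conf/mon.wlan0/send_redirects=0
net/ipv4/conf/mon.wlan0/accept_redirects=0
net/ipv4/conf/mon.wlan0/accept_source_route=0
net/ipv4/conf/mon.wlan0/secure_redirects=0
net/ipv4/conf/mon.wlan0/proxy_arp=0
####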
