I'd like to know whether the order of the rules in the chains is correct, and whether in your opinion this firewall is effective for an ordinary desktop machine. The rules also include three open ports for torrents.
Here is the content of my iptables.rules file:
# Generated by iptables-save v1.4.12 on Thu Jun 6 09:55:03 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [17:4185]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 30/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --rsource -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 1234 -j ACCEPT
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --rsource -j REJECT --reject-with icmp-port-unreachable
-A UDP -p udp -m udp --dport 1234:1236 -j ACCEPT
COMMIT
# Completed on Thu Jun 6 09:55:03 2013
Here is the output of iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 30/min burst 8
DROP icmp -- anywhere anywhere icmp echo-request
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN ctstate NEW
REJECT tcp -- anywhere anywhere recent: SET name: TCP-PORTSCAN side: source reject-with tcp-reset
REJECT udp -- anywhere anywhere recent: SET name: UDP-PORTSCAN side: source reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain TCP (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere recent: UPDATE seconds: 60 name: TCP-PORTSCAN side: source reject-with tcp-reset
ACCEPT tcp -- anywhere anywhere tcp dpt:1234
Chain UDP (1 references)
target prot opt source destination
REJECT udp -- anywhere anywhere recent: UPDATE seconds: 60 name: UDP-PORTSCAN side: source reject-with icmp-port-unreachable
ACCEPT udp -- anywhere anywhere udp dpts:1234:1236
The rules were put together using the Arch Linux guide.
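As an added illustration (not part of the post, and not code from the Arch wiki), the following Python model replays the posted rule order: conntrack state first, then the TCP/UDP chains where the "-m recent --update" REJECT sits above the torrent ACCEPT rules, then the "-m recent --set" REJECTs back in INPUT. The lo and ICMP rules are left out, and the addresses and timestamps are constructed.

```python
from dataclasses import dataclass, field

WINDOW = 60                            # "-m recent --update --seconds 60" in the TCP and UDP chains
TORRENT_TCP = {1234}                   # -A TCP -p tcp --dport 1234 -j ACCEPT
TORRENT_UDP = set(range(1234, 1237))   # -A UDP -p udp --dport 1234:1236 -j ACCEPT

@dataclass
class Firewall:
    """Model of the posted INPUT/TCP/UDP chains (constructed; lo and ICMP rules omitted)."""
    recent: dict = field(default_factory=dict)   # (list name, src) -> last-seen time, like xt_recent
    def _recent_update(self, name, src, now):
        """-m recent --update --seconds 60: match only if src was seen within WINDOW; refresh on match."""
        last = self.recent.get((name, src))
        if last is None or now - last > WINDOW:
            return False
        self.recent[(name, src)] = now
        return True
    def packet(self, src, proto, dport, now, state="NEW", syn=True):
        if state in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"                       # first INPUT rule: replies to our own connections
        if state == "INVALID":
            return "DROP"                         # ctstate INVALID
        if proto == "tcp":
            if syn:                               # only NEW packets with a bare SYN are sent to chain TCP
                if self._recent_update("TCP-PORTSCAN", src, now):
                    return "REJECT tcp-reset (portscan trap)"   # rejected before the ACCEPT is reached
                if dport in TORRENT_TCP:
                    return "ACCEPT"
            self.recent[("TCP-PORTSCAN", src)] = now   # back in INPUT: -m recent --set, then reject
            return "REJECT tcp-reset"
        if proto == "udp":
            if self._recent_update("UDP-PORTSCAN", src, now):
                return "REJECT icmp-port-unreachable (portscan trap)"
            if dport in TORRENT_UDP:
                return "ACCEPT"
            self.recent[("UDP-PORTSCAN", src)] = now
            return "REJECT icmp-port-unreachable"
        return "REJECT icmp-proto-unreachable"    # last INPUT rule: any other protocol

def demo():
    fw = Firewall()
    peer, prober = "203.0.113.5", "198.51.100.7"   # constructed addresses from the TEST-NET ranges
    return [
        fw.packet(peer, "tcp", 1234, now=0),      # open torrent port: ACCEPT
        fw.packet(prober, "tcp", 22, now=10),     # closed port: reject and record the source
        fw.packet(prober, "tcp", 1234, now=20),   # same source within 60 s: trapped even on the open port
        fw.packet(prober, "tcp", 1234, now=100),  # window expired: ACCEPT again
    ]
```

The third packet in demo() is what the ordering question comes down to: a source that touched a closed port gets a reset on port 1234 for the next 60 seconds, which is what the scan trap is meant to do, so the REJECT has to stay above the ACCEPT in the TCP and UDP chains.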