bmaeser / iptables-boilerplate Goto Github PK

Hi, not sure if this is normal or not but I'm getting these two error messages:
update-rc.d: warning: firewall start runlevel arguments (2 3 4 5) do not match LSB Default-Start values (S)
update-rc.d: warning: firewall stop runlevel arguments (0 1 6) do not match LSB Default-Stop values (0 6)

This is on a Digital Ocean 12.04.3 Ubuntu VPS.

Hello, I try to use it on Debian 9 for my LAMP and it works OK. Nevertheless, when I perform Nmap port scan from my PC, ksoftirqd/0 utilizes 100% of my server CPU for the scan time. As long as I have only 1 vcore on my VPS this makes whole server stuck for some time. Is there a way to improve it?

PS: I have disbaled "port scan" option in firewall, but it doesn't help.

The script sets the limit to 120 connections per minute, but the max number of packets to remember is set to 20.

I did not send a pull request as my experience with iptables is extremely limited, but for my setup I have limited the number of connections to 20 per minute, which is sufficient for my needs.

Hello:

Is iptables-boilerplate ready to be used in Debian 9?

Thank you

title says it all

Hello, I've some questions:

1. Is this safe to put "EXTERNAL CONFIGS" section BEFORE all attacks detection rules ?

2. Regarding https://security.stackexchange.com/questions/4603/tips-for-a-secure-iptables-config-to-defend-from-attacks-client-side, I think that 2 rules are missing:

## MAKE SURE NEW INCOMING TCP CONNECTIONS ARE SYN PACKETS
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
## DROP PACKETS WITH INCOMING FRAGMENTS
$IPTABLES -A INPUT -f -j DROP

3. Why duplicate the invalid packets droping rules (Lines 68 and 146) ?

4. Why martians loging turned off by default ?

5. Can you add a "enable/disable ICMP" option ? Or, at least, add a "limit", to prevent a PING flood.

6. I don't need to restart a service (networking?) to apply sysctl settings, right ?

BTW, great boilerplate, very useful, thank you!

title says it all