Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N
/etc/sysconfig/SuSEfirewall2
FW_ALLOW_PING_FW="no"
FW_ALLOW_FW_SOURCEQUENCH="no"
uselessinfoguru wrote:I know it should, but can still be pinged... I know it's odd.. I'm thinking the process of upgrading to php7 then installing wordpress did something to overwrite the firewall settings? Or make it so the Ping settings in the firewall are ignored? The whitelisted IPs for all unopened ports still works.
uselessinfoguru wrote:Ping works... grr... lol
WhateverIWant:~ # iptables --help
iptables v1.4.21
Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w wait for the xtables lock
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
WhateverIWant:~ # iptables -save
iptables v1.4.21: no command specified
Try `iptables -h' or 'iptables --help' for more information.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [234617:234538329]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -m set --match-set geoblock src -j DROP
-A INPUT -m set --match-set badips src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 81 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 81 -j ACCEPT
-A input_ext -s xx.xx.xx.xx/32 -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC " --log-tcp-options --log-ip-options
-A input_ext -s xx.xx.xx.xx/32 -p tcp -j ACCEPT
-A input_ext -s xx.xx.xx.xx/32 -p udp -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC " --log-tcp-options --log-ip-options
-A input_ext -s xx.xx.xx.xx/32 -p udp -j ACCEPT
-A input_ext -s 192.168.1.0/24 -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC " --log-tcp-options --log-ip-options
-A input_ext -s 192.168.1.0/24 -p tcp -j ACCEPT
-A input_ext -s 192.168.1.0/24 -p udp -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC " --log-tcp-options --log-ip-options
-A input_ext -s 192.168.1.0/24 -p udp -j ACCEPT
-A input_ext -s xx.xx.xx.xx/32 -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC " --log-tcp-options --log-ip-options
-A input_ext -s xx.xx.xx.xx/32 -p tcp -j ACCEPT
-A input_ext -s xx.xx.xx.xx/32 -p udp -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC " --log-tcp-options --log-ip-options
-A input_ext -s xx.xx.xx.xx/32 -p udp -j ACCEPT
-A input_ext -s xx.xx.xx.xx/32 -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC " --log-tcp-options --log-ip-options
-A input_ext -s xx.xx.xx.xx/32 -p tcp -j ACCEPT
-A input_ext -s xx.xx.xx.xx/32 -p udp -m conntrack --ctstate NEW -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC " --log-tcp-options --log-ip-options
-A input_ext -s xx.xx.xx.xx/32 -p udp -j ACCEPT
-A input_ext -m comment --comment "sfw2.insert.pos" -m pkttype ! --pkt-type unicast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# defaults to "yes" if not set
#
FW_ALLOW_PING_FW="no"
## Type: yesno
#
# Allow hosts in the dmz to be pinged from hosts in other zones even
# if neither FW_FORWARD nor FW_MASQUERADE is set
#
# Requires: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_DMZ=""
## Type: yesno
#
# Allow hosts in the external zone to be pinged from hosts in other
# zones even if neither FW_FORWARD nor FW_MASQUERADE is set
#
# Requires: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_EXT="no"
## Type: yesno
#
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Defaults to "yes" if not set
#
FW_ALLOW_FW_SOURCEQUENCH="no"
- Code: Select all
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
- Code: Select all
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
iptables -D INPUT -j input_ext
uselessinfoguru wrote:I'll keep you updated lol, so far, nothing, oh the web directories are whitelisted, btw, through http.d so, the only access outside our internal network is to the wordpress website. All other web directories throw a 403 error.
dspaan wrote:Don't install Wordpress on a vicidial machine, it's just asking for trouble. And no benefit.
Also, use Wordfence. You'll be amazed to see how many attacks your website is getting.
uselessinfoguru wrote:0 hackers
Users browsing this forum: No registered users and 30 guests