On 28.11.2015 at 10:20, grarpamp wrote:
>> First rule is to use some firewall
> No it is not, do not do this. An exit needs to pass the traffic that its exitpolicy says it will pass. Otherwise bad things happen with circuit construction and your exit gets badmouthed by users possibly to the point of being banned. If you can't provide an exitpolicy that works as written, then don't provide it.
Unfortunately, I had to do so. The below firewall rule was active for approx. one month. During this time, exit traffic did not decrease, nor did I recognise any other negative effect. During this time, I got no new issues with my ISP. Last week, after some patches, I rebooted the server and forgot to apply the rules again. Within 3 days, my ISP blocked the server once more because of netscan abuse...
So to say... these rules work. But most probably somebody with more iptables experience might adjust them to be even more effective AND less "problematic".
# Chain for new outbound connections. The jump from the OUTPUT chain into ONEW
# is not part of the rules as posted and is not reproduced here.
iptables -N ONEW
# Loopback traffic is always allowed.
iptables -A ONEW -o lo -j ACCEPT
# DNS and UDP/80: at most 2 new flows per second, bursts of up to 5.
iptables -A ONEW -p udp --dport 53 -m limit --limit 2/sec --limit-burst 5 -j ACCEPT
iptables -A ONEW -p udp --dport 80 -m limit --limit 2/sec --limit-burst 5 -j ACCEPT
# Everything else: at most 1 new connection per second per destination /24,
# tracked in a hashlimit table named ONEW.
iptables -A ONEW -m hashlimit --hashlimit-upto 1/second --hashlimit-mode dstip --hashlimit-dstmask 24 --hashlimit-name ONEW -j ACCEPT
# Log what exceeds the limit (the logging itself capped at 1 line/sec), then reject it.
iptables -A ONEW -m limit --limit 1/sec -j LOG --log-prefix "REJECTED: "
iptables -A ONEW -j REJECT --reject-with icmp-admin-prohibited
Thx Vali
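As an added example (not from the original post or the thread), a small Python parser for the kernel log lines the LOG rule above writes with its "REJECTED: " prefix. It groups them by destination /24 and port, mirroring --hashlimit-dstmask 24, so an operator can check whether the throttled connections look like a horizontal scan (many hosts in one /24 on one port) or like ordinary exit traffic. The log lines are constructed samples with documentation addresses.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample kernel log lines in the format the LOG target emits with
# --log-prefix "REJECTED: " (addresses and ports are made up for this example).
SAMPLE_LOG = """\
Nov 30 10:01:02 exit kernel: REJECTED: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Nov 30 10:01:02 exit kernel: REJECTED: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Nov 30 10:01:03 exit kernel: REJECTED: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.12 LEN=60 PROTO=TCP SPT=40003 DPT=22 SYN
Nov 30 10:01:03 exit kernel: REJECTED: IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=40004 DPT=443 SYN
Nov 30 10:01:04 exit kernel: REJECTED: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.30 LEN=60 PROTO=TCP SPT=40005 DPT=22 SYN
"""

# DPT is optional so protocols without ports (e.g. ICMP) still parse.
LINE_RE = re.compile(
    r"REJECTED: .*?DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+)(?:.*?DPT=(?P<dpt>\d+))?"
)


def parse_rejected(log_text):
    """Yield (dst, proto, dpt) for every line carrying the REJECTED: prefix."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("dst"), m.group("proto"), m.group("dpt") or "-"


def summarize(log_text, mask=24):
    """Group rejected attempts by (destination network, proto/port) and keep the
    distinct destination hosts per group. mask defaults to 24 to match the
    --hashlimit-dstmask 24 used in the rule set."""
    groups = defaultdict(set)
    for dst, proto, dpt in parse_rejected(log_text):
        net = ip_network(f"{dst}/{mask}", strict=False)
        groups[(str(net), f"{proto}/{dpt}")].add(dst)
    return {key: sorted(hosts) for key, hosts in groups.items()}


def scan_candidates(groups, min_hosts=3):
    """Return the (network, proto/port) groups that hit at least min_hosts distinct
    hosts: the horizontal-scan pattern the hashlimit rule is meant to throttle."""
    return sorted(key for key, hosts in groups.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG)
    for key, hosts in sorted(groups.items()):
        print(key, len(hosts), "hosts")
    print("scan candidates:", scan_candidates(groups))
```

Point it at the real log with `summarize(open("/var/log/kern.log").read())`; groups that never reach the host threshold are likely legitimate traffic that the limit is needlessly delaying.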