# /etc/sysctl.conf<br /><br /># Disable ICMP send_redirects.<br />net.ipv4.conf.all.send_redirects = 0<br /><br /># Disable source routed packages.<br />net.ipv4.conf.all.accept_source_route = 0<br /><br /># Ignore ICMP packages sent to broadcast addresses.<br />net.ipv4.icmp_echo_ignore_broadcasts = 1<br /><br /># ICMP Dead Error Messages protection.<br />net.ipv4.icmp_ignore_bogus_error_responses = 1<br /><br /># Increase the security against DoS.<br />net.ipv4.tcp_fin_timeout = 10<br />net.ipv4.tcp_keepalive_time = 1800<br />net.ipv4.tcp_window_scaling = 0<br />net.ipv4.tcp_sack = 0<br /><br /># Avoid spoofing.<br />net.ipv4.conf.all.rp_filter = 1<br /><br /># Disable syn-cookies.<br />net.ipv4.tcp_syncookies = 1
Queste sono tutte voci del filesystem runtime /proc, attento a disabilitare i TCP/IP SYN cookies poichè può minare il funzionamento di alcuni servizi, per es. un web server ad alto traffico.

Per quanto riguarda IPTables queste sono le mie politiche:

# Default policy is DROP.<br />iptables -t filter -P INPUT DROP<br />iptables -t filter -P FORWARD DROP<br />iptables -t filter -P OUTPUT DROP<br /><br /># Block RFC 1918 address on INPUT chain on eth1 interface.<br />iptables -t filter -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP<br />iptables -t filter -A INPUT -i eth1 -s 172.16.0.0/16 -j DROP<br />iptables -t filter -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP<br /><br /># ICMP policies on INPUT chain.<br />iptables -t filter -A INPUT -i eth0 -p icmp --icmp-type any -j ACCEPT<br />iptables -t filter -A INPUT -i eth1 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT<br />iptables -t filter -A INPUT -i eth1 -p icmp --icmp-type destination-unreachable -j ACCEPT<br />iptables -t filter -A INPUT -i eth1 -p icmp --icmp-type echo-request -j ACCEPT<br />iptables -t filter -A INPUT -i eth1 -p icmp --icmp-type fragmentation-needed -j ACCEPT<br />iptables -t filter -A INPUT -i eth1 -p icmp --icmp-type time-exceeded -j ACCEPT
Il resto varia a seconda delle esigenze.