From 839f2540ac29eceae790ddb21a1fb382859ffb27 Mon Sep 17 00:00:00 2001
From: Saeid Bostandoust <49065072+ssbostan@users.noreply.github.com>
Date: Fri, 10 Jan 2020 17:23:29 +0330
Subject: [PATCH] add some kernel configuration
---
README.md | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 67 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index b41d2d0..ae39088 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,6 @@
## :ballot_box_with_check: Todo
- [ ] Add useful Iptables configuration examples
-- [ ] Add useful Kernel Settings (sysctl) configuration examples
- [ ] Add links to useful external resources
- [ ] Add advanced configuration examples, commands, rules
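Review bot: The Todo entry `- [ ] Add useful Kernel Settings (sysctl) configuration examples` is deleted outright while the surrounding items keep the checklist form; marking it done as `- [x] Add useful Kernel Settings (sysctl) configuration examples` keeps the list consistent and records that the item was completed rather than dropped.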
@@ -38,6 +37,7 @@
- [Tools to help you configure Iptables](#tools-to-help-you-configure-iptables)
- [Manuals/Howtos/Tutorials](#manualshowtostutorials)
+- [Useful Kernel Settings (sysctl) configuration](#useful-kernel-settings-sysctl-configuration)
- [How it works?](#how-it-works)
- [Iptables Rules](#iptables-rules)
* [Saving Rules](#saving-rules)
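Review bot: The new table-of-contents link `#useful-kernel-settings-sysctl-configuration` does not match the heading this patch adds later, `### Kernel Settings (sysctl) Configuration`, whose generated anchor is `#kernel-settings-sysctl-configuration`, so the link will not resolve. Either rename the link to `- [Kernel Settings (sysctl) Configuration](#kernel-settings-sysctl-configuration)` or rename the heading to match the link text; the surrounding entries (`[Manuals/Howtos/Tutorials](#manualshowtostutorials)`) show the convention of deriving the anchor from the exact heading text.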
@@ -129,6 +129,72 @@
:small_orange_diamond: Per-IP rate limiting with iptables
+### Kernel Settings (sysctl) Configuration
+
+```bash
+cat << EOF > /etc/sysctl.d/40-custom.conf
+
+#---------------------------------------------------------------
+# Disable routing triangulation. Respond to queries out
+# the same interface, not another. Helps to maintain state
+# Also protects against IP spoofing
+#---------------------------------------------------------------
+
+net/ipv4/conf/all/rp_filter = 1
+
+
+#---------------------------------------------------------------
+# Enable logging of packets with malformed IP addresses
+#---------------------------------------------------------------
+
+net/ipv4/conf/all/log_martians = 1
+
+
+#---------------------------------------------------------------
+# Disable redirects
+#---------------------------------------------------------------
+
+net/ipv4/conf/all/send_redirects = 0
+
+
+#---------------------------------------------------------------
+# Disable source routed packets
+#---------------------------------------------------------------
+
+net/ipv4/conf/all/accept_source_route = 0
+
+
+#---------------------------------------------------------------
+# Disable acceptance of ICMP redirects
+#---------------------------------------------------------------
+
+net/ipv4/conf/all/accept_redirects = 0
+
+
+#---------------------------------------------------------------
+# Turn on protection from Denial of Service (DOS) attacks
+#---------------------------------------------------------------
+
+net/ipv4/tcp_syncookies = 1
+
+
+#---------------------------------------------------------------
+# Disable responding to ping broadcasts
+#---------------------------------------------------------------
+
+net/ipv4/icmp_echo_ignore_broadcasts = 1
+
+
+#---------------------------------------------------------------
+# Enable IP routing. Required if your firewall is protecting a
+# network, NAT included
+#---------------------------------------------------------------
+
+net/ipv4/ip_forward = 1
+
+EOF
+```
+
### How it works?
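Review bot: The `conf/all/*` settings in this block are not sufficient on their own for every key: `send_redirects` is enabled on an interface if either `conf/all` or `conf/<iface>` is set, so `net/ipv4/conf/all/send_redirects = 0` does not stop redirects on interfaces whose per-interface value is still 1, and interfaces created after boot inherit from `conf/default`, which the file never touches. Add `net/ipv4/conf/default/send_redirects = 0`, `net/ipv4/conf/default/accept_redirects = 0`, `net/ipv4/conf/default/accept_source_route = 0` and `net/ipv4/conf/default/rp_filter = 1` alongside the `all` entries. The file is also IPv4-only; the same protections need their `net/ipv6/conf/all/` and `net/ipv6/conf/default/` counterparts (`accept_redirects`, `accept_source_route`) or a dual-stack host stays exposed. Two of the comments overstate what a setting does: `tcp_syncookies = 1` mitigates SYN floods specifically, not "Denial of Service (DOS) attacks" in general, and `rp_filter = 1` is strict mode, which will drop legitimate traffic on hosts with asymmetric routing, where `2` (loose mode) is the safer default. Shipping `net/ipv4/ip_forward = 1` unconditionally in a hardening snippet turns every host that copies it into a router; since the comment already says it is only needed when the box is protecting a network, leave it commented out or set to 0 with the comment explaining when to flip it. Finally, writing the file does not apply anything; add `sysctl --system` (or `sysctl -p /etc/sysctl.d/40-custom.conf`) after the `EOF`, and quote the heredoc delimiter (`cat << 'EOF'`) so the contents are never subject to shell expansion.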