callihn DD-WRT Novice
Joined: 10 Jul 2008 Posts: 49
Posted: Fri Dec 18, 2009 21:35 Post subject: General tweaks + No SMTP on ChilliSpot
Here are some general tweaks I've been using as well as some settings to disable SMTP on the Chillispot.
http://192.168.2.1/Diagnostics.asp
I use this as my "Startup" script:
Code:
#!/bin/sh
# icmp_echo_ignore_all / icmp_echo_ignore_broadcasts are global knobs:
# there is no per-interface conf/eth0/ entry for them, so the writes
# have to go to /proc/sys/net/ipv4/ directly or they fail silently.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward
# IP fragment reassembly memory limits (bytes) and timeout (seconds)
echo 64000 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 48000 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 10 > /proc/sys/net/ipv4/ipfrag_time
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
# Log packets with impossible (martian) source addresses
echo 1 > /proc/sys/net/ipv4/conf/eth0/log_martians
echo 10 > /proc/sys/net/ipv4/neigh/eth0/locktime
echo 0 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 50 > /proc/sys/net/ipv4/neigh/eth0/gc_stale_time
#
# The following entries secure the last bit and provide a
# moderate protection against man-in-the-middle attacks.
#
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/secure_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 5 > /proc/sys/net/ipv4/igmp_max_memberships
echo 2 > /proc/sys/net/ipv4/igmp_max_msf
echo 1024 > /proc/sys/net/ipv4/tcp_max_orphans
echo 2 > /proc/sys/net/ipv4/tcp_syn_retries
echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/route/redirect_number
# Reverse-path filtering: drop packets whose source address is not
# routable back out of the interface they arrived on
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
# DoS protection by tweaking the timeouts
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
# We pretend to be a Checkpoint firewall on Windows XP
echo "4096 87380 4194304" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 87380 4194304" > /proc/sys/net/ipv4/tcp_wmem
# Check network overload (explicit congestion notification)
echo 1 > /proc/sys/net/ipv4/tcp_ecn
# Change port range for outgoing traffic
echo "30000 60000" > /proc/sys/net/ipv4/ip_local_port_range
# Change default queue size
# Modified for DD-WRT because of missing proc entries
echo 4096 > /proc/sys/net/ipv4/ip_conntrack_max
# LED signal feedback when script ends
sleep 1
gpio disable 3
sleep 1
gpio enable 3
sleep 1
gpio disable 3
sleep 1
gpio enable 2
sleep 1
gpio disable 2
sleep 1
gpio enable 2
# If you'd like to disable the web interface uncomment
# the following line
#killall httpd
I put this under "Firewall" to disable SMTP on the Chillispot:
Code:
# ALL outgoing mail must travel via webmail on the ChilliSpot AP.
# Hotspot clients' packets are forwarded through the router, so they
# are matched in the FORWARD chain; OUTPUT and INPUT only see traffic
# the router itself sends or receives. Insert (-I) rather than append
# so the DROP comes before DD-WRT's default ACCEPT rules. A plain DROP
# needs no state match: every state except INVALID was listed anyway.
iptables -I FORWARD -p tcp -s 192.168.182.0/24 --dport 25 -j DROP
iptables -I FORWARD -p tcp --sport 25 -d 192.168.182.0/24 -j DROP
iptables -I FORWARD -p tcp -s 192.168.182.0/24 --dport 465 -j DROP
iptables -I FORWARD -p tcp --sport 465 -d 192.168.182.0/24 -j DROP
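An added check for a startup script of the kind above (example written for this thread, not callihn's code): it parses the `echo VALUE > /proc/sys/...` lines and compares each one with the kernel's /proc tree, so the "missing proc entries" mentioned in the post, and any write that silently failed, are reported. PROC_ROOT is an assumed variable; left empty it means the live /proc, and it can be pointed at a constructed directory to test without root.

```sh
#!/bin/sh
# Audit helper (added example, not from the original post). Reads a
# startup script in the "echo VALUE > /proc/sys/..." style and reports
# each setting as OK, MISMATCH (entry holds another value) or MISSING
# (entry absent on this kernel). PROC_ROOT (assumed variable): empty
# means the live /proc; a directory path audits a constructed tree.

# check_one PATH EXPECTED: prints a status line; returns 0 ok, 1 mismatch, 2 missing
check_one() {
    path="${PROC_ROOT:-}$1"
    want="$2"
    if [ ! -r "$path" ]; then
        echo "MISSING  $1"
        return 2
    fi
    # collapse tabs/newlines so "4096 87380 4194304" compares cleanly
    have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/^ //; s/ $//')
    if [ "$have" = "$want" ]; then
        echo "OK       $1 = $have"
        return 0
    fi
    echo "MISMATCH $1 want='$want' have='$have'"
    return 1
}

# audit_script FILE: one status line per "echo VALUE > /proc/sys/..." line;
# comments, gpio/sleep lines and other non-sysctl commands are skipped
audit_script() {
    sed -n 's|^[[:space:]]*echo[[:space:]]\{1,\}\([^>]*[^>[:space:]]\)[[:space:]]*>[[:space:]]*\(/proc/sys/[^[:space:]]*\).*|\2 \1|p' "$1" \
      | tr -d '"' \
      | while read -r path value; do
            check_one "$path" "$value" || true
        done
}

# count_failures FILE: number of settings that are not OK
count_failures() {
    audit_script "$1" | grep -vc '^OK' || true
}

# Usage on the router after the startup script has run:
#   sh audit.sh /tmp/startup.sh
if [ -n "${1:-}" ]; then
    audit_script "$1"
fi
```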