I'm a newbie with iptables. I use this script <http://pastebin.ca/2447430> for my system. It is based on <http://wiki.archlinux.org/index.php/Simple_stateful_firewall>. Now I want to add an iptables log chain and some other rules. What is the correct line at which to start adding the following?

```sh
## Logging
$IPT -N LOGDROP
$IPT -A LOGDROP -m limit --limit 5/m --limit-burst 8 -j LOG --log-prefix "IPTables-Dropped: "
$IPT -A LOGDROP -j DROP

# log and drop packets that hit this rule
$IPT -A INPUT -m conntrack --ctstate INVALID -j LOGDROP
```

Supposing I want to add the following lines as well, are any of these rules superfluous? Do these rules have to be placed after or before the rule `$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP`?

```sh
# SSH bruteforce attacks
$IPT -N IN_SSH
$IPT -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH
$IPT -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
$IPT -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
$IPT -A IN_SSH -m recent --name sshbf --set -j ACCEPT
$IPT -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH

## Local Area Network Denial (LAND) attack
# Block all packets from your own IP
$IPT -A INPUT -s 192.168.201.2/32 -j DROP
# Block any packet from local network
$IPT -A INPUT -s 127.0.0.0/8 -j DROP

# SYN Flood
$IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# SYN packets
# Drop any tcp packet that does not start a connection with a syn flag
$IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# NULL packets
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# XMAS packets
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Fragments Packet
$IPT -A INPUT -f -j DROP

# ping of death
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Furtive port scanner
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
```
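The ordering questions above come down to two rules of iptables: a chain must exist before a rule jumps to it, and rules in a chain are evaluated first-match. The script below is an added example, not the poster's script or the Arch wiki's, and it rewrites the INPUT-side rules from the question in `iptables-restore` syntax so the ruleset can be checked as text without root. It assumes sshd is on port 22 (the post uses the service name `ssh`) and keeps the poster's LAN address 192.168.201.2 as a placeholder; the FORWARD-chain rate limits from the post are left out because they only act on routed traffic, not on packets addressed to the host itself.

```shell
#!/bin/sh
# Added example (not the original post's script): the logging chain and the
# INPUT hardening rules from the question, in iptables-restore form.
# Assumptions: sshd listens on 22; 192.168.201.2 is the host's own LAN address.

# Emit the ruleset. In restore syntax every chain is declared in the header
# (":NAME - [0:0]") before any rule references it, which is what "$IPT -N NAME"
# must do in the script form before the first "-j NAME".
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
:IN_SSH - [0:0]
# LOGDROP: rate-limited log line, then drop
-A LOGDROP -m limit --limit 5/m --limit-burst 8 -j LOG --log-prefix "IPTables-Dropped: "
-A LOGDROP -j DROP
# INPUT: loopback first, so the 127.0.0.0/8 anti-spoof rule below never cuts off local traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# One INVALID rule is enough: jumping to LOGDROP already drops, so no separate "-j DROP" line
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
# Spoofed sources (LAND): the host's own address or loopback range arriving on a real interface
-A INPUT ! -i lo -s 127.0.0.0/8 -j LOGDROP
-A INPUT -s 192.168.201.2/32 -j LOGDROP
# TCP sanity checks, sent to LOGDROP so hits show up in the log
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOGDROP
-A INPUT -p tcp --tcp-flags ALL NONE -j LOGDROP
-A INPUT -p tcp --tcp-flags ALL ALL -j LOGDROP
-A INPUT -f -j LOGDROP
# SSH: a single jump into IN_SSH; a second identical jump would only re-run the same chain
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
-A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j LOGDROP
-A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j LOGDROP
-A IN_SSH -m recent --name sshbf --set -j ACCEPT
COMMIT
EOF
}

# Check that every "-j TARGET" refers to a built-in target or a declared chain.
# Prints the offending target and returns non-zero otherwise.
check_chains() {
    build_ruleset | awk '
        /^:/ { sub(/^:/, ""); declared[$1] = 1 }
        /^-A/ {
            target = ""
            for (i = 1; i < NF; i++) if ($i == "-j") target = $(i + 1)
            if (target != "" && target !~ /^(ACCEPT|DROP|REJECT|LOG|RETURN)$/ && !(target in declared)) {
                print "rule jumps to undeclared chain: " target
                bad = 1
            }
        }
        END { exit bad }'
}

# List rule lines that appear more than once (a repeated rule is always superfluous).
duplicate_rules() {
    build_ruleset | grep '^-A' | sort | uniq -d
}

# Load the ruleset atomically; needs root and replaces the whole filter table.
apply_ruleset() {
    build_ruleset | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
    check_chains && apply_ruleset
fi
```

Run it with no arguments to print the ruleset for review, or with `--apply` as root to load it. The two checks catch the mistakes the question is about: `check_chains` fails if a rule jumps to a chain that was never created, and `duplicate_rules` prints the repeated line if the same rule is appended twice, as with the second `-j IN_SSH` jump in the post.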