[arch-general] iptables script

F. Gr. frgroccia at gmail.com
Tue Sep 10 07:27:00 EDT 2013


I'm a newbie with iptables. I use this script
<http://pastebin.ca/2447430> for my system. It is based on
<http://wiki.archlinux.org/index.php/Simple_stateful_firewall>. Now I
want to add an iptables log chain and others. What is the correct
line to start adding the following?

<script>
## Logging
$IPT -N LOGDROP
$IPT -A LOGDROP -m limit --limit 5/m --limit-burst 8 -j LOG --log-prefix "IPTables-Dropped: "
$IPT -A LOGDROP -j DROP

# log and drop packets that hit this rule
$IPT -A INPUT -m conntrack --ctstate INVALID -j LOGDROP
</script>

Supposing I want to add the following lines as well, are there any
rules that are superfluous? Do these rules have to be placed after or
before the rule "$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP"?

<script>
# SSH bruteforce attacks
$IPT -N IN_SSH
$IPT -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH
$IPT -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
$IPT -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
$IPT -A IN_SSH -m recent --name sshbf --set -j ACCEPT
$IPT -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH

## Local Area Network Denial (LAND) attack
# Block all packets from your own IP
$IPT -A INPUT -s 192.168.201.2/32 -j DROP
# Block any packet from local network
$IPT -A INPUT -s 127.0.0.0/8 -j DROP

# SYN Flood
$IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# SYN packets
# Drop any tcp packet that does not start a connection with a syn flag
$IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# NULL packets
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# XMAS packets
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Fragments Packet
$IPT -A INPUT -f -j DROP

# ping of death
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Furtive port scanner
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
</script>
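The ordering question above, as an added example (not the poster's script nor the wiki's): the log chain and SSH chain from the post laid out as one iptables-restore(8) file, in the order a stateful firewall needs, with a helper that checks the ordering before anything is loaded. The FORWARD rules are left out because FORWARD only sees packets the host routes for other machines; SSH_PORT and the address 192.168.201.2 are assumptions.

```shell
#!/bin/sh
# Emits the poster's rules as one iptables-restore(8) file in the order a
# stateful firewall needs; load with:  ruleset | iptables-restore  (as root).
# SSH_PORT and the host address 192.168.201.2 are assumptions.
SSH_PORT=${SSH_PORT:-22}

ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
:IN_SSH - [0:0]
# Fast path first: replies to our own traffic, then loopback.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Source checks go AFTER the lo accept, or 127.0.0.1 traffic would die here.
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 192.168.201.2/32 -j DROP
# The plain INVALID drop becomes a jump into the logging chain.
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
# TCP flag sanity checks, logged the same way.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOGDROP
-A INPUT -p tcp --tcp-flags ALL NONE -j LOGDROP
-A INPUT -p tcp --tcp-flags ALL ALL -j LOGDROP
# Allowed services; a single jump into the SSH chain is enough.
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j IN_SSH
# Everything else is rejected, as in the wiki's stateful firewall.
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# User chains: rate-limited log then drop; recent-based SSH throttle.
-A LOGDROP -m limit --limit 5/minute --limit-burst 8 -j LOG --log-prefix "IPTables-Dropped: "
-A LOGDROP -j DROP
-A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
-A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
-A IN_SSH -m recent --name sshbf --set -j ACCEPT
COMMIT
EOF
}

# 1-based position of the first rule containing $1 (comment lines skipped),
# so ordering can be asserted before the file is ever loaded.
rule_index() {
    ruleset | grep -v '^#' | awk -v pat="$1" 'index($0, pat) { print NR; exit }'
}
```

Because everything is loaded atomically by iptables-restore, the chain declarations at the top make `-N` lines unnecessary and a typo leaves the old ruleset in place instead of a half-applied one.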
