my iptables configuration

Comments are welcome!

# Generated by iptables-save v1.3.0 on Wed Aug 10 19:31:08 2005
*filter
:FORWARD DROP [0:0]
:INPUT DROP [7:1221]
:OUTPUT ACCEPT [2:130]
:syn_flood - [0:0]
:scan_detect - [0:0]
:invalid_ip - [0:0]
:bad_packet - [0:0]
:in_tcp - [0:0]
:in_udp - [0:0]
:out_tcp - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j invalid_ip
-A INPUT -j bad_packet
-A INPUT -p ipv6-crypt -j ACCEPT
-A INPUT -p ipv6-auth -j ACCEPT
-A INPUT -p tcp --syn -j syn_flood
-A INPUT -j scan_detect
-A INPUT -p tcp -j in_tcp
-A INPUT -p udp -j in_udp
-A OUTPUT -p tcp -j out_tcp
-A OUTPUT -p udp -j ACCEPT
-A in_tcp -p tcp -m state --dport 1024:65535 --state RELATED,ESTABLISHED -j ACCEPT
-A in_tcp -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A in_tcp -p tcp -m state --state NEW,ESTABLISHED -m tcp -s xxx.xxx.xxx.xxx --dport xxxx -j ACCEPT
-A in_tcp -j LOG --log-level info --log-prefix "iptables: [Worm or Scan] "
-A in_tcp -j DROP
-A in_udp -p udp --dport 1024:65535 -j ACCEPT
-A out_tcp -p tcp -o eth0 --sport 25 -j DROP
-A syn_flood -m limit --limit 12/sec --limit-burst 24 -j RETURN
-A syn_flood -j DROP
-A scan_detect -p icmp --icmp-type echo-request -m limit --limit 5/minute -j LOG --log-level info --log-prefix "iptables: [Ping Scan] "
-A scan_detect -p icmp --icmp-type echo-request -m limit --limit 5/minute -j DROP
-A scan_detect -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j LOG --log-level info --log-prefix "iptables: [Stealth Scan] "
-A scan_detect -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j DROP
-A scan_detect -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j LOG --log-level info --log-prefix "iptables: [XMAS Scan] "
-A scan_detect -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j DROP
-A scan_detect -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m -j LOG --log-level info --log-prefix "iptables: [SYN/RST Scan] "
-A scan_detect -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m -j DROP
-A scan_detect -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m -j LOG --log-level info --log-prefix "iptables: [SYN/FIN Scan] "
-A scan_detect -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m -j DROP
-A invalid_ip -s 0.0.0.0 -j DROP
-A invalid_ip -s 10.0.0.0/8 -j DROP
-A invalid_ip -s 169.254.0.0/16 -j DROP
-A invalid_ip -s 172.16.0.0/16 -j DROP
-A invalid_ip -s 192.0.2.0/24 -j DROP
-A invalid_ip -s 192.168.0.0/16 -j DROP
-A invalid_ip -s 224.0.0.0/4 -j DROP
-A invalid_ip -s 240.0.0.0/5 -j DROP
-A invalid_ip -s 248.0.0.0/5 -j DROP
# RFC 1918 space is 172.16.0.0/12; the rule as first posted read 172.0.0.0/12, which is routable address space and must not be dropped
-A invalid_ip -s 172.16.0.0/12 -j DROP
-A invalid_ip -s 192.0.0.0/24 -j DROP
-A invalid_ip -s 255.255.255.255/32 -j DROP
-A invalid_ip -s 127.0.0.0/8 -j DROP
-A bad_packet -p tcp ! --syn -m state --state NEW -j LOG --log-level info --log-prefix "iptables: [Con. w/o SYN] "
-A bad_packet -p tcp ! --syn -m state --state NEW -j DROP
-A bad_packet -p tcp -m state --state INVALID -m limit --limit 10/m -j LOG --log-level info --log-prefix "iptables: [Invalid Packet] "
-A bad_packet -p tcp -m state --state INVALID -m limit --limit 10/m -j DROP
-A bad_packet -p tcp --tcp-option 64 -m limit --limit 5/m -j LOG --log-level info --log-prefix "iptables: [Bad TCP FLAG] "
-A bad_packet -p tcp --tcp-option 64 -m limit --limit 5/m -j DROP
-A bad_packet -p tcp --tcp-option 128 -m limit --limit 5/m -j LOG --log-level info --log-prefix "iptables: [Bad TCP FLAG] "
-A bad_packet -p tcp --tcp-option 128 -m limit --limit 5/m -j DROP
COMMIT
# Completed on Wed Aug 10 19:31:08 2005
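A bogon list like the invalid_ip chain is easy to get subtly wrong, and the mistake is silent: a typo that drops routable space blackholes real peers, and a /16 where a /12 was meant leaves most of an RFC 1918 block unfiltered. The script below is an added example (not code from the post or from iptables): it parses the `-A invalid_ip -s ... -j DROP` lines out of an iptables-save dump with Python's standard `ipaddress` and `shlex` modules and checks every dropped prefix against a reference list of reserved ranges. The embedded chain is a constructed copy of the invalid_ip rules exactly as first posted above (including the 172.0.0.0/12 entry); the reference list, the function names (`audit`, `would_drop`, `dropped_sources`) and the sample source addresses are this example's own, and the RFC 5737/6598 ranges in the list postdate the post.

```python
"""Audit the bogon (invalid_ip) chain of an iptables-save dump."""
import ipaddress
import shlex

# Constructed copy of the invalid_ip chain as first posted, before the
# 172.0.0.0/12 entry was corrected. Only DROP rules with -s are audited.
POSTED_INVALID_IP = """\
-A invalid_ip -s 0.0.0.0 -j DROP
-A invalid_ip -s 10.0.0.0/8 -j DROP
-A invalid_ip -s 169.254.0.0/16 -j DROP
-A invalid_ip -s 172.16.0.0/16 -j DROP
-A invalid_ip -s 192.0.2.0/24 -j DROP
-A invalid_ip -s 192.168.0.0/16 -j DROP
-A invalid_ip -s 224.0.0.0/4 -j DROP
-A invalid_ip -s 240.0.0.0/5 -j DROP
-A invalid_ip -s 248.0.0.0/5 -j DROP
-A invalid_ip -s 172.0.0.0/12 -j DROP
-A invalid_ip -s 192.0.0.0/24 -j DROP
-A invalid_ip -s 255.255.255.255/32 -j DROP
-A invalid_ip -s 127.0.0.0/8 -j DROP
"""

# Reference list (this example's own): ranges that must never be a source
# address on a public interface. RFC 5737 and RFC 6598 postdate the 2005
# post; they are included so the audit also shows what a current list adds.
RESERVED = {
    "0.0.0.0/8": "this network (RFC 1122)",
    "10.0.0.0/8": "private (RFC 1918)",
    "100.64.0.0/10": "shared address space (RFC 6598)",
    "127.0.0.0/8": "loopback (RFC 1122)",
    "169.254.0.0/16": "link-local (RFC 3927)",
    "172.16.0.0/12": "private (RFC 1918)",
    "192.0.0.0/24": "IETF protocol assignments (RFC 6890)",
    "192.0.2.0/24": "TEST-NET-1 (RFC 5737)",
    "192.168.0.0/16": "private (RFC 1918)",
    "198.18.0.0/15": "benchmarking (RFC 2544)",
    "198.51.100.0/24": "TEST-NET-2 (RFC 5737)",
    "203.0.113.0/24": "TEST-NET-3 (RFC 5737)",
    "224.0.0.0/4": "multicast (RFC 5771)",
    "240.0.0.0/4": "reserved, class E (RFC 1112)",
}


def dropped_sources(dump, chain):
    """Return the -s prefix of every '-A <chain> ... -j DROP' rule, in order."""
    nets = []
    for line in dump.splitlines():
        argv = shlex.split(line)
        if argv[:2] != ["-A", chain] or "-s" not in argv or argv[-2:] != ["-j", "DROP"]:
            continue
        # iptables-save writes a bare address for a /32; strict=False also
        # tolerates a prefix written with host bits set.
        nets.append(ipaddress.ip_network(argv[argv.index("-s") + 1], strict=False))
    return nets


def audit(dump, chain="invalid_ip"):
    """Classify each dropped prefix and report reserved ranges not fully covered."""
    dropped = dropped_sources(dump, chain)
    reserved = {ipaddress.ip_network(k): v for k, v in RESERVED.items()}
    report = {"not_reserved": [], "partial": [], "missing": []}
    for net in dropped:
        # A dropped prefix inside no reserved range is routable space:
        # legitimate peers from it are being blackholed.
        if not any(net.subnet_of(r) for r in reserved):
            report["not_reserved"].append(str(net))
    for r, why in reserved.items():
        inside = [n for n in dropped if n.subnet_of(r)]
        # collapse_addresses merges adjacent/nested prefixes, so the sum of
        # sizes is the number of addresses of r that the chain actually drops.
        covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(inside))
        if covered == 0:
            report["missing"].append(f"{r} {why}")
        elif covered < r.num_addresses:
            report["partial"].append(f"{r} {why}")
    return report


def would_drop(dump, src, chain="invalid_ip"):
    """True if the chain drops a packet whose source address is src."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in dropped_sources(dump, chain))


if __name__ == "__main__":
    for key, items in audit(POSTED_INVALID_IP).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
    # Consequence of the typo: routable 172.5.1.1 is dropped, while RFC 1918
    # 172.20.1.1 (outside the /16 that was listed) passes the chain.
    for ip in ("172.5.1.1", "172.20.1.1", "10.1.2.3", "8.8.8.8"):
        print(f"{ip:>12} dropped={would_drop(POSTED_INVALID_IP, ip)}")
```

On the posted chain the audit reports 172.0.0.0/12 as not reserved, 172.16.0.0/12 and 0.0.0.0/8 as only partially covered, and the RFC 2544/5737/6598 ranges as missing; replacing 172.0.0.0/12 with 172.16.0.0/12 clears the first two findings. Run it against the live ruleset with `iptables-save | python3 audit.py` style piping if you adapt `POSTED_INVALID_IP` to `sys.stdin.read()`.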
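The scan_detect chain relies on `--tcp-flags mask comp`, which matches when the flag bits selected by `mask` are exactly `comp` (other bits are ignored); `--syn` is shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN`. Which flag combinations a given rule actually catches is not obvious from reading it, so the script below is an added example (not code from the post or from iptables) that implements that comparison, parses the `--tcp-flags` rules out of a constructed copy of the scan_detect lines above, and reports which log prefix each sample packet would hit. The flag values are the standard TCP header bits; the function names and sample packets are this example's own. Connection tracking (`-m state`) and the `limit` match are not modelled, so this shows only the flag test.

```python
"""Evaluate the --tcp-flags rules of an iptables chain against sample packets."""
import shlex

# TCP flag bits as they appear in the header's flags byte.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Constructed copy of the scan_detect --tcp-flags rules posted above.
POSTED_SCAN_DETECT = """\
-A scan_detect -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j LOG --log-level info --log-prefix "iptables: [Stealth Scan] "
-A scan_detect -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j DROP
-A scan_detect -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j LOG --log-level info --log-prefix "iptables: [XMAS Scan] "
-A scan_detect -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j DROP
-A scan_detect -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m -j LOG --log-level info --log-prefix "iptables: [SYN/RST Scan] "
-A scan_detect -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m -j DROP
-A scan_detect -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m -j LOG --log-level info --log-prefix "iptables: [SYN/FIN Scan] "
-A scan_detect -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m -j DROP
"""


def flag_bits(spec):
    """Turn an iptables flag list ('SYN,ACK', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[f] for f in spec.split(","))


def tcp_flags_match(flags, mask, comp):
    """iptables semantics: look only at the bits in mask, require exactly comp."""
    return (flags & mask) == comp


def is_syn(flags):
    """--syn: SYN set with RST, ACK and FIN clear (PSH/URG are ignored)."""
    return tcp_flags_match(flags, flag_bits("SYN,RST,ACK,FIN"), flag_bits("SYN"))


def parse_tcp_flags_rules(dump, chain):
    """Return (mask, comp, target, log_prefix) for each --tcp-flags rule in chain."""
    rules = []
    for line in dump.splitlines():
        argv = shlex.split(line)
        if argv[:2] != ["-A", chain] or "--tcp-flags" not in argv:
            continue
        i = argv.index("--tcp-flags")
        target = argv[argv.index("-j") + 1]
        prefix = argv[argv.index("--log-prefix") + 1] if "--log-prefix" in argv else None
        rules.append((flag_bits(argv[i + 1]), flag_bits(argv[i + 2]), target, prefix))
    return rules


def classify(flags, rules):
    """Log prefix of the first LOG rule whose flag test matches, else None.

    Each LOG rule in the chain is followed by a DROP with the same match, so
    the first matching LOG prefix names the pair that would catch the packet.
    """
    for mask, comp, target, prefix in rules:
        if target == "LOG" and tcp_flags_match(flags, mask, comp):
            return prefix
    return None


# Sample packets (constructed): common scan signatures and ordinary traffic.
SAMPLES = {
    "normal SYN": flag_bits("SYN"),
    "SYN/ACK reply": flag_bits("SYN,ACK"),
    "bare ACK": flag_bits("ACK"),
    "bare RST": flag_bits("RST"),
    "RST/ACK (closed-port reply)": flag_bits("RST,ACK"),
    "Xmas (FIN,URG,PSH)": flag_bits("FIN,URG,PSH"),
    "NULL (no flags)": 0,
    "SYN/FIN": flag_bits("SYN,FIN"),
    "SYN/RST": flag_bits("SYN,RST"),
    "FIN only": flag_bits("FIN"),
}

if __name__ == "__main__":
    rules = parse_tcp_flags_rules(POSTED_SCAN_DETECT, "scan_detect")
    for name, flags in SAMPLES.items():
        hit = classify(flags, rules) or "(not matched by scan_detect)"
        print(f"{name:<28} syn={is_syn(flags)!s:<5} {hit}")
```

Two things the output makes visible: the "Stealth Scan" rule catches a bare RST but not the RST/ACK a closed port normally sends, and a NULL scan (no flags at all) matches none of the four tests, so it falls through scan_detect and is only handled later by the `! --syn` rule in bad_packet if conntrack marks it NEW.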

-----

Now, I definitely changed a lot of this because I'm using portsentry. In portsentry, at least some packets to the invalid ports must be able to go through the firewall; otherwise, there's no way of detecting scans. (15 Aug. 2005)
