Iptables initial Configuration

Iptables Configuration

*filter

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

Block specific hosts here (one explicit DROP per source address; replace x.x.x.x with the address to block)

-A INPUT -s x.x.x.x -j DROP

Drop packets arriving on the WAN interface that carry RFC 1918 private, link-local or loopback source addresses, and drop multicast, reserved, unspecified and broadcast sources and destinations; such packets on the WAN side can only be spoofed or misrouted.

These rules assume the WAN interface is eth0; adjust the interface name if yours differs.

-A INPUT -i eth0 -s 10.0.0.0/8     -j DROP
-A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12  -j DROP
-A INPUT -i eth0 -s 127.0.0.0/8    -j DROP
-A INPUT -s 224.0.0.0/4      -j DROP
-A INPUT -d 224.0.0.0/4      -j DROP
-A INPUT -s 240.0.0.0/5      -j DROP
-A INPUT -d 240.0.0.0/5      -j DROP
-A INPUT -s 0.0.0.0/8        -j DROP
-A INPUT -d 0.0.0.0/8        -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255  -j DROP

Drop ICMP address-mask and timestamp requests, accept the remaining ICMP at no more than 1 packet/second, and drop whatever exceeds that rate (without the final DROP, excess ICMP would fall through to the later unconditional ICMP accept)

-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
-A INPUT -p icmp -j DROP

Drop Any Invalid Packets

-A INPUT   -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT  -m state --state INVALID -j DROP

Drop bogus TCP packets (all flags set, no flags set, XMAS scans and other illegal flag combinations)

-A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

Drop abnormal and excessive RST packets (Smurf Attacks): accept at most 2 RST/second with a burst of 2, then drop the rest (the DROP is required, otherwise excess RSTs simply continue down the chain)

-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP

Mitigate SYN floods by limiting new TCP connections from any single source to 60/s: every new SYN is recorded in the recent list "synflood", and a SYN that is the 60th from the same source within one second is dropped

-A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --set
-A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP

Block port scanners for a day: any source present in the "portscan" list within the last 86400 seconds is dropped; entries older than that are removed from the list

-A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
-A INPUT   -m recent --name portscan --remove
-A FORWARD -m recent --name portscan --remove

Treat connections to TCP port 139 as scans: add the source to the "portscan" list and write a log entry with the prefix "Portscan:"

-A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

Your Other Allow Rules Start Here

Your accept rules end here; reject everything else in the INPUT and FORWARD chains

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

The recent module may not be configured to track 60 packets per address (its ip_pkt_list_tot parameter defaults to a lower value), so if the 60/s rule fails to load, raise the limit:

echo "options ipt_recent ip_pkt_list_tot=60" >> /etc/modprobe.d/ipt.conf

Now reload the module:

modprobe -r ipt_recent
modprobe ipt_recent

You can view the IPs currently held in each recent list (one file per list name, e.g. synflood and portscan) here:

ls /proc/self/net/xt_recent/
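Each file under that directory lists one entry per source, with the packet timestamps (in jiffies) that the synflood rule's --seconds/--hitcount test is evaluated against. As an added example that is not part of this page, the parser below reads that entry format from a constructed sample and re-applies the rule's "60 hits within 1 second" check offline; the HZ value and the sample entries are assumptions.

```python
"""Parse xt_recent entries (format of /proc/net/xt_recent/<name>) and
re-apply the --update --seconds 1 --hitcount 60 test of the synflood rule."""
import re
from dataclasses import dataclass

# Timestamps in these files are jiffies; HZ is an assumption (kernel CONFIG_HZ).
HZ = 250

_LINE = re.compile(
    r"src=(?P<src>\S+) ttl: (?P<ttl>\d+) last_seen: (?P<last>\d+) "
    r"oldest_pkt: (?P<oldest>\d+)\s*(?P<stamps>[\d,]*)"
)


@dataclass
class RecentEntry:
    src: str
    ttl: int
    last_seen: int      # jiffies of the newest packet
    stamps: list        # jiffies of the last N packets (N <= ip_pkt_list_tot)

    def hits_within(self, seconds, now=None):
        """Packets seen within `seconds` of `now` (default: the newest stamp)."""
        now = self.last_seen if now is None else now
        return sum(1 for s in self.stamps if now - s <= seconds * HZ)

    def triggers(self, seconds, hitcount, now=None):
        """Mirror the kernel check: the rule matches once hits >= hitcount."""
        return self.hits_within(seconds, now) >= hitcount


def parse_recent(text):
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            stamps = [int(s) for s in m["stamps"].split(",") if s]
            entries.append(RecentEntry(m["src"], int(m["ttl"]), int(m["last"]), stamps))
    return entries


def flagged_sources(text, seconds=1, hitcount=60):
    """Sources the synflood rule would drop on their next SYN."""
    return [e.src for e in parse_recent(text) if e.triggers(seconds, hitcount)]


# Constructed sample, not real kernel output: 60 SYNs from one source inside
# one second (250 jiffies at HZ=250), and 3 SYNs spread over ten seconds.
SAMPLE = (
    "src=192.0.2.10 ttl: 64 last_seen: 4295012500 oldest_pkt: 0 "
    + ",".join(str(4295012500 - 4 * i) for i in range(60)) + "\n"
    "src=198.51.100.7 ttl: 128 last_seen: 4295013000 oldest_pkt: 0 "
    "4295010500,4295011700,4295013000\n"
)

if __name__ == "__main__":
    print(flagged_sources(SAMPLE))  # → ['192.0.2.10']
```

Point it at a real list with `flagged_sources(open("/proc/net/xt_recent/synflood").read())` after setting HZ to your kernel's value.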