SOLVED Re: iptables: block source-ip after connect to port

On 04.01.2012 06:54, Reindl Harald wrote:
> hi
> 
> i would like to drop all incoming packets of any IP that tried
> to connect to telnet (port 23), which is meant as a trap
> for port-scans; there are some samples out there but i got
> none of them working until now :-(
> 
> iptables -N port-scan
> iptables -A port-scan -p tcp --dport 23 --tcp-flags ALL SYN -m limit --limit 3/m --limit-burst 5 -j LOG --log-prefix "portscan trap: "
> iptables -A port-scan -p tcp --dport 23 --tcp-flags ALL SYN -m recent --update --seconds 60 -j RETURN
> iptables -A port-scan -j DROP

that does the trick (loopback device and LAN excluded)

unused ports directly before common services are the triggers;
after touching one of them, every packet to the machine from
that source IP is rejected for 10 seconds, so someone who tries
ports 1-1024 in ascending order closes port 80 for himself
directly before testing it

this should help to prevent many port-scans

# trap ports: unused ports sitting directly before common services
PORTSCAN_TRIGGERS="19,23,24,52,79,109,142,442,464,586,992,994"
# 1) source seen on a trap port within the last 10 s: reject everything from it
iptables -A INPUT ! -i lo ! -s 10.0.0.0/24 -m recent --name portscan --rcheck --seconds 10 -j REJECT
# 2) entries older than 10 s are removed again (--rcheck above does not refresh the timestamp)
iptables -A INPUT ! -i lo ! -s 10.0.0.0/24 -m recent --name portscan --remove
# 3) log hits on trap ports, rate limited
iptables -A INPUT ! -i lo ! -s 10.0.0.0/24 -p tcp -m multiport --destination-port $PORTSCAN_TRIGGERS -m limit --limit 10/m -j LOG --log-prefix "Portscan: "
# 4) record the source in the "portscan" list and reject the probe
iptables -A INPUT ! -i lo ! -s 10.0.0.0/24 -p tcp -m multiport --destination-port $PORTSCAN_TRIGGERS -m tcp -m recent --name portscan --set -j REJECT
______________________________

the following rules filter out a lot of other unwanted
packets, including alternative nmap port-scan techniques

# packets that conntrack cannot assign to any connection
iptables -A INPUT ! -i lo -m state --state INVALID -j DROP
# impossible flag combinations (SYN+FIN, SYN+RST, FIN+RST) used by scan tools
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN, PSH or URG without ACK (FIN scan and Xmas variants)
iptables -A INPUT ! -i lo -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL FIN -j DROP
# a new connection has to start with a plain SYN
iptables -A INPUT ! -i lo -p tcp ! --syn -m state --state NEW -j DROP
# second and further fragments
iptables -A INPUT ! -i lo -f -j DROP
# Xmas (all flags set) and Null (no flags set) scans
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL NONE -j DROP
# loopback source addresses arriving on a real interface are spoofed
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

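To see exactly what the `-m recent` trap above does to a scanner, here is an offline model of it. This is an added example, not code from the post or from netfilter: it imitates the semantics of `--set`, `--rcheck --seconds N` and `--remove` on one `recent` list and walks packets through the four INPUT rules in the posted order. The addresses, port orders and the assumed 5 ms spacing between probes are constructed test data.

```python
"""Offline model of the xt_recent port-scan trap from the post above.

Added example, not code from the original post: it imitates the semantics of
'-m recent --set', '--rcheck --seconds N' and '--remove' and walks packets
through the four INPUT rules in the posted order, so the trap can be reasoned
about without a real netfilter stack. All addresses, port orders and timings
are constructed test data; the assumed per-probe spacing is 5 ms.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable

TRIGGER_PORTS = {19, 23, 24, 52, 79, 109, 142, 442, 464, 586, 992, 994}
BLOCK_SECONDS = 10          # --rcheck --seconds 10
LAN_PREFIX = "10.0.0."      # stands in for '! -s 10.0.0.0/24'


@dataclass
class RecentList:
    """One xt_recent list ('--name portscan'): address -> last-seen time."""
    last_seen: Dict[str, float] = field(default_factory=dict)

    def set(self, src: str, now: float) -> None:
        # --set: add the address, or refresh its timestamp if already listed
        self.last_seen[src] = now

    def rcheck(self, src: str, now: float, seconds: float) -> bool:
        # --rcheck --seconds N: match if listed and seen within N seconds;
        # unlike --update this does not touch the timestamp
        seen = self.last_seen.get(src)
        return seen is not None and now - seen <= seconds

    def remove(self, src: str) -> bool:
        # --remove: match (and delete) only if the address is listed
        return self.last_seen.pop(src, None) is not None


@dataclass
class TrapFirewall:
    recent: RecentList = field(default_factory=RecentList)

    def input_chain(self, src: str, dport: int, now: float, iface: str = "eth0") -> str:
        """Verdict for one TCP packet, following the posted rule order."""
        if iface == "lo" or src.startswith(LAN_PREFIX):
            return "ACCEPT"               # '! -i lo ! -s 10.0.0.0/24' rules are skipped
        if self.recent.rcheck(src, now, BLOCK_SECONDS):
            return "REJECT"               # rule 1: trapped within the last 10 s
        self.recent.remove(src)           # rule 2: a stale entry is forgotten
        if dport in TRIGGER_PORTS:        # rules 3/4: trap port hit (LOG is non-terminating,
            self.recent.set(src, now)     # so it never changes the verdict)
            return "REJECT"
        return "ACCEPT"                   # falls through to the normal service rules


def scan(fw: TrapFirewall, src: str, ports: Iterable[int],
         start: float = 0.0, spacing: float = 0.005) -> Dict[int, str]:
    """Probe ports in the given order, `spacing` seconds apart; return port -> verdict."""
    return {p: fw.input_chain(src, p, start + i * spacing) for i, p in enumerate(ports)}


def sequential_scan() -> Dict[int, str]:
    """nmap -r style 1..1024: port 19 trips the trap, so 80 and 443 are never reachable."""
    return scan(TrapFirewall(), "203.0.113.5", range(1, 1025))


def randomized_scan() -> Dict[int, str]:
    """Port order like nmap's default random order: 80 can be probed before any trap port."""
    return scan(TrapFirewall(), "203.0.113.5", [443, 80, 22, 19, 25])


def lockout_window() -> Dict[str, str]:
    """The block lasts 10 s from the trap hit; continued probing does not extend it."""
    fw = TrapFirewall()
    fw.input_chain("203.0.113.5", 19, 0.0)
    return {
        "5s": fw.input_chain("203.0.113.5", 80, 5.0),
        "10.5s": fw.input_chain("203.0.113.5", 80, 10.5),
    }


def spoofed_trigger() -> str:
    """One packet with a forged source locks the real owner of that address out for 10 s."""
    fw = TrapFirewall()
    fw.input_chain("198.51.100.9", 23, 0.0)          # forged source, trap port
    return fw.input_chain("198.51.100.9", 22, 1.0)   # the real host's SSH attempt


if __name__ == "__main__":
    seq = sequential_scan()
    print("sequential: 19 ->", seq[19], "| 80 ->", seq[80], "| 443 ->", seq[443])
    rnd = randomized_scan()
    print("randomized: 80 ->", rnd[80], "| 25 ->", rnd[25])
    print("lockout window:", lockout_window())
    print("spoofed trigger, victim's SSH:", spoofed_trigger())
```

Two caveats the model makes visible: nmap randomizes port order by default (sequential order needs `-r`), so a default scan may probe 80 or 443 before it ever touches a trap port; and the `--set` rule matches any TCP packet to a trap port with no `--syn` or state restriction, so a single packet with a forged source address lists that address and rejects the real host behind it for 10 seconds, which is why the trap rules exclude the LAN and why other critical peers (gateway, resolvers, monitoring) are worth excluding as well. The kernel also keeps only a bounded number of addresses per `recent` list (module parameter ip_list_tot, default 100), so a wide scan from many sources evicts older entries.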

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx