Hi all, I'm trying to detect and block port scans, and I'm using the rules below. It doesn't work: I have run a lot of port scans and not one of them has been detected. What is wrong? Thanks.

RULES:

```sh
$IPTABLES -F NOVA_CONEXAO
$IPTABLES -X NOVA_CONEXAO > /dev/null

## NAT
$IPTABLES -t nat -F

$IPTABLES -N NOVA_CONEXAO

## New packets (everything except ICMP arriving on the external interface)
$IPTABLES -A INPUT -i $EXTIF -p ! icmp -m state --state NEW -j NOVA_CONEXAO

## PortScanners - Detection
#$IPTABLES -A NOVA_CONEXAO -j LOG --log-prefix "############################"

## NMAP FIN/URG/PSH
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 2/s -j LOG --log-prefix "(Nmap) Stealth XMAS Scan: "

# SYN/RST
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 2/s -j LOG --log-prefix "SYN/RST Scan: "

# SYN/FIN (probably)
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 2/s -j LOG --log-prefix "SYN/FIN Scan(?): "

# NMAP FIN Stealth
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL FIN -m limit --limit 2/s -j LOG --log-prefix "(Nmap) Stealth FYN Scan: "

# ALL/ALL Scan
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL ALL -m limit --limit 2/s -j LOG --log-prefix "ALL/ALL Scan: "

# NMAP Null Scan (probably)
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL NONE -m limit --limit 2/s -j LOG --log-prefix "(Nmap) Stealth Null Scan(?): "

## Now Dropping
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL FIN -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A NOVA_CONEXAO -p tcp --tcp-flags ALL NONE -j DROP

################################
## Now my rules..... INPUT
```