--- Jorge Garcia <anarkophobia@xxxxxxxxxxxxx> wrote:

> Hi, I need an example of a script (please, I need an example that works, because
> I found a lot on the internet that don't work) for logging and dropping port
> scans with iptables.
> thanx

This is what I use and it works very well. You will need to allow services (if you have any, that is). Those rules must be placed before these lines. Also, of course, you must have the device reflect your internet device.

# NMAP and Connection killer #
#
# Log every new inbound TCP connection attempt, then drop it; only traffic
# belonging to (or related to) connections this host already has gets through.
iptables -A INPUT -p tcp -i eth0 -m state --state NEW -j LOG
iptables -A INPUT -p tcp -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# UDP Filters #
#
# The UDP LOG rule is left commented out, so unsolicited UDP is dropped silently.
#iptables -A INPUT -p udp -i eth0 -m state --state NEW,INVALID -j LOG
iptables -A INPUT -p udp -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -p udp -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# ICMP Filtration #
iptables -A INPUT -p icmp -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -p icmp -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Proof that it works?
hogwarts:~# iptables -vnL
Chain INPUT (policy ACCEPT 789K packets, 166M bytes)
 pkts bytes target     prot opt in     out     source               destination
15813 1383K LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 LOG flags 0 level 4
 2137  128K DROP       all  --  eth0   *       12.175.0.35          0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       68.1.132.236         0.0.0.0/0
13676 1255K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
 3727  208K DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
 2516 3759K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  27M 3361M DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
 1543  227K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 1697 1426K DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
  133  7448 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 11M packets, 3359M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1452K packets, 1121M bytes)
 pkts bytes target     prot opt in     out     source               destination

=====
In the absence of order there will be chaos.
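The LOG rule above only writes each new connection attempt to the kernel log; telling a port scan apart from ordinary retries still means reading those lines. As an added example (not code from the post), this script parses the key=value lines the iptables LOG target emits and reports sources that probed many distinct TCP ports. The log lines and addresses are constructed samples, and the threshold of five ports is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample kernel-log lines in the key=value layout the iptables LOG
# target produces (trimmed to the fields used here); not output from the post.
SAMPLE_LOG = """\
Jan  5 10:00:01 hogwarts kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=44 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 SYN URGP=0
Jan  5 10:00:01 hogwarts kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=44 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 SYN URGP=0
Jan  5 10:00:01 hogwarts kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=44 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 SYN URGP=0
Jan  5 10:00:02 hogwarts kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=44 PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 SYN URGP=0
Jan  5 10:00:02 hogwarts kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=44 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 SYN URGP=0
Jan  5 10:00:02 hogwarts kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=44 PROTO=TCP SPT=40006 DPT=443 WINDOW=1024 SYN URGP=0
Jan  5 10:00:03 hogwarts kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 SYN URGP=0
Jan  5 10:00:04 hogwarts kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 SYN URGP=0
Jan  5 10:00:05 hogwarts kernel: IN=eth0 OUT= SRC=192.0.2.88 DST=198.51.100.4 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

# Only the fields needed to attribute a probe to a source and a destination port.
FIELD_RE = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")


def parse_log_line(line):
    """Return {'src', 'proto', 'dpt'} for an iptables LOG line, or None if it has no SRC field."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields:
        return None  # not a LOG line (or truncated): skip rather than guess
    return {"src": fields["SRC"], "proto": fields.get("PROTO"), "dpt": fields.get("DPT")}


def find_scanners(log_text, min_ports=5):
    """Map each source that hit at least min_ports distinct TCP ports to those ports (sorted).

    One host touching many different ports is the signature of a port scan; repeated
    hits on a single port (a client retrying port 80, say) do not raise the count.
    """
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"]:
            ports_by_src[rec["src"]].add(int(rec["dpt"]))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(ports)} distinct TCP ports: {ports}")
```

Against real logs, feed it the output of `grep 'IN=eth0' /var/log/kern.log` (path varies by distribution) and tune `min_ports` to how noisy your network is.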