Re: How do you think about this....

Sorry I forgot the attachment (again) :-)

>
> The iptables rules are in the attachment... (almost forgot this) :-)
>
> I have a gateway with a firewall function; it has 4 interfaces:
>
> 			OUTSIDE NETWORK
> 			     ||
> 			    eth0
> 			167.205.30.75
> 	_____________________||________________________
>     eth1		     eth2			eth3
> 167.205.102.0/26	167.205.102.64/27	167.205.102.128/27
>
> The gateway is just running SMTP and ssh; I want to log and prevent (as much
> as I can) port scans from the outside. I was able to slow down nmap
> from about 50 seconds to about 250 seconds, scanning from another host (on
> the outside network) to my internal box (167.205.102.2).
> Can somebody tell me how to increase this (slow down nmap) some more? Any
> suggestions would be good too...
>
> Sorry for my English....
>
> Regards, D. Prima Prayudi
>
> IPv6-enabled
> ARC-ITB 2001:d30:3:160::2/64
>
>
#!/bin/bash
# Load the connection-tracking helpers for FTP and IRC (old ip_conntrack_*
# module names; on current kernels they are nf_conntrack_ftp / nf_conntrack_irc)
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
# reset all rules: flush every chain, delete user-defined chains, zero counters
iptables -F
iptables -X
iptables -Z


# THE UDP-INPUT RULES
# accept all UDP input unconditionally (no port restriction at all)
iptables -N udp_input
iptables -A udp_input -j ACCEPT


# THE INVALID-TCP RULES
# log and drop all strange / invalid packets; anything not matched here
# returns to the calling chain
iptables -N invalid_tcp
# an unsolicited SYN/ACK (no outgoing SYN in the conntrack table). This check
# must come before the generic "NEW but not SYN" rule below, because a SYN/ACK
# also matches "! --syn" and would otherwise never be logged with this prefix
iptables -A invalid_tcp -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j ULOG \
	--ulog-prefix "!!_SPOOFED_TCP_!! "
iptables -A invalid_tcp -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
# a NEW connection that does not start with a bare SYN (ACK / FIN / Xmas probes)
iptables -A invalid_tcp -p tcp ! --syn -m state --state NEW -j ULOG \
	--ulog-prefix "!!_NEW_NOT_SYN_!! "
iptables -A invalid_tcp -p tcp ! --syn -m state --state NEW -j DROP
# packets conntrack cannot associate with any known connection
iptables -A invalid_tcp -p tcp -m state --state INVALID -j ULOG \
	--ulog-prefix "!!_INVALID_TCP_!! "
iptables -A invalid_tcp -p tcp -m state --state INVALID -j DROP
# NULL scan: none of SYN, ACK, FIN, RST set
iptables -A invalid_tcp -p tcp --tcp-flags SYN,ACK,FIN,RST NONE -j ULOG \
	--ulog-prefix "!!_TCP_NULL_!! "
iptables -A invalid_tcp -p tcp --tcp-flags SYN,ACK,FIN,RST NONE -j DROP


# THE TCP-INPUT RULES
# only accept new TCP connections to these ports on the gateway itself
iptables -N tcp_input
iptables -A tcp_input -p tcp --syn --dport 22 -j ACCEPT
iptables -A tcp_input -p tcp --syn --dport 25 -j ACCEPT
iptables -A tcp_input -p tcp --syn --dport 113 -j ACCEPT
# replies and related traffic for connections already in the conntrack table
# (-m state --state and -m conntrack --ctstate are equivalent here, so one rule is enough)
iptables -A tcp_input -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# trap port-scan to these ports: log the probe (the last rule then drops it)
iptables -A tcp_input -p tcp -m multiport --dports 79,1023 -j ULOG \
	--ulog-prefix "!!_PORT_SCAN_!! "
# finally drop every other TCP packet
iptables -A tcp_input -j DROP


# THE TCP-WWW RULES
# for the internal server: accept new TCP connections only to these ports
iptables -N tcp_www
iptables -A tcp_www -p tcp -j invalid_tcp
iptables -A tcp_www -p tcp --syn --dport 21 -j ACCEPT
iptables -A tcp_www -p tcp --syn --dport 22 -j ACCEPT
iptables -A tcp_www -p tcp --syn --dport 25 -j ACCEPT
iptables -A tcp_www -p tcp --syn --dport 80 -j ACCEPT
iptables -A tcp_www -p tcp --syn --dport 110 -j ACCEPT
iptables -A tcp_www -p tcp --syn --dport 113 -j ACCEPT
iptables -A tcp_www -p tcp --syn --dport 143 -j ACCEPT
iptables -A tcp_www -p tcp --syn --dport 3130 -j ACCEPT
iptables -A tcp_www -p tcp --syn --dport 8080 -j ACCEPT
# replies and related traffic (one rule is enough; -m conntrack would be equivalent)
iptables -A tcp_www -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# to trap port scans: unlike tcp_input, probes to 79 and 1023 are passed on
# to the server here instead of being logged by the firewall
iptables -A tcp_www -p tcp -m multiport --dports 79,1023 -j ACCEPT
iptables -A tcp_www -j DROP


# THE WWW-RULES
# TCP goes through tcp_www; every other protocol to this host is accepted
iptables -N www_rules
iptables -A www_rules -p tcp -j tcp_www
iptables -A www_rules -j ACCEPT

#
# THE REAL RULES
# Begin here. No default policies are set (there is no "iptables -P ..."), so
# anything not matched below falls through to the built-in ACCEPT policy.
# THE INPUT RULES
# drop packets claiming a private source address
iptables -A INPUT -s 192.168.0.0/24 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -p udp -j udp_input
iptables -A INPUT -p tcp -j invalid_tcp
iptables -A INPUT -p tcp -j tcp_input

# THE FORWARD RULES
iptables -A FORWARD -s 192.168.0.0/24 -j DROP
iptables -A FORWARD -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -d 167.205.102.0/24 -j invalid_tcp
# allow forward to own interface (gate.fsrd)
# (packets addressed to the gateway's own addresses are delivered through the
# INPUT chain, not FORWARD, so rules for the gateway's own interface
# addresses never match here)
iptables -A FORWARD -d 167.205.30.75 -j ACCEPT
iptables -A FORWARD -d 167.205.102.1 -j ACCEPT
iptables -A FORWARD -d 167.205.102.65 -j ACCEPT
iptables -A FORWARD -d 167.205.102.130 -j ACCEPT
# FSRD SERVER, ROUTER, ART, DKV
iptables -A FORWARD -d 167.205.102.2 -j www_rules
iptables -A FORWARD -d 167.205.102.3 -j ACCEPT
iptables -A FORWARD -d 167.205.102.66 -j ACCEPT
# (167.205.102.130 is already accepted above, so this rule is never reached)
iptables -A FORWARD -d 167.205.102.130 -j ACCEPT
# only accept non-privileged ports to clients; any other traffic forwarded to
# the /24 falls through to the built-in ACCEPT policy
iptables -A FORWARD -d 167.205.102.0/24 -p tcp --dport 1:1023 -j REJECT
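The poster's script slows a scan only by dropping probes. One further step, shown here as an added example that is not the poster's script, is to throttle NEW inbound TCP connections per source with the `limit` and `recent` matches: a source that opens more than a handful of connections within a minute is logged and dropped outright, and everyone else is held to a few new connections per second before the normal rules even see the packet. It assumes eth0 is the outside interface from the poster's diagram, that the xt_limit and xt_recent match modules are available, and it uses the kernel LOG target where the poster used ULOG. With DRY_RUN=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not the poster's script: throttle NEW inbound TCP connections
# per source so a scanner gets fewer answers per second and is cut off once it
# opens too many connections within a minute.
# Assumptions: eth0 is the outside interface (from the poster's diagram), the
# xt_limit and xt_recent match modules are loaded, and the LOG target stands
# in for the ULOG target used in the poster's script.

IPT=${IPT:-iptables}
OUTSIDE_IF=${OUTSIDE_IF:-eth0}
# new connections per 60 s after which a source is dropped (must stay <= the
# xt_recent ip_pkt_list_tot parameter, 20 by default, or the rule will not load)
MAX_NEW_PER_MIN=${MAX_NEW_PER_MIN:-10}

# Run iptables, or only print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# User chain that every NEW TCP connection from the outside is sent through.
build_scan_throttle() {
    ipt -N scan_throttle
    # record (or refresh) the source address in the "scanners" list
    ipt -A scan_throttle -m recent --name scanners --set
    # a source seen MAX_NEW_PER_MIN times in the last 60 s: log it (the LOG
    # rule is itself rate-limited so the log cannot be flooded) and drop it
    ipt -A scan_throttle -m recent --name scanners --update --seconds 60 \
        --hitcount "$MAX_NEW_PER_MIN" -m limit --limit 3/min \
        -j LOG --log-prefix "!!_SCAN_THROTTLE_!! "
    ipt -A scan_throttle -m recent --name scanners --rcheck --seconds 60 \
        --hitcount "$MAX_NEW_PER_MIN" -j DROP
    # everyone else: at most 5 new connections/s (burst 10) return to the
    # caller's normal rules; the excess is dropped
    ipt -A scan_throttle -m limit --limit 5/s --limit-burst 10 -j RETURN
    ipt -A scan_throttle -j DROP
}

# Hook the chain in front of the existing INPUT and FORWARD rules.
install_hooks() {
    ipt -I INPUT 1 -i "$OUTSIDE_IF" -p tcp --syn -m conntrack --ctstate NEW -j scan_throttle
    ipt -I FORWARD 1 -i "$OUTSIDE_IF" -p tcp --syn -m conntrack --ctstate NEW -j scan_throttle
}

# Print the complete rule set without touching the kernel (for review).
generate_rules() {
    ( DRY_RUN=1; build_scan_throttle; install_hooks )
}

# Usage: sh scan_throttle.sh print   (show the rules)
#        sh scan_throttle.sh load    (install them, as root)
case "${1:-}" in
    print) generate_rules ;;
    load)  build_scan_throttle; install_hooks ;;
esac
```

Because the `--set` rule runs before the drop, a source that keeps probing keeps refreshing its own entry and stays blocked until it has been quiet for 60 seconds; the addresses currently in the list can be read from /proc/net/xt_recent/scanners (on older kernels /proc/net/ipt_recent/scanners). Established connections are unaffected, since only packets in state NEW are sent through the chain.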



