Thank you for the reply.

This was the log from one of my clients who was attacked from a client on another subnet. My network consists of clients from different subnets of /24. The attacks from one subnet travel through my linux router and hit the client on the other subnet. I tried a few rules as below, but they seem not to be working.

-----------Cut From fwscript.sh-------------------------
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

iptables -F
iptables -t nat -F
iptables -t mangle -F

iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m length --length 92 -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 10/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p ip -f -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
-----------------------------------------------

Regards,
Rikunj Patel

----- Original Message -----
From: "Jason Opperisano" <opie@xxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Thursday, April 28, 2005 5:16 PM
Subject: Re: How to stop the flood?

> On Thu, Apr 28, 2005 at 04:35:14PM +0300, Rikunj wrote:
> > Hello All,
> >
> > I am seeing lots of this kind of scanning flood attack from different IP
> > within my network and even from outside.
> >
> > How can I stop and protect from this kind of attack?
>
> the word "blocked" means, well...blocked. so you already are
> "protecting"...
>
> as for "stopping," go to the person sitting at 192.168.25.208 and kick
> their teeth down their throat.
>
> -j
>
> --
> "Peter: Wow, it's like I died and went to heaven, then God realized it
> wasn't my time yet, so He sent me back to a brewery."
> --Family Guy