SOLVED Re: iptables: block source-ip after connect to port

Reindl Harald h.reindl at thelounge.net
Wed Jan 4 19:02:50 UTC 2012


On 04.01.2012 06:54, Reindl Harald wrote:
> hi
> 
> i would like to drop all incoming packets of any ip that tried
> to connect to telnet (port 23) which is meant as a trap
> for port-scans, there are some samples out there but i got
> none of them working until now :-(
> 
> iptables -N port-scan
> iptables -A port-scan -p tcp --dport 23 --tcp-flags ALL SYN -m limit --limit 3/m --limit-burst 5 -j LOG --log-prefix "portscan trap: "
> iptables -A port-scan -p tcp --dport 23 --tcp-flags ALL SYN -m recent --update --seconds 60 -j RETURN
> iptables -A port-scan -j DROP

that does the trick (loopback-device and LAN excluded)

unused ports directly before common services are the triggers,
and after touching one of them every packet to the machine from
that source-ip is rejected for 10 seconds, so if someone tries ports
from 1-1024 in ascending order he would close port 80 directly
before testing it

this should help to prevent many port-scans

PORTSCAN_TRIGGERS="19,23,24,52,79,109,142,442,464,586,992,994"
iptables -A INPUT ! -i lo ! -s 10.0.0.0/24 -m recent --name portscan --rcheck --seconds 10 -j REJECT
iptables -A INPUT ! -i lo ! -s 10.0.0.0/24 -m recent --name portscan --remove
iptables -A INPUT ! -i lo ! -s 10.0.0.0/24 -p tcp -m multiport --destination-port $PORTSCAN_TRIGGERS -m limit --limit 10/m -j LOG --log-prefix "Portscan: "
iptables -A INPUT ! -i lo ! -s 10.0.0.0/24 -p tcp -m multiport --destination-port $PORTSCAN_TRIGGERS -m tcp -m recent --name portscan --set -j REJECT
______________________________

the following rules filter out a lot of other unwanted
packets including alternate techniques of nmap for portscans

iptables -A INPUT ! -i lo -m state --state INVALID -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL FIN -j DROP
iptables -A INPUT ! -i lo -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT ! -i lo -f -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

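Added example (not the author's script): a small Python model of how the three "portscan" rules above act on a packet sequence, in INPUT order (--rcheck, --remove, --set). It uses the trigger ports and the 10-second window from the post and constructed addresses for the scanner and the 10.0.0.0/24 LAN exclusion; it makes visible that --rcheck only reads the timestamp (further probes do not extend the ban, as --update would) and that the --remove rule clears the entry on the first packet after the window.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the post's values: the trigger ports from
# PORTSCAN_TRIGGERS, the '! -s 10.0.0.0/24' exclusion and the 10-second window.
TRIGGERS = {19, 23, 24, 52, 79, 109, 142, 442, 464, 586, 992, 994}
LAN_PREFIX = "10.0.0."
BAN_SECONDS = 10


@dataclass
class PortscanTrap:
    """Models the three 'portscan' rules in INPUT order; `seen` stands in for
    the recent list (source ip -> timestamp written by --set)."""
    seen: dict = field(default_factory=dict)

    def verdict(self, t, src, dport=None, iface="eth0"):
        # Every rule carries '! -i lo ! -s 10.0.0.0/24', so these never match.
        if iface == "lo" or src.startswith(LAN_PREFIX):
            return "PASS"
        # Rule 1: --rcheck --seconds 10 -> REJECT while the entry is fresh.
        # --rcheck only reads the timestamp; it does not extend the ban.
        if src in self.seen and t - self.seen[src] < BAN_SECONDS:
            return "REJECT"
        # Rule 2: --remove -> the first packet after the window clears the entry.
        self.seen.pop(src, None)
        # Rule 3: a TCP packet to a trigger port creates the entry (--set) and
        # is itself rejected; anything else falls through to the rest of INPUT.
        if dport in TRIGGERS:
            self.seen[src] = t
            return "REJECT"
        return "PASS"


def ascending_scan(src, first, last, step=0.1):
    """Verdict per port for a scanner walking first..last upward, one probe
    every `step` seconds, against a fresh rule set."""
    trap = PortscanTrap()
    return {p: trap.verdict(i * step, src, p)
            for i, p in enumerate(range(first, last + 1))}


if __name__ == "__main__":
    v = ascending_scan("198.51.100.7", 19, 80)  # constructed scanner address
    print("port 19:", v[19], " port 22:", v[22], " port 80:", v[80])
```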
