
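############### START SCRIPT ###########
# Bring the iptables service up, show what is currently loaded, then clear
# the filter table so the rules below start from a known-empty state.
service iptables start
service iptables status

# -n lists addresses and ports numerically; without it iptables tries to
# resolve every address (slow, and it sends DNS lookups for blocked sources).
iptables -L -n -v

# -F flushes the rules of every chain in the filter table but leaves the
# user-defined chains themselves and the chain policies in place. -X then
# deletes the (now empty and unreferenced) user-defined chains, so the
# "iptables -N ..." calls later in this script do not fail with
# "Chain already exists" when the script is re-run; -Z zeroes the counters.
# NOTE(review): only the filter table is touched; nat/mangle rules, if any,
# stay. The INPUT/FORWARD policies are not reset here, so on a re-run after
# a previous "service iptables save" the host runs with a DROP policy and no
# rules until the rules below have been re-added.
iptables -F
iptables -X
iptables -Z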

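############### LOOPBACK ###############
# Everything on the loopback interface is trusted. This must stay ahead of
# the 127.0.0.0/8 anti-spoof drop further down, or local services break.
iptables -A INPUT  -i lo -p all -j ACCEPT -m comment --comment " Allow Loopback "
iptables -A OUTPUT -o lo -p all -j ACCEPT
############### LOOPBACK ###############

############# ANTI-SPY #################
# Static blocklist of crawler / spammer sources.
# NOTE(review): these entries are dated (one is stamped "10/05") and address
# ownership changes; re-verify them before keeping a permanent drop.
# reject whois.sc/domaintools.com bots:
iptables -A INPUT -s 64.246.160.0/19  -j DROP -m comment --comment " Whois.sc bot "
iptables -A INPUT -s 66.249.160.0/23  -j DROP -m comment --comment " domaintools bot #1 "
iptables -A INPUT -s 216.145.0.0/19   -j DROP -m comment --comment " domaintools bot #2 "
# reject Nexgen ( PHP Tracker ) bots:
iptables -A INPUT -s 88.163.156.141   -j DROP -m comment --comment " nexen bot # 1"
iptables -A INPUT -s 217.174.223.0/24 -j DROP -m comment --comment " nexen bot # 2"
# Spammer from Taiwan looking for an SMTP open relay. The original wrote the
# prefix as 118.165.0.1/16 (host bits set); iptables masks it to the same
# /16, but the canonical form is easier to audit.
iptables -A INPUT -s 118.165.0.0/16 -p tcp --dport 25 -j DROP -m comment --comment " dynamic.hinet spam "
# reject an IP ( referer spam ) + add timestamp:
iptables -A INPUT -s 66.34.204.26 -j DROP -m comment --comment " keywordsspy.com - 10/05 @ 17:53 "

# Reject packets whose source or destination can never legitimately arrive
# from outside: RFC 1918 private space, link-local, loopback, "this"
# network, multicast and the limited broadcast address (i.e. spoofed).
# The original list omitted 192.168.0.0/16, the third RFC 1918 block; it is
# added here. 224.0.0.0/5 and 239.255.255.0/24 from the original are
# dropped as separate rules because 224.0.0.0/4 already contains them.
# NOTE(review): these rules are not bound to an interface. The rest of this
# script treats eth1 as the Internet-facing interface; if this host also
# has an interface on private address space, add "-i eth1" to these rules.
for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 127.0.0.0/8 0.0.0.0/8 224.0.0.0/4; do
  iptables -A INPUT -s "$net" -j DROP
done
for net in 0.0.0.0/8 224.0.0.0/4 255.255.255.255; do
  iptables -A INPUT -d "$net" -j DROP
done
############# ANTI-SPY #################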

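############### SESSION ESTABLISHED ####
# Packets that conntrack cannot associate with any connection (bad TCP
# flag combinations, out-of-window segments, truncated packets) are dropped
# here; later rules that match on protocol alone (e.g. the ICMP accept)
# would otherwise let them through.
# NOTE(review): with asymmetric routing conntrack marks legitimate packets
# INVALID as well; verify on a multi-homed host.
iptables -A INPUT -i eth1 -m state --state INVALID -j DROP
# Replies and related traffic (ICMP errors, FTP data, ...) for connections
# this host already tracks on the Internet-facing interface eth1. Every
# ESTABLISHED-only accept elsewhere in this script is redundant with this.
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
############### SESSION ESTABLISHED ####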

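############### WEB ####################
# Accept new HTTP connections from the Internet on eth1. ESTABLISHED is
# listed for clarity only; the general ESTABLISHED,RELATED rule already
# covers the remainder of each connection.
iptables -A INPUT  -i eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Replies from the local web server leave eth1 with SOURCE port 80. The
# original only matched --dport 80 here, which describes this host acting as
# an HTTP client, not its server replies; the DNS and SMTP OUTPUT rules in
# this script use --sport. Both forms are kept so nothing that worked
# before stops working.
# NOTE(review): this script never sets an OUTPUT policy, so these two rules
# only matter if the loaded OUTPUT policy is DROP.
iptables -A OUTPUT -o eth1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
############### WEB ####################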

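################# DOMAIN ################
# NOTE(review): all four DNS rules match --state ESTABLISHED only, so they
# never admit a new query from eth1 (that would need NEW). Replies to this
# host's own lookups arrive with --sport 53 and are already accepted by the
# general ESTABLISHED,RELATED rule, so as written these are effectively
# no-ops. They are kept unchanged so the host's exposure does not change,
# and inserted (-I) at the head of the chain exactly like the original.
iptables -I INPUT  -i eth1 -p udp -m udp --dport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -I OUTPUT -o eth1 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT  -i eth1 -p tcp -m tcp --dport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -I OUTPUT -o eth1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth1 -p tcp --dport 953 -j ACCEPT
#iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
################# DOMAIN ################

################## SSH ##################
# sshd listens on 2199. Brute-force throttle with the "recent" module: a
# source that opens 5 or more NEW connections within 600 s is dropped (and
# each further attempt refreshes its timer); from the 2nd attempt on, the
# connection is logged. The rules are inserted at explicit positions so
# they are evaluated in the order written here (DROP, LOG, ACCEPT). The
# original used bare "-I" three times, which puts the last-written rule
# first and so produced this same order by reversal.
#
# Fixes against the original:
#  * the accept rule matched NEW,ESTABLISHED and ran --set on every packet,
#    so an open session kept inflating the hit count for its source and a
#    second login from the same address (e.g. scp next to a shell) was
#    dropped once 5 recent packets had been recorded; --set now runs for
#    NEW connections only. ESTABLISHED packets fall through to the general
#    ESTABLISHED,RELATED rule.
#  * "--j ACCEPT" (getopt accepted it as an abbreviation of --jump) is
#    written as -j.
#  * the list is named "ssh" instead of the module's DEFAULT list.
#iptables -A INPUT -p tcp --dport 2199 -j ACCEPT
iptables -I INPUT 1 -i eth1 -p tcp --dport 2199 -m state --state NEW \
  -m recent --name ssh --update --seconds 600 --hitcount 5 -j DROP
iptables -I INPUT 2 -i eth1 -p tcp --dport 2199 -m state --state NEW \
  -m recent --name ssh --update --seconds 600 --hitcount 2 -j LOG --log-prefix " SSH-RETRY: "
iptables -I INPUT 3 -i eth1 -p tcp --dport 2199 -m state --state NEW \
  -m recent --name ssh --set -j ACCEPT
###################SSH###################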

################# MYSQL #################
# MySQL stays closed to eth1: nothing in this script accepts NEW connections
# to 3306, so the INPUT DROP policy set at the end applies. The commented
# rule below would only accept ESTABLISHED packets with SOURCE port 3306,
# i.e. replies to a MySQL client running on this host, not connections to
# a local server.
#iptables -A INPUT -i eth1 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
################# MYSQL #################

################# SMTP #################
# Packets leaving eth1 from local port 25, i.e. a local MTA answering remote
# clients. Only relevant if the OUTPUT policy is DROP; this script never
# sets one.
iptables --append OUTPUT --out-interface eth1 --protocol tcp --sport 25 --match state --state ESTABLISHED --jump ACCEPT
# Inbound side of such connections. ESTABLISHED only: no NEW connection to
# port 25 is accepted anywhere in this script, so no SMTP session from
# eth1 can ever be established and this host does not receive mail on it;
# the general ESTABLISHED,RELATED rule already covers what this matches.
iptables --append INPUT --in-interface eth1 --protocol tcp --dport 25 --match state --state ESTABLISHED --jump ACCEPT
################# SMTP #################

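############### ICMP ###################
# ICMP of any type is accepted at 1 packet/s (burst 1). Anything above that
# rate is logged (again at most 1/s) and then dropped.
# NOTE(review): this also rate-limits ICMP errors (unreachable,
# fragmentation-needed) that are not RELATED to a tracked connection; the
# general ESTABLISHED,RELATED rule admits the ones that are. No interface
# is given, so the limit applies to every interface.
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix " PING-DROP: " --log-level 7
iptables -A INPUT -p icmp -j DROP

# Everything still in INPUT at this point is, in the script as it stands,
# not accepted by any later rule (the remaining rules only drop, RETURN or
# count), so the prefix is accurate. LOG is non-terminating; the packet
# carries on down the chain.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# LOGDROP: per-protocol rate-limited log, then drop. Nothing in this script
# jumps to it yet (no "-j LOGDROP"); it is available for rules that want a
# logged drop. The original chain had no terminal DROP, so a packet sent to
# it would have been logged and then RETURNed to the calling chain; the
# DROP at the end makes the chain do what its name says.
iptables -N LOGDROP
iptables -A LOGDROP -p tcp  -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: "  --log-level 7
iptables -A LOGDROP -p udp  -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: "  --log-level 7
iptables -A LOGDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
iptables -A LOGDROP -j DROP

# Rate-limit bare RST packets (disabled). The original comment called this
# a SMURF defence; SMURF is ICMP-echo broadcast amplification and has
# nothing to do with RST. As written the rule also only ACCEPTs RSTs under
# the limit and has no matching DROP for the excess, and "-m imit" was a
# typo for "-m limit".
#iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
################ ICMP ####################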

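################ SYN #####################
# Blocking excessive SYN packets: every SYN is diverted to syn_flood, which
# RETURNs up to 1/s (burst 3) and drops the rest.
# NOTE(review): the WEB and SSH accept rules come earlier in INPUT, so SYNs
# to 80 and 2199 never reach this chain; as ordered it only throttles SYNs
# to ports that would be dropped anyway.
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
# Drop new connections without the SYN flag set.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
#iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --set
#iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP
################ SYN #####################

############### IP PORT SCAN #############
# The original carried a run of "-----" glued to the front of the next two
# commands (a paste artefact), which made the shell look for a command
# called "-------------iptables"; the dashes are removed.
# port-scan: RETURN bare RST packets at up to 1/s, drop the rest. Nothing in
# this script jumps to this chain (no "-j port-scan"), so it is inert as is.
iptables -N port-scan
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A port-scan -j DROP
# Anyone who tried to portscan us is locked out for an entire day (disabled).
# NOTE(review): the "recent" module has no --recheck option; the intended
# flag is --rcheck. With the port-139 probe below as the only trigger, one
# spoofed SYN to 139 would lock any chosen address out for a day, which is
# presumably why this stays commented out.
#iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
#iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Once the day has passed, remove them from the portscan list.
# NOTE(review): these two rules have no -j target; they are plain matches
# whose side effect removes the source address from the list on ANY packet
# it sends. While the lockout above is disabled, the list therefore never
# holds an entry for long and has no effect on traffic.
iptables -A INPUT   -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove
# These rules add scanners to the portscan list, and log the attempt.
# A probe of TCP 139 (NetBIOS, never served by this host) is taken as a scan.
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix " Portscan: "
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix " Portscan: "
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
############### IP PORT SCAN #############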

################ LOG #####################
# Final catch-all for INPUT: whatever is still unmatched is logged (at most
# 2 lines per minute) and dropped. The explicit DROP duplicates the INPUT
# DROP policy set at the end of the script but makes the intent visible.
# NOTE(review): --log-level 7 is "debug"; many syslog configurations do not
# keep kern.debug, so check that these lines actually reach a log file.
iptables --new-chain LOGGING
iptables --append LOGGING --match limit --limit 2/min --jump LOG --log-prefix " IPTables Packet Dropped : " --log-level 7
iptables --append LOGGING --jump DROP
# Hook the chain in as the last rule of INPUT.
iptables --append INPUT --jump LOGGING
################ LOG #####################

############# END OF RULES (default policies and save follow) ###############

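# Default policies: drop whatever no rule above accepted, and never forward
# between interfaces. Set last, after all accept rules are in place.
# NOTE(review): between the flush at the top and this point the policies are
# whatever "service iptables start" loaded (DROP once a previous run has
# done "service iptables save"), so a re-run that aborts half-way leaves the
# host with a DROP policy and a partial rule set.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# OUTPUT is never set in this script, so the OUTPUT rules above only take
# effect if a DROP policy for it was loaded from elsewhere.
# Persist the rule set, then reload it from the saved file.
service iptables save
service iptables restart

# The original page ended with this port table as plain text (not shell);
# it is kept here as a comment.
# Available Port
#   www      80
#   ssh      2199
#   dns      53
#   sendmail 953
#   portmap  111
# NOTE(review): the table does not match the rules above: only 80 and 2199
# accept NEW connections from eth1; 53 and 25 are ESTABLISHED-only, 953 is
# commented out, 111 has no rule at all, and "sendmail" normally means port
# 25 (953 is rndc).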
