Old 01-04-2012, 06:02 PM
Reindl Harald
 
SOLVED iptables: block source-ip after connect to port

Am 04.01.2012 06:54, schrieb Reindl Harald:
> hi
>
> i would like to drop all incoming packets of any ip that tried
> to connect to telnet (port 23) which is meant as a trap
> for port-scans, there are some samples out there but i got
> none of them working until now :-(
>
> iptables -N port-scan
> iptables -A port-scan -p tcp --dport 23 --tcp-flags ALL SYN -m limit --limit 3/m --limit-burst 5 -j LOG --log-prefix "portscan trap: "
> iptables -A port-scan -p tcp --dport 23 --tcp-flags ALL SYN -m recent --update --seconds 60 -j RETURN
> iptables -A port-scan -j DROP

that does the trick (loopback-device and LAN excluded)

ports directly before common services which are unused are triggering,
and after touching one of them each packet to the machine from
the source-ip is rejected for 10 seconds, so if one tries ports
from 1-1024 in ascending order he would close port 80 directly
before testing it

this should help to prevent many port-scans

PORTSCAN_TRIGGERS="19,23,24,52,79,109,142,442,464,586,992,994"
iptables -A INPUT ! -i lo ! -s 10.0.0.0/24 -m recent --name portscan --rcheck --seconds 10 -j REJECT
iptables -A INPUT ! -i lo ! -s 10.0.0.0/24 -m recent --name portscan --remove
iptables -A INPUT ! -i lo ! -s 10.0.0.0/24 -p tcp -m multiport --destination-port $PORTSCAN_TRIGGERS -m limit \
    --limit 10/m -j LOG --log-prefix "Portscan: "
iptables -A INPUT ! -i lo ! -s 10.0.0.0/24 -p tcp -m multiport --destination-port $PORTSCAN_TRIGGERS -m tcp \
    -m recent --name portscan --set -j REJECT
______________________________

the following rules are filtering out a lot of other unwanted
packets including alternate techniques of nmap for portscans

iptables -A INPUT ! -i lo -m state --state INVALID -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL FIN -j DROP
iptables -A INPUT ! -i lo -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT ! -i lo -f -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
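An added example, not part of the post above: a small Python model of how the four "portscan" INPUT rules behave, using the semantics of the iptables recent match (--rcheck/--remove/--set) on a constructed scan sequence. It touches no real netfilter; the source address 203.0.113.5, the LAN prefix check and the 0.1 s probe interval are assumptions made to show the verdicts.

```python
# Model of the four "portscan" rules from the post (added example, not the
# original script). The recent list maps source ip -> time of the last --set.

TRIGGER_PORTS = {19, 23, 24, 52, 79, 109, 142, 442, 464, 586, 992, 994}
BLOCK_SECONDS = 10          # --seconds 10 on the --rcheck rule
LAN_PREFIX = "10.0.0."      # stands in for "! -s 10.0.0.0/24" (assumed /24)


class PortscanTrap:
    def __init__(self):
        self.recent = {}    # the "portscan" recent list: ip -> timestamp

    def decide(self, src, dport, now):
        # All four rules exclude loopback and the LAN, so they never match.
        if src == "127.0.0.1" or src.startswith(LAN_PREFIX):
            return "PASS"
        # Rule 1: --rcheck --seconds 10 -> REJECT while inside the window.
        # rcheck does not refresh the timestamp, so the window is not extended.
        t = self.recent.get(src)
        if t is not None and now - t <= BLOCK_SECONDS:
            return "REJECT"
        # Rule 2: --remove deletes a stale entry; the packet continues.
        self.recent.pop(src, None)
        # Rule 3 only logs; rule 4 --set's the entry on a trigger port and rejects.
        if dport in TRIGGER_PORTS:
            self.recent[src] = now
            return "REJECT"
        # Nothing matched: the packet goes on to the rest of INPUT.
        return "PASS"


def run_scan(trap, src, ports, start=0.0, step=0.1):
    """Feed an ascending scan, one port every `step` seconds; return (port, verdict)."""
    return [(p, trap.decide(src, p, start + i * step)) for i, p in enumerate(ports)]


if __name__ == "__main__":
    trap = PortscanTrap()
    # Constructed scan: 79 is a trigger, so 80 is rejected before it is probed.
    for port, verdict in run_scan(trap, "203.0.113.5", [22, 25, 79, 80, 81]):
        print(port, verdict)
    # The same address is accepted again once the 10 seconds have passed.
    print(trap.decide("203.0.113.5", 80, 20.0))
```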