Dear all, can you tell me how to block SYN&FIN portscans. I implemented part of the rules i got from the list I got successful in blocking XMAS+NULL. The rulz I use are forwarded as attachment. 10x in advance, Dimitar
# Generated by iptables-save v1.2.2 on Thu Dec 6 17:59:57 2001 # *nat - ban blatant spoofs :PREROUTING ACCEPT [24:2352] -A PREROUTING -s 10.0.0.0/8 -j DROP -A PREROUTING -s 255.255.255.255/32 -j DROP -A PREROUTING -s 172.16.0.0/16 -j DROP -A PREROUTING -s 192.168.0.0/16 -j DROP -A PREROUTING -s 127.0.0.0/8 -j DROP -A PREROUTING -s 0.0.0.0/8 -j DROP -A PREROUTING -s 212.124.64.5 -i ppp0 -p tcp -m tcp --sport 3128 -j REDIRECT --to-port 80 -A PREROUTING -j REDIRECT -p tcp -m tcp --dport 3128 --to-port 80 :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A OUTPUT -s 10.0.0.0/8 -o ppp0 -p tcp -j DROP -A OUTPUT -s 255.255.255.255/32 -o ppp0 -p tcp -j DROP -A OUTPUT -s 172.16.0.0/12 -o ppp0 -p tcp -j DROP -A OUTPUT -s 192.168.0.0/16 -o ppp0 -p tcp -j DROP -A OUTPUT -s 127.0.0.0/8 -o ppp0 -p tcp -j DROP -A OUTPUT -s 0.0.0.0/8 -o ppp0 -p tcp -j DROP COMMIT # Completed on Thu Dec 6 17:59:57 2001 # Generated by iptables-save v1.2.2 on Thu Dec 6 17:59:57 2001 *mangle :PREROUTING ACCEPT [24:2352] :OUTPUT ACCEPT [24:2352] -A OUTPUT -s 255.255.255.255/32 -o ppp0 -j DROP -A OUTPUT -s 172.16.0.0/12 -o ppp0 -j DROP -A OUTPUT -s 10.0.0.0/8 -o ppp0 -j DROP -A OUTPUT -s 192.168.0.0/16 -o ppp0 -j DROP -A OUTPUT -s 127.0.0.0/8 -o ppp0 -j DROP -A OUTPUT -s 0.0.0.0/8 -o ppp0 -p tcp -j DROP COMMIT # Completed on Thu Dec 6 17:59:57 2001 # Generated by iptables-save v1.2.2 on Thu Dec 6 17:59:57 2001 *filter :INPUT DROP [0:0] #:INPUT DROP [24:2352] # #lo+X # -A INPUT -i lo -j ACCEPT -A INPUT -i ppp0 -p tcp -m tcp --dport 6000 -j DROP # #take care of spoofs # -A INPUT -s 255.255.255.255/32 -i ppp0 -j DROP -A INPUT -s 172.16.0.0/12 -i ppp0 -j DROP -A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP -A INPUT -s 127.0.0.0/8 -i ppp0 -j DROP -A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP # #my conns only # -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -i ! ppp0 -m state --state NEW -j ACCEPT # #frags # -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,FIN -m limit --limit 3/hour --limit-burst 30 -m state --state INVALID,NEW,RELATED,ESTABLISHED -j LOG -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN,FIN -j DROP #-A INPUT -p tcp -f -m limit --limit 3/hour --limit-burst 20 -j LOG #-A INPUT -p tcp -f -m limit --limit 15/min -j ACCEPT -A INPUT -p tcp -f -j DROP # #ssh - temporarily stopped # -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT #-A INPUT -s 212.124.64.5 -i ppp0 -p tcp -m tcp --dport 11110 -j ACCEPT #-A INPUT -i lo -p tcp -m tcp --dport 11110 -j ACCEPT #-A FORWARD -i lo -p tcp -m tcp --dport 11110 -j ACCEPT #-A FORWARD -i ppp0 -p tcp -m tcp --dport 11110 -m state --state ESTABLISHED,RELATED -j ACCEPT # #smtp # -A INPUT -s 212.124.64.5 -i ppp0 -p tcp -m tcp --dport 25 -j ACCEPT # #DNS # -A INPUT -s 212.124.64.5 -i ppp0 -p tcp -m tcp --sport 53 --dport 53 -j ACCEPT -A INPUT -s 212.124.64.2 -i ppp0 -p tcp -m tcp --sport 53 --dport 53 -j ACCEPT # -A INPUT -s 212.124.64.5 -i ppp0 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset # #web # -A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT #-A INPUT -i ppp0 -p tcp -m tcp --dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT # #icmp # -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/hour --limit-burst 30 -m state --state INVALID,NEW -j LOG -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 20/min -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT # #portscans #A)FIN -A INPUT -i ppp0 -p tcp -m tcp --tcp-flags ALL,FIN FIN -j LOG --log-level crit --log-prefix "nmap fin scanning" -A INPUT -i ppp0 -p tcp -m tcp --tcp-flags ALL,FIN FIN -j DROP #B)XMAS Tree #-A INPUT -i ppp0 -p tcp -m tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level crit --log-prefix "nmap xmas scanning" -A INPUT -i ppp0 -p tcp -m tcp --tcp-flags ALL FIN,URG,PSH -j DROP #C)Fin/Syn -A INPUT -i ppp0 -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level crit --log-prefix "nmap syn/fin scan" -A INPUT -i ppp0 -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # #ACK # -A INPUT -i ppp0 -p tcp -m tcp --tcp-flags ALL,ACK ALL,ACK -j LOG --log-level crit --log-prefix "ack scan" -A INPUT -i ppp0 -p tcp -m tcp --tcp-flags ALL,ACK ACK -j DROP #beshe ALL,ACK # #NULL # -A INPUT -i ppp0 -p tcp -m tcp --tcp-flags ALL NONE -j LOG --log-level crit --log-prefix "null scan" -A INPUT -i ppp0 -p tcp -m tcp --tcp-flags ALL NONE -j DROP # #NMAP # #-A INPUT -i ppp0 -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK,FIN,RST -m limit 3/hour --limit-burst 20 -j LOG -A INPUT -i ppp0 -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK,FIN,RST -j DROP # #udp ban # -A INPUT -i ppp0 -p udp -j DROP #-A INPUT -i ppp0 -p tcp -m tcp --dport 631 -j DROP # #forward na zabranenite paketi (of banned pax - used to enhance filtering) # # Completed on Thu Dec 6 17:59:57 2001
:FORWARD DROP [0:0] -A FORWARD -m unclean -j DROP -A FORWARD -i lo -j ACCEPT #-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 3/hour --limit-burst 30 -m state --state INVALID,NEW -j LOG #-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/min -m state --state ESTABLISHED,RELATED -j ACCEPT # -A FORWARD -p tcp -m tcp --tcp-flags SYN ALL -m limit --limit 3/hour --limit-burst 30 -m state --state INVALID,NEW -j LOG #-A FORWARD -p tcp -m tcp --tcp-flags SYN ALL -m limit --limit 20/min -m state --state ESTABLISHED,RELATED -j ACCEPT # -A FORWARD -p tcp -m tcp --tcp-flags SYN ALL -m limit --limit 3/hour --limit-burst 30 -m state --state INVALID,NEW -j LOG #-A FORWARD -p tcp -m tcp --tcp-flags SYN ALL -m limit --limit 20/min -m state --state NEW -j DROP # -A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 3/hour --limit-burst 30 -m state --state INVALID,NEW -j LOG -A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 20/min -m state --state ESTABLISHED,RELATED -j ACCEPT #-A FORWARD -p tcp -f -m limit --limit 3/hour --limit-burst 20 -j LOG #-A FORWARD -p tcp -f -m limit --limit 15/min -j ACCEPT -A FORWARD -s 127.0.0.0/255.255.255.0 -i ppp0 -p tcp -j DROP :OUTPUT ACCEPT [22:2156] COMMIT
