Network Security Security-Basics
Need help with iptables

Subject: Need help with iptables
Date: Sat, 25 Aug 2007 02:06:31 +0300
IPTABLES=/sbin/iptables
LOGLEVEL=DEBUG
LOGLIMIT="2/s" # Overall limit for logging in logging chains
LOGLIMITBURST="10" # Burst limit for logging in logging chains

$IPTABLES -N LOG_BAD_FLAG # TCP packets with one or more bad flags (commonly scans)
$IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS scan: " # (NMAP) FIN/URG/PSH
$IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS-PSH scan: " # SYN/RST/ACK/FIN/URG
$IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL ALL -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS-ALL scan: " # ALL/ALL
$IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL FIN -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "Stealth FIN scan: " # NMAP FIN Stealth
$IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "Stealth SYN/RST scan: " # SYN/RST
$IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "Stealth SYN/FIN scan(?): " # SYN/FIN (probably)
$IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL NONE -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level $LOGLEVEL --log-prefix "Stealth Null scan: " # Null scan
$IPTABLES -A LOG_BAD_FLAG -j DROP

$IPTABLES -N CHECK_BAD_FLAG
$IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG_BAD_FLAG # NMAP FIN/URG/PSH
$IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_BAD_FLAG # SYN/RST/ACK/FIN/URG
$IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL ALL -j LOG_BAD_FLAG # ALL/ALL scan
$IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL NONE -j LOG_BAD_FLAG # NMAP Null scan
$IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LOG_BAD_FLAG # SYN/RST
$IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_BAD_FLAG # SYN/FIN scan (probably)
$IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL FIN -j LOG_BAD_FLAG # NMAP FIN Stealth

$IPTABLES -A INPUT -p tcp -j CHECK_BAD_FLAG

Here is my iptables rule set for preventing port scans. I was trying to scan ports with nmap using different scanning methods, but I saw that a Null scan passes my iptables rule set and a daemon, for example OpenSSH, answers the invalid packet sequence =( Maybe I have made a mistake in the TCP flag specification?

And a second question: can I somehow prevent stealth scans and -sT (new connection scan) with iptables?
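The following is an added example, not code from the poster: a small Python model of how iptables evaluates `--tcp-flags MASK COMP` (only the bits in MASK are inspected, and exactly the bits in COMP must be set among them), used to walk constructed sample flag combinations through the CHECK_BAD_FLAG chain above in rule order. It assumes the chain and labels as posted and shows which probes the chain catches and which, such as a plain SYN, fall through to later rules.

```python
"""Added example (not from the original post): model iptables
'--tcp-flags MASK COMP' matching and replay the poster's CHECK_BAD_FLAG
chain against constructed sample packets. Flag names follow iptables."""

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())


def flagset(spec):
    """Translate an iptables flag list ('SYN,FIN', 'ALL', 'NONE') to a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))


def tcp_flags_match(packet_flags, mask, comp):
    """iptables semantics: look only at the bits in MASK; of those, exactly
    the bits in COMP must be set and the remaining masked bits must be clear."""
    return packet_flags & flagset(mask) == flagset(comp)


# The poster's CHECK_BAD_FLAG chain in appended order: (mask, comp, log prefix).
# As in iptables, the first matching rule wins.
CHECK_BAD_FLAG = [
    ("ALL", "FIN,URG,PSH", "Stealth XMAS scan"),
    ("ALL", "SYN,RST,ACK,FIN,URG", "Stealth XMAS-PSH scan"),
    ("ALL", "ALL", "Stealth XMAS-ALL scan"),
    ("ALL", "NONE", "Stealth Null scan"),
    ("SYN,RST", "SYN,RST", "Stealth SYN/RST scan"),
    ("SYN,FIN", "SYN,FIN", "Stealth SYN/FIN scan"),
    ("ALL", "FIN", "Stealth FIN scan"),
]


def classify(packet_flags):
    """Return the log prefix of the first matching rule, or None when the
    packet falls through the chain (it is then neither logged nor dropped)."""
    for mask, comp, label in CHECK_BAD_FLAG:
        if tcp_flags_match(packet_flags, mask, comp):
            return label
    return None


# Constructed sample packets (flag bytes), not captured traffic.
SAMPLES = {"null probe": 0, "fin probe": flagset("FIN"),
           "xmas probe": flagset("FIN,PSH,URG"),
           "plain connection request": flagset("SYN"),
           "established data segment": flagset("PSH,ACK")}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        print(f"{name:28s} -> {classify(flags)}")
```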
