
2007年02月03日

●portscan drop chain

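# ====================== define portscan drop chain ======================
#
# Builds three user-defined chains:
#   PORTSCAN_DROP  - rate-limited LOG, then DROP (shared sink for the rules below)
#   BLOCK_INPUT    - anti-spoofing / anti-scan rules for inbound traffic
#   BLOCK_OUTPUT   - the matching rules for outbound traffic
#
# Side effects: iptables rules, writes to /proc/sys/net/ipv4/conf/*/accept_redirects,
# progress messages on stdout.
#
# NOTE: this fragment only populates the chains. Nothing here jumps INPUT /
# OUTPUT into BLOCK_INPUT / BLOCK_OUTPUT, so that has to happen elsewhere
# or the rules never see a packet.
#
# PUBLIC_IF: interface facing the untrusted network (default eth0). Only the
# broadcast / bogon / redirect rules are bound to it; the INVALID-state and
# TCP-flag rules below match on every interface.
PUBLIC_IF="${PUBLIC_IF:-eth0}"

# Loopback and RFC 1918 ranges that must never appear as a source on the
# public interface (or as a destination leaving it). Written as network
# prefixes; iptables masks host bits anyway, so 10.255.255.255/8 and
# 10.0.0.0/8 are the same rule.
BOGON_NETS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# create chain PORTSCAN_DROP; on a re-run the chain already exists, so flush
# it instead of appending a second copy of every rule
iptables -N PORTSCAN_DROP 2>/dev/null || iptables -F PORTSCAN_DROP

# log packet header, rate-limited so a scan cannot fill the log
iptables -A PORTSCAN_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "

# drop packet
iptables -A PORTSCAN_DROP -j DROP


# ==================== build input/output block chains ===================

# create chains BLOCK_INPUT and BLOCK_OUTPUT (flushed on re-run, as above)
iptables -N BLOCK_INPUT 2>/dev/null || iptables -F BLOCK_INPUT
iptables -N BLOCK_OUTPUT 2>/dev/null || iptables -F BLOCK_OUTPUT

echo "*** Blocking ***"

# block ICMP type 5 (redirect) on the public interface, and tell the kernel
# to ignore redirects on every interface entry (including "all"/"default")
iptables -A BLOCK_INPUT -i "$PUBLIC_IF" -p icmp --icmp-type 5 -j DROP
for conf in /proc/sys/net/ipv4/conf/*; do
  # an unmatched glob leaves the literal pattern behind; skip it
  [ -e "$conf/accept_redirects" ] || continue
  echo 0 > "$conf/accept_redirects"
done
echo "ICMP Type 5 (redirect) blocked"

# block LAN broadcasts
iptables -A BLOCK_INPUT -i "$PUBLIC_IF" -s 255.255.255.255 -j PORTSCAN_DROP
iptables -A BLOCK_OUTPUT -o "$PUBLIC_IF" -d 255.255.255.255 -j PORTSCAN_DROP

# block incoming packets with a loopback (127/8) or private (RFC 1918)
# source address - on the public interface these can only be spoofed
# shellcheck disable=SC2086 -- BOGON_NETS is a deliberate space-separated list
for net in $BOGON_NETS; do
  iptables -A BLOCK_INPUT -i "$PUBLIC_IF" -s "$net" -j PORTSCAN_DROP
done

# block outgoing packets to loopback / private ip addresses (RFC 1918)
# shellcheck disable=SC2086 -- BOGON_NETS is a deliberate space-separated list
for net in $BOGON_NETS; do
  iptables -A BLOCK_OUTPUT -o "$PUBLIC_IF" -d "$net" -j PORTSCAN_DROP
done
echo "RFC 1918 addresses on public interface blocked"

# drop corrupt packets (connection tracking cannot classify them)
iptables -A BLOCK_INPUT -m state --state INVALID -j PORTSCAN_DROP
iptables -A BLOCK_OUTPUT -m state --state INVALID -j PORTSCAN_DROP
echo "dropping invalid packets"

# -------------- block invalid packets (stealth scans etc) ---------------
# --tcp-flags <mask> <set> matches when, of the flags in <mask>, exactly the
# ones in <set> are on. None of the combinations below occur in a legitimate
# TCP conversation.

echo "Packet drop:"

# no flags set
iptables -A BLOCK_INPUT -p tcp --tcp-flags ALL NONE -j PORTSCAN_DROP
echo " no flags set"

# all flags set - the counterpart of the no-flags case, never valid either
iptables -A BLOCK_INPUT -p tcp --tcp-flags ALL ALL -j PORTSCAN_DROP
echo " all flags set"

# SYN and FIN set
iptables -A BLOCK_INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j PORTSCAN_DROP
echo " SYN+FIN"

# SYN and RST set
iptables -A BLOCK_INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j PORTSCAN_DROP
echo " SYN+RST"

# FIN and RST set
iptables -A BLOCK_INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j PORTSCAN_DROP
echo " FIN+RST"

# FIN without ACK
iptables -A BLOCK_INPUT -p tcp --tcp-flags ACK,FIN FIN -j PORTSCAN_DROP
echo " FIN without ACK"

# PSH without ACK
iptables -A BLOCK_INPUT -p tcp --tcp-flags ACK,PSH PSH -j PORTSCAN_DROP
echo " PSH without ACK"

# URG without ACK
iptables -A BLOCK_INPUT -p tcp --tcp-flags ACK,URG URG -j PORTSCAN_DROP
echo " URG without ACK"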
