Fred87's Script

  • Allows incoming SSH (TCP port 22) from any source address
  • Rate-limits incoming TCP SYN packets to blunt SYN floods (one global limit, not per-source, so a flood also slows legitimate new connections)
  • Detects spoofed local packets
  • Makes sure "NEW" tcp packets have the syn flag set
  • Drops packets with both syn and fin set
  • Generated with KIptablesGenerator
#!/bin/sh
# Generated by KIptablesGenerator
# Copyright (c) 2004 Fred Emmott <mail@fredemmott.co.uk>
# See KIptablesGenerator for license information.
# You probably want to make this a startup script, eg on
# slackware you probably want to save this as /etc/rc.d/rc.firewall
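# Path to the iptables binary. Overridable from the environment so the same
# script works where the binary lives elsewhere (e.g. /sbin/iptables).
IPTABLES=${IPTABLES:-/usr/sbin/iptables}

# Fail loudly instead of silently leaving the host without a firewall.
if [ ! -x "$IPTABLES" ]; then
  printf '%s\n' "rc.firewall: $IPTABLES not found or not executable" >&2
  exit 1
fi

# NOTE: this script configures IPv4 only (iptables); ip6tables is not
# touched. It also leaves the FORWARD and OUTPUT policies at the kernel
# default (ACCEPT) -- review those separately if the host routes or has IPv6.

# Default-deny everything inbound first, so the flush below never leaves a
# window where the host is open; the rules that follow punch the holes.
"$IPTABLES" -P INPUT DROP

# Start from a clean INPUT chain so re-running the script (e.g. after an
# edit) does not append a second copy of every rule, and so -N below does
# not fail on an already-existing Flood-Scan chain. INPUT is flushed first
# because it holds the jump to Flood-Scan. The -F/-X errors on the very
# first run (chain does not exist yet) are expected and deliberately hidden.
"$IPTABLES" -F INPUT
"$IPTABLES" -F Flood-Scan 2>/dev/null
"$IPTABLES" -X Flood-Scan 2>/dev/null

# Loopback is trusted; anything claiming a 127/8 destination on a
# non-loopback interface is spoofed and dropped.
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

# SYN rate limiting: every incoming SYN passes through Flood-Scan, which
# lets 1/s through with a burst of 20 and logs + drops the excess. This is
# one global bucket, not per-source, so a flood will also delay legitimate
# new connections (including SSH) until it subsides.
"$IPTABLES" -N Flood-Scan
"$IPTABLES" -A INPUT -p tcp -m tcp --syn -j Flood-Scan
"$IPTABLES" -A Flood-Scan -m limit --limit 1/s --limit-burst 20 -j RETURN
"$IPTABLES" -A Flood-Scan -j LOG --log-prefix "OVER-LIMIT: "
"$IPTABLES" -A Flood-Scan -j DROP

# A NEW TCP connection must begin with a SYN; anything else is a stray or
# crafted segment. Also drop the impossible SYN+FIN combination (scanners).
"$IPTABLES" -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
"$IPTABLES" -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Return traffic for connections this host initiated (UDP gets no RELATED).
"$IPTABLES" -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -m conntrack --ctstate RELATED -j ACCEPT
"$IPTABLES" -A INPUT -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT

# ICMP error/reply types needed for path-MTU discovery, traceroute and ping
# *from* this box to work. They are accepted statelessly (not via
# --ctstate RELATED), so they are reachable from any source. echo-request
# is not in the list: the host will not answer pings.
"$IPTABLES" -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
"$IPTABLES" -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
"$IPTABLES" -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
"$IPTABLES" -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT

# Inbound SSH from any source. Only the global SYN limit above throttles it;
# per-source brute-force limiting is left to sshd (or an extra -m recent rule).
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT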