Fred87's Script
- Allows incoming SSH
- Detects and blocks syn floods
- Detects spoofed local packets
- Makes sure "NEW" tcp packets have the syn flag set
- Drops packets with both syn and fin set
- Generated with KIptablesGenerator
```sh
#!/bin/sh
# Generated by KIptablesGenerator
# Copyright (c) 2004 Fred Emmott <mail@fredemmott.co.uk>
# See KIptablesGenerator for license information.
# You probably want to make this a startup script, e.g. on
# slackware you probably want to save this as /etc/rc.d/rc.firewall
IPTABLES=/usr/sbin/iptables

# Default policy: drop everything not explicitly accepted below
$IPTABLES -P INPUT DROP

# Loopback is trusted; anything claiming a 127/8 destination on another
# interface is a spoofed local packet
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

# SYN flood detection: new connection attempts above 1/s (burst 20)
# are logged with the OVER-LIMIT prefix and dropped
$IPTABLES -N Flood-Scan
$IPTABLES -A INPUT -p tcp -m tcp --syn -j Flood-Scan
$IPTABLES -A Flood-Scan -m limit --limit 1/s --limit-burst 20 -j RETURN
$IPTABLES -A Flood-Scan -j LOG --log-prefix "OVER-LIMIT: "
$IPTABLES -A Flood-Scan -j DROP

# NEW tcp packets must carry the SYN flag; SYN+FIN together is invalid
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Traffic belonging to or related to existing connections
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -m conntrack --ctstate RELATED -j ACCEPT
$IPTABLES -A INPUT -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT

# ICMP messages needed for normal operation
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT

# Incoming SSH
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
```
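The Flood-Scan chain above logs over-limit SYN packets with the prefix `OVER-LIMIT: ` before dropping them. The following is an added example, not part of Fred87's script or KIptablesGenerator, that summarises those kernel log lines per source address and destination port so you can see who tripped the rate limit; it assumes the standard syslog line format for the iptables LOG target, and the sample log lines are constructed.

```sh
#!/bin/sh
# Added example (not part of Fred87's script): summarise the kernel log lines
# written by the Flood-Scan chain's LOG rule ("OVER-LIMIT: " prefix).
# Assumes the syslog/dmesg line format shown in the constructed sample below.

# Read log lines on stdin; print "<count> <SRC> <DPT>" for each source/port
# pair that hit the OVER-LIMIT rule, most frequent first. Lines without the
# prefix (other kernel messages) are ignored.
overlimit_summary() {
    awk '
        /OVER-LIMIT: / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample log lines (not real traffic), in the format the kernel
# LOG target emits via syslog. The last line is unrelated noise.
SAMPLE_LOG='Jan  5 12:00:01 gw kernel: OVER-LIMIT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Jan  5 12:00:01 gw kernel: OVER-LIMIT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Jan  5 12:00:02 gw kernel: OVER-LIMIT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40003 DPT=22 SYN URGP=0
Jan  5 12:00:02 gw kernel: OVER-LIMIT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0
Jan  5 12:00:03 gw kernel: eth0: link up'

# Run the summary over the constructed sample.
overlimit_summary_sample() {
    printf '%s\n' "$SAMPLE_LOG" | overlimit_summary
}

# ./script.sh --sample   prints the sample summary;
# otherwise pipe a real kernel log in:  grep OVER-LIMIT /var/log/messages | sh -c '. ./script.sh; overlimit_summary'
if [ "${1:-}" = "--sample" ]; then
    overlimit_summary_sample
fi
```

Running with `--sample` prints `3 192.0.2.10 22` followed by `1 203.0.113.7 80`; on a real host, point it at the log file your syslog writes kernel messages to.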