Comments on: How to: Linux Iptables block common attacks

By: JB

JB — Fri, 29 Jul 2011 20:28:59 +0000

I am still able to get pinged using another computer running Ubuntu 11.04 and using nmap with those commands.

By: scott

scott — Sat, 09 Apr 2011 17:05:52 +0000

i was wondering if there is a way you can do this in windows as well. i get alot of these attacks and i tried the blocking the ICMP rule in my firewall. it worked for a few days but the attacks continued.

By: Anonymous

Anonymous — Sat, 01 May 2010 20:52:48 +0000

Completely blocking ICMP may result in a Black Hole situation (RFC 2923) since ICMP is vital to the PMTUD process. This may lock out clients coming over a congested link with MTU sizes below 1500 (e.g. tunnels).

By: kunoichi

kunoichi — Wed, 31 Mar 2010 10:17:57 +0000

I would like to share with you my iptables rules… I am not gonna explain it in details.
They are ready to be used with the iptables-restore command, Just check your ports and substitute xx.xx.xx.xx with your IP… If you have more IPs just add more IP chains. customise to your requirments.

*filter

#clear -F

#clear custom -X

#default rules -P INPUT DROP -P OUTPUT DROP -P FORWARD DROP

#allow localhost -A INPUT -i lo -j ACCEPT -A OUTPUT -o lo -j ACCEPT

#allow output for new, related and established connections -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# # PACKETS chain # -N PACKET -A PACKET -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT -A PACKET -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT #limit ping to 1 per second -A PACKET -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

# # STATE_TRACK chain (connection tracking) # -N STATE_TRACK -A STATE_TRACK -m state --state RELATED,ESTABLISHED -j ACCEPT -A STATE_TRACK -m state --state INVALID -j DROP

# # PORTSCAN chain (drop common attacks) # -N PORTSCAN -A PORTSCAN -p tcp --tcp-flags ACK,FIN FIN -j DROP -A PORTSCAN -p tcp --tcp-flags ACK,PSH PSH -j DROP -A PORTSCAN -p tcp --tcp-flags ACK,URG URG -j DROP -A PORTSCAN -p tcp --tcp-flags FIN,RST FIN,RST -j DROP -A PORTSCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP -A PORTSCAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP -A PORTSCAN -p tcp --tcp-flags ALL ALL -j DROP -A PORTSCAN -p tcp --tcp-flags ALL NONE -j DROP -A PORTSCAN -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP -A PORTSCAN -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP -A PORTSCAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# # COMMON chain (everything passes through here) # -N COMMON -A COMMON -j STATE_TRACK -A COMMON -j PORTSCAN

# # chains relations # -A INPUT -j COMMON -A OUTPUT -j COMMON -A FORWARD -j COMMON -A FORWARD -j PACKET # # IP chain # -N IP1 -A INPUT -d xx.xx.xx.xx -j IP1 -A OUTPUT -d xx.xx.xx.xx -j IP1 -A FORWARD -d xx.xx.xx.xx -j IP1 #SSH On standard port -A IP1 -p tcp --dport 22 -j ACCEPT #HTTP HTTPS -A IP1 -p tcp --dport 80 -j ACCEPT -A IP1 -p tcp --dport 443 -j ACCEPT #DNS -A IP1 -p tcp --dport 53 -j ACCEPT -A IP1 -p udp --dport 53 -j ACCEPT Admin Panel (Webmin) -A IP1 -p tcp --dport 10000 -j ACCEPT

# MORE IP CHAINS #-N IP2 #-A INPUT -d xx.xx.xx.yy -j IP2 #-A OUTPUT -d xx.xx.xx.yy -j IP2 #-A FORWARD -d xx.xx.xx.yy -j IP2 #SSH #-A IP2 -p tcp --dport 22 -j ACCEPT #HTTP HTTPS #-A IP2 -p tcp --dport 80 -j ACCEPT #-A IP2 -p tcp --dport 443 -j ACCEPT #DNS #-A IP2 -p tcp --dport 53 -j ACCEPT #-A IP2 -p udp --dport 53 -j ACCEPT

COMMIT

By: name

name — Sat, 31 Oct 2009 13:38:39 +0000

A better way of doing this would be to just use connection tracking:

-A INPUT -m conntrack –ctstate INVALID -j DROP
-A INPUT -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT

And instead of blocking ICMP limiting is IMO a better way, -m limit.

By: Hamza Sani

Hamza Sani — Fri, 23 Oct 2009 09:31:14 +0000

Cyberciti is really very knowledgeable website i would like to say thank you for this.

By: ak

ak — Mon, 03 Nov 2008 03:10:19 +0000

In Drop all NULL packets,

Please correct spelling.
Change INPIT to INPUT

By: Ryan Rodriguez

Ryan Rodriguez — Thu, 14 Aug 2008 18:12:17 +0000

This would block the more common XMAS packets.

iptables -A INPUT -p tcp –tcp-flags ALL FIN,PSH,URG -j DROP

By: Matt Newcombe

Matt Newcombe — Wed, 02 Apr 2008 17:40:30 +0000

Many thanks – just what I was looking for.

Matt

By: Jlmiller

Jlmiller — Sat, 01 Mar 2008 04:51:56 +0000

Cyberciti had the answers I was looking for and the information is quite easy.

By: dhaval

dhaval — Tue, 05 Feb 2008 07:07:56 +0000

Cyberciti is the great.