

      1 ### 1: Drop invalid packets ### 
      2 /sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP  
      3 
      4 ### 2: Drop TCP packets that are new and are not SYN ### 
      5 /sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP 
      6  
      7 ### 3: Drop SYN packets with suspicious MSS value ### 
      8 /sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP  
      9 
     10 ### 4: Block packets with bogus TCP flags ### 
     11 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
     12 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
     13 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
     14 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
     15 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
     16 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
     17 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
     18 
     19 ### 5: Block spoofed packets ### 
     20 /sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP 
     21 /sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP 
     22 /sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP 
     23 /sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP 
     24 /sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP 
     25 /sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP 
     26 /sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP 
     27 /sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP 
     28 /sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP  
     29 
     30 ### 6: Drop ICMP (you usually don't need this protocol) ### 
     31 /sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP  
     32 
     33 ### 7: Drop fragments in all chains ### 
     34 /sbin/iptables -t mangle -A PREROUTING -f -j DROP  
     35 
     36 ### 8: Limit connections per source IP ### 
     37 /sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset  
     38 
     39 ### 9: Limit RST packets ### 
     40 /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT 
     41 /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP  
     42 
     43 ### 10: Limit new TCP connections per second per source IP ### 
     44 /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT 
     45 /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP