random- collection of un-sorted bollocks |
git clone git://git.acid.vegas/random.git |
Log | Files | Refs | Archive |
iptables.sh (2440B)
1 ### 1: Drop invalid packets ### 2 /sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP 3 4 ### 2: Drop TCP packets that are new and are not SYN ### 5 /sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP 6 7 ### 3: Drop SYN packets with suspicious MSS value ### 8 /sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP 9 10 ### 4: Block packets with bogus TCP flags ### 11 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 12 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 13 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 14 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP 15 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP 16 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP 17 /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP 18 19 ### 5: Block spoofed packets ### 20 /sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP 21 /sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP 22 /sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP 23 /sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP 24 /sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP 25 /sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP 26 /sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP 27 /sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP 28 /sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP 29 30 ### 6: Drop ICMP (you usually don't need this protocol) ### 31 /sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP 32 33 ### 7: Drop fragments in all chains ### 34 /sbin/iptables -t mangle -A PREROUTING -f -j DROP 35 36 ### 8: Limit connections per source IP ### 37 /sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset 38 39 ### 9: Limit RST packets ### 40 /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT 41 /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP 42 43 ### 10: Limit new TCP connections per second per source IP ### 44 /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT 45 /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP