Differences

This shows you the differences between two versions of the page.

--- iptables [2009/07/02 18:46] – created k2patel
+++ iptables [2020/08/10 02:35] (current) – external edit 127.0.0.1
@@ Line 10: / Line 10: @@
 <code bash>
 iptables -N BRTBLK
-iptables -A INPUT -p tcp --dport 22 -m state –state NEW -j BRTBLK
+iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRTBLK
-iptables -A BRTBLK -m recent –set –name SSH
+iptables -A BRTBLK -m recent --set --name SSH
-iptables -A BRTBLK -m recent –update –seconds 45 –hitcount 5 –name SSH -j DROP
+iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP
 </code>
@@ Line 21: / Line 21: @@
 <code bash>
 iptables -N BRTBLK
-iptables -A INPUT -p tcp –dport 22 -s <Exception> -j ACCEPT
+iptables -A INPUT -p tcp --dport 22 -s <Exception> -j ACCEPT
-iptables -A INPUT -p tcp --dport 22 -m state –state NEW -j BRTBLK
+iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRTBLK
-iptables -A BRTBLK -m recent –set –name SSH
+iptables -A BRTBLK -m recent --set --name SSH
-iptables -A BRTBLK -m recent –update –seconds 45 –hitcount 5 –name SSH -j DROP
+iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP
 </code>
@@ Line 31: / Line 31: @@
 <code bash>
 iptables -N BRTBLK
-iptables -A INPUT -p tcp --dport 22 -m state –state NEW -j BRTBLK
+iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRTBLK
-iptables -A BRTBLK -m recent –set –name SSH
+iptables -A BRTBLK -m recent --set --name SSH
-iptables -A BRTBLK -m recent –update –seconds 45 –hitcount 5 –name SSH -j LOG --log-level info --log-prefix "Bad IP : "
+iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j LOG --log-level info --log-prefix "Bad IP : "
-iptables -A BRTBLK -m recent –update –seconds 45 –hitcount 5 –name SSH -j DROP
+iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP
 </code>
+==== Force SYN packets check ====
+Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:
+<code bash>
+iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
+</code>
+==== Force Fragments packets check ====
+Packets with incoming fragments drop them. This attack result into Linux server panic such data loss.
+<code bash>
+iptables -A INPUT -f -j DROP
+</code>
+==== XMAS packets ====
+Incoming malformed XMAS packets drop them:
+<code bash>
+iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+</code>
+==== Drop all NULL packets ====
+Incoming malformed NULL packets:
+<code bash>
+iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+</code>
+==== xt_recent ====
+In latest version ipt_recent replaced by xt_recent.\\
+there is few change which could break your iptables rules.\\
+In order to make ssh bruteforce protection working please use following rules.\\
+this also effect Fedora 15 and latest iptables / kernel
+<code bash>
+:SSH - [0:0]
+:BRTBLK - [0:0]
+-A INPUT -p tcp -m multiport --dports 21,22 -m recent --update --seconds 8600 --name SSH_BAN --rsource -j DROP
+-A INPUT -p tcp -m multiport --dports 21,22 -m state --state NEW -j BRTBLK
+-A SSH -m limit --limit 5/min -j LOG --log-prefix "BAD IP: " --log-level 4
+-A SSH -m recent --set --name SSH_BAN --rsource -j DROP
+-A BRTBLK -m recent --set --name BRT --rsource
+-A BRTBLK -m recent --update --seconds 600 --hitcount 16 --name BRT --rsource -j SSH
+-A BRTBLK -m recent --update --seconds 60 --hitcount 4 --name BRT --rsource -j SSH
+-A BRTBLK -j ACCEPT
+</code>
+Now try to login to box 4 times quickly to test.\\
+For more advanced Options please visit [[http://www.thatsgeeky.com/2011/02/escalating-consequences-with-iptables/ | Th4tsG33ky]]