====== IPTABLES ======

Stateful and powerful firewall.\\

==== Enable for SSH Bruteforce Prevention ====

This is not a 100% foolproof setup, as it does not block based on the result of authentication.\\
It just works based on connection attempts.\\

=== Simple Rules ===

<code bash>
iptables -N BRTBLK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRTBLK
iptables -A BRTBLK -m recent --set --name SSH
iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP
</code>

=== Rules With Exceptions ===

Replace ''<your-IP>'' with your IP.\\
You can use multiple rules with different IPs to allow exceptions.

<code bash>
iptables -N BRTBLK
iptables -A INPUT -p tcp --dport 22 -s <your-IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRTBLK
iptables -A BRTBLK -m recent --set --name SSH
iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP
</code>

=== Rules to Log Blocked IP ===

<code bash>
iptables -N BRTBLK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRTBLK
iptables -A BRTBLK -m recent --set --name SSH
iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j LOG --log-level info --log-prefix "Bad IP : "
iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP
</code>

==== Force SYN packets check ====

Make sure NEW incoming TCP connections are SYN packets; otherwise we need to drop them:

<code bash>
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
</code>

==== Force Fragments packets check ====

Drop incoming fragmented packets. Fragment attacks can result in a Linux server panic and data loss.

<code bash>
iptables -A INPUT -f -j DROP
</code>

==== XMAS packets ====

Drop incoming malformed XMAS packets:

<code bash>
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
</code>

==== Drop all NULL packets ====

Drop incoming malformed NULL packets:

<code bash>
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
</code>

==== xt_recent ====

In the latest versions ipt_recent has been replaced by xt_recent.\\
There are a few changes which could break your iptables rules.\\
In order to make SSH bruteforce protection work, please use the following rules.\\
This also affects Fedora 15 and the latest iptables / kernel.

<code>
:SSH - [0:0]
:BRTBLK - [0:0]
-A INPUT -p tcp -m multiport --dports 21,22 -m recent --update --seconds 8600 --name SSH_BAN --rsource -j DROP
-A INPUT -p tcp -m multiport --dports 21,22 -m state --state NEW -j BRTBLK
-A SSH -m limit --limit 5/min -j LOG --log-prefix "BAD IP: " --log-level 4
-A SSH -m recent --set --name SSH_BAN --rsource -j DROP
-A BRTBLK -m recent --set --name BRT --rsource
-A BRTBLK -m recent --update --seconds 600 --hitcount 16 --name BRT --rsource -j SSH
-A BRTBLK -m recent --update --seconds 60 --hitcount 4 --name BRT --rsource -j SSH
-A BRTBLK -j ACCEPT
</code>

Now try to login to the box 4 times quickly to test.\\
For more advanced options please visit [[http://www.thatsgeeky.com/2011/02/escalating-consequences-with-iptables/ | Th4tsG33ky]]
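The LOG rules above (prefix ''Bad IP : '' in the dport-22 ruleset, ''BAD IP: '' in the xt_recent ruleset) only write kernel log lines; the script below is an added example, not part of this page, that summarises those lines per source address. It assumes the standard netfilter LOG line format with a ''SRC='' field and uses constructed sample log lines with RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original page): count how often each source IP
# has been tagged by the BRTBLK LOG rule. Reads log text on stdin and prints
# "<hits> <ip>" per source, most hits first. Needs only POSIX sh, awk, sort.

# Constructed sample kernel log lines in the format the netfilter LOG target
# writes (addresses are documentation ranges, not real hosts). The last line
# is an unrelated sshd entry and must be ignored.
SAMPLE_LOG='Jun  1 10:00:01 bastion kernel: Bad IP : IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=50001 DPT=22 SYN
Jun  1 10:00:03 bastion kernel: Bad IP : IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=50002 DPT=22 SYN
Jun  1 10:00:04 bastion kernel: Bad IP : IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 PROTO=TCP SPT=40010 DPT=22 SYN
Jun  1 10:00:05 bastion kernel: Bad IP : IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=50003 DPT=22 SYN
Jun  1 10:00:06 bastion sshd[2201]: Accepted publickey for ops from 198.51.100.9 port 55000 ssh2'

# blocked_ip_summary [prefix]: keep only lines carrying the LOG prefix
# (default is the page's "Bad IP : "), pull the SRC= field, count per IP,
# and sort by hit count descending.
blocked_ip_summary() {
    prefix="${1:-Bad IP : }"
    awk -v p="$prefix" '
        index($0, p) == 0 { next }        # not written by our LOG rule
        {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") { hits[substr($i, 5)]++; break }
        }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# top_blocked_ip [prefix]: just the address with the most LOG hits.
top_blocked_ip() {
    blocked_ip_summary "$1" | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run over the constructed sample: prints "3 203.0.113.5" then "1 192.0.2.77".
printf '%s\n' "$SAMPLE_LOG" | blocked_ip_summary
```

For the xt_recent ruleset pass its prefix explicitly, e.g. ''blocked_ip_summary "BAD IP: "''; in practice feed it ''journalctl -k'' or ''/var/log/kern.log'' instead of the sample.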