After a LOT of studying iptables, one thing I'm not quite certain about is suitable limit rates for SYN, LOG & ping flood prevention. I suppose it depends a bit on traffic, as well as bandwidth. However, I don't want to limit the former. FWIW, I expect about as much traffic as a country road in the middle of nowhere, and my bandwidth for requests is 15 Mbps (Don't laugh. Content delivery is a pathetic 2 Mbps. That's a residential cable connection for ya...)
Of all the tutorials/examples, I chose to go with Rusty Russell's limits, though they're dated 2002. Thus an excerpt of my firewall "script":

```bash
# Saved in /etc/init.d, runlevels 2 3 4 5
# Set default (OPEN) chain policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# ... <- ESTABLISHED,RELATED :)
# Prevent NEW packets without SYN set
iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 1/s -j LOG --log-prefix "iptables: NEW not SYN "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Prevent SYN floods
iptables -N normal
iptables -A INPUT -p tcp --syn -m state --state NEW -m limit --limit 1/s -j normal
# Allow inbound session requests
iptables -A normal -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A normal -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Allow helpful ICMP messages
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -m limit --limit 1/s -j ACCEPT
# Log everything else inbound before DROP default (LOG target was missing here)
iptables -A INPUT -m limit --limit 1/s -j LOG --log-prefix "iptables: DROP "
```
Thoughts? I will say that it really puts the brakes on Nmap. I am a bit concerned, though, that someone from Canada keeps sniffing my ports, eh.
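For comparison, here is an added example in the same shape as the rule set above. It is not the poster's script and not taken from Rusty Russell's document; the rates, the `hashlimit` per-source ceiling, the `conntrack` match in place of `state`, and the dry-run default are my own choices. It shows the two things a bare global `-m limit --limit 1/s` on SYN lacks: a `--limit-burst` so a handful of legitimate connections arriving together are not pushed into the final LOG/DROP, and a per-source-address ceiling so one flooding host exhausts its own budget rather than everyone's. Every LOG is followed by an explicit DROP, since LOG is a non-terminating target.

```bash
#!/bin/sh
# Added example (not from the original post): a SYN/ICMP/LOG rate-limited INPUT
# chain with a burst allowance and a per-source ceiling.
# Dry-run by default: prints the iptables commands. Run as root with
# IPT=iptables to actually apply them.
IPT="${IPT:-echo iptables}"

# Constructed values for this example; tune to your own traffic.
SYN_RATE="${SYN_RATE:-25/s}"        # global budget for new SYNs
SYN_BURST="${SYN_BURST:-50}"        # SYNs allowed in a burst before the rate bites
PER_IP_RATE="${PER_IP_RATE:-5/s}"   # new SYNs per second per source address
LOG_RATE="2/s"                      # ceiling on log lines, so a flood cannot fill the log

build_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to our own connections, and INVALID state (bad sequence numbers etc.)
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # NEW packets without SYN: log (rate-limited) then drop
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW \
        -m limit --limit "$LOG_RATE" -j LOG --log-prefix "iptables: NEW not SYN "
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # Per-source SYN ceiling: a single address above PER_IP_RATE is dropped,
    # while every other address still gets through.
    $IPT -A INPUT -p tcp --syn -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name syn_per_ip --hashlimit-mode srcip \
        --hashlimit-above "$PER_IP_RATE" --hashlimit-burst 10 -j DROP

    # Global SYN budget with a burst allowance; anything over it falls through
    # to the final LOG/DROP pair below.
    $IPT -N normal
    $IPT -A INPUT -p tcp --syn -m conntrack --ctstate NEW \
        -m limit --limit "$SYN_RATE" --limit-burst "$SYN_BURST" -j normal
    $IPT -A normal -p tcp --dport 80 -j ACCEPT
    $IPT -A normal -p tcp --dport 443 -j ACCEPT

    # Echo request, rate-limited with a small burst so a normal ping works
    $IPT -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 1/s --limit-burst 5 -j ACCEPT

    # Log then drop everything else. LOG does not terminate rule traversal,
    # so the DROP is what actually enforces the policy.
    $IPT -A INPUT -m limit --limit "$LOG_RATE" -j LOG --log-prefix "iptables: DROP "
    $IPT -A INPUT -j DROP
}

build_rules
```

Run it once without `IPT` set to read the generated rules, then with `IPT=iptables` once they look right. The `hashlimit` rule sits before the global `limit` rule on purpose: a flooder is dropped by its own per-address bucket and never consumes the shared SYN budget.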