LinuxQuestions.org
11-06-2006, 09:14 PM   #1
Blackout_08, Member (Registered: Jan 2004, Posts: 35)

Iptables help FC5

I want to implement iptables using FC5. I attempted to use Fwbuilder but it was complicated and I was unable to use it.

I'm on a machine using IP 10.0.23.1 255.255.0.0.
It is static. What I must accomplish is:
- Blacklist (drop packets from) any host that performs a port scan
- Blacklist any host attempting to use an illegal HTTP method (such as PUT or DELETE)
- Limit packets to any one host to a max of 10% of the available bandwidth
- Log information about any host which transfers more than 100kb in one connection (don't block, just log)
- Fingerprint and log the machine type of any host sending a packet to a port on which no service is running.

If someone can provide me with some help that would be great; syntax even better. Like I said, I'm using iptables (netfilter).

11-07-2006, 06:12 AM   #2
unSpawn, Moderator (Registered: May 2001, Posts: 29,415, Blog Entries: 55)

- Blacklist (drop packets from) any host that performs a port scan
Iptables has no concept of what is a "port scan". Use for instance Snort (IDS) with the Guardian add-on. If you want to blacklist IP addresses or ranges from a static list without criteria you can do something like "cat list | while read ip; do iptables -A INPUT -s $ip -j DROP; done". If you want dynamic blocking you can define criteria with Iptables rules and then let those packets flow through iptables "recent" or "hashlimit" module rules.


- Blacklist any host attempting to use an illegal HTTP method (such as PUT or Delete)
Iptables has no concept of what is an "HTTP method". Block these in your webserver's configuration file. Also check out "mod_evasive" and "mod_security2".


- Limit packets to any one host to a max of 10% of the available bandwidth
Bandwidth management or shaping is the domain of "tc" from the "iproute2" package. Searching LQ for "bandwidth shaping" should turn up a lot of helpful threads.


- Log information about any host which transfers more than 100kb in one connection (don't block, just log)
LQ should already have some threads on bandwidth accounting. Try searching please. For this and shaping: if you do not want to build rulesets by hand yourself search Freshmeat and Sourceforge for tools for doing this for you.


- Fingerprint and log the machine type of any host sending a packet to a port on which no service is running.
Invoking active fingerprinting of a remote system is a nice way for others to actually make your machine DoS itself to death. Nice ;-p And what good is remote system information? Not a lot. Defaulting to a "deny" policy, not forwarding traffic if not necessary and only opening up necessary ports is the best (less exposure) way to start.


Please check out the LQ FAQ: Security references post #2 "Netfilter, firewall, Iptables, Ipchains, DoS, DDoS" for generic Iptables tutorials, script repos and more.
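A dry-run version of the static blacklist loop and the "recent"/"hashlimit" approach from the reply above, as an added example that is not the thread's own code: it prints the iptables commands it would run, so you can review the ruleset before applying it with IPT=iptables. The offered services (ports 22 and 80), the one-hour ban and the rate limits are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands (dry run);
# run with IPT=iptables to apply them. Ports 22/80 are assumed services.
set -eu
IPT="${IPT:-echo iptables}"

# A blacklist line is accepted only as a dotted-quad IPv4 address or CIDR.
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Static blacklist from a file, one address or CIDR per line, '#' comments
# allowed. Unlike a bare "cat list | while read ip", this skips blanks and
# comments and refuses entries that would produce a malformed rule.
blacklist_from_file() {
    grep -v '^[[:space:]]*#' "$1" | while read -r ip rest; do
        [ -n "$ip" ] || continue
        if valid_ip "$ip"; then
            $IPT -A INPUT -s "$ip" -j DROP
        else
            echo "skipping invalid blacklist entry: $ip" >&2
        fi
    done
}

# Dynamic blocking with the "recent" module under a default-deny policy:
# a source whose SYN reaches a port nothing listens on is remembered,
# logged (rate-limited) and dropped for an hour. No port-scan detector is
# needed; the closed port itself is the criterion. Source addresses can be
# spoofed, so keep the timeout short and accept your own gateway first.
dynamic_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m recent --name PORTSCAN --rcheck --seconds 3600 -j DROP
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    # hashlimit: per-source connection rate cap on the web port; real
    # per-host bandwidth shaping belongs to tc, as the reply says.
    $IPT -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-name WEB \
        --hashlimit-mode srcip --hashlimit-upto 50/sec --hashlimit-burst 100 \
        -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j DROP
    $IPT -A INPUT -p tcp --syn -m recent --name PORTSCAN --set
    $IPT -A INPUT -p tcp --syn -m limit --limit 5/min \
        -j LOG --log-prefix "closed-port: "
}

dynamic_rules
```

The order matters: the --rcheck rule sits before the service ACCEPTs so a remembered source stays blocked on every port, and the --set rule sits after them so only traffic to closed ports lands on the list.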