Dear all:

I have make iptables in my server like this...

#!/bin/sh

# Kernel monitoring support
# More information:
# /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
# http://www.linuxgazette.com/book/view/1645
# http://www.spirit.com/Network/net0300.html

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


iptables -A INPUT -p tcp -m multiport --dport 20,21,22,25,53,110,143,80,5222,9090,10000 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

#iptables -A INPUT -p icmp --icmp-type echo-request -s 192.168.1.102 -d 192.168.1.10 -m limit --limit 1/m --limit-burst 10 -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type echo-request -s 192.168.1.102 -d 192.168.1.10 -m limit --limit 1/m --limit-burst 10 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -s 192.168.1.102 -d 192.168.1.10 -m limit --limit 1/m --limit-burst 10 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -s 192.168.1.10 -d 192.168.1.102 -j ACCEPT


#iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


#LOG
iptables -A FORWARD -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** FORWARD DROP**' --log-level debug
iptables -A INPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** INPUT DROP**' --log-level debug
iptables -A OUTPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** OUTPUT DROP**' --log-level debug


iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


HOw about your opinion, is good configuration??

If port 10000 is open for the webmin service, I would seriously consider removing that port from the list. If you need access to that port through an untrusted network, then I would use ssh port forwarding to attach to it through the localhost interface. If any vulnerabilities are ever uncovered in the webmin httpd service, you're protecting it from unauthorized access with only a minor inconvenience of having to ssh to the box first.

What is 5222,9090 for?

Personally I don't like using DROP as a policy for the default chains.
Dropping packets makes it too obvious that you're filtering.

It doesn't add any security but it follows the RFCs for "proper network communication" to use REJECT with the proper options.

Thus, I reject TCP-packets with a tcp-reset, UDP-packets with an icmp-port-unreachable and everything else with icmp-proto-unreachable.
That's the way an unfiltered box will react if packets are received on closed ports/unavailable protocols.

As said, it doesn't add to the security, but it also doesn't lessen it.

Edit: Why do you add any rules to the FORWARD-chain? Do you route anything through that box? If not, which I suspect, these rules are useless.

thanks for all contribution
Now I have change like this..

I create two files ddos.sh to protect form DDOS
this is the script

#!/bin/bash
FILE="/tmp/drop.lasso"
URL="http://www.spamhaus.org/drop/drop.lasso"
cd /tmp
wget $URL
#iptables policy di hapus
iptables -F
#jalankan policy yang sudah ada
/root/iptables/netfilter.sh
blocks=$(cat $FILE | egrep -v '^;' | awk '{ print $1}')
iptables -N droplist
for ipblock in $blocks
do
iptables -A droplist -s $ipblock -j LOG --log-prefix "DROP List Block"
iptables -A droplist -s $ipblock -j DROP
done
iptables -I INPUT -j droplist
iptables -I OUTPUT -j droplist
iptables -I FORWARD -j droplist
echo "...Done"
/bin/rm -f $FILE


And netfilter.sh like this

# Flush all chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT



iptables -A INPUT -p tcp -m multiport --dport 25,53,110,143,80 -m state --state NEW -j ACCEPT

iptables -A INPUT -p tcp -m multiport -s 119.235.20.42 -d 119.235.20.119 --dport 20,21,22,9090,10000 -m state --state NEW -j ACCEPT

iptables -A INPUT -p udp --dport 53 -j ACCEPT

#iptables -A INPUT -p icmp --icmp-type echo-request -s 192.168.1.102 -d 192.168.1.10 -m limit --limit 1/m --limit-burst 10 -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type echo-request -s 192.168.1.102 -d 192.168.1.10 -m limit --limit 1/m --limit-burst 10 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -s 0/0 -d 119.235.20.242 -m limit --limit 1/m --limit-burst 10 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -s 0/0 -d 119.235.20.242 -j ACCEPT


#iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


#LOG
iptables -A FORWARD -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** FORWARD DROP**' --log-level debug
iptables -A INPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** INPUT DROP**' --log-level debug
iptables -A OUTPUT -m limit --limit 2/m --limit-burst 2 -j LOG --log-prefix '** OUTPUT DROP**' --log-level debug


iptables -P INPUT REJECT
iptables -P OUTPUT REJECT
iptables -P FORWARD REJECT


# not port 9090 for wildfire

is it secure if I implemented in my server???