LinuxQuestions.org
Old 09-16-2005, 06:51 PM   #1
win32sux
LQ Guru

Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Bad Packet Chain (iptables) Feedback / Suggestions


Hi guys! This is what my bad packet chain has been looking like lately. I'd really appreciate any feedback/suggestions you could give me on ways to improve it and stuff. I'd also love to see your own bad packet chains if you feel like sharing them. TIA!

Code:
$IPT -A BAD_TCP_PACKETS -p TCP ! --syn -m state --state NEW -j DROP

$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL NONE -j DROP
$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL ALL -j DROP
$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags SYN,ACK NONE -j DROP
$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags RST,FIN RST,FIN -j DROP
$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags SYN,URG SYN,URG -j DROP
$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL SYN,PSH -j DROP
$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL SYN,ACK,PSH -j DROP
$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ACK,FIN FIN -j DROP
$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ACK,PSH PSH -j DROP
$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ACK,URG URG -j DROP

$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL ACK \
-m state --state NEW,RELATED -j DROP

$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL PSH,ACK \
-m state --state RELATED -j DROP

$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL RST \
-m state --state NEW,RELATED -j DROP

$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL SYN \
-m state --state ESTABLISHED -j DROP

$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL SYN,ACK \
-m state --state NEW,RELATED -j DROP

$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL FIN,ACK \
-m state --state NEW,RELATED -j DROP

$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL RST,ACK \
-m state --state RELATED -j DROP

$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL ACK,PSH,RST \
-m state --state NEW,RELATED -j DROP

$IPT -A BAD_TCP_PACKETS -p TCP --tcp-flags ALL FIN,PSH,ACK \
-m state --state NEW,RELATED -j DROP

$IPT -A BAD_TCP_PACKETS -j RETURN

$IPT -A BAD_ICMP_PACKETS -p ICMP --fragment -j DROP
$IPT -A BAD_ICMP_PACKETS -j RETURN

Last edited by win32sux; 09-16-2005 at 06:53 PM.
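An added example, not win32sux's code: a small offline model of the BAD_TCP_PACKETS chain above, so a reader can check which rule a given flag combination reaches without loading the rules into a kernel. Rule numbers are the order the post appends them; the conntrack state cannot be computed offline, so it is supplied by hand.

```python
"""Offline model of the BAD_TCP_PACKETS chain in the post above.
--tcp-flags MASK COMP matches when (flags & MASK) == COMP, and --syn is
shorthand for --tcp-flags SYN,RST,ACK,FIN SYN. Conntrack state cannot be
derived offline, so the caller supplies it (NEW, ESTABLISHED, ...)."""
FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

# The post's rules, in order: "MASK COMP [STATES]" or "! --syn STATES".
RULES = [
    "! --syn NEW",
    "ALL NONE", "ALL ALL", "ALL FIN,URG,PSH", "ALL SYN,RST,ACK,FIN,URG",
    "SYN,RST SYN,RST", "SYN,FIN SYN,FIN", "SYN,ACK NONE", "RST,FIN RST,FIN",
    "SYN,URG SYN,URG", "ALL SYN,PSH", "ALL SYN,ACK,PSH", "ACK,FIN FIN",
    "ACK,PSH PSH", "ACK,URG URG",
    "ALL ACK NEW,RELATED", "ALL PSH,ACK RELATED", "ALL RST NEW,RELATED",
    "ALL SYN ESTABLISHED", "ALL SYN,ACK NEW,RELATED",
    "ALL FIN,ACK NEW,RELATED", "ALL RST,ACK RELATED",
    "ALL ACK,PSH,RST NEW,RELATED", "ALL FIN,PSH,ACK NEW,RELATED",
]

def flag_mask(spec):
    """'SYN,ACK' -> bit mask, with ALL and NONE as iptables defines them."""
    if spec == "ALL":
        return sum(FLAG_BITS.values())
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))

def compile_rule(text):
    """Return (mask, comp, negate, states); states is None if unrestricted."""
    parts = text.split()
    if parts[:2] == ["!", "--syn"]:           # ! --syn: negate the --syn test
        mask, comp, negate = flag_mask("SYN,RST,ACK,FIN"), flag_mask("SYN"), True
        rest = parts[2:]
    else:
        mask, comp, negate = flag_mask(parts[0]), flag_mask(parts[1]), False
        rest = parts[2:]
    return mask, comp, negate, (set(rest[0].split(",")) if rest else None)

def first_drop(flags, state):
    """1-based index of the first rule dropping the packet, or None (RETURN)."""
    bits = flag_mask(flags) if isinstance(flags, str) else flags
    for index, text in enumerate(RULES, 1):
        mask, comp, negate, states = compile_rule(text)
        if ((bits & mask) == comp) != negate and (states is None or state in states):
            return index
    return None

def reachable(state):
    """Rules that can fire at all for one conntrack state, over all 64 flag sets."""
    return sorted({first_drop(bits, state) for bits in range(64)} - {None})
```

`reachable("NEW")` returns `[1, 10, 11]`: because rule 1 already drops every NEW packet that is not a clean SYN, only the SYN,URG and SYN,PSH rules can still fire for NEW packets, and the remaining flag rules only matter for packets conntrack places in another state (for example `first_drop("FIN,URG,PSH", "INVALID")` is 4).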
 
Old 09-17-2005, 07:32 AM   #2
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Here is what I grabbed from a script on the net; it has some good logging chains as well.


## Flood Variables
##
##
## Overall Limit for TCP-SYN-Flood detection

TCPSYNLIMIT="5/s"

## Burst Limit for TCP-SYN-Flood detection

TCPSYNLIMITBURST="10"

## Overall Limit for Logging in Logging-Chains

LOGLIMIT="2/s"

## Burst Limit for Logging in Logging-Chains

LOGLIMITBURST="10"

## Overall Limit for Ping-Flood-Detection

PINGLIMIT="5/s"

## Burst Limit for Ping-Flood-Detection

PINGLIMITBURST="10"

## Invalid packets (not ESTABLISHED,RELATED or NEW)

$IPTABLES -N LOGINVALID
$IPTABLES -A LOGINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP "
$IPTABLES -A LOGINVALID -j DROP

## TCP-Packets with one or more bad flags

$IPTABLES -N LOGBADFLAG
$IPTABLES -A LOGBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
$IPTABLES -A LOGBADFLAG -j DROP

## Logging of possible TCP-SYN-Floods

$IPTABLES -N LOGSYNFLOOD
$IPTABLES -A LOGSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
$IPTABLES -A LOGSYNFLOOD -j DROP

## Logging of possible Ping-Floods

$IPTABLES -N LOGPINGFLOOD
$IPTABLES -A LOGPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
$IPTABLES -A LOGPINGFLOOD -j DROP

## All other dropped packets

$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
$IPTABLES -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
$IPTABLES -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
$IPTABLES -A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
$IPTABLES -A LOGDROP -j DROP

## TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in

$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LOGSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

## CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

$IPTABLES -N CHECKBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags FIN,RST FIN,RST -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ACK,FIN FIN -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ACK,PSH PSH -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ACK,URG URG -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp -j TCPACCEPT

# Inbound ICMP/Traceroute

$IPTABLES -N ICMPINBOUND
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LOGPINGFLOOD
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type host-precedence-violation -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type precedence-cutoff -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type source-quench -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type network-redirect -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type host-redirect -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type TOS-network-redirect -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type TOS-host-redirect -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type fragmentation-needed -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type router-advertisement -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type router-solicitation -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT

#Outbound ICMP/Traceroute

$IPTABLES -N ICMPOUTBOUND
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT

Last edited by fotoguy; 09-17-2005 at 07:33 AM.
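An added example, not part of fotoguy's script or its source: a Python model of how the TCPACCEPT and LOGSYNFLOOD chains above behave under a burst of SYNs, using the limits from the script (TCPSYNLIMIT 5/s burst 10, LOGLIMIT 2/s burst 10). The packet timings are constructed, and the bucket arithmetic is an idealised version of xt_limit rather than the kernel's jiffy-based code.

```python
"""Model of the post's TCPACCEPT / LOGSYNFLOOD chains (added example).
xt_limit is a token bucket: --limit-burst tokens to start, refilled at
--limit per second; a packet matches when a whole token is available.
This is an idealised model in integer milliseconds, not the kernel's
jiffy-based code, so real counts may differ by a packet or two."""

class Limit:
    """One '-m limit --limit RATE/s --limit-burst BURST' match."""
    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec              # credits gained per millisecond
        self.cap = burst * 1000               # 1000 credits == one token
        self.credit, self.last_ms = self.cap, None

    def match(self, now_ms):
        if self.last_ms is not None:
            self.credit = min(self.cap, self.credit + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.credit >= 1000:
            self.credit -= 1000
            return True
        return False

def run_tcpaccept(syn_times_ms, syn_limit="5/s", syn_burst=10,
                  log_limit="2/s", log_burst=10):
    """Feed SYN arrival times through TCPACCEPT; return (accepted, logged, silent).

    TCPACCEPT: --syn -m limit -> ACCEPT; remaining --syn -> LOGSYNFLOOD,
    which LOGs under its own limit and then DROPs everything. Only the
    per-second rates used in the post are parsed here.
    """
    accept = Limit(int(syn_limit.split("/")[0]), syn_burst)
    log = Limit(int(log_limit.split("/")[0]), log_burst)
    accepted = logged = silent = 0
    for t in syn_times_ms:
        if accept.match(t):
            accepted += 1
        elif log.match(t):       # LOGSYNFLOOD: LOG line emitted, then DROP
            logged += 1
        else:                    # LOG limit exhausted: dropped with no trace
            silent += 1
    return accepted, logged, silent

# Constructed input: 100 SYNs arriving 10 ms apart within one second.
BURST_100 = [10 * i for i in range(100)]

if __name__ == "__main__":
    a, l, s = run_tcpaccept(BURST_100)
    print(f"accepted={a} logged={l} silently_dropped={s}")
```

For the constructed 100-SYN second the model accepts 14, logs 11 and drops 75 with no log line at all, so a count of `fp=SYNFLOOD` lines in syslog is a floor on the size of a flood, not a measurement of it.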