LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-12-2006, 08:22 PM   #1
Blackout_08
Member
 
Registered: Jan 2004
Posts: 35

Rep: Reputation: 15
IPtables help


i need to create a script that implements iptables for the INPUT chain for host 142.204.2.2 (the source) that prevents the follwing scans:

a) TCP SYN scan
b) TCP UDP scan
c) TCP FIN scan
d) TCP Xmas Tree scan
e) TCP null scan

I also need the nmap commands that perform the scans and save the results to syn.scan, udp.scan, fin.scan, xmas.scan, and null.scan respectively.

Help would be greatly appreciated
 
Old 12-12-2006, 08:49 PM   #2
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
Pulled this from my firewall script.
Code:
###############################################################################
## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
## TCP flags set.

  ## We set some limits here to limit the amount of crap that gets sent to the logs.
  ## Keep in mind that these rules should never match normal traffic, they
  ## are designed to capture obviously messed up packets... but there's alot of
  ## wierd shit out there, so who knows.

	$IPTABLES -N CHECK_FLAGS
	$IPTABLES -F CHECK_FLAGS

   ##------------------------------------------------------------------------##
   ## NMAP FIN/URG/PSH
	$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
		--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "NMAP-XMAS:"
	$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
   ##------------------------------------------------------------------------##

   ##------------------------------------------------------------------------##
   ## SYN/RST
	$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
		--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/RST:"
	$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
   ##------------------------------------------------------------------------##

   ##------------------------------------------------------------------------##
   ## SYN/FIN -- Scan(probably)
	$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
		--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/FIN:"
	$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
   ##------------------------------------------------------------------------##

   ##------------------------------------------------------------------------##
   ## Make some types of port scans annoyingly slow, also provides some
   ## protection against certain DoS attacks. The rule in chain KEEP_STATE
   ## referring to the INVALID state should catch most TCP packets with the
   ## RST or FIN bits set that aren't associate with an established connection.
   ## Still, these will limit the amount of stuff that is accepted through our
   ## open ports(if any).  I suggest you test these for your configuration before
   ## you uncomment them, as they could cause problems.

#	$IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL RST -j ACCEPT
#	$IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL FIN -j ACCEPT
#	$IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL SYN -j ACCEPT
   ##------------------------------------------------------------------------##
Many of these answers can be found search the links here and looking at the firewall scripts. http://www.linuxguruz.com/iptables/

Other links I found from a quick search on google. Many listed there.
http://www.linuxjournal.com/article/4876
http://www.linuxforums.org/forum/lin...iguration.html
http://www.linuxguruz.com/iptables/s...rewall_023.txt

Check out this link to build your own firewall script based on info you provide. Not sure if defaults have scan blocking. If not refer to other links here to add and fine tune. http://easyfwgen.morizot.net/gen/

Brian

Last edited by Brian1; 12-12-2006 at 08:51 PM.
 
Old 12-12-2006, 09:04 PM   #3
Blackout_08
Member
 
Registered: Jan 2004
Posts: 35

Original Poster
Rep: Reputation: 15
ok so my rules would be?

#Prevent TCP FIN scan
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -j DROP

#Prevent TCP SYN scan
$IPTABLES -A INPUT -p tcp --tcp-flags SYN -j DROP

#Prevent UDP scan
$IPTABLES -A INPUT -p udp -j DROP

??? is that correct
 
Old 12-13-2006, 04:09 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
no, they would go something like this IIRC:
Code:
# TCP FIN Scan:
$IPT -I INPUT -p TCP --tcp-flags ALL FIN -j DROP

# TCP XMAS Scan:
$IPT -I INPUT -p TCP --tcp-flags ALL FIN,URG,PSH -j DROP

# TCP NULL Scan:
$IPT -I INPUT -p TCP --tcp-flags ALL NONE -j DROP
i'm not sure how one would filter a TCP SYN scan, and i'm not sure what you mean by "TCP UDP" scan, so i can't help you with those...

as for performing these scans from nmap:

SYN is like "nmap -sS [...]"

FIN is like "nmap -sF [...]"

XMAS is like "nmap -sX [...]"

NULL is like "nmap -sN [...]"

check the nmap manpage to make sure (and to learn other scans)...

just my ...


PS: keep in mind that you'll need to add a "-s 142.204.2.2" to the rules if you want them to apply only to packets with that source address...

Last edited by win32sux; 12-13-2006 at 06:40 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
An error occured getting IPtables status from the command /etc/rc.d/init.d/iptables s CrazyMAzeY Linux - Newbie 10 08-12-2010 06:25 AM
iptables v1.2.9: Unknown arg `/sbin/iptables' Try `iptables -h' or 'iptables --help' Niceman2005 Linux - Security 4 12-29-2005 09:20 PM
Iptables - Couldn't load target `ACCPET':/lib/iptables/libipt_ACCPET.so: z00t Linux - Security 3 01-26-2004 03:24 AM
IPtables Log Analyzer from http://www.gege.org/iptables/ brainlego Linux - Software 0 08-11-2003 07:08 AM
My iptables script is /etc/sysconfig/iptables. How do i make this baby execute on boo ForumKid Linux - General 3 01-22-2002 08:36 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:03 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration