Mailinglist Archive: opensuse-security (556 mails)
Re: [suse-security] filtering ports
- From: Togan Muftuoglu <toganm@xxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 26 Sep 2001 22:48:38 +0300
- Message-id: <20010926224838.A9813@xxxxxxxx>
* Michael Neumann; <mn@xxxxxx> on 26 Sep, 2001 wrote:
> Hi all,
>
> I use iptables as a firewall on my local machine to filter any incoming
^^^^^^^^^^^
> filtered. I have tried with DENY and REJECT but got the same report.
>
DENY is now DROP.
The below is from the SENTRY Firewall CD:
## Assumed by this excerpt but set elsewhere in the CD's firewall script:
## the iptables binary and the syslog level used by the LOG target.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
LOG_LEVEL=${LOG_LEVEL:-info}
## The chain only takes effect once another chain jumps to it, e.g. from
## INPUT ($IPTABLES -A INPUT -p tcp -j CHECK_FLAGS); that rule is not part
## of this excerpt.
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS
##------------------------------------------------------------------------##
## NMAP FIN/URG/PSH ("Xmas" probe): with mask ALL, only a segment carrying
## exactly FIN, URG and PSH (and no other flag) matches. Log at most 5/minute,
## then drop unconditionally.
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "NMAP-XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## SYN/RST: mask and comparison are both SYN,RST, so a segment with both set
## matches regardless of its other flags. Never valid in normal TCP.
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## SYN/FIN -- Scan (probably); same mask/comparison pattern as above.
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
--limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## Make some types of port scans annoyingly slow; these also provide some
## protection against certain DoS attacks. The rule in chain KEEP_STATE
## referring to the INVALID state should catch most TCP packets with the
## RST or FIN bits set that aren't associated with an established connection.
## Still, these will limit the amount of stuff that is accepted through our
## open ports (if any). I suggest you test these for your configuration before
## you uncomment them, as they could cause problems.
# $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL RST -j ACCEPT
# $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL FIN -j ACCEPT
# $IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p tcp --tcp-flags ALL SYN -j ACCEPT
##------------------------------------------------------------------------##
--
Togan Muftuoglu
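Added here as an illustration, not code from the post or from the SENTRY Firewall CD: a Python model of the --tcp-flags MASK COMP test that the CHECK_FLAGS rules rely on, walked over constructed packets. It shows why the ALL mask on the Xmas rule matches only a segment with exactly FIN, URG and PSH set (an Xmas probe that also carries ACK falls through), while the SYN,RST and SYN,FIN rules ignore the remaining bits; the -m limit throttling of the LOG rules is not modelled, since the DROP that follows each LOG is unconditional.

```python
from typing import Dict, List, Optional, Tuple

# TCP flag bits under the names iptables uses.
FLAGS: Dict[str, int] = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}
# iptables' ALL keyword covers exactly these six flags; NONE is the empty set.
ALL = sum(FLAGS.values())


def parse_flags(spec: str) -> int:
    """Turn a flag list such as 'SYN,FIN', or the keywords ALL/NONE, into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))


def tcp_flags_match(mask: str, comp: str, packet_flags: int) -> bool:
    """--tcp-flags MASK COMP: look only at the flags named in MASK and require
    that exactly the flags in COMP are set among them (all other masked bits clear)."""
    return (packet_flags & parse_flags(mask)) == parse_flags(comp)


# The three LOG+DROP pairs of the CHECK_FLAGS chain in the post, as
# (mask, comp, log-prefix), in chain order.
CHECK_FLAGS: List[Tuple[str, str, str]] = [
    ("ALL", "FIN,URG,PSH", "NMAP-XMAS:"),
    ("SYN,RST", "SYN,RST", "SYN/RST:"),
    ("SYN,FIN", "SYN,FIN", "SYN/FIN:"),
]


def check_flags(packet_flags: int) -> Optional[str]:
    """Walk the chain in order; return the log prefix of the rule that DROPs
    the packet, or None when it falls through (RETURN to the calling chain)."""
    for mask, comp, prefix in CHECK_FLAGS:
        if tcp_flags_match(mask, comp, packet_flags):
            return prefix
    return None


if __name__ == "__main__":
    # Constructed sample segments: a bare SYN passes, an Xmas probe is dropped,
    # an Xmas probe that also carries ACK slips past the ALL mask, a NULL scan passes.
    for label, spec in [("syn", "SYN"), ("xmas", "FIN,URG,PSH"),
                        ("xmas+ack", "FIN,URG,PSH,ACK"), ("null", "NONE")]:
        print(f"{label:9s} -> {check_flags(parse_flags(spec)) or 'pass'}")
```

Note that a flag-less (NULL) segment is not caught by any of the three rules; that case is what the KEEP_STATE INVALID rule the comments refer to would have to handle.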