[svlug] iptables syn flood etc

George Georgalis georgw at galis.org
Mon Jan 13 09:47:23 PST 2003


I'm updating my iptables rulesets to include scan detection
and syn flood blocking, working from examples in this archive
http://galis.org/scripts/fwrules.tgz (first posted on a securityfocus
list). These rules are based on what would be extracted as
firewall-rulesets/ruleset5.txt (contributed by vogt at hansenet.com):

    $IPTABLES -N in_icmp
    $IPTABLES -N in_tcp
    $IPTABLES -N in_udp
    $IPTABLES -A INPUT -p tcp -j in_tcp
    $IPTABLES -A INPUT -p udp -j in_udp
    $IPTABLES -A INPUT -p icmp -j in_icmp

    $IPTABLES -A INPUT -p icmp --icmp-type "echo-request" -m limit --limit 5/minute \
        -j LOG --log-prefix '#### Ping Scan ####'
    # high rate for stealth scans, since they could be legitimate connection
    # attempts as well
    $IPTABLES -A in_tcp -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 \
        -j LOG --log-level info --log-prefix '#### Stealth Scan ####'
    $IPTABLES -A in_tcp -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m \
        -j LOG --log-level info --log-prefix '#### XMAS Scan ####'
    $IPTABLES -A in_tcp -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m \
        -j LOG --log-level info --log-prefix '#### SYN/RST Scan ####'
    $IPTABLES -A in_tcp -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m \
        -j LOG --log-level info --log-prefix '#### SYN/FIN Scan ####'

    # we allow 4 TCP connects per second, no more
    $IPTABLES -N syn-flood
    $IPTABLES -A INPUT -p tcp --syn -j syn-flood
    $IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    $IPTABLES -A syn-flood -j DROP

    # new connections that have no syn set are most probably evil
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # invalid packets 
    $IPTABLES -A INPUT -p tcp -m state --state INVALID -m limit --limit 10/m \
        -j LOG --log-level info --log-prefix "### Invalid Packet ###"
    $IPTABLES -A INPUT -p tcp --tcp-option 64 -m limit --limit 5/m \
        -j LOG --log-level info --log-prefix "### Bad TCP FLAG(64) ###"
    $IPTABLES -A INPUT -p tcp --tcp-option 128 -m limit --limit 5/m \
        -j LOG --log-level info --log-prefix "### Bad TCP FLAG(128) ###"
    echo "done"

    echo -n "setting up ICMP: "
    # we allow echo requests and replies
    # could limit replies to related, but since we 
    # answer ping requests, where would be the point in that?
    $IPTABLES -A in_icmp -p icmp --icmp-type  0 -j ACCEPT
    $IPTABLES -A in_icmp -p icmp --icmp-type  8 -j ACCEPT
    # we need destination unreachable 
    $IPTABLES -A in_icmp -p icmp --icmp-type  3 -j ACCEPT
    # we are nice and allow traceroute, though it is not required
    $IPTABLES -A in_icmp -p icmp --icmp-type 11 -j ACCEPT
    $IPTABLES -A in_icmp -p icmp --icmp-type 30 -j ACCEPT
    echo "done"


Of course I've left out lots (including setting the kernel parameters),
but as far as invalid packets, ICMP and syn flooding go, do these look like
reasonable rules? Anything I should add?

// George

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
Security Services, Web, Mail,            mailto:george at galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 
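Every rule in the post relies on `-m limit`, and the `syn-flood` chain in particular is commented as "4 TCP connects per second" while the match it uses is `--limit 1/s --limit-burst 4`. The following Python model is an added example, not code from the post or from the ruleset archive: it approximates the kernel's limit match as a token bucket (the real implementation counts integer credits in jiffies, so exact boundaries can differ slightly) and replays constructed SYN arrival times through the `RETURN`/`DROP` pair, and constructed scan-packet times through a `5/m` LOG rule. The `parse_limit`, `LimitMatch`, `syn_flood_chain` and `logged_count` names are mine, not iptables'.

```python
"""Token-bucket model of the iptables '-m limit' match (added example).

The bucket starts full with `burst` tokens, refills at `rate` tokens per
second up to `burst`, and a packet matches only if a whole token is
available.  Fractions are used so the refill arithmetic is exact.
"""
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Iterable, List

# Units accepted by iptables --limit (second/minute/hour/day and abbreviations)
_UNIT_SECONDS = {"s": 1, "sec": 1, "second": 1,
                 "m": 60, "min": 60, "minute": 60,
                 "h": 3600, "hour": 3600,
                 "d": 86400, "day": 86400}


def parse_limit(spec: str) -> Fraction:
    """Turn a --limit value such as '1/s' or '5/minute' into tokens per second."""
    count, unit = spec.split("/")
    return Fraction(int(count), _UNIT_SECONDS[unit])


@dataclass
class LimitMatch:
    """One '-m limit --limit RATE --limit-burst BURST' instance."""
    rate: Fraction            # tokens added per second
    burst: int = 5            # iptables default for --limit-burst
    tokens: Fraction = field(init=False)
    last: Fraction = field(init=False, default=Fraction(0))

    def __post_init__(self) -> None:
        self.tokens = Fraction(self.burst)   # the bucket starts full

    def matches(self, now: float) -> bool:
        """True if a packet arriving at time `now` (seconds, non-decreasing) matches."""
        now = Fraction(now)
        assert now >= self.last, "arrival times must be non-decreasing"
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(Fraction(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def syn_flood_chain(arrivals: Iterable[float], limit: str = "1/s",
                    burst: int = 4) -> List[str]:
    """Verdict for each SYN: the limit rule RETURNs, anything it does not match is DROPped.

    Models:  -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
             -A syn-flood -j DROP
    """
    bucket = LimitMatch(parse_limit(limit), burst)
    return ["RETURN" if bucket.matches(t) else "DROP" for t in arrivals]


def logged_count(arrivals: Iterable[float], limit: str = "5/m",
                 burst: int = 5) -> int:
    """How many of the arriving packets a rate-limited LOG rule actually logs."""
    bucket = LimitMatch(parse_limit(limit), burst)
    return sum(1 for t in arrivals if bucket.matches(t))


if __name__ == "__main__":
    # Constructed SYN timeline: six at t=0, two at t=1, five at t=5.
    syns = [0.0] * 6 + [1.0] * 2 + [5.0] * 5
    for t, verdict in zip(syns, syn_flood_chain(syns)):
        print(f"t={t:4.1f}s  SYN -> {verdict}")
    # Constructed XMAS-scan burst: 20 packets at once, 20 more a minute later.
    print("XMAS lines logged:", logged_count([0.0] * 20 + [60.0] * 20))
```

Running the model shows what the chain enforces: four SYNs pass at t=0, the fifth and sixth are dropped, only one of the two SYNs at t=1 passes, and by t=5 the bucket has refilled to its cap of four. So the rule admits an initial burst of 4 and then 1 new connection per second sustained, which is stricter than "4 per second" and worth keeping in mind when the host serves anything with many short-lived clients. The LOG rules behave the same way: a scan of 20 XMAS packets produces 5 log lines, and a repeat a minute later produces 5 more, so log volume stays bounded regardless of scan speed.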
