Below Rules will block few of the Nmap Scans on ur linux server
The default config files of IPtables for RHEL / CentOS / Fedora Linux are located here
- /etc/sysconfig/iptables –
iptables -A INPUT -p tcp –tcp-flags ALL FIN -j DROP
iptables -A INPUT -p tcp –tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp –tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp –tcp-flags ALL FIN,PSH,URG -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
#=====================
# Flush semua rules
#———————
/sbin/iptables -F
/sbin/iptables -t nat -F
#=====================
# Block
#———————
/sbin/iptables -t filter -A INPUT -p TCP -m state –state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -p UDP -m state –state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -p ICMP -m state –state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -m state –state INVALID -j DROP
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ACK,FIN FIN -j LOG –log-prefix “FIN: ”
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ACK,FIN FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ACK,PSH PSH -j LOG –log-prefix “PSH: ”
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ACK,URG URG -j LOG –log-prefix “URG: ”
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ALL ALL -j LOG –log-prefix “XMAS scan: ”
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ALL ALL -j DROP
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ALL NONE -j LOG –log-prefix “NULL scan: ”
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ALL NONE -j DROP
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG –log-prefix “pscan: ”
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j LOG –log-prefix “pscan 2: ”
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags FIN,RST FIN,RST -j LOG –log-prefix “pscan 2: ”
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ALL SYN,FIN -j LOG –log-prefix “SYNFIN-SCAN: ”
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ALL SYN,FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ALL URG,PSH,FIN -j LOG –log-prefix “NMAP-XMAS-SCAN: ”
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ALL URG,PSH,FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ALL FIN -j LOG –log-prefix “FIN-SCAN: ”
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ALL FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ALL URG,PSH,SYN,FIN -j LOG –log-prefix “NMAP-ID: ”
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags ALL URG,PSH,SYN,FIN -j DROP
/sbin/iptables -t filter -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST -j LOG –log-prefix “SYN-RST: ”
Syn-flood protection
In this attack system is floods with a series of SYN packets. Each packets causes system to issue a SYN-ACK responses. Then system waits for ACK that follows the SYN+ACK (3 way handshake). Since attack never sends back ACK again entire system resources get fulled aka backlog queue. Once the queue is full system will ignored incoming request from legitimate users for services (http/mail etc). Hence it is necessary to stop this attack with iptables.
Force SYN packets check
Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Force Fragments packets check
Packets with incoming fragments drop them. This attack result into Linux server panic such data loss.
iptables -A INPUT -f -j DROP
XMAS packets
Incoming malformed XMAS packets drop them:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop all NULL packets
Incoming malformed NULL packets:
iptables -A INPIT -p tcp --tcp-flags ALL NONE -j DROP
Block Spoofing and bad addresses
Using iptables you can filter to drop suspicious source address. Network server should not accept packets claiming from the Internet that claim to originate from inside your network. Spoofing can be classified as:
a) IP spoofing – Disable the source address of authentication, for example rhosts based authentication. Filter RPC based services such as portmap and NFS,
b) DNS spoofing
Please see Iptables: How to avoid Spoofing and bad addresses attack tip for more information.
Also use NAT for your internal network. This makes difficult for attacker to spoof IP address from outside.
Filter incoming ICMP, PING traffic
It includes the ping of death attack and ICMP floods. You should block all ICMP and PING traffic for outside except for your own internal network (so that you can ping to see status of your own server) . See Linux : Iptables Allow or block ICMP ping request article.
Once system is secured, test your firewall with nmap or hping2 command:
# nmap -v -f FIREWALL-IP
# nmap -v -sX FIREWALL-IP
# nmap -v -sN FIREWALL-IP
# hping2 -X FIREWALL-IP
Recent Comments