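#!/usr/bin/env bash
# Host firewall: default-deny on every chain, drop fragments and TCP flag
# combinations no normal stack sends, allow everything outbound from this
# host, and allow inbound SSH.
#
# IPv4 only (iptables). ip6tables is not touched here, so on a host with
# IPv6 enabled this ruleset covers only part of the traffic.
#
# Environment (all optional):
#   IPT       path to the iptables binary     (default /sbin/iptables)
#   IFOUT     external interface              (default em1)
#   SSH_PORT  TCP port accepted inbound        (default 22)
set -euo pipefail

IPT="${IPT:-/sbin/iptables}"
IFOUT="${IFOUT:-em1}"
SSH_PORT="${SSH_PORT:-22}"
readonly IPT IFOUT SSH_PORT

# One rate limit shared by every LOG rule so a flood cannot fill the log.
LOG_LIMIT=(-m limit --limit 5/m --limit-burst 7)
LOG_TARGET=(-j LOG --log-level 4)

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ "$(id -u)" -eq 0 ]] || die "must run as root"
[[ -x "$IPT" ]] || die "iptables binary not executable: $IPT"

# Start from an empty filter table; without this, every re-run appends a
# second copy of each rule.
"$IPT" -F
"$IPT" -X

"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

# With INPUT and OUTPUT both DROP, loopback needs an explicit ACCEPT or local
# services talking over 127.0.0.1 stop working.
"$IPT" -A INPUT  -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Block Fragments
"$IPT" -A INPUT -i "$IFOUT" -f "${LOG_LIMIT[@]}" "${LOG_TARGET[@]}" --log-prefix "Fragments Packets"
"$IPT" -A INPUT -i "$IFOUT" -f -j DROP

# Block bad stuff: flag sets that only appear in malformed or scanning traffic
"$IPT" -A INPUT -i "$IFOUT" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
"$IPT" -A INPUT -i "$IFOUT" -p tcp --tcp-flags ALL ALL -j DROP

"$IPT" -A INPUT -i "$IFOUT" -p tcp --tcp-flags ALL NONE "${LOG_LIMIT[@]}" "${LOG_TARGET[@]}" --log-prefix "NULL Packets"
"$IPT" -A INPUT -i "$IFOUT" -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

"$IPT" -A INPUT -i "$IFOUT" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

"$IPT" -A INPUT -i "$IFOUT" -p tcp --tcp-flags SYN,FIN SYN,FIN "${LOG_LIMIT[@]}" "${LOG_TARGET[@]}" --log-prefix "XMAS Packets"
"$IPT" -A INPUT -i "$IFOUT" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # XMAS

"$IPT" -A INPUT -i "$IFOUT" -p tcp --tcp-flags FIN,ACK FIN "${LOG_LIMIT[@]}" "${LOG_TARGET[@]}" --log-prefix "Fin Packets Scan"
"$IPT" -A INPUT -i "$IFOUT" -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

"$IPT" -A INPUT -i "$IFOUT" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Allow full outgoing connection but no incoming stuff.
# (-m conntrack --ctstate is the current spelling of -m state --state.)
"$IPT" -A INPUT  -i "$IFOUT" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -o "$IFOUT" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# Inbound SSH: accept only connection openers. Replies are already covered
# by the ESTABLISHED rule above, so anything else aimed at the port (e.g.
# INVALID-state packets) now falls through to the DROP policy instead of
# being accepted.
"$IPT" -A INPUT -i "$IFOUT" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT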


