
Linux 相關 Aaron on 27 六月 2007 11:59 下午

有用的 iptables 規則，可擋住一些基本的連接埠掃描與洪水攻擊（需以 root 執行，並放在允許正常流量的 ACCEPT 規則之前）


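# Basic iptables hardening: log-and-drop TCP flag combinations that only port
# scanners send, and rate-limit new TCP connections and ICMP echo requests.
#
# These rules only filter. They must be loaded BEFORE any rule that ACCEPTs
# legitimate traffic on INPUT (they are appended with -A), and they assume the
# rest of the policy (default policy, ACCEPT rules) is set elsewhere. Run as root.
#
# The long options below are spelled with two ASCII hyphens; the published
# listing had them rendered as a single en dash, which iptables rejects.
#
# Tunables (override via environment):
#   IPT         path to the iptables binary             (default /sbin/iptables)
#   IFACE       interface the scan rules are bound to    (default eth0)
#   SYN_RATE    new TCP connections allowed per period   (default 1/s)
#   SYN_BURST   initial burst above SYN_RATE             (default 5, iptables' own default)
#   PING_RATE   echo requests allowed per period         (default 1/s)
#   PING_BURST  initial burst above PING_RATE            (default 5)
#   LOG_RATE    cap on LOG entries per rule, so a scan or flood cannot
#               fill syslog/disk by itself               (default 5/min)
set -eu

IPT="${IPT:-/sbin/iptables}"
IFACE="${IFACE:-eth0}"
SYN_RATE="${SYN_RATE:-1/s}"
SYN_BURST="${SYN_BURST:-5}"
PING_RATE="${PING_RATE:-1/s}"
PING_BURST="${PING_BURST:-5}"
LOG_RATE="${LOG_RATE:-5/min}"

# log_and_drop MASK COMP
# Log (level warn, rate-limited) and then DROP TCP packets arriving on $IFACE
# whose flags selected by MASK equal COMP.
log_and_drop() {
  local mask=$1 comp=$2
  "$IPT" -A INPUT -i "$IFACE" -p tcp --tcp-flags "$mask" "$comp" \
    -m limit --limit "$LOG_RATE" -j LOG --log-level warn
  "$IPT" -A INPUT -i "$IFACE" -p tcp --tcp-flags "$mask" "$comp" -j DROP
}

# --- Port-scan signatures: flag combinations no legitimate TCP stack sends ---
log_and_drop ALL FIN,URG,PSH           # nmap FIN/URG/PSH probe
log_and_drop ALL ALL                   # Xmas tree, every flag set
log_and_drop ALL SYN,RST,ACK,FIN,URG   # Xmas tree variant
log_and_drop ALL NONE                  # null scan, no flags at all
log_and_drop SYN,RST SYN,RST           # SYN and RST are never valid together
log_and_drop SYN,FIN SYN,FIN           # SYN and FIN are never valid together

# --- SYN flood ---
# NOTE: -m limit is ONE global token bucket, not a per-source one. A single
# flooding (or source-spoofing) host exhausts it and every new connection from
# every client is then dropped, so this bounds load on conntrack and the log
# but is not a per-client defense; enable net.ipv4.tcp_syncookies for real
# SYN-flood resilience (a per-source variant would use -m hashlimit).
# Over-limit packets are DROPped, not REJECTed with a TCP reset: flood sources
# are usually spoofed, so a reset per SYN would be reflected at an innocent
# third party and roughly doubles the work done per attack packet.
# Anything conntrack calls NEW that is not a SYN (e.g. a stray ACK) falls
# through the RETURN rule and is dropped as well, as in the original chain.
"$IPT" -N SYNFLOOD
"$IPT" -A SYNFLOOD -p tcp --syn \
  -m limit --limit "$SYN_RATE" --limit-burst "$SYN_BURST" -j RETURN
"$IPT" -A SYNFLOOD -p tcp -m limit --limit "$LOG_RATE" -j LOG --log-level alert
"$IPT" -A SYNFLOOD -p tcp -j DROP
"$IPT" -A INPUT -p tcp -m state --state NEW -j SYNFLOOD

# --- Ping flood ---
# Every echo request is sent through the chain. The original hooked only
# "-m state --state NEW" echo requests; once conntrack has seen a reply,
# further requests of the same ICMP id are ESTABLISHED and would bypass the
# limiter. DROP rather than REJECT for the same reflection reason as above.
"$IPT" -N PING
"$IPT" -A PING -p icmp --icmp-type echo-request \
  -m limit --limit "$PING_RATE" --limit-burst "$PING_BURST" -j RETURN
"$IPT" -A PING -p icmp -m limit --limit "$LOG_RATE" -j LOG --log-level alert
"$IPT" -A PING -p icmp -j DROP
"$IPT" -A INPUT -p icmp --icmp-type echo-request -j PING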

