站長手扎~SayCoo!

有用的 iptables 語法，可擋住一些基本攻擊

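#!/bin/sh
# Basic iptables hardening in three parts:
#   1. log-and-drop TCP flag combinations that no normal stack sends (the
#      signatures of nmap FIN/Xmas/Null/SYN-FIN style scans) on $IFACE;
#   2. a SYNFLOOD chain that rate-limits new TCP connections;
#   3. a PING chain that rate-limits ICMP echo-requests.
#
# Every LOG rule is itself rate-limited: an unthrottled LOG target lets a
# scanner turn a port scan into a disk-filling log flood.  Each rule is
# added only if it is not already present (iptables -C), so the script can
# be re-run without duplicating rules; the two custom chains are flushed and
# refilled on each run.  Must run as root.
#
# Tunables (override via the environment):
#   IPT                    iptables binary           (default /sbin/iptables)
#   IFACE                  interface for scan rules  (default eth0)
#   LOG_RATE / LOG_BURST   log lines per rule        (default 3/min, burst 10)
#   SYN_RATE / SYN_BURST   new TCP connections       (default 1/s, burst 5)
#   PING_RATE / PING_BURST ICMP echo-requests        (default 1/second, burst 5)
set -eu

IPT=${IPT:-/sbin/iptables}
IFACE=${IFACE:-eth0}
LOG_RATE=${LOG_RATE:-3/min}
LOG_BURST=${LOG_BURST:-10}
SYN_RATE=${SYN_RATE:-1/s}
SYN_BURST=${SYN_BURST:-5}        # 5 is the xt_limit default; made explicit
PING_RATE=${PING_RATE:-1/second}
PING_BURST=${PING_BURST:-5}      # 5 is the xt_limit default; made explicit

# die MESSAGE... : print to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# add CHAIN RULE... : append RULE to CHAIN unless an identical rule already
# exists (-C exits 0 when it does), so re-running does not duplicate it.
add() {
  "$IPT" -C "$@" 2>/dev/null || "$IPT" -A "$@"
}

# ins CHAIN RULE... : like add, but insert at the top of CHAIN (-I), for
# rules that must be evaluated before whatever else is already in INPUT.
ins() {
  "$IPT" -C "$@" 2>/dev/null || "$IPT" -I "$@"
}

# new_chain NAME : create NAME, or flush it if it already exists, so the
# chain's contents always reflect this script rather than accumulating.
new_chain() {
  "$IPT" -N "$1" 2>/dev/null || "$IPT" -F "$1"
}

# log_drop PREFIX TCP-MATCH... : rate-limited LOG (level warn, tagged with
# PREFIX for easy grepping/alerting) followed by DROP, on $IFACE only.
# PREFIX must stay under 29 characters (kernel --log-prefix limit).
log_drop() {
  prefix=$1
  shift
  add INPUT -i "$IFACE" -p tcp "$@" \
    -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
    -j LOG --log-level warn --log-prefix "$prefix"
  add INPUT -i "$IFACE" -p tcp "$@" -j DROP
}

main() {
  [ "$(id -u)" -eq 0 ] || die "must run as root"
  command -v "$IPT" >/dev/null 2>&1 || die "iptables not found at $IPT"

  # ---- PREVENT PORT SCAN: impossible/abnormal TCP flag combinations ----
  log_drop "FW-FINURGPSH " --tcp-flags ALL FIN,URG,PSH          # NMAP FIN/URG/PSH
  log_drop "FW-XMAS "      --tcp-flags ALL ALL                  # Xmas Tree
  log_drop "FW-XMAS2 "     --tcp-flags ALL SYN,RST,ACK,FIN,URG  # Another Xmas Tree
  log_drop "FW-NULL "      --tcp-flags ALL NONE                 # Null Scan (possibly)
  log_drop "FW-SYNRST "    --tcp-flags SYN,RST SYN,RST          # SYN/RST
  log_drop "FW-SYNFIN "    --tcp-flags SYN,FIN SYN,FIN          # SYN/FIN -- Scan (possibly)

  # ---- PREVENT SYN FLOOD ----
  # NOTE: -m limit is one global bucket, not per source.  At the default
  # 1/s + burst 5 a single busy client can exhaust it and legitimate new
  # connections are RST'd; tune SYN_RATE/SYN_BURST for the host, or use
  # -m hashlimit --hashlimit-mode srcip for a per-source budget.
  new_chain SYNFLOOD
  add SYNFLOOD -p tcp --syn \
    -m limit --limit "$SYN_RATE" --limit-burst "$SYN_BURST" -j RETURN
  add SYNFLOOD -p tcp \
    -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
    -j LOG --log-level alert --log-prefix "FW-SYNFLOOD "
  add SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
  # NEW packets that are not SYN skip the RETURN rule and are rejected too.
  add INPUT -p tcp -m state --state NEW -j SYNFLOOD

  # ---- PREVENT PING FLOOD ATTACK (same global-bucket caveat as above) ----
  new_chain PING
  add PING -p icmp --icmp-type echo-request \
    -m limit --limit "$PING_RATE" --limit-burst "$PING_BURST" -j RETURN
  add PING -p icmp \
    -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
    -j LOG --log-level alert --log-prefix "FW-PINGFLOOD "
  add PING -p icmp -j REJECT
  # Inserted at the head of INPUT (as the original did) so it is evaluated
  # before any pre-existing INPUT rules.
  ins INPUT -p icmp --icmp-type echo-request -m state --state NEW -j PING
}

main "$@"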