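#!/usr/bin/env bash
# Host firewall for a machine that offers SSH (22/tcp) and HTTP (80/tcp):
# default-deny inbound, log-then-drop everything else, tag SYNs to closed
# ports as a port-scan indicator.
#
# Run as root:  sudo ./firewall.sh
#
# Caveats a deployer needs to know:
#  * IPv4 only. ip6tables is a separate ruleset, so IPv6 keeps whatever
#    policy it already has (usually ACCEPT) — mirror these rules with
#    ip6tables or disable IPv6, or the filter is bypassable over v6.
#  * Not persistent. Rules vanish on reboot unless saved (iptables-save /
#    netfilter-persistent / your distro's equivalent).
set -euo pipefail

[[ $EUID -eq 0 ]] || { printf 'must run as root (use sudo)\n' >&2; exit 1; }

######
## 1.b
######
# Start from a clean filter table so re-running the script is idempotent:
# with -A against an existing ruleset every rule would be duplicated and
# `iptables -N LOGGING` would fail on the second run.
iptables -F INPUT
iptables -F LOGGING 2>/dev/null || true   # chain may not exist yet
iptables -X LOGGING 2>/dev/null || true

# Allow return traffic and related packets FIRST. Without this an INPUT DROP
# policy also drops replies to connections this host opened (DNS answers,
# package downloads, NTP) and, with no ESTABLISHED match on 22/tcp, the
# very SSH session used to run this script.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Loopback: local resolvers, databases, systemd units etc. talk over lo and
# break if it is dropped. (Loopback has nothing to do with ping; ICMP echo
# from other hosts is still dropped by the policy below — add an
# `-p icmp --icmp-type echo-request` ACCEPT if you want ping to work.)
iptables -A INPUT -i lo -j ACCEPT
# Packets conntrack cannot classify (malformed, out-of-window) are dropped
# quietly rather than reaching the LOG chain and filling the log.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Offered services. Only NEW connections need explicit rules; the rest of the
# conversation is covered by the ESTABLISHED rule above.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

# Optional SSH brute-force dampening (off by default to avoid locking out an
# admin who mistypes a password): track NEW 22/tcp connections per source
# and drop a source that opens more than 10 in 30 s. Insert these two lines
# BEFORE the 22/tcp ACCEPT above:
#   iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
#   iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 30 --hitcount 10 -j DROP

# Default-deny inbound, set LAST so there is no window between "policy DROP"
# and "allow 22" in which a live SSH session is cut off.
iptables -P INPUT DROP
# OUTPUT is left at ACCEPT. If you do lock it down, the ESTABLISHED rule is
# what lets replies for 22/80 (and any client traffic) leave:
#   iptables -P OUTPUT DROP
#   iptables -A OUTPUT -o lo -j ACCEPT
#   iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# FORWARD is untouched; on a non-router set `iptables -P FORWARD DROP` too.

######
## 1.c
######
# Everything not accepted above is handed to a user chain that logs and drops.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
# Rate-limit the LOG target. An unthrottled LOG lets any remote sender fill
# the kernel ring buffer and /var/log at line rate — a cheap disk/IO DoS.
# Level 4 = warning. Where the messages land depends on the syslog setup
# (/var/log/messages, /var/log/kern.log or `journalctl -k`).
iptables -A LOGGING -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "IPTABLES mark" --log-level 4

######
## 1.d
######
# Port-scan indicator: TCP packets with ONLY the SYN flag set (`--tcp-flags
# MASK COMP` examines all flags, matches when just SYN is on) that reached
# this chain were aimed at a port we do not serve. Inserted at position 1 so
# they get the PORTSCAN prefix instead of being logged a second time by the
# generic rule above. Note the option is --tcp-flags (plural).
iptables -I LOGGING 1 -p tcp --tcp-flags ALL SYN -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "IPTABLES PORTSCAN mark" --log-level 4
# Finally drop whatever reached the chain (logged or rate-limited away).
iptables -A LOGGING -j DROP

# Per-source scan detection with the `recent` module (LOG only, no DROP), if
# you prefer "N new connections from one host in 30 s" over "any stray SYN".
# Bind to your external interface instead of eth1 and put it before the
# ACCEPT rules so accepted ports are counted too:
#   iptables -I INPUT 1 -p tcp -i eth1 -m conntrack --ctstate NEW -m recent --name scan --set
#   iptables -I INPUT 2 -p tcp -i eth1 -m conntrack --ctstate NEW -m recent --name scan --update --seconds 30 --hitcount 10 -j LOG --log-prefix "IPTABLES portscan mark " --log-level 4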