  1. ######
  2. ## 1.b
  3. ######
  4.  
  5. # drop ALL input and output connections. Note that this also drops loopback connections
  6. sudo iptables -P INPUT DROP
  7. # sudo iptables -P OUTPUT DROP
  8.  
  9. # accept incoming and outgoing connections on loopback to allow ping to work
  10. # Neccessary to provide full functionality to most services
  11. # sudo iptables -A INPUT -i lo -j ACCEPT
  12. # sudo iptables -A OUTPUT -o lo -j ACCEPT
  13.  
  14. # accept incoming connections on the SSH port of 22
  15. sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  16. # accept incoming connections on the HTTP port of 80
  17. sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
  18.  
  19. # in order to get SSH service working correctly the following output connections would need to be allowed on state ESTABLISHED
  20. # sudo iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
  21. # in order to get HTTP service working correctly the following output connections would need to be allowed on state ESTABLISHED
  22. # sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  23.  
  24. ######
  25. ## 1.c
  26. ######
  27.  
  28. # create a new iptable chain called LOGGING
  29. iptables -N LOGGING
  30.  
  31. # direct all remaining incomming packets to the LOGGING chain
  32. iptables -A INPUT -j LOGGING
  33.  
  34. # create the log, on the LOGGING chain, with prefix, and logging level 4 (warning)
  35. # logs are written to /var/log/messages
  36. iptables -A LOGGING -j LOG --log-prefix "IPTABLES mark" --log-level 4
  37.  
  38. # drop all remaining packets still in chain
  39. # iptables -A LOGGING -j DROP
  40.  
  41. ######
  42. ## 1.d
  43. ######
  44.  
  45. iptables -A LOGGING -p tcp --tcp-flag ALL SYN -m limit --limit 10/m -j LOG --log-prefix "IPTABLES PORTSCAN mark" --log-level 4
  46.  
  47. # drop all remaining packets still in chain
  48. iptables -A LOGGING -j DROP
  49.  
  50. # iptables -A INPUT -p tcp -i eth1 -m state --state NEW -m recent --set
  51. # iptables -A INPUT -p tcp -i eth1 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j LOG --log-prefix " " --log-level 4
  52.  
  53. # iptables -A FORWARD -p tcp -i eth1 -m state --state NEW -m recent --set
  54. # iptables -A FORWARD -p tcp -i eth1 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j LOG --log-prefix "IPTABLES portscan mark " --log-level 4