Default Rules Script
# drop port scan
...
# NMAP
FIN/URG/PSH
$IPTABLES -A INPUT
-p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree
$IPTABLES -A INPUT
-p tcp --tcp-flags ALL ALL -j DROP
# Another Xmas
Tree
$IPTABLES -A INPUT
-p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null
Scan(possibly)
$IPTABLES -A INPUT
-p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
$IPTABLES -A INPUT
-p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN --
Scan(possibly)
$IPTABLES -A INPUT
-p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT
-i lo -j ACCEPT
$IPTABLES -A INPUT
-m state --state ESTABLISHED,RELATED -j ACCEPT
# Web server is
running on port 80,443,6001,6002,7070
PORTS=`echo
$SERVER_TCP_PORTS|sed "s/,/ /g"`
for port in $PORTS
;
do
$IPTABLES -A INPUT -p tcp --dport $port -j RATE_LIMIT
done
$IPTABLES
-A INPUT -p tcp --dport 20 -j RATE_LIMIT
$IPTABLES
-A INPUT -p tcp --dport 21 -j RATE_LIMIT
PORTS=`echo
$SERVER_UDP_PORTS|sed "s/,/ /g"`
for port in $PORTS
;
do
$IPTABLES -A INPUT -p udp --dport $port -j RATE_LIMIT
done
# Being specific
about who we allow to use ssh from the local subnet
LOCAL_SUBNET=`ip
addr show eth0|grep "inet "|sed "s/ */ /g"|cut -d ' ' -f 3`
$IPTABLES -A INPUT
-m state --state NEW -s $LOCAL_SUBNET
-p tcp --dport 22 -j RATE_LIMIT
Based on FTP_SERVER URL Command