# Can someone explain the following iptables rule for me

## Keiko

Hia,

I've been googling on and off for a few days now, trying to work out how to limit ssh connections in my script, and haven't found anything useful... until now.

I've just spotted this rule; the site I found it on seemed to suggest that this will do what I'm after, but I don't really understand it, and I'm reluctant to implement something in my firewall that I don't understand, so I was wondering if someone could explain it for me.

I'd like to know whether this will do what I'm after; a general "this does that" on its component parts would also be very much appreciated, so I can work with it to make sure it's right for me and understand how this will achieve what I'm after. There are two sections I don't understand: " --state NEW " and " --update --seconds 60 --hitcount 5 ".

[edit] For clarification, what I'm after is a way where I can use iptables to allow an ssh connection (depending on my existing rules), but then not allow another one for a specified period of time. It would be even better if I could have a rule to limit one ssh connection attempt per IP address for every 120 seconds; that's what I'd like.

The rules are:

```
iptables -A INPUT -p tcp --dport ssh -i ${WAN} -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport ssh -i ${WAN} -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
iptables -A INPUT -p tcp --dport ssh -i ${WAN} -m state --state NEW -j ACCEPT
```

Thanks, Keiko.

----------

## jedsen

--state NEW means the packet is starting a new connection or is part of a connection that hasn't yet seen packets in both directions.

--update --seconds 60 --hitcount 5 will update the recent address list's timestamp for the source, matching only if the last-seen timestamp is within the last 60 seconds and the hit count for the address's packets is 5 (say, if someone logs in 5 times in 60 seconds).

----------

## Keiko

Hia,

Thanks for your reply, this is my understanding of it now:

The first line of these rules will create a temporary list of the IPs that are trying to establish a new connection to my SSHD (is this handled entirely with iptables, or do I have to set up a file myself for this?).

I'm still a little confused on the second line. I think that means that if an IP address that is already within the temporary list tries to establish another NEW connection within 60 seconds, then it will be dropped. I understand that, but I'm still uncertain about the hitcount thing: would that mean that the NEW connection with that same IP will only be dropped if the IP was both in the temporary list and the IP had tried to log on to my SSHD 5 times (does hitcount automatically mean logon attempts, or only in this instance?).

Then, as I understand it, the final line will allow the new connection if it isn't dropped by the second line.

Sorry, my head's still a little fuzzy with this; thanks for your help.

Keiko.

----------

## jedsen

It's my understanding that the temp list is created and maintained entirely by the kernel/iptables (remember, this is for incoming connections, or, more specifically, when it receives a packet that is starting a new connection or is part of a connection that hasn't yet seen packets in both directions).

hitcount means the number of connection-starting packets received from a specific address, but only in this instance does it mean an ssh connection (because of --dport ssh).

Hope this helps.
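To make the two explanations above concrete, here is an added model (not code from the thread) of what the three rules do to a stream of NEW connections, written as a small POSIX shell script. It reproduces the kernel's `recent` match as far as the thread needs it: `--set` records a timestamp for the source on every NEW packet, `--update --seconds S --hitcount N` matches once the source has N or more timestamps inside the last S seconds, counting the packet that `--set` has just recorded, and a match also refreshes the list. The attempt list, the addresses and the function names are this example's own.

```shell
#!/bin/sh
# Added model of the three-rule pattern discussed above, applied to a
# constructed stream of NEW SSH connections.  Not real iptables: the
# "recent" list is a temp directory holding one file of timestamps per
# source address.  Assumptions: whole-second timestamps, one shared list
# (no --name), and fewer than ip_pkt_list_tot (default 20) stamps per
# address, so no old stamps are overwritten.

# hits_in_window FILE NOW SECONDS: how many recorded stamps satisfy
# NOW - stamp <= SECONDS (this is the --seconds test of --update/--rcheck)
hits_in_window() {
    hits=0
    while read -r s; do
        [ $(( $2 - $s )) -le "$3" ] && hits=$((hits + 1))
    done < "$1"
    echo "$hits"
}

# decide_attempts SECONDS HITCOUNT "t:ip t:ip ...": emit "t:ip:ACCEPT" or
# "t:ip:DROP" for each attempt, in order, the way the rules would decide
decide_attempts() {
    seconds=$1; hitcount=$2; attempts=$3
    list=$(mktemp -d)
    out=""
    for a in $attempts; do
        t=${a%%:*}; ip=${a#*:}
        # rule 1: -m recent --set -> record this packet's stamp for its source
        echo "$t" >> "$list/$ip"
        # rule 2: -m recent --update --seconds S --hitcount N -j DROP
        # matches when the source has at least N stamps inside the window
        # (the stamp just written counts); a match also adds a fresh stamp
        if [ "$(hits_in_window "$list/$ip" "$t" "$seconds")" -ge "$hitcount" ]; then
            echo "$t" >> "$list/$ip"
            out="$out $a:DROP"
        else
            # rule 3: --state NEW -j ACCEPT
            out="$out $a:ACCEPT"
        fi
    done
    rm -rf "$list"
    echo "${out# }"
}

# Constructed attempts: one host retries every 10 s, a second host connects
# once, the first host retries at t=100 and comes back at t=250.
ATTEMPTS="0:203.0.113.5 10:203.0.113.5 20:203.0.113.5 30:198.51.100.7 100:203.0.113.5 250:203.0.113.5"
decide_attempts 120 3 "$ATTEMPTS"
decide_attempts 120 4 "$ATTEMPTS"
```

With hitcount 3 the third attempt from 203.0.113.5 at t=20 is dropped, so only two connections per 120 s get through; hitcount 4 lets three through. The retry at t=100 is dropped in both cases, and because `--update` refreshes the stamps, a host that keeps retrying keeps itself blocked; it is accepted again at t=250, once every recorded stamp is more than 120 s old. Two things to keep in mind with the real rules: without `--name`, every `-m recent` rule on the box shares the DEFAULT list (visible under /proc/net/xt_recent/, or /proc/net/ipt_recent/ on older kernels), and because the list is keyed on source address and a TCP SYN needs no handshake to be counted, spoofed SYNs carrying an administrator's address can lock that address out.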

----------

## Keiko

Hia,

Sure does, I understand its meaning now. However, after just testing my test version of my script with the new rules, it doesn't work: I can use putty to fail several connections immediately after each other, and I'm still allowed to try again, and eventually log in.

I've edited the rules to fit in with my existing configuration to read:

```
# SSH (tcp port 22)
# Specific to SSH we will also protect ourselves from either misguided or unauthorised users who try to connect too many times.
# Here we will permit a maximum of 3 connection attempts per every 2 minutes; any more will be dropped.
	iptables -A THRU -p tcp --dport 22 -i $InFace1 -m state --state NEW -m recent --set
	iptables -A THRU -p tcp --dport 22 -i $InFace1 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 -j DROP
	iptables -A THRU -p tcp --dport 22 -i $InFace1 -m state --state NEW -j ACCEPT
```

I can't figure out where I'm going wrong. Do I need to include something else in my kernel, or is it possible I've placed the rules badly in my script?

Thanks, and yes you have helped me understand how it works; I just need to figure out why it doesn't seem to work for me now...

Keiko.

----------

## jedsen

As far as I know, THRU isn't a valid hook point. Shouldn't it be INPUT?

----------

## Keiko

HIa,

THRU is a custom chain I'm using, used to explicitly allow connections in. My full script is below (with the new rules I'm trying to implement); perhaps it should be INPUT, but I'm not sure...

Thanks, Keiko

```
#!/bin/bash

IPTABLES=/sbin/iptables

# Constant Declarations
InFace1='eth0'
ExIP='10.0.0.8'

	echo "Starting firewall ... "

#----------------------------------- This Script -----------------------------------------------------#
#
# This is my iptables firewall script, it contains the rules that will correctly configure iptables.
#
# This script was created from a very good guide on " http://www.pettingers.org/code/firewall.html " and with
# support and help from various people within the linux community. Thanks must go to those who helped me a
# great deal on the Gentoo forums, " https://forums.gentoo.org/ ".
#
# Originally Created on 06/03/2006 by Keiko. Updated on 10/03/06 by Keiko.
#
#
# If you want this script to automatically set up iptables when you boot your computer (Gentoo), ensure it is
# named firewall and place it into your /etc/init.d/ directory.
# Now using your preferred editor open /etc/conf.d/local.start and add the following line (without quotes)
# "/etc/init.d/firewall"; these rules will then be passed to iptables upon boot.
# To test that the rules have been passed to iptables correctly, as super user (root) type the following in a
# terminal (without quotes): "iptables -L". This will list the rules and chains that iptables is using.
#
#------------------------------------------------------------------------------------------------------#

# The default policy of the INPUT chain is now changed to allow all packets to enter; this is only temporary
# however and will be changed later.
	iptables -P INPUT ACCEPT

# We will now flush (delete) any rules for the existing chains, which could affect the new rules we are going to implement.
	iptables -F

# And delete any existing custom chains.
	iptables -X

# We are going to create five custom chains. We will use these as targets for our new rules.
	iptables -N SPAM
	iptables -N WEB
	iptables -N BLACKLIST
	iptables -N THRU
	iptables -N LOGDROP

echo " Error Marker-1 = Passed "

#---------------------------------------- The Rules-----------------------------------------------------#

# The first rule below will allow packets through if they are part of an established connection, and the
# second rule will allow packets through if they are part of a related connection, such as a program like
# bittorrent opening up new ports. However we will only permit related connections to open related ports
# between port numbers 1025 and 65535.
	iptables -A INPUT -i $InFace1 -m state --state ESTABLISHED -j ACCEPT
	iptables -t filter -A INPUT -p tcp --dport 1025:65535 -m state --state RELATED -j ACCEPT

# This rule allows in all packets from the localhost interface.
	iptables -A INPUT -i lo -j ACCEPT

# The next rule will send any packets coming in to port 25 to our SPAM custom chain, to be checked if
# the originating ip address is one known to the system as a spammer's address.
	iptables -A INPUT -i $InFace1 -p tcp -m tcp --dport 25 -j SPAM

# The following rule does the same thing but checks for web hackers instead of spammers via the WEB custom chain;
# the "tcp-flags" are optional, in this case they are set to look for new connections with "SYN,RST,ACK SYN".
	iptables -A INPUT -i $InFace1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j WEB

# The next rule ensures that any packets that have gotten through the above rules will be jumped to our
# "general blacklist", the BLACKLIST custom chain.
	iptables -A INPUT -j BLACKLIST

echo " Error Marker-2 = Passed "

# Some IP addresses that we require to block, due to recent ssh break-in attempts from these addresses.
	iptables -A BLACKLIST -s 81.56.126.41 -j LOGDROP
	iptables -A BLACKLIST -s 213.145.191.238 -j LOGDROP
	iptables -A BLACKLIST -s 69.93.81.10 -j LOGDROP
	iptables -A BLACKLIST -s 165.228.11.218 -j LOGDROP
	iptables -A BLACKLIST -s 216.118.117.112 -j LOGDROP
	iptables -A BLACKLIST -s 210.188.207.233 -j LOGDROP

# Similarly this rule will jump any packets that have gotten through the BLACKLIST chain to our THRU custom chain.
# The THRU custom chain is used to allow packets in if they are explicitly allowed, such as from trusted hosts.
	iptables -A INPUT -j THRU

# Next we will create a log entry for the logging daemon each time we drop a packet; however, to reduce the risk of
# denial-of-service attacks this logging will be restricted to 30 entries per minute. The log level 7 means that
# the priority will be set to debug, so these log entries can be exported to a file with syslog / syslog-ng by
# matching "facility(kernel) and level(debug)".
	iptables -A INPUT -m limit --limit 30/min -j LOG --log-prefix "drop_packet" --log-level 7

echo " Error Marker-3 = Passed "

# We are now going to set up some rules that will explicitly allow packets into particular ports to ensure
# the services we run (i.e. webserver, mail server, ssh server) will continue to function.
# - NOTE - By default only port 22 will be open for ssh; other popular service ports are included below for
#	   completeness and will need to be un-commented (remove the preceding #) if you require them open.

# FTP (tcp port 21)
#
#	iptables -A THRU -i $InFace1 -p tcp --dport 21 -j ACCEPT

# SSH (tcp port 22)
# Specific to SSH we will also protect ourselves from either misguided or unauthorised users who try to connect too many times.
# Here we will permit a maximum of 3 connection attempts per every 2 minutes; any more will be dropped.
	iptables -A THRU -p tcp --dport 22 -i $InFace1 -m state --state NEW -m recent --set
	iptables -A THRU -p tcp --dport 22 -i $InFace1 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 -j DROP
	iptables -A THRU -p tcp --dport 22 -i $InFace1 -m state --state NEW -j ACCEPT

# SMTP (tcp port 25)
#
#	iptables -A THRU -i $InFace1 -p tcp -m tcp --dport 25 -j ACCEPT

# HTTP (tcp port 80)
#
#	iptables -A THRU -i $InFace1 -p tcp -m tcp --dport 80 -j ACCEPT

# POP3 (tcp port 110)
#
#	iptables -A THRU -i $InFace1 -p tcp -m tcp --dport 110 -j ACCEPT

# If you require to find out what port number your particular service uses, a complete listing of ports and services
# can be found here:  http://www.iana.org/assignments/port-numbers

echo " Error Marker-4 = Passed "

# We will disable incoming echo-requests and outgoing echo-reply pings (ICMP type 8).
	iptables -A INPUT -p icmp --icmp-type echo-request -d $ExIP -j DROP
	iptables -A OUTPUT -p icmp --icmp-type echo-reply -s $ExIP -j DROP

# We will also disable incoming redirects (icmp type 5) and outgoing destination unreachable messages (icmp type 3).
# This will further protect us from dos (denial of service) attacks.
	iptables -A INPUT -p icmp --icmp-type redirect -d $ExIP -j DROP
	iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -s $ExIP -j DROP

# We will now explicitly disable outgoing X-sessions, to protect our machine from the vulnerabilities with forwarding X11.
# REJECT is used here so that the connecting user is made efficiently aware that this service is not offered, following advice
# on Drop vs Reject found here: " http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject ".
	iptables -A OUTPUT -p tcp -s $ExIP -o eth0 --dport 6000:6010 -j REJECT
	iptables -A OUTPUT -p udp -s $ExIP -o eth0 --dport 6000:6010 -j REJECT

# We will now add our final rule to the INPUT chain, which will drop all packets that haven't been accepted
# via any of the previous rules; we will also now change the default policy for INPUT to DROP.
	iptables -A INPUT -j DROP
	iptables -P INPUT DROP

# We will also set the default policy for the FORWARD chain to DROP, as it should not be used in this configuration.
	iptables -P FORWARD DROP

echo " Error Marker-5 = Passed "

# The following rules are for our final custom chain LOGDROP. These will place descriptive annotations
# on the log entries, to aid with log analysis later on.
	iptables -A LOGDROP -p tcp -m tcp --dport 22 -m limit --limit 1/sec -j LOG --log-prefix "ssh_blacklist" --log-level 7
	iptables -A LOGDROP -p tcp -m tcp --dport 25 -m limit --limit 1/sec -j LOG --log-prefix "spam_blacklist" --log-level 7
	iptables -A LOGDROP -p tcp -m tcp --dport 80 -m limit --limit 1/sec -j LOG --log-prefix "web_blacklist" --log-level 7

# The following line specifies how we will respond to packets that have gone through the LOGDROP custom chain.
	iptables -A LOGDROP -j REJECT --reject-with icmp-host-prohibited
#
# - NOTE -  To make use of our various blacklists, you can manually add rules to the respective chain, such
# as the following examples:
#
#	iptables -A BLACKLIST -s 192.168.254.5 -j LOGDROP
#	iptables -A BLACKLIST -s 192.168.220.9/24 -p tcp --dport 22 -j LOGDROP
#	iptables -A SPAM -s scum.spammers.org -j LOGDROP
#	iptables -A WEB -s script.kiddies.com -j LOGDROP
#
# - NOTE - the " -s " flag indicates a source.
#
#--------------------------------------- End of Configuration----------------------------------------------#

echo " Error Marker-6 = Passed "

	echo "Firewall started and configured"

exit
```

----------

## jedsen

I'm sorry, but I have no idea why your setup's not working, but would like to know for my own use. Anyone have any ideas?

----------

## pteppic

Bad syntax, should be:

```
iptables -A THRU -p tcp -m tcp --dport 22 -i $InFace1 -m state --state NEW -m recent --set
iptables -A THRU -p tcp -m tcp --dport 22 -i $InFace1 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 -j DROP
iptables -A THRU -p tcp -m tcp --dport 22 -i $InFace1 -m state --state NEW -j ACCEPT
```

I have a filter set up in syslog-ng specifically for testing this kind of thing; then you can test that the iptables filters are catching the packets they are supposed to with:

```
-I MYCHAIN (index above drop line) -m (same ipfilters as drop line) -j LOG --log-prefix "IPTablesTestLog: " --log-level 6
```

Syslog-ng config sections 

```
destination iptabtest { file("/var/log/iptabtest.log"); };

filter f_iptabtest { match("IPTablesTestLog:"); };

log { source(kernsrc); filter(f_iptabtest); destination(iptabtest); };
```
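pteppic's test-log trick, written up as an added example that is not the thread's script: the limit goes into its own chain with a named `recent` list, and a LOG rule with the same match is inserted directly above the DROP rule, so syslog-ng (with the filter shown above) records exactly the packets that are about to be dropped. Two details matter in practice: the test rule uses `--rcheck` rather than `--update`, because a matching `--update` would add its own timestamp to the list and change what the DROP rule sees; and the script runs under `set -e`, so a rule iptables rejects (for instance two options run together without a space, as in `--seconds 120--hitcount 3`) stops the script instead of being skipped while the ACCEPT rule after it is still installed. The chain name SSH_LIMIT, the list name SSH and the interface eth0 are this example's assumptions; IPT=echo dry-runs it.

```shell
#!/bin/sh
# Added example: install the SSH limit in its own chain and add pteppic's
# test LOG rule directly above the DROP rule.  Not the thread's script.
# IPT=echo turns it into a dry run that only prints the commands.
# Assumed names: chain SSH_LIMIT, recent list SSH, interface eth0.
set -e      # a rejected rule aborts the script instead of being skipped
            # (with the DROP rule skipped, only the ACCEPT rule would remain)

IPT=${IPT:-/sbin/iptables}
WAN=${WAN:-eth0}
WINDOW=120   # --seconds
HITS=3       # --hitcount: the HITS-th NEW connection inside WINDOW is dropped

# Match shared by all three rules.  --name keeps the SSH timestamps out of
# the DEFAULT list that every unnamed -m recent rule on the box writes to.
ssh_new="-p tcp --dport 22 -i $WAN -m state --state NEW"

install_ssh_limit() {
    if $IPT -F SSH_LIMIT 2>/dev/null; then
        :                              # chain existed: flushed, INPUT jump kept
    else
        $IPT -N SSH_LIMIT
        $IPT -A INPUT -j SSH_LIMIT     # hook into INPUT once, on first creation
    fi
    $IPT -A SSH_LIMIT $ssh_new -m recent --name SSH --set
    $IPT -A SSH_LIMIT $ssh_new -m recent --name SSH --update \
         --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    $IPT -A SSH_LIMIT $ssh_new -j ACCEPT
}

# insert_test_log INDEX: a LOG rule with the same match as the DROP rule,
# placed at INDEX (2 = between --set and the DROP rule).  --rcheck, not
# --update, so the test rule does not add timestamps to the list itself.
insert_test_log() {
    $IPT -I SSH_LIMIT "$1" $ssh_new -m recent --name SSH --rcheck \
         --seconds "$WINDOW" --hitcount "$HITS" \
         -j LOG --log-prefix "IPTablesTestLog: " --log-level 6
}

# remove_test_log INDEX: take the test rule out again once done
remove_test_log() {
    $IPT -D SSH_LIMIT "$1"
}

case "${1:-}" in
    install) install_ssh_limit ;;
    testlog) insert_test_log 2 ;;
    untest)  remove_test_log 2 ;;
esac
```

After `install` and `testlog`, make HITS new connections from one host; the third should appear in /var/log/iptabtest.log with the IPTablesTestLog: prefix, and the source should be listed with its timestamps in /proc/net/xt_recent/SSH (/proc/net/ipt_recent/SSH on older kernels). Run `untest` before leaving the rules in production.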

----------

## Keiko

Hia,

It's been a while, but I think I should have added "solved" up there. I'll do that now.

Actually I have no idea why it wouldn't work still; it's been a while since I've looked at those lines, but to the best of my knowledge it's working now, or seems to be anyway; it's been a few days since I tested that function. But what I can do is post my current script; it's undergone several changes, nothing major I don't think. The only thing I've been thinking about recently with it is whether I have some unneeded rules, because originally I implemented rules to try and prevent pings and such, but since I have done this with a kernel parameter, as you'll see, I'm just wondering whether I still require my original ping blocking / limiting rules. The biggest change I want to accomplish, though I'm still unsure how to do it despite looking at several pieces of source code, is the ability to have my list of IPs I want blocking stored in a separate file, which is referenced by an iptables rule or similar. This is because every other day I log an attack, though my script seems to be doing its thing: instead of seeing ten or more attempts, I see one or two from the same IP, only once has someone bothered to wait for a period and then come back, and each IP address I've manually added to my blacklist section hasn't shown up in my logs again, so I'm really pleased. Though I must admit to liking it the moment I see activity in my logs; it reminds me my script at least works on some, and gives me a few moments of action...

Anyway, before I rabbit on indefinitely, here's my latest version; if you have any suggestions for improvements, I'd be more than glad to hear them...

Thank you - Keiko.

```
#!/bin/bash

#----------------------------------- This Script -----------------------------------------------------#
#
# This is my iptables firewall script, it contains the rules that will correctly configure iptables.
#
# This script was created from a very good guide on " http://www.pettingers.org/code/firewall.html " and with
# support and help from various people within the linux community. Thanks must go to those who helped me a
# great deal on the Gentoo forums, " http://forums.gentoo.org/ ".
#
#        Date: Description
#  --|--|----: ---------------------------------------------
#  06/03/2006: Initial write of script, by Keiko.
#  --|--|----: ---------------------------------------------
#  --|--|----: ---------------------------------------------
#  18/03/2006: This version, version number : 15
#  --|--|----: ---------------------------------------------
#
# If you want this script to automatically set up iptables when you boot your computer (Gentoo), ensure it is
# named firewall and place it into your /etc/init.d/ directory.
# Now using your preferred editor open /etc/conf.d/local.start and add the following line (without quotes)
# "/etc/init.d/firewall"; these rules will then be passed to iptables upon boot.
# To test that the rules have been passed to iptables correctly, as super user (root) type the following in a
# terminal (without quotes): "iptables -L". This will list the rules and chains that iptables is using.
#
#------------------------------------------------------------------------------------------------------#

   echo "Starting firewall ... "

IPTABLES=/sbin/iptables

# Constant Declarations
   InFace1='eth0'
   ExIP='10.0.0.8'
   ssh='22'

#---------------------------------- Kernel Security ---------------------------------------------------#

# By enabling SYN Cookies with the following command, the OS will wait until the 3-way TCP handshake has
# finished before handing the connection over to the daemon; most SYN attacks just do the first part of the
# handshake, so enabling this can increase the system's security.
# see " http://forums.gentoo.org/viewtopic-t-352610-highlight-tcpsyncookies.html " and " http://cr.yp.to/syncookies.html "
   echo 1 >/proc/sys/net/ipv4/tcp_syncookies

# Don't respond to broadcast pings - protects against smurf attacks.
   echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Ignore bogus ICMP error responses (e.g. from routers that reply to broadcasts), so they do not clutter the logs.
   echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Make sure that IP forwarding is turned off. We only want this for a multi-homed host.
   echo "0" > /proc/sys/net/ipv4/ip_forward

# Prevent the system from responding to pings.
# See this: " http://www.jalix.org/ressources/miscellaneous/security/_SOLRHE/html/chap5sec53.html "
   echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

#---------------------------------- Flush, Delete and Custom Chain Creation -----------------------------#

# The default policy of the INPUT chain is now changed to allow all packets to enter; this is only temporary
# however and will be changed later.
   iptables -P INPUT ACCEPT

# We will now flush (delete) any rules for the existing chains, which could affect the new rules we are going to implement.
   iptables -F

# And delete any existing custom chains.
   iptables -X

# We are going to create five custom chains. We will use these as targets for our new rules.
   iptables -N SPAM
   iptables -N WEB
   iptables -N BLACKLIST
   iptables -N THRU
   iptables -N LOGDROP

#echo " Error Marker-1 = Passed "

#---------------------------------------- The Rules-----------------------------------------------------#

# The first rule below will allow packets through if they are part of an established connection, and the
# second rule will allow packets through if they are part of a related connection, such as a program like
# bittorrent opening up new ports. However we will only permit related connections to open related ports
# between port numbers 1025 and 65535.
   iptables -A INPUT -i $InFace1 -m state --state ESTABLISHED -j ACCEPT
   iptables -t filter -A INPUT -p tcp --dport 1025:65535 -m state --state RELATED -j ACCEPT

# This rule allows in all packets from the localhost interface.
   iptables -A INPUT -i lo -j ACCEPT

# Kill connections to the local interface from the outside world.
   iptables -A INPUT -d 127.0.0.0/8 -j REJECT

# Allow SMB traffic through from the local LAN.
   iptables -A INPUT -i $InFace1 -s 10.0.0.0/24 -p udp --dport 137:138 -j ACCEPT
   iptables -A INPUT -i $InFace1 -s 10.0.0.0/24 -p tcp --dport 139 -j ACCEPT
   iptables -A INPUT -i $InFace1 -s 10.0.0.0/24 -p tcp --dport 445 -j ACCEPT

# The next rule will send any packets coming in to port 25 to our SPAM custom chain, to be checked if
# the originating ip address is one known to the system as a spammer's address.
   iptables -A INPUT -i $InFace1 -p tcp -m tcp --dport 25 -j SPAM

# The following rule does the same thing but checks for web hackers instead of spammers via the WEB custom chain;
# the "tcp-flags" are optional, in this case they are set to look for new connections with "SYN,RST,ACK SYN".
   iptables -A INPUT -i $InFace1 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j WEB

# The next rule ensures that any packets that have gotten through the above rules will be jumped to our
# "general blacklist", the BLACKLIST custom chain.
   iptables -A INPUT -j BLACKLIST

#echo " Error Marker-2 = Passed "

# Some IP addresses that we require to block, due to recent ssh break-in attempts from these addresses.
   iptables -A BLACKLIST -s 59.120.2.157 -j LOGDROP
   iptables -A BLACKLIST -s 61.144.230.185 -j LOGDROP
   iptables -A BLACKLIST -s 61.178.127.182 -j LOGDROP
   iptables -A BLACKLIST -s 62.2.130.138 -j LOGDROP
   iptables -A BLACKLIST -s 62.112.213.233 -j LOGDROP
   iptables -A BLACKLIST -s 69.93.81.10 -j LOGDROP
   iptables -A BLACKLIST -s 81.56.126.41 -j LOGDROP
   iptables -A BLACKLIST -s 82.127.116.147 -j LOGDROP
   iptables -A BLACKLIST -s 83.68.233.20 -j LOGDROP
   iptables -A BLACKLIST -s 86.34.142.155 -j LOGDROP
   iptables -A BLACKLIST -s 86.55.5.250 -j LOGDROP
   iptables -A BLACKLIST -s 165.228.11.218 -j LOGDROP
   iptables -A BLACKLIST -s 201.12.140.30 -j LOGDROP
   iptables -A BLACKLIST -s 201.20.202.202 -j LOGDROP
   iptables -A BLACKLIST -s 210.127.235.156 -j LOGDROP
   iptables -A BLACKLIST -s 210.188.207.233 -j LOGDROP
   iptables -A BLACKLIST -s 213.145.191.238 -j LOGDROP
   iptables -A BLACKLIST -s 213.190.10.91 -j LOGDROP
   iptables -A BLACKLIST -s 216.118.117.112 -j LOGDROP
   iptables -A BLACKLIST -s 218.108.44.107 -j LOGDROP
   iptables -A BLACKLIST -s 220.119.33.251 -j LOGDROP
   iptables -A BLACKLIST -s 222.134.46.124 -j LOGDROP

# Similarly this rule will jump any packets that have gotten through the BLACKLIST chain to our THRU custom chain.
# The THRU custom chain is used to allow packets in if they are explicitly allowed, such as from trusted hosts.
   iptables -A INPUT -j THRU

# Next we will create a log entry for the logging daemon each time we drop a packet; however, to reduce the risk of
# denial-of-service attacks this logging will be restricted to 30 entries per minute. The log level 7 means that
# the priority will be set to debug, so these log entries can be exported to a file with syslog / syslog-ng by
# matching "facility(kernel) and level(debug)".
   iptables -A INPUT -m limit --limit 30/min -j LOG --log-prefix "drop_packet" --log-level 7

#echo " Error Marker-3 = Passed "

# We are now going to set up some rules that will explicitly allow packets into particular ports to ensure
# the services we run (i.e. webserver, mail server, ssh server) will continue to function.
# - NOTE - By default only port 22 will be open for ssh; other popular service ports are included below for
#       completeness and will need to be un-commented (remove the preceding #) if you require them open.

# FTP (tcp port 21)
#
#   iptables -A THRU -i $InFace1 -p tcp --dport 21 -j ACCEPT

# SSH (tcp port 22)
# Specific to SSH we will also protect ourselves from either misguided or unauthorised users who try to connect too many times.
# Here we will permit a maximum of 3 connection attempts per every 2 minutes; any more will be dropped.
   iptables -A THRU -p tcp --dport $ssh -i $InFace1 -m state --state NEW -m recent --set
   iptables -A THRU -p tcp --dport $ssh -i $InFace1 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 -j DROP
   iptables -A THRU -p tcp --dport $ssh -i $InFace1 -m state --state NEW -j ACCEPT

# SMTP (tcp port 25)
#
#   iptables -A THRU -i $InFace1 -p tcp -m tcp --dport 25 -j ACCEPT

# HTTP (tcp port 80)
#
#   iptables -A THRU -i $InFace1 -p tcp -m tcp --dport 80 -j ACCEPT

# POP3 (tcp port 110)
#
#   iptables -A THRU -i $InFace1 -p tcp -m tcp --dport 110 -j ACCEPT

# If you require to find out what port number your particular service uses, a complete listing of ports and services
# can be found here:  http://www.iana.org/assignments/port-numbers

#echo " Error Marker-4 = Passed "

# Any invalid packets will be dropped.
   iptables -A INPUT -m state --state INVALID -j DROP

# We will disable incoming echo-requests and outgoing echo-reply pings (ICMP type 8).
   iptables -A INPUT -p icmp --icmp-type echo-request -d $ExIP -j DROP
   iptables -A OUTPUT -p icmp --icmp-type echo-reply -s $ExIP -j DROP

# We will also disable incoming redirects (icmp type 5) and outgoing destination unreachable messages (icmp type 3).
# This will further protect us from dos (denial of service) attacks.
   iptables -A INPUT -p icmp --icmp-type redirect -d $ExIP -j DROP
   iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -s $ExIP -j DROP

# We will now explicitly disable outgoing X-sessions, to protect our machine from the vulnerabilities with forwarding X11.
# REJECT is used here so that the connecting user is made efficiently aware that this service is not offered, following advice
# on Drop vs Reject found here: " http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject ".
   iptables -A OUTPUT -p tcp -s $ExIP -o eth0 --dport 6000:6010 -j REJECT
   iptables -A OUTPUT -p udp -s $ExIP -o eth0 --dport 6000:6010 -j REJECT

# We will now add our final rule to the INPUT chain, which will drop all packets that haven't been accepted
# via any of the previous rules; we will also now change the default policy for INPUT to DROP.
   iptables -A INPUT -j DROP
   iptables -P INPUT DROP

# We will also set the default policy for the FORWARD chain to DROP, as it should not be used in this configuration.
   iptables -P FORWARD DROP

#echo " Error Marker-5 = Passed "

# The following rules are for our final custom chain LOGDROP. These will place descriptive annotations
# on the log entries, to aid with log analysis later on.
   iptables -A LOGDROP -p tcp -m tcp --dport $ssh -m limit --limit 1/sec -j LOG --log-prefix "ssh_blacklist" --log-level 7
   iptables -A LOGDROP -p tcp -m tcp --dport 25 -m limit --limit 1/sec -j LOG --log-prefix "spam_blacklist" --log-level 7
   iptables -A LOGDROP -p tcp -m tcp --dport 80 -m limit --limit 1/sec -j LOG --log-prefix "web_blacklist" --log-level 7

# The following line specifies how we will respond to packets that have gone through the LOGDROP custom chain.
   iptables -A LOGDROP -j REJECT --reject-with icmp-host-prohibited
#
# - NOTE -  To make use of our various blacklists, you can manually add rules to the respective chain, such
# as the following examples:
#
#   iptables -A BLACKLIST -s 192.168.254.5 -j LOGDROP
#   iptables -A BLACKLIST -s 192.168.220.9/24 -p tcp --dport 22 -j LOGDROP
#   iptables -A SPAM -s scum.spammers.org -j LOGDROP
#   iptables -A WEB -s script.kiddies.com -j LOGDROP
#
# - NOTE - the " -s " flag indicates a source.
#
#--------------------------------------- End of Configuration----------------------------------------------#

#echo " Error Marker-6 = Passed "

      echo "Firewall started and configured"

exit
```

----------

## dpetka2001

*pteppic wrote:*

> Bad syntax, should be:
>
> iptables -A THRU -p tcp -m tcp --dport 22 -i $InFace1 -m state --state NEW -m recent --set
>
> iptables -A THRU -p tcp -m tcp --dport 22 -i $InFace1 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 -j DROP
>
> iptables -A THRU -p tcp -m tcp --dport 22 -i $InFace1 -m state --state NEW -j ACCEPT
> ...

What exactly does the "-m tcp" option do? I have never seen it before. As I am having a look at several guides about iptables I couldn't find anything relevant... could someone explain please? Thanks in advance...

----------

## Keiko

Hia,

Also struggling with " -m tcp "; could you clarify its meaning and function please? I've tested the rule previously and I recall it functioning okay, but I'm more than happy to try it with this extra flag, if you could explain it to me.

This is the first script I've ever written, and I'm new to iptables too, so I've kind of learnt as I've gone along, a tiny bit at a time. As you can see above, my script produces log entries via syslog-ng, though I'm unsure of its use so far; I just get a log full of MAC addresses and dropped packets, which is how it's set up, but I don't know what use this is.

I think your logging idea is good; it's been a pain to test my setup at times, but I'm unsure what you mean with the index position. Can I simply write a modified version of that above the line in my script I plan to test?

Thanks, Keiko.
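An added example, not code from the thread, tying together two things raised above: what to do with a log "full of MAC addresses and dropped packets", and keeping the blacklist in a separate file instead of in the script. summarize_drops reads kernel LOG lines (the LOG target prints the prefix immediately before `IN=`, so a prefix without a trailing space, like "drop_packet", runs straight into the field after it) and counts drops per protocol, source and destination port; ssh_offenders picks out the sources that exceeded a threshold on port 22; blacklist_from_file loads one address or network per line into the script's BLACKLIST chain. The log excerpt and the addresses are constructed for the example, the file format is this example's own, and IPT=echo dry-runs the rule loading.

```shell
#!/bin/sh
# Added example (not from the thread): make the kernel LOG entries useful and
# load the blacklist from a file.  Sample log lines and the address file are
# constructed here; IPT=echo dry-runs the rule loading.
IPT=${IPT:-/sbin/iptables}

# Constructed /var/log/messages excerpt in the netfilter LOG format.  The
# "drop_packet" prefix has no trailing space, so it runs into "IN=".
sample_log() {
    cat <<'EOF'
Mar 18 10:01:02 host kernel: drop_packetIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.0.0.8 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 18 10:01:14 host kernel: drop_packetIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.0.0.8 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=54322 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 18 10:01:31 host kernel: drop_packetIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.0.0.8 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=54323 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 18 10:02:40 host kernel: drop_packetIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=10.0.0.8 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4321 DF PROTO=TCP SPT=2049 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 18 10:03:05 host kernel: drop_packetIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=10.0.0.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
}

# summarize_drops: read LOG lines on stdin, print "count proto src dpt",
# busiest source first ("-" where a field is absent, e.g. DPT for ICMP)
summarize_drops() {
    awk '
        / SRC=/ {
            src = ""; dpt = "-"; proto = "-"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "SRC") src = v
                else if (k == "DPT") dpt = v
                else if (k == "PROTO") proto = v
            }
            if (src != "") count[proto " " src " " dpt]++
        }
        END { for (key in count) print count[key], key }
    ' | sort -rn
}

# ssh_offenders THRESHOLD: sources with at least THRESHOLD dropped SSH packets,
# i.e. candidates for the BLACKLIST chain
ssh_offenders() {
    summarize_drops | awk -v min="$1" '$2 == "TCP" && $4 == "22" && $1 >= min { print $3 }'
}

# blacklist_from_file FILE: one address or network per line, '#' comments and
# blank lines ignored; each becomes a BLACKLIST -> LOGDROP rule (the chain
# names are the script's, the file format is this example's)
blacklist_from_file() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while read -r addr; do
        $IPT -A BLACKLIST -s "$addr" -j LOGDROP
    done
}

# Usage against a live system:
#   summarize_drops < /var/log/messages
#   ssh_offenders 3 < /var/log/messages >> /etc/firewall/blacklist
#   blacklist_from_file /etc/firewall/blacklist   # from the firewall script
case "${1:-}" in
    demo) sample_log | summarize_drops ;;
esac
```

On the constructed excerpt the summary's first line is `3 TCP 203.0.113.5 22`, which is the pattern Keiko describes seeing: a few attempts from one source, then silence once it is blacklisted. Adding the offender to the file and calling blacklist_from_file from the firewall script's BLACKLIST section replaces the hand-maintained list of `-s` rules.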

----------

## jedsen

"-p <protocol>" includes an implicit "-m <protocol>" when protocol is one of icmp, tcp or udp. So it's redundant, in this case.

----------

