# iptables Firewall

## royger

Hi,

I'm trying to set up a simple iptables firewall that logs and avoids portscanners. I have compiled my kernel with iptables support, but when I try to run the Gentoo Security Guide firewall script (only the "Catch portscanners" section, not the whole script) I get this error:

```
Bad argument ` '
Try `iptables -h' or 'iptables --help' for more information.
./iptables: --limit: command not found
iptables v1.2.6a: bad rate ` '
Try `iptables -h' or 'iptables --help' for more information.
./iptables: 5/minute: No such file or directory
Bad argument ` '
Try `iptables -h' or 'iptables --help' for more information.
./iptables: -m: command not found
Bad argument ` '
Try `iptables -h' or 'iptables --help' for more information.
./iptables: --limit: command not found
Bad argument ` '
Try `iptables -h' or 'iptables --help' for more information.
./iptables: --limit: command not found
Bad argument ` '
Try `iptables -h' or 'iptables --help' for more information.
./iptables: --limit: command not found
```

My script is:

```
# Each "\" must be the very last character on its line. A space after it
# escapes the space instead of the newline: the shell hands iptables a " "
# argument ("Bad argument ` '" above) and then runs the continuation line as
# a command of its own ("--limit: command not found").
# Note: packets only reach check-flags once a rule in INPUT (and FORWARD)
# jumps to this chain; that rule is not part of this excerpt.
iptables -N check-flags
iptables -F check-flags
iptables -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
    --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
iptables -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A check-flags -p tcp --tcp-flags ALL ALL -m limit \
    --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
iptables -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
iptables -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit \
    --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
iptables -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A check-flags -p tcp --tcp-flags ALL NONE -m limit \
    --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
iptables -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
iptables -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
    --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
iptables -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
    --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
iptables -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
```

Does anyone know how to solve this?

Or have a better firewall script? :Smile:

(This may be a very easy question.)


[royger]

----------

## Qubax

Just have a look at my post "test firewall - scan for security holes".

I switched from fwbuilder (it seems not everything is working for me, but I get no error message) to projectfiles.com/firewall, but have a look at my post ...

----------

## royger

I'm using this firewall too now. I want to know how I can make it send me alerts to the console when someone is scanning me. I'm using syslog-ng with the default Gentoo Security Guide configuration; can someone tell me how to make it send alerts to me?

I have enabled logging in rc.firewall too.

Thk's

[royger]
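One way to turn the LOG lines from the check-flags chain into an actual "someone is scanning you" alert, rather than just routing raw kernel messages to a console: read what syslog-ng writes to /var/log/messages, group hits by source address and report any address that has probed several distinct ports. This is an added example, not code from this thread or from the Gentoo Security Guide; the log lines, addresses, interface name and the threshold of three ports are constructed assumptions, and the field layout is the one the iptables LOG target prints (prefix, then IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT=).

```python
#!/usr/bin/env python3
"""Alert on sources that repeatedly hit the check-flags rules.

Reads the lines the iptables LOG target writes (syslog-ng stores them in
/var/log/messages with a "kernel:" tag), groups them per SRC address and
reports any address that probed several distinct ports. Added example for
the thread; sample lines, addresses and threshold are made up.
"""
import re
import sys
from collections import defaultdict

# The LOG target emits "<prefix>IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=...".
# The prefixes in the script ("NMAP-XMAS:", "SYN/FIN:", ...) end in a colon
# with no trailing space, so "IN=" follows the colon directly.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>[A-Z_/-]+):IN=(?P<iface>\S*) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return the fields of one LOG line as a dict, or None for any other line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["spt"] = int(ev["spt"]) if ev["spt"] is not None else None
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] is not None else None
    return ev


def summarize(lines, port_threshold=3):
    """Group TCP hits per source address.

    Returns (hits, alerts): hits maps src -> {log prefix -> set of DPTs};
    alerts holds one message per source that touched at least
    port_threshold distinct ports, i.e. looks like a scan rather than a
    single stray packet. The threshold is an assumption; tune it.
    """
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "TCP" or ev["dpt"] is None:
            continue
        hits[ev["src"]][ev["prefix"]].add(ev["dpt"])

    alerts = []
    for src, by_prefix in sorted(hits.items()):
        ports = set().union(*by_prefix.values())
        if len(ports) >= port_threshold:
            kinds = ",".join(sorted(by_prefix))
            alerts.append(f"ALERT {src} probed {len(ports)} ports ({kinds})")
    return hits, alerts


# Constructed sample: three XMAS/NULL hits from 10.0.0.5, one SYN/FIN hit
# from 10.0.0.9 and an unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Jan  5 12:00:01 gw kernel: NMAP-XMAS:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Jan  5 12:00:01 gw kernel: NMAP-XMAS:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Jan  5 12:00:02 gw kernel: NULL_SCAN:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 URGP=0
Jan  5 12:00:02 gw kernel: SYN/FIN:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=1234 DPT=25 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Jan  5 12:00:03 gw sshd[123]: Accepted publickey for admin from 10.0.0.2 port 50000
"""

if __name__ == "__main__":
    # Usage: firewall_alerts.py [/var/log/messages]; without an argument the
    # constructed sample above is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    _, alerts = summarize(lines)
    print("\n".join(alerts) if alerts else "no scan activity")
```

Because the script's LOG rules are rate-limited to 5/minute per rule, a fast scan produces far fewer log lines than probes; counting distinct destination ports per source still separates a scanner from a single malformed packet, which is why the alert keys on ports rather than on line count.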

----------

## royger

I finally made syslog-ng send the firewall information to the console, but it sends it to the tty console, not to aterm or anything like that. How can I make syslog-ng send the log to aterm or whatever graphical console I'm using?

Thk's

[royger]

----------

## splooge

`tail -f /var/log/messages`?

----------

## paul138

 *royger wrote:*   

> I finally made syslog-ng send the firewall information to the console, but it sends it to the tty console, not to aterm or anything like that. How can I make syslog-ng send the log to aterm or whatever graphical console I'm using?
> 
> Thk's
> 
> [royger]

 

```
destination xconsole { pipe("/dev/xconsole"); };
```

----------

