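#!/usr/bin/env bash
# Minimal host firewall (IPv4 only).
#
# Policy: DROP on every chain; allow loopback and replies to tracked
# connections; expose only HTTP/HTTPS; log (rate-limited) and drop TCP
# packets whose flag combinations only occur in port scans.
#
# Test from another host, e.g.:   nmap -v -f <firewall-IP>
# Matching probes show up in the kernel log with the prefix "PORTSCAN -- SHUN".
#
# Must run as root. NOTE: iptables programs IPv4 only — if the host has a
# global IPv6 address, ip6tables needs an equivalent ruleset or v6 stays open.
set -u

if [[ "$(id -u)" -ne 0 ]]; then
  printf 'this script must run as root\n' >&2
  exit 1
fi

# Public interface the explicit low-port DROP rules below are bound to.
IFACE="eth0"
readonly IFACE

# Flush existing rules, user-defined chains and counters (filter and nat).
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

# Default policy: DROP. Anything not explicitly accepted below is dropped —
# that includes NEW outbound connections (DNS, package updates, NTP). Add
# OUTPUT rules if this host has to initiate traffic.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Loopback is unrestricted.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Let packets belonging to (or related to) a connection that was accepted
# by a later rule pass without re-evaluating the whole chain.
iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Bandwidth-hogging crawler: -I puts this at the top of INPUT, ahead of the
# loopback/established rules above.
iptables -I INPUT -s 208.115.111.64/28 -j DROP

# --- Port-scan signatures ---------------------------------------------------
# Flag combinations that never occur in legitimate TCP. These rules must come
# BEFORE the service ACCEPT rules: otherwise a FIN/NULL/XMAS probe aimed at
# port 80 or 443 is accepted before it is ever inspected.
# (The original rules carried "-i all"; no interface has that name, so they
# never matched and the PORTSCAN chain was dead code.)
iptables -N PORTSCAN
iptables -A PORTSCAN -m limit --limit 1/second -j LOG --log-level info \
  --log-prefix "PORTSCAN -- SHUN " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A PORTSCAN -j DROP

# "<mask> <compare>" pairs for --tcp-flags. "ALL ALL" already covers the
# explicit URG,ACK,PSH,RST,SYN,FIN list (that is every flag), so it is not
# repeated.
scan_flags=(
  "ALL FIN,URG,PSH"   # nmap Xmas scan (-sX)
  "SYN,RST SYN,RST"   # SYN+RST never valid together
  "SYN,FIN SYN,FIN"   # SYN+FIN: scan (probably)
  "ALL FIN"           # FIN scan (-sF)
  "ALL ALL"           # every flag set
  "ALL NONE"          # NULL scan (-sN)
)
for entry in "${scan_flags[@]}"; do
  read -r mask comp <<<"$entry"
  for chain in INPUT FORWARD; do
    # "-m recent --set" records the source; nothing below does an --rcheck on
    # the list yet, so it is only bookkeeping for now.
    iptables -A "$chain" -p tcp --tcp-flags "$mask" "$comp" -m recent --set -j PORTSCAN
  done
done

# --- Exposed services --------------------------------------------------------
# Only proper connection openers (SYN) are accepted here; every later packet
# of an accepted connection is covered by the RELATED,ESTABLISHED rule.
iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT

# Optional, left disabled as in the original: refuse new connections to
# high ports.
#iptables -A INPUT -p tcp --syn --dport 1025:65535 -j DROP

# Explicitly drop the rest of the well-known range on the public interface.
# Redundant with the DROP policy, but keeps the intent visible in the listing.
iptables -A INPUT -i "$IFACE" -p tcp --dport 1:1024 -j DROP
iptables -A INPUT -i "$IFACE" -p udp --dport 1:1024 -j DROP

# --- Kernel hardening knobs --------------------------------------------------
# Ignore ICMP echo sent to broadcast addresses (smurf amplification).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignore all ICMP echo. Debatable — and with no ICMP ACCEPT rule in INPUT,
# the DROP policy already discards inbound pings.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Do NOT accept ICMP redirects. The original wrote 1 here, which *enables*
# accepting redirects — the opposite of what its comment said.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Log packets with impossible (martian) source addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# The server may ping out; replies come back via RELATED,ESTABLISHED.
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# Show the resulting ruleset. -n is required: without it iptables does
# reverse-DNS lookups, which hang because the OUTPUT policy blocks new
# DNS queries.
iptables -L -n -v
exit 0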