Sample Firewall Script
Where can I get good security measures for Linux? I have seen that there are a few sample firewall scripts which block spoofed source addresses (private addresses on a public interface), block SYN, ACK, FIN, RST or any other fragmented packets, protect from DoS attacks, etc.
Azfar Hashmi
Email : azfarhashmi@hotmail.com
- Battalion Quarter Master Havaldaar
- Posts: 228
- Joined: Fri Jan 28, 2005 6:23 pm
- Location: Karachi
salam
Dear azfar,
This is a little help.
This script is in use on my Linux router.
#defend against port scans and DDOS attacks
#dealing with packets w/o syn flags when they are new
iptables -A FORWARD -i ppp0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "new no-SYN: "
iptables -A FORWARD -i ppp0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -i ppp0 -p tcp --tcp-flags ACK ACK -m state --state NEW -j LOG --log-prefix "New ACK: "
And also block all non-standard TCP/IP packets; maybe it can help.
Regards,
M Asad Rasheed
registered linux user #394856
http://www.bsdpakistan.org
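To show what the LOG rule in the post above is useful for, here is an added example (not part of the original thread or the poster's script) that triages kernel log lines carrying the "new no-SYN: " prefix by source address. The sample log lines, the port threshold and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

PREFIX = "new no-SYN: "  # the --log-prefix used by the rule in the post
TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}
# Flag sets typical of stealth scan modes. A lone ACK or RST is often just a
# leftover from a connection the state table has already expired.
SCAN_SHAPES = {frozenset(): "NULL", frozenset({"FIN"}): "FIN",
               frozenset({"FIN", "PSH", "URG"}): "XMAS"}

# Constructed sample input (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Jan 10 03:12:01 router kernel: new no-SYN: IN=ppp0 OUT=eth0 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 FIN URGP=0
Jan 10 03:12:01 router kernel: new no-SYN: IN=ppp0 OUT=eth0 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 FIN URGP=0
Jan 10 03:12:02 router kernel: new no-SYN: IN=ppp0 OUT=eth0 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Jan 10 03:15:40 router kernel: new no-SYN: IN=ppp0 OUT=eth0 SRC=198.51.100.20 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=9 PROTO=TCP SPT=51000 DPT=443 WINDOW=501 RES=0x00 ACK URGP=0
Jan 10 03:16:00 router kernel: eth0: link up
"""

def parse_line(line):
    """Return (src, dport, flags) for a LOG line with our prefix, else None."""
    _, sep, rest = line.partition(PREFIX)
    if not sep:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", rest))
    if (fields.get("PROTO") != "TCP" or "SRC" not in fields
            or not fields.get("DPT", "").isdigit()):
        return None
    flags = frozenset(tok for tok in rest.split() if tok in TCP_FLAGS)
    return fields["SRC"], int(fields["DPT"]), flags

def summarize(text, port_threshold=3):
    """Group dropped packets by source; mark sources probing many ports."""
    ports, shapes = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # other kernel messages or malformed lines
        src, dport, flags = parsed
        ports[src].add(dport)
        shapes[src].add(SCAN_SHAPES.get(flags, "+".join(sorted(flags))))
    return {src: {"ports": sorted(ports[src]), "shapes": sorted(shapes[src]),
                  "likely_scan": len(ports[src]) >= port_threshold}
            for src in ports}

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```
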
Thanks buddy, I will try it, but I am looking for an advanced script.
Azfar Hashmi
Email : azfarhashmi@hotmail.com
- Battalion Quarter Master Havaldaar
- Posts: 228
- Joined: Fri Jan 28, 2005 6:23 pm
- Location: Karachi
salam
What do you mean by more advanced?
I think you should try Shorewall if you really want to mess with it.
Regards,
M Asad Rasheed
registered linux user #394856
http://www.bsdpakistan.org
- Site Admin
- Posts: 5132
- Joined: Fri May 02, 2003 10:24 am
- Location: Karachi
Re:
Dear azfar,
Salam,
You can use http://firewall-jay.sourceforge.net/ and http://rfxnetworks.com/apf.php
FYI, http://the-devil.dnsalias.net/home/extremist
Best Regards.
Farrukh Ahmed