* ssh overflow blacklisting not working properly
@ 2010-03-29  7:31 J. Bakshi
From: J. Bakshi @ 2010-03-29  7:31 UTC (permalink / raw)
  To: netfilter

Dear list,

Could someone please help me to identify the problem in my ssh overflow
blacklisting rule sets? I already have these rule sets to prevent ssh
overflow. Please note my firewall has a default DROP policy.


#---------------- ssh incoming----------------#

# NB: Block the overflow ip for 3 min
# max 3 connection per min per ip

iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m hashlimit \
    --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \
    --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT

#----------------------------------------#

As expected, connection attempts beyond 3 in a minute are dropped, which
ensures only 3 connections per minute. But it should also block the source
IP for 3 min, and this part is not working here. Could anyone kindly
suggest a clue or the reason behind this?

Thanks

-- 
জয়দীপ বক্সী



* Re: ssh overflow blacklisting not working properly
@ 2010-03-29  8:18 ` Richard Horton
From: Richard Horton @ 2010-03-29  8:18 UTC (permalink / raw)
  To: J. Bakshi; +Cc: netfilter

On 29 March 2010 08:31, J. Bakshi <joydeep@infoservices.in> wrote:
>
> iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m
> hashlimit \
> --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \
> --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT
>
> #----------------------------------------#
>
> As expected connection attempt more than 3 in a min is dropped and
> ensure only 3 connection per minute. But It should also block the source
> IP for 3 min and this part is not working here. Could any one kindly
> suggest any clue or reason behind this ?


Unless you have other rules floating around, all the rule does is allow
up to 3 connections per minute to ssh based on source IP. It won't
block other connections from that source IP, just the ssh ones which
exceed your defined limit (3/min).

I'd guess from your comments there are additional rules; without
seeing them, though, it's very hard to work out what is wrong, as all I can
say is that the rule does its job... blocking ssh > 3 connection attempts
per min per source IP.

R.


* Re: ssh overflow blacklisting not working properly
@ 2010-03-29 10:51   ` J. Bakshi
From: J. Bakshi @ 2010-03-29 10:51 UTC (permalink / raw)
  To: Richard Horton; +Cc: netfilter

On 03/29/2010 01:48 PM, Richard Horton wrote:
> On 29 March 2010 08:31, J. Bakshi <joydeep@infoservices.in> wrote:
>   
>> iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m
>> hashlimit \
>> --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \
>> --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT
>>
>> #----------------------------------------#
>>
>> As expected connection attempt more than 3 in a min is dropped and
>> ensure only 3 connection per minute. But It should also block the source
>> IP for 3 min and this part is not working here. Could any one kindly
>> suggest any clue or reason behind this ?
>>     
>
> Unless you have other rules floating around all the rule does is allow
> upto 3 connections per minute to ssh based on source-ip. It won't
> block other connections from that source ip, just the ssh ones which
> exceed your defined limit (3/min).
>
> I'd guess from your comments there are additional rules, without
> seeing them though very hard to work out what is wrong as all I can
> say is that rule does its job... blocking ssh > 3 connection attempts
> per min per soucre ip.
>
>   

Thanks for your attention. Yes, I have already mentioned that it does
the overflow restriction, i.e. 3 connections per min per src ip.

But additionally it should block that ip for 3 min, as

    --hashlimit-htable-expire 180000

Unfortunately it is not doing that.


-- 
জয়দীপ বক্সী



* Re: ssh overflow blacklisting not working properly
@ 2010-03-29 11:05     ` Jan Engelhardt
From: Jan Engelhardt @ 2010-03-29 11:05 UTC (permalink / raw)
  To: J. Bakshi; +Cc: Richard Horton, netfilter


On Monday 2010-03-29 12:51, J. Bakshi wrote:
>On 03/29/2010 01:48 PM, Richard Horton wrote:
>> On 29 March 2010 08:31, J. Bakshi <joydeep@infoservices.in> wrote:
>>   
>>> iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m
>>> hashlimit \
>>> --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \
>>> --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT
>>>
>>> #----------------------------------------#
>>>
>>> As expected connection attempt more than 3 in a min is dropped and
>>> ensure only 3 connection per minute. But It should also block the source
>>> IP for 3 min and this part is not working here.

It should not block it; that's not part of the definition of the
S-TBF (or any other) limiter. You have to use -m recent as a list
to store entries once they have gone over their limit.


* Re: ssh overflow blacklisting not working properly
@ 2010-03-29 11:22       ` J. Bakshi
From: J. Bakshi @ 2010-03-29 11:22 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Richard Horton, netfilter

On 03/29/2010 04:35 PM, Jan Engelhardt wrote:
> On Monday 2010-03-29 12:51, J. Bakshi wrote:
>   
>> On 03/29/2010 01:48 PM, Richard Horton wrote:
>>     
>>> On 29 March 2010 08:31, J. Bakshi <joydeep@infoservices.in> wrote:
>>>   
>>>       
>>>> iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m
>>>> hashlimit \
>>>> --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \
>>>> --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT
>>>>
>>>> #----------------------------------------#
>>>>
>>>> As expected connection attempt more than 3 in a min is dropped and
>>>> ensure only 3 connection per minute. But It should also block the source
>>>> IP for 3 min and this part is not working here.
>>>>         
> It should not block it, it's not part of the definition of the
> S-TBF (or any other) limiter. You have to use -m recent as a list
> to store entries once they have gone over their limit.
>
>   


Could you kindly enlighten me in that direction, possibly with a few
small examples?

thanks

-- 
জয়দীপ বক্সী




* Re: ssh overflow blacklisting not working properly
@ 2010-03-29 11:54         ` Richard Horton
From: Richard Horton @ 2010-03-29 11:54 UTC (permalink / raw)
  To: J. Bakshi; +Cc: Jan Engelhardt, netfilter

> Could you kindly enlighten me in that direction with possibly little
> examples.
>

# Generated by iptables-save v1.4.5 on Mon Mar 29 12:04:05 2010
*filter
:INPUT ACCEPT [1:68]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:68]
# Rule 1: mark new SSH connections that exceed 3/min from one source.
# --hashlimit-mode srcip keeps one bucket per source address; without it
# the limit would be a single bucket shared by every client.
-A INPUT -p tcp -m hashlimit --hashlimit-above 3/min --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name hashlimit -m state --state NEW -m tcp --dport 22 -j MARK --set-xmark 0x1/0xffffffff
# Rule 2: drop anything from a source listed within the last 600 s
-A INPUT -m recent --rcheck --seconds 600 --name DEFAULT --rsource -j DROP
# Rule 3: list the source of a marked packet, then drop the packet
-A INPUT -m mark --mark 0x1 -m recent --set --name DEFAULT --rsource -j DROP
COMMIT
# Completed on Mon Mar 29 12:04:05 2010

Should do what you're looking for...

Rule 1: Check the hashlimit and if more than 3/min then mark the packets.

Rule 2: Check the recent table to see if the address is in it and has
been seen in the last 10 mins, and drop if it has.

Rule 3: If the packet has been marked by rule 1 (actually this could be
combined with rule one, but that gets to a long line and a mess to explain),
add the source address (the --set option of recent) and drop.
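
Jan's point (a hashlimit bucket only rate-limits; it never blocks) and Richard's mark-plus-recent rule set above are easiest to compare side by side in a simulation. The Python below is an added example, not code from the thread: it models the per-source hashlimit token bucket (3/min, burst 1, htable-expire 180 s, srcip mode assumed) and the recent list (--set, --rcheck --seconds 600), then runs the original rule and Richard's three rules plus a plain SSH ACCEPT, both under a default DROP policy, over a constructed sequence of new SSH connections.

```python
SSH_RATE_PER_MIN = 3   # --hashlimit 3/min
SSH_BURST = 1          # --hashlimit-burst 1
HTABLE_EXPIRE_S = 180  # --hashlimit-htable-expire 180000 (milliseconds)
BLOCK_SECONDS = 600    # -m recent --rcheck --seconds 600 (Richard's value)


class HashLimit:
    """Per-source token bucket: the S-TBF behind -m hashlimit --hashlimit-mode srcip."""

    def __init__(self, rate_per_min=SSH_RATE_PER_MIN, burst=SSH_BURST,
                 expire_s=HTABLE_EXPIRE_S):
        self.interval = 60.0 / rate_per_min   # seconds needed to earn one token
        self.burst = burst
        self.expire_s = expire_s
        self.table = {}                        # src -> [tokens, refill_clock, last_seen]

    def upto(self, src, now):
        """--hashlimit-upto: matches (True) while the source is within its rate."""
        ent = self.table.get(src)
        if ent is None or now - ent[2] >= self.expire_s:
            # htable-expire only garbage-collects an idle entry; the replacement
            # starts with a full burst, so the expiry never extends a block.
            ent = self.table[src] = [self.burst, now, now]
        earned = int((now - ent[1]) // self.interval)
        if earned:
            ent[0] = min(self.burst, ent[0] + earned)
            ent[1] += earned * self.interval
        ent[2] = now
        if ent[0] > 0:
            ent[0] -= 1
            return True
        return False

    def above(self, src, now):
        """--hashlimit-above: the inverse match; a token, if available, is still spent."""
        return not self.upto(src, now)


class Recent:
    """-m recent list: --set records the source, --rcheck tests it without refreshing."""

    def __init__(self):
        self.seen = {}

    def set(self, src, now):
        self.seen[src] = now

    def rcheck(self, src, now, seconds):
        return src in self.seen and now - self.seen[src] <= seconds


def hashlimit_only(attempts):
    """The original rule: -m hashlimit --hashlimit-upto ... -j ACCEPT, policy DROP."""
    hl = HashLimit()
    return ["ACCEPT" if hl.upto(src, t) else "DROP" for t, src in attempts]


def mark_and_blacklist(attempts, block_seconds=BLOCK_SECONDS):
    """Richard's rules 1-3 followed by the plain SSH ACCEPT (his rule 4), policy DROP."""
    hl, rec, verdicts = HashLimit(), Recent(), []
    for t, src in attempts:
        marked = hl.above(src, t)                     # rule 1: over the limit -> MARK 0x1
        if rec.rcheck(src, t, block_seconds):         # rule 2: listed recently -> DROP
            verdicts.append("DROP")
        elif marked:                                  # rule 3: list the source, DROP
            rec.set(src, t)
            verdicts.append("DROP")
        else:                                         # rule 4: new SSH connection -> ACCEPT
            verdicts.append("ACCEPT")
    return verdicts


# Constructed sample: (seconds, source) of new SSH connections from a noisy
# host A and one well-behaved host B.
ATTEMPTS = [(0, "A"), (1, "A"), (2, "A"), (5, "B"), (20, "A"), (40, "A"),
            (61, "A"), (300, "A"), (700, "A")]

if __name__ == "__main__":
    rows = zip(ATTEMPTS, hashlimit_only(ATTEMPTS), mark_and_blacklist(ATTEMPTS))
    for (t, src), plain, listed in rows:
        print(f"t={t:>3}s src={src}  hashlimit-only={plain:<6}  mark+recent={listed}")
```

With the bucket alone, host A is accepted again at t=20 s as soon as a token has been earned; with the recent list it stays dropped until 600 s after it was listed, while host B is unaffected because the bucket is keyed per source.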


* Re: ssh overflow blacklisting not working properly
@ 2010-03-29 15:10           ` J. Bakshi
From: J. Bakshi @ 2010-03-29 15:10 UTC (permalink / raw)
  To: Richard Horton; +Cc: Jan Engelhardt, netfilter

On Mon, 29 Mar 2010 12:54:53 +0100
Richard Horton <arimus.uk@googlemail.com> wrote:

> > Could you kindly enlighten me in that direction with possibly little
> > examples.
> >
> 
> # Generated by iptables-save v1.4.5 on Mon Mar 29 12:04:05 2010
> *filter
> :INPUT ACCEPT [1:68]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1:68]
> -A INPUT -p tcp -m hashlimit --hashlimit-above 3/min --hashlimit-burst
> 1 --hashlimit-name hashlimit -m state --state NEW -m tcp --dport 22 -j
> MARK --set-xmark 0x1/0xffffffff
> -A INPUT -m recent --rcheck --seconds 600 --name DEFAULT --rsource -j
> DROP -A INPUT -m mark --mark 0x1 -m recent --set --name DEFAULT
> --rsource -j DROP COMMIT
> # Completed on Mon Mar 29 12:04:05 2010
> 
> Should do what you're looking for...
> 
> Rule 1: Check the hashlimit and if more than 3/min then mark the
> packets.
> 
> Rule 2: Check the recent table to see if the address is in it and has
> been seen in the last 10 mins and drop if it has
> 
> Rule 3: If the packet has been marked by rule 1 (actually could be
> combined with rule one just gets to a long line and a mess to explain)
> add the source address (the --set option of recent) and drop.


Many, many thanks for the example and clarification. I must give it a try; my firewall is default DROP, but I am eager to see the result.

with regards


* Re: ssh overflow blacklisting not working properly
@ 2010-03-30  7:42           ` J. Bakshi
From: J. Bakshi @ 2010-03-30  7:42 UTC (permalink / raw)
  To: Richard Horton; +Cc: Jan Engelhardt, netfilter

On 03/29/2010 05:24 PM, Richard Horton wrote:
>> Could you kindly enlighten me in that direction with possibly little
>> examples.
>>
>>     
> # Generated by iptables-save v1.4.5 on Mon Mar 29 12:04:05 2010
> *filter
> :INPUT ACCEPT [1:68]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1:68]
> -A INPUT -p tcp -m hashlimit --hashlimit-above 3/min --hashlimit-burst
> 1 --hashlimit-name hashlimit -m state --state NEW -m tcp --dport 22 -j
> MARK --set-xmark 0x1/0xffffffff
> -A INPUT -m recent --rcheck --seconds 600 --name DEFAULT --rsource -j DROP
> -A INPUT -m mark --mark 0x1 -m recent --set --name DEFAULT --rsource -j DROP
> COMMIT
> # Completed on Mon Mar 29 12:04:05 2010
>
> Should do what you're looking for...
>
> Rule 1: Check the hashlimit and if more than 3/min then mark the packets.
>
> Rule 2: Check the recent table to see if the address is in it and has
> been seen in the last 10 mins and drop if it has
>
> Rule 3: If the packet has been marked by rule 1 (actually could be
> combined with rule one just gets to a long line and a mess to explain)
> add the source address (the --set option of recent) and drop.
>
>   

Unfortunately the rules are not working with default DROP iptables :-(



-- 
জয়দীপ বক্সী



* Re: ssh overflow blacklisting not working properly
@ 2010-03-30  8:23             ` Richard Horton
From: Richard Horton @ 2010-03-30  8:23 UTC (permalink / raw)
  To: J. Bakshi; +Cc: Jan Engelhardt, netfilter

My bad... you still need a rule to accept ssh traffic...

so add a fourth rule

-A INPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT

and a fifth

-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

The fourth rule accepts SSH which hasn't been dropped by the first 3
rules; the fifth just allows established sessions and related.

You'll need to tighten the fourth rule as appropriate, but you don't
need to add the rate limiting stuff as that's dealt with, so just
tighten allowed addresses, ports etc.

(Tip: unless you've moved a service from its usual port you can use
the name from /etc/services for the port number, and for the -p
<protocol> you can use the names from /etc/protocols)


-- 
Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
http://www.pbase.com/arimus - My online photogallery


* Re: ssh overflow blacklisting not working properly
@ 2010-03-30  8:52               ` J. Bakshi
From: J. Bakshi @ 2010-03-30  8:52 UTC (permalink / raw)
  To: Richard Horton; +Cc: Jan Engelhardt, netfilter

On 03/30/2010 01:53 PM, Richard Horton wrote:
> My bad... you still need a rule to accept ssh traffic...
>
> so add a fourth rule
>
> -A INPUT -p tcp --dport ssh -m state NEW -j ACCEPT
>
> and a fifth
> -A INPUT -p tcp -m state ESTABLISHED,RELATED -j ACCEPT
>
> The fourth rule accepts SSH which hasn't been dropped by the first 3
> rules, the fifth just allows established sessions and related.
>
> You'll need to tighten the fourth rule as appropriate but you don't
> need to add the rate limiting stuff as that's delt with so just
> tighten allowed addresses,ports etc.
>
> (Tip: unless you've moved a service from its usual port you can use
> the name from /etc/services for the port number, and for the -p
> <protoocl> you can use the names from /etc/protocols)
>
>
>   

Hello Richard,

many many thanks for your help, clarification and tips, but this time
with all the five rule sets it is no longer possible to log in through ssh.
Hence I have kept my earlier one, i.e.

Note: I am not running ssh on the default port, hence $SSH_PORT is there to
define it at the beginning.

iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m hashlimit \
    --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \
    --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT

and here is the iptables-save

# Completed on Tue Mar 30 14:06:11 2010
# Generated by iptables-save v1.4.2 on Tue Mar 30 14:06:11 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [1:40]
:OUTPUT DROP [2:544]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth1 -m recent --rcheck --seconds 60 --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 60650 -j ACCEPT
-A INPUT -s 122.160.37.80/32 -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 122.160.37.80/32 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 122.176.30.116/32 -i eth1 -j DROP
-A INPUT -s 10.0.0.0/8 -i eth1 -j DROP
-A INPUT -s 172.16.0.0/12 -i eth1 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth1 -j DROP
-A INPUT -s 224.0.0.0/4 -i eth1 -j DROP
-A INPUT -s 240.0.0.0/5 -i eth1 -j DROP
-A INPUT -d 127.0.0.0/8 -i eth1 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "TCP Port 0 OS fingerprint: "
-A INPUT -i eth1 -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "UDP Port 0 OS fingerprint: "
-A INPUT -i eth1 -p tcp -m tcp --dport 0 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 0 -j DROP
-A INPUT -i eth1 -p tcp -m tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Possible DRDOS abuse: "
-A INPUT -i eth1 -p udp -m udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Possible DRDOS abuse: "
-A INPUT -i eth1 -p tcp -m tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DROP
-A INPUT -i eth1 -p udp -m udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m recent --set --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-PSH scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-ALL scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "Stealth FIN scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m recent --set --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/RST scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/FIN scan?: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "Stealth Null scan: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name blacklist --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 1024 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth scan (UNPRIV)?: "
-A INPUT -i eth1 -p tcp -m tcp --dport 1024 ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth scan (PRIV)?: "
-A INPUT -i eth1 -p tcp -m tcp --dport 1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV connect attempt: "
-A INPUT -i eth1 -p tcp -m tcp --dport 1023 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: "
-A INPUT -i eth1 -p udp -m udp --dport 1023 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: "
-A INPUT -i eth1 -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: "
-A INPUT -i eth1 -p tcp -m tcp --tcp-option 64 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Bad TCP flag(64): "
-A INPUT -i eth1 -p tcp -m tcp --tcp-option 64 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-option 128 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Bad TCP flag(128): "
-A INPUT -i eth1 -p tcp -m tcp --tcp-option 128 -j DROP
-A INPUT -i eth1 -p tcp -m state --state INVALID -m limit --limit 1/min --limit-burst 2 -j LOG --log-prefix "AIF:INVALID TCP: "
-A INPUT -i eth1 -p udp -m state --state INVALID -m limit --limit 1/min --limit-burst 2 -j LOG --log-prefix "AIF:INVALID UDP: "
-A INPUT -i eth1 -m state --state INVALID -j DROP
-A INPUT -s 4.2.2.2/32 -i eth1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 208.67.222.222/32 -i eth1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 208.67.220.220/32 -i eth1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name sshlimit --hashlimit-htable-expire 180000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60021 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 62222:63333 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -i eth1 -j syn-flood
-A INPUT -i eth1 -p udp -m limit --limit 3/min -j LOG --log-prefix "UDP-IN-Notallowed: " --log-level 7
-A INPUT -i eth1 -p udp -j DROP
-A INPUT -i eth1 -p icmp -m limit --limit 3/min -j LOG --log-prefix "ICMP-IN-Notallowed: "
-A INPUT -i eth1 -p icmp -j DROP
-A INPUT -i eth1 -p tcp -m limit --limit 3/min -j LOG --log-prefix "TCP-IN-Notallowed: " --log-level 7
-A INPUT -i eth1 -p tcp -j DROP
-A INPUT -i eth1 -m limit --limit 3/min -j LOG --log-prefix "PROTOCOL-X-IN-Notallowed: " --log-level 7
-A INPUT -i eth1 -j DROP
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 4.2.2.2/32 -o eth1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 208.67.222.222/32 -o eth1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 208.67.220.220/32 -o eth1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -m state --state NEW -j ACCEPT
-A OUTPUT -d 66.35.250.209/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -d 213.133.106.107/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -d 80.237.136.138/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -d 204.174.223.204/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m limit --limit 3/min -j LOG --log-prefix "UDP-OUT-Notallowed: " --log-level 7
-A OUTPUT -o eth1 -p udp -j DROP
-A OUTPUT -o eth1 -p icmp -m limit --limit 3/min -j LOG --log-prefix "ICMP-OUT-Notallowed: "
-A OUTPUT -o eth1 -p icmp -j DROP
-A OUTPUT -o eth1 -p tcp -m limit --limit 3/min -j LOG --log-prefix "TCP-OUT-Notallowed: " --log-level 7
-A OUTPUT -o eth1 -p tcp -j DROP
-A OUTPUT -o eth1 -p tcp -m limit --limit 3/min -j LOG --log-prefix "TCP-OUT-Notallowed: " --log-level 7
-A OUTPUT -o eth1 -p tcp -j DROP
-A OUTPUT -o eth1 -m limit --limit 3/min -j LOG --log-prefix "PROTOCOL-X-OUT-Notallowed: " --log-level 7
-A OUTPUT -o eth1 -j DROP
-A syn-flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-upto 4/sec --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name testlimit --hashlimit-htable-expire 300000 -j RETURN
-A syn-flood -m recent --set --name blacklist --rsource -j DROP
COMMIT
# Completed on Tue Mar 30 14:06:11 2010

-- 
জয়দীপ বক্সী


