From 93899a216f7f03b8e1d5092fdd20afd07b0bedae Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Tue, 29 Jul 2014 21:57:07 +0200
Subject: [PATCH] firewall: add more pscan matches and filter INVALID conntrack packages.

---
 src/initscripts/init.d/firewall | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 97186c3992..23d0c23ff7 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -64,16 +64,20 @@ iptables_init() {
 	iptables -A BADTCP -i lo -j RETURN
 
 	# Disallow packets frequently used by port-scanners
-	# nmap xmas
-	iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
-	# Null
-	iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
-	# FIN
+	# NMAP FIN/URG/PSH (XMAS scan)
+	iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
+	# SYN/RST/ACK/FIN/URG
+	iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN
+	# ALL/ALL
+	iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN
+	# FIN Stealth
 	iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
 	# SYN/RST (also catches xmas variants that set SYN+RST+...)
 	iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
 	# SYN/FIN (QueSO or nmap OS probe)
 	iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
+	# Null
+	iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
 	# NEW TCP without SYN
 	iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
 
@@ -83,6 +87,7 @@ iptables_init() {
 	# Connection tracking chain
 	iptables -N CONNTRACK
 	iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+	iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
 
 	# Fix for braindead ISP's
 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-- 
2.39.2
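Review bot: Two of the three added matches in the first hunk are already covered by the existing rule a few lines below them: `--tcp-flags ALL SYN,RST,ACK,FIN,URG` and `--tcp-flags ALL ALL` both have SYN and RST set, so the unchanged `--tcp-flags SYN,RST SYN,RST -j PSCAN` rule (whose own comment says it "also catches xmas variants that set SYN+RST+...") would send those packets to PSCAN anyway. Placing them earlier only changes which rule's packet counter increments, which is a legitimate reason to keep them if per-signature counters are wanted, but that intent should be written down so a later cleanup does not remove them as dead rules, e.g. `# (subsumed by the SYN,RST rule below; kept separate for per-signature counters)`. The `# ALL/ALL` comment would also read better as `# every flag set (XMAS variant)`, matching the descriptive style of the neighbouring comments. iptables_init() begins and ends outside this hunk.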
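Review bot: The new `--ctstate INVALID -j DROP` in the second hunk discards packets silently, so any traffic conntrack classifies as INVALID (presumably including out-of-window segments and replies that arrive after the tracking entry has expired) will now fail with no trace in the logs, which makes this rule hard to tell apart from an upstream outage when a user reports broken connections. A rate-limited log line in front of the drop, `iptables -A CONNTRACK -m conntrack --ctstate INVALID -m limit --limit 10/second -j LOG --log-prefix "DROP_INVALID "`, would keep the drops visible without flooding the log. Since the chains that jump to CONNTRACK are not in this hunk, it is also worth confirming that the drop is intended for every one of them and not only for INPUT/FORWARD. iptables_init() begins and ends outside this hunk.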