Thursday, March 27, 2014

Iptables Basics IV

This post is a continuation of the previous post on some of the basic functions of the Linux firewall.

To match a specific set of tcp flags, execute:

iptables -A INPUT -p tcp --tcp-flags FIN,PSH,URG FIN,PSH,URG -j DROP

--tcp-flags - Match the specified tcp flags.  The first group of flags specifies the tcp flags to examine, in this case, FIN,PSH,URG.  The second group of flags specifies which flags must be set, in this case, FIN,PSH,URG.  This statement explicitly drops the Xmas tree scan from nmap.  If you wanted to make sure a specific flag was unset, you would leave it off of the second set of flags, e.g. --tcp-flags FIN,PSH,URG FIN,PSH.  This statement would examine FIN,PSH,URG, and match if FIN and PSH were set, and URG was unset.  You can use an exclamation point to reverse the meaning of the match, e.g.  ! --tcp-flags FIN,PSH,URG FIN,PSH,URG would match when FIN,PSH,URG are unset.

To limit the number of connections, execute:

iptables -A INPUT -p tcp --tcp-flags SYN SYN -m limit --limit 3/s --limit-burst 5 -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN SYN -j LOG --log-prefix SYN-ATTACK:
iptables -A INPUT -p tcp --tcp-flags SYN SYN -j DROP

-m limit - Use the limit module.
--limit - Specify the maximum average matching rate.  Can also specify /m (minute), /h (hour), /d (day).
--limit-burst - Specify the maximum initial number of packets to match.  This value gets reset every time the --limit that is specified is not reached.

The statements following the limit statement log any packets that go above the threshold and drop them.
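To make the two matches above concrete, here is an added example (not code from the original post) that models the --tcp-flags mask/compare semantics and the limit token bucket in Python, then walks the three SYN rules over a constructed burst of packets; flag names, timings and verdict labels are assumptions of this model, not iptables output.

```python
# Added example, not code from the original post: a small model of the two
# iptables matches described above, so their semantics can be checked offline.
# All flag sets and packet timings below are constructed sample data.
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def flag_bits(names):
    """Turn a list like 'FIN,PSH,URG' into the OR of the flag bit values."""
    return sum(TCP_FLAGS[n] for n in names.split(",") if n)


def tcp_flags_match(packet_flags, mask, comp, negate=False):
    """--tcp-flags MASK COMP: of the bits named in MASK, exactly those in COMP
    must be set; bits outside MASK are ignored.  A leading '!' inverts the
    result, so it matches whenever the positive form does not."""
    hit = (flag_bits(packet_flags) & flag_bits(mask)) == flag_bits(comp)
    return not hit if negate else hit


class Limit:
    """Token-bucket model of -m limit --limit RATE --limit-burst BURST:
    the bucket starts full (BURST tokens), refills at RATE tokens per
    second up to BURST, and a packet matches only if a token is available."""

    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run_syn_chain(packets, rate_per_sec=3.0, burst=5):
    """Apply the post's three SYN rules, in order, to (time, flags) packets
    and return the verdict each packet gets."""
    limit = Limit(rate_per_sec, burst)
    verdicts = []
    for when, flags in packets:
        if not tcp_flags_match(flags, "SYN", "SYN"):
            verdicts.append("NO_MATCH")   # none of the three rules applies
        elif limit.allow(when):
            verdicts.append("ACCEPT")     # rule 1: within the limit
        else:
            verdicts.append("LOG+DROP")   # rule 2 logs, rule 3 drops
    return verdicts
```

With --limit 3/s --limit-burst 5, eight SYNs arriving at once yield five ACCEPTs and three LOG+DROPs, and one second later only three more tokens have been refilled.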
