In this post I will share the iptable script in which we will learn How to protect from port scanning and smurf attack in Linux Server.

Features Of Script :

(1) When a attacker try to port scan your server, first because of iptable attacker will not get any information which port is open. Second the Attacking IP address will be blacklisted for 24 Hour (You can change it in script) . Third , after that attacker will not able to open access anything for eg. even attacker will not see any website running on server via web browser, not able to ssh,telnet also. Means completely restricted.

(2) Protects from smurf attack

(3) Written with the help of IPTABLE hence no System Performance issue like CPU high,Memory usage etc. No third party tool is used

Note: You can add or remove port no. as per your requirement.

Description about Server where we will implement IPTABLE script:

Operating Syetem : CentOS 6.4 (applicable to Red hat and CentOS servers)
IP Address: 192.168.1.4

Now we will create the script

Step 1: Create a bash script with the name of iptablescript.sh

vi /root/iptablescript.sh

Step 2: Now paste the below given script contents in your bash script file iptablescript.sh

#!/bin/sh
#
#
# Script is for stoping Portscan and smurf attack

### first flush all the iptables Rules
iptables -F


# INPUT iptables Rules
# Accept loopback input
iptables -A INPUT -i lo -p all -j ACCEPT

# allow 3 way handshake
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### DROPspoofing packets
iptables -A INPUT -s 10.0.0.0/8 -j DROP 
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j DROP

iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

#for SMURF attack protection
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

# Droping all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# flooding of RST packets, smurf attack Rejection
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Protecting portscans
# Attacking IP will be locked for 24 hours (3600 x 24 = 86400 Seconds)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Remove attacking IP after 24 hours
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# Allow the following ports through from outside
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow ping means ICMP port is open (If you do not want ping replace ACCEPT with REJECT)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Lastly reject All INPUT traffic
iptables -A INPUT -j REJECT


################# Below are for OUTPUT iptables rules #############################################

## Allow loopback OUTPUT 
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the following ports through from outside 
# SMTP = 25
# DNS =53
# HTTP = 80
# HTTPS = 443
# SSH = 22
### You can also add or remove port no. as per your requirement

iptables -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow pings
iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Lastly Reject all Output traffic
iptables -A OUTPUT -j REJECT

## Reject Forwarding  traffic
iptables -A FORWARD -j REJECT

Step 3: Make the Read Write Execute permission only to root user. (For security) 

 chmod 700 /root/iptablescript.sh
  chown root:root /root/iptablescript.sh

Step 4 : Now run the script

sh /root/iptablescript.sh 

or 

./root/iptablescript.sh

Step 6: Now check the IPTABLES rule with following command


iptables -nL

Now we will do testing from remote server to our server where we have implemented the iptable

Step 7: login into any system and try to do port scanning

nmap -sT Server-ip-address

eg.

nmap -sT 192.168.1.4

Step 8: The result should be now from your system like following types

(a) Not getting any output from nmap
(b) Not able to do telnet to any port for eg. telnet Server-ip-address 22

After running nmap means port scan your ip-address is blacklisted.

You can find your system ip address in message logs in Server with the keyword called portscan.
So login back to your server and check the messages log in /var/log

Note : how to install nmap

In Red Hat and CentOS 

yum install nmap

In Debian and Ubuntu

apt-get install nmap

Articles

Find installed and enabled apache module in Debian/Ubuntu
ss command : alternate of netstat
Install and configure Varnish Cache server on CentOS/RHEL 6.x
Install and configure transparent squid proxy server : RHEL/CentOS 6.x
How to install nginx webserver from source on CentOS and RHEL
How to install nginx from source on CentOS 7
How to install and configure samba server in CentOS 6.3
How to configure FTP server in CentOS 6.3 – vsftpd server
How to backup and restore iptables on CentOS 7 / RHEL 7
Save iptables permanently on Ubuntu
CentOS 7 / RHEL 7 : change OpenSSH port number ( SELINUX enabled )
Install and configure rsyslog Centralized logging server in CentOS 6.5
How to install apache webserver in CentOS and Red Hat
How to start / stop / restart / reload iptables on CentOS 7 / RHEL 7
How to backup and restore iptables on Linux systems

Sharad Chhetri is an experienced Linux, DevOps, Cloud Engineer & Freelancer. Working on various technologies since RHEL 4 era. He loves sharing the knowledge which he has earned from his experience.
You can contact him on email for freelance projects at admin@sharadchhetri.com.

Read Some More Articles

Linux: Set user password by using encrypted password in command
|

Linux: Set user password by using encrypted password in command

BySharad Chhetri

In this tutorial we will learn about how to set user password by using encrypted password in command line.We assume you already know about how to simply set/reset password of user by using command (passwd username). In this tutorial,first we will encrypt the password in python interpreter then we use the output in one liner…

REMOTE HOST IDENTIFICATION HAS CHANGED
| |

SSH WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED

BySharad Chhetri

When you try to ssh the another remote Linux/Unix machine , you might have encountered with the WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! . This message we have often seen when we work in Linux machines. In this post we have provided the Reason and Solution on this Warning. root@tuxworld:/tmp# ssh 10.10.0.16 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING:…

Cassandra backup script on linux system

Cassandra backup script on linux system

BySharad Chhetri

In this post we are sharing the Cassandra backup script on linux system. Backup is always important part of any system. Backup will help you to get the data back in case data is removed due to some reason. The script includes two section as per the Cassandra backup requirement. These are given below 1….

blockquote in style.css applicable to wordpress and blogger sites

blockquote in style.css applicable to wordpress and blogger sites

BySharad Chhetri

blockquote for style.css applicable to wordpress and blogger sites Blockquotes are useful in blogging or any website because with the help of blockquote you can highlight the text in box with border or borderless as per your choice. Many readers of my blog have asked the question about how to have a common blockquote which…

How to list all installed python modules

How to list all installed python modules

BySharad Chhetri

How to list all installed python modules To know what are the python modules installed in system.Use the given below command. Login into system. Type the command python to get the python prompt # python Now you will get the python prompt like this >>>, type the command help(“modules”) and press enter key >>> help(“modules”)…

21 Comments

  1. i am running Debian 10 and i am getting the following errors:
    – icmp: option “–icmp-type” must be specified

    Try `iptables -h’ or ‘iptables –help’ for more information.

    -Also, i do not have access to Internet (dns requests) while ping to 8.8.8.8 works fine. As a consequence no apt-get update/upgrade/install

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.