# Confirm the iptables userland package is installed.  Each matching line is
# "ii <package> <version> <arch> <description>"; "ii" means installed.
dpkg -l | grep -- iptables
returns:
ii iptables 1.6.0-2ubuntu3 amd64 administration tools for packet filtering and NAT
# Confirm the core ip_tables kernel module is loaded.  The last column of the
# lsmod line lists the table modules (iptable_filter, iptable_nat, ...) that
# currently depend on it.
lsmod | grep -- ip_tables
returns:
ip_tables 24576 4 iptable_filter,iptable_mangle,iptable_nat,iptable_raw
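# Minimal host firewall: default-deny in both directions, then open only
# loopback, reply traffic and administrative SSH.
#
# The ACCEPT rules are added BEFORE the policies are switched to DROP.  In
# the original order (policies first) an interactive SSH session running these
# commands one by one stalls as soon as "-P INPUT DROP" takes effect, because
# the conntrack rule that lets its packets through does not exist yet.
#
# The original also set "-P OUTPUT DROP" without a single OUTPUT ACCEPT rule,
# so replies to accepted connections (the SSH session itself included) were
# dropped on the way out; the two OUTPUT rules below fix that.

# Allowing Loopback Traffic (both directions).
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

# Allow established connections: packets belonging to, or related to, a
# connection already tracked by conntrack, inbound and outbound.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH access, restricted to one management host.
# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.2 -j ACCEPT

# Enable Web.
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Enable FTP.
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# iptables -A INPUT -p tcp --dport 20 -j ACCEPT

# To block an IP range.  Inserted at position 3, i.e. after the loopback and
# ESTABLISHED,RELATED rules but ahead of the SSH rule, so the blocked range
# is rejected even for ports the rules below would otherwise accept.
iptables -I INPUT 3 -s 192.168.123.0/24 -j DROP

# Default-deny last.  Anything the host initiates itself (DNS, updates, ...)
# now needs an explicit OUTPUT ACCEPT rule; only replies and loopback pass.
iptables -P INPUT DROP
iptables -P OUTPUT DROP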
To have FTP work correctly with iptables, ensure that the ip_conntrack_ftp module is loaded.
# Load the FTP connection-tracking helper so the data connections of an FTP
# session are classified as RELATED and pass the conntrack rule.  On current
# kernels "ip_conntrack_ftp" is only a module alias; the module that actually
# loads is nf_conntrack_ftp (see the lsmod output below).
# NOTE(review): loading the helper is not sufficient on kernels from 4.7 on,
# where automatic helper assignment is off by default
# (net.netfilter.nf_conntrack_helper=0); the helper then has to be attached
# explicitly to port 21 traffic with a "-j CT --helper ftp" rule in the raw
# table.  Check the target kernel before relying on this line alone.
modprobe ip_conntrack_ftp
Check that the module is loaded:
# Show every loaded module with "conntrack" in its name; the FTP helper
# appears as nf_conntrack_ftp, with nf_nat_ftp depending on it.
lsmod | grep -- conntrack
returns:
nf_conntrack_ftp 20480 1 nf_nat_ftp
nf_conntrack_ipv4 16384 84
nf_defrag_ipv4 16384 1 nf_conntrack_ipv4
xt_conntrack 16384 81
nf_conntrack 106496 9 nf_nat_ftp,nf_nat,xt_state,xt_connlimit,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
x_tables 36864 25 xt_pkttype,ip6table_filter,ip6table_mangle,xt_length,xt_comment,xt_CHECKSUM,xt_recent,ip_tables,xt_tcpudp,xt_string,ipt_MASQUERADE,xt_limit,xt_state,xt_connlimit,xt_conntrack,xt_LOG,xt_nat,xt_multiport,iptable_filter,ebtables,ipt_REJECT,iptable_mangle,ip6_tables,xt_addrtype,iptable_raw
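#!/bin/bash
#
# Start and stop the Firewall.
# Modify the following settings as required:
### BEGIN INIT INFO
# Provides:          firewall-sharewiz
# Required-Start:    $network
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
#
# Usage: /etc/init.d/firewall-sharewiz {start|stop|restart|reload|status}
#
# 'start' runs the rule script; 'stop' flushes every table and sets all
# policies to ACCEPT, which leaves the host completely open until the next
# 'start'.  'restart' and 'reload' are identical: reset, then start.
# The exit status is 0 for every recognised action, even when the rule
# script itself fails - check 'status' after a start.

IPTABLES=/sbin/iptables
NAME=firewall-sharewiz
FIREWALL_SCRIPT=/sharewiz/firewall/firewall.sh

# Flush all rules, delete the user-defined chains and reset every policy to
# ACCEPT in the filter, nat and mangle tables.  Deleting the chains (-X) is
# needed because a plain flush leaves the empty chains created by firewall.sh
# behind, where they still show up in 'status'; the flush must come first,
# since iptables refuses to delete a non-empty chain.  The nat and mangle
# policies are the same ACCEPT values firewall.sh sets, so they are not
# touched here.
open_firewall() {
  local table
  for table in filter nat mangle; do
    "$IPTABLES" -t "$table" --flush
    "$IPTABLES" -t "$table" --delete-chain
  done
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -t nat -P POSTROUTING ACCEPT
  "$IPTABLES" -t nat -P PREROUTING ACCEPT
  "$IPTABLES" -t nat -P OUTPUT ACCEPT
}

# Print the current rule set of the filter, nat and mangle tables.
show_status() {
  local table
  for table in filter nat mangle; do
    "$IPTABLES" -t "$table" --list
  done
}

# "${1:-}" keeps the usage branch reachable when no action is given.
case "${1:-}" in
  start)
    "$FIREWALL_SCRIPT"
    ;;
  stop)
    open_firewall
    ;;
  restart|reload)
    # Reset first so the rule script always starts from clean tables.
    open_firewall
    "$FIREWALL_SCRIPT"
    ;;
  status)
    show_status
    ;;
  *)
    echo "Usage: /etc/init.d/$NAME {start|stop|restart|reload|status}" >&2
    exit 1
    ;;
esac
exit 0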
Set the permissions:
# Make the init script executable for everyone, writable only by its owner
# (rwxr-xr-x, i.e. 0755): the init system runs it as root at boot, so it
# must not be group- or world-writable.
chmod u=rwx,go=rx /etc/init.d/firewall-sharewiz
# Create the rule script that the init script runs on 'start' and 'restart'.
vi /sharewiz/firewall/firewall.sh
and populate it as follows:
#!/bin/bash
#
# firewall.sh - builds the complete iptables rule set for this host.
# Run by /etc/init.d/firewall-sharewiz on 'start' and 'restart'.  It loads
# the netfilter modules, tunes /proc/sys/net/ipv4, flushes every table, sets
# default-DROP policies and then creates its own chains and rules.  The
# settings block (everything above "Do not edit beyond this line") is the
# only part meant to be edited.
#
# Modify the following settings as required:
#
# You should check/test that the firewall really works, using
# iptables -vnL, nmap, ping, telnet, ...
#
# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
#
# NOTE(review): the script runs without 'set -e' and never checks the exit
# status of $IPTABLES, $MODPROBE or the /proc writes.  A command failing
# half-way leaves the host in whatever partial state was reached, and the
# INPUT/OUTPUT policies are switched to DROP early on, so run it from a
# console (or a session that survives a lock-out) and verify with
# 'iptables -vnL' afterwards.

IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables
LOAD_MODULES=yes           # only the literal "yes" enables the modprobe block below
LOAD_MODULES_IPV6=no       # NOTE(review): not read in the part of the script shown here
                           # (the IPv6 modprobe lines below are commented out); verify before use
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
RMMOD=/sbin/rmmod
ARP=/usr/sbin/arp
#
# REJECT target works basically the same as the DROP target, but it also sends
# back an error message to the host sending the packet that was blocked.
#
# The REJECT target is as of today only valid in the INPUT, FORWARD and OUTPUT
# chains or their sub chains.
#
# REJECT --reject-with tcp-reset       # RFC 793. TCP RST packets are used to close open TCP connections gracefully.
# REJECT --icmp-net-unreachable
# REJECT --icmp-host-unreachable
# REJECT --icmp-port-unreachable       # Default
# REJECT --icmp-proto-unreachable
# REJECT --icmp-net-prohibited
# REJECT --icmp-host-prohibited
#
#*********************************************************
#
# Interfaces
#
# Earlier attempts at auto-detecting the addresses, kept for reference only:
#SERVER_INTERFACE=`ip addr show | awk '$1 == "inet" && $3 == "brd" { print $7 }'`
#SERVER_IP=`ifconfig $SERVER_INTERFACE | grep inet | awk '{ print $2 }'| cut -d : -f2`
#tmp=$(/sbin/ifconfig $LANFACE | grep -m 1 inet | tr -d [:alpha:])
#ifconfig em1 | grep -m 1 inet | tr -d [:alpha:]
#INET_IP=$(echo $tmp | cut -d : -f2)
#INET_BCAST=$(echo $tmp | cut -d : -f3)
#INET_MASK=$(echo $tmp | cut -d : -f4)
#unset tmp
#
# Internet Interface
#
#INET_IFACE="eth0"
#INET_IFACE="em1"
INET_IFACE="br0"
#INET_IFACE=$(/sbin/ifconfig | awk '/Link / { print $1 } ' | head -n 1)
INET_GW="192.168.1.1"
INET_IP="192.168.1.2"
INET_NET="192.168.1.1/24"        # host bits are set; iptables applies the /24 mask, so this behaves as 192.168.1.0/24
INET_BCAST="192.168.1.255"
#
#
# Local Interface Information
#
#LOCAL_IFACE="eth1"
LOCAL_IFACE="em2"
#LOCAL_IFACE=$(/sbin/ifconfig | awk '/Link / { print $1 } ' | sed -n -e '2{p;q;}')
LOCAL_IP="192.168.0.2"
LOCAL_NET="192.168.0.1/24"       # same remark as INET_NET: effectively 192.168.0.0/24
LOCAL_BCAST="192.168.0.255"
#
#
# Localhost Interface
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#
#
# Standard Definitions
#
ALL="0/0"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"   # NOTE(review): class E is 240.0.0.0/4; a /5 only covers 240-247.x.x.x
LOOPBACK="127.0.0.0/8"
P_PORTS="0:1023"                     # privileged port range
UP_PORTS="1024:65535"                # unprivileged port range
#
#
# DNS servers
#
# Space-separated list of resolvers.  NOTE(review): only the two 8.8.x.x
# entries are widely known; confirm the first two are still the resolvers this
# host is meant to talk to before using the list in allow rules.
DNS_SERVERS="83.137.248.244 93.187.151.197 8.8.8.8 8.8.4.4"
#
###########################################################################
#
# Module loading.
#
# The legacy module names used here (ip_conntrack, ip_conntrack_ftp,
# ip_nat_ftp, ipt_LOG, ipt_limit, ipt_state) resolve through module aliases
# on current kernels, so lsmod shows the nf_*/xt_* names instead.  No
# modprobe result is checked; a missing module only shows up as an error
# from the iptables rule that needs it.
#
if [ $LOAD_MODULES == "yes" ]; then
  #
  # Initially load modules
  #
  $DEPMOD -a                   # regenerate modules.dep on every start; slow but harmless
  #
  # Required modules
  #
  $MODPROBE ip_tables          # Required; all IPv4 modules depend on this one.
  $MODPROBE ip_conntrack       # Stateful Connections. Allows connection tracking state match, which allows you to write rules matching the state of a connection.
  $MODPROBE ip_conntrack_ftp   # Permits active FTP; requires ip_conntrack. Recognizes connection is related to original port 21.
  $MODPROBE iptable_filter     # Filter Table.
  $MODPROBE iptable_mangle     # Mangle table.
  $MODPROBE iptable_nat        # NAT table.
  $MODPROBE ip_nat_ftp         # presumably the NAT side of the FTP helper - no comment in the original
  $MODPROBE ipt_LOG            # LOG target, used by the logging rules below.
  $MODPROBE ipt_limit          # Allows log limits.
  $MODPROBE ipt_state          # Permits packet state checking (SYN, SYN-ACK, ACK, and so on).
  #
  #
  # To prevent the dmesg command showing errors such as:
  #   xt_recent: hitcount (25) is larger than packets to be remembered (20)
  # the module is loaded with a larger per-address packet history.
  #
  # The following command shows all the xt_recent parameters:
  #   head /sys/module/xt_recent/parameters/*
  #
  #   ls -al /proc/net/xt_recent/
  #
  # Use modinfo xt_recent to see the possible parameters.
  #
  #   ls -1 /sys/module/xt_recent/parameters/
  # Any of the parameters can be checked by simply:
  #   cat /sys/module/xt_recent/parameters/ip_pkt_list_tot
  #
  # Module parameters are only applied at load time: if xt_recent is already
  # loaded (for example from a previous run) this modprobe is a no-op and the
  # old values stay.  That is what the commented-out rmmod was meant for.
  #$RMMOD xt_recent
  $MODPROBE xt_recent ip_list_tot=100000 ip_pkt_list_tot=255
  #$MODPROBE ipt_recent ip_list_tot=100000 ip_pkt_list_tot=255
  # See also:
  #   xt_length
  #   xt_hl
  #   xt_tcpmss
  #   xt_TCPMSS
  #   xt_multiport
  #   xt_limit
  #   xt_dscp
  #
  # Non-Required modules
  #
  #$MODPROBE ipt_owner
  #$MODPROBE ipt_REJECT           # Implement the REJECT target.
  #$MODPROBE ipt_MASQUERADE       # Masquerade Target.
  #$MODPROBE ip_conntrack_ftp
  #$MODPROBE ip_conntrack_irc
  #$MODPROBE ip_conntrack_netbios_ns
  #$MODPROBE ip_nat_ftp
  #$MODPROBE ip_nat_irc
  #
  #
  #
  # Other modules.
  #
  #$MODPROBE ipt_comment
  #$MODPROBE ipt_helper
  #
  # ipt_length
  # ipt_limit
  # ipt_multiport
  # ipt_REDIRECT
  # ipt_REJECT
  # ipt_state
  # ipt_tcp
  # ipt_TCPMSS         # Used to clamp MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmit Unit).
  # ipt_tcpmss         # Used to clamp MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmit Unit).
  # ipt_tos
  # ipt_TOS
  # ipt_ttl
  # iptable_filter
  # iptable_mangle
  # iptable_nat
  #
  # IPv6 modules.
  #
  #$MODPROBE ip6_tables           # Required; all IPv6 modules depend on this one.
  #$MODPROBE ip6table_filter      # Filter Table.
  #$MODPROBE ip6table_mangle      # Mangle table.
fi
#*********************************************************
# What to allow
#
# 0=no
# 1=yes
#
# One *_IN / *_OUT pair per service; the number in the comment is the port.
# Only the variables themselves are defined here - the rules that read them
# come later in the script.
#
ALLOW_APPLESHARE_IN=0            # 500
ALLOW_APPLESHARE_OUT=0           # 500
ALLOW_BITTORRENT_IN=0            #
ALLOW_BITTORRENT_OUT=0           #
ALLOW_BOOTP_CLIENT_IN=0          # 68 DHCP boot protocol client
ALLOW_BOOTP_CLIENT_OUT=0         # 68 DHCP boot protocol client
ALLOW_BOOTP_SERVER_IN=0          # 67 DHCP boot protocol server
ALLOW_BOOTP_SERVER_OUT=0         # 67 DHCP boot protocol server
ALLOW_CHARGEN_IN=0               # 19
ALLOW_CHARGEN_OUT=0              # 19
ALLOW_CORBA_IIOP_IN=0            # 535
ALLOW_CORBA_IIOP_OUT=0           # 535
ALLOW_CUPS_IN=0                  # CUPS printer service
ALLOW_CUPS_OUT=0                 # CUPS printer service
ALLOW_CVS_IN=0                   #
ALLOW_CVS_OUT=0                  #
ALLOW_DAYTIME_IN=0               # 13 daytime-server
ALLOW_DAYTIME_OUT=0              # 13 daytime-server
ALLOW_DHCP_BROADCAST_IN=1        #
ALLOW_DHCP_BROADCAST_OUT=1       #
ALLOW_DISCARD_IN=0               # 9 discard-server
ALLOW_DISCARD_OUT=0              # 9 discard-server
ALLOW_DNS_IN=1                   # 53
ALLOW_DNS_OUT=1                  # 53
ALLOW_ECHO_IN=0                  # 7 echo-server
ALLOW_ECHO_OUT=0                 # 7 echo-server
ALLOW_FINGER_IN=0                # 79
ALLOW_FINGER_OUT=0               # 79
ALLOW_FTP_IN=1                   # 20, 21=ftp-data
ALLOW_FTP_OUT=1                  # 20, 21=ftp-data
ALLOW_HTTP_IN=1                  # 80
ALLOW_HTTP_OUT=1                 # 80
ALLOW_HTTPS_IN=1                 # 443
ALLOW_HTTP_OUT=1                 # 80   (duplicate of the assignment two lines up; harmless)
ALLOW_HTTPS_IN=1                 # 443  (duplicate; harmless)
ALLOW_HTTPS_OUT=1                # 443
ALLOW_ICMP_PARAM_PROBLEM_IN=0    #
ALLOW_IDENT_IN=1                 # 59??? What about 113? Are these different?
                                 # NOTE(review): ident/auth is TCP 113 (RFC 1413); check which port the IDENT rules actually open.
ALLOW_IDENT_OUT=1                # 59??? What about 113? Are these different?
ALLOW_IMAP_IN=1                  # 143
ALLOW_IMAP_OUT=1                 # 143
ALLOW_IMAPS_IN=1                 # 993
ALLOW_IMAPS_OUT=1                # 993
ALLOW_IRC_IN=0                   #
ALLOW_IRC_OUT=0                  #
ALLOW_KAZAA_IN=0                 # 1214
ALLOW_KAZAA_OUT=0                # 1214
ALLOW_KPASSWD_IN=0               # 464
ALLOW_KPASSWD_OUT=0              # 464
ALLOW_KRB5_IN=0                  # 88 Kerberos
ALLOW_KRB5_OUT=0                 # 88 Kerberos
ALLOW_LDAP_IN=0                  # 389
ALLOW_LDAP_OUT=0                 # 389
ALLOW_LDAPS_IN=0                 # 636 Secure LDAP
ALLOW_LDAPS_OUT=0                # 636 Secure LDAP
ALLOW_LINUX_CONF_IN=0            # 98
ALLOW_LINUX_CONF_OUT=0           # 98
ALLOW_LINUX_MOUNTD_BUG_IN=0      # 635
ALLOW_LINUX_MOUNTD_BUG_OUT=0     # 635
ALLOW_MS_EXCHANGE_IN=0           # 691
ALLOW_MS_EXCHANGE_OUT=0          # 691
ALLOW_MS_FILE_SERVER_FOR_MACINTOSH_IN=0   # 548 Enables Macintosh computer users to store and access files on a computer running Windows Server 2003.
ALLOW_MS_FILE_SERVER_FOR_MACINTOSH_OUT=0  # 548 Enables Macintosh computer users to store and access files on a computer running Windows Server 2003
ALLOW_MS_FT_DS_IN=0              # 445
ALLOW_MS_FT_DS_OUT=0             # 445
ALLOW_MS_RPC_IN=0                # 135
ALLOW_MS_RPC_OUT=0               # 135
ALLOW_MS_RPC_OVER_HTTP_IN=0      # 593
ALLOW_MS_RPC_OVER_HTTP_OUT=0     # 593
ALLOW_MSSQL_IN=0                 # 1433 MSSQL database
ALLOW_MSSQL_OUT=0                # 1433 MSSQL database
ALLOW_MSSQL_MONITOR_IN=0         # 1434 MSSQL monitor
ALLOW_MSSQL_MONITOR_OUT=0        # 1434 MSSQL monitor
ALLOW_MYSQL_IN=0                 # 3306 MySQL database
ALLOW_MYSQL_OUT=0                # 3306 MySQL database
ALLOW_NC_IN=0                    # 2030
ALLOW_NC_OUT=0                   # 2030
ALLOW_NCP_IN=0                   # 524
ALLOW_NCP_OUT=0                  # 524
ALLOW_NETWORK_LOG_CLIENT_IN=0    # 1394
ALLOW_NETWORK_LOG_CLIENT_OUT=0   # 1394
ALLOW_NFS_IN=0                   # 1025
ALLOW_NFS_OUT=0                  # 1025
ALLOW_NNTP_IN=0                  # 119 NNTP news
ALLOW_NNTP_OUT=0                 # 119 NNTP news
ALLOW_NTP_IN=1                   # 123
ALLOW_NTP_OUT=1                  # 123
ALLOW_OPENVPN_IN=0               #
ALLOW_OPENVPN_OUT=0              #
ALLOW_PCANYWHERE_IN=0            # 5623
ALLOW_PCANYWHERE_OUT=0           # 5623
ALLOW_PC_SERVER_BACKDOOR_IN=0    # 600
ALLOW_PC_SERVER_BACKDOOR_OUT=0   # 600
ALLOW_PHASE_ZERO_IN=0            # 555
ALLOW_PHASE_ZERO_OUT=0           # 555
ALLOW_PING_IN=0                  #
ALLOW_PING_OUT=1                 #
ALLOW_PLESK_IN=0                 # PLESK desktop
ALLOW_PLESK_OUT=0                # PLESK desktop
ALLOW_POP2_IN=0                  # 109
ALLOW_POP2_OUT=0                 # 109
ALLOW_POP3_IN=1                  # 110
ALLOW_POP3_OUT=1                 # 110
ALLOW_POP3S_IN=1                 # 995
ALLOW_POP3S_OUT=1                # 995
ALLOW_POSTGRESQL_IN=0            #
ALLOW_POSTGRESQL_OUT=0           #
ALLOW_PRINT_IN=0                 # 515 Allow printer port
ALLOW_PRINT_OUT=0                # 515 Allow printer port
ALLOW_REAL_SERVER_IN=0           # 554
ALLOW_REAL_SERVER_OUT=0          # 554
ALLOW_ROUTE_IN=0                 # 520
ALLOW_ROUTE_OUT=0                # 520
ALLOW_RWHO_IN=0                  # 513
ALLOW_RWHO_OUT=0                 # 513
ALLOW_RWHOIS_IN=1                # 4321
ALLOW_RWHOIS_OUT=1               # 4321
ALLOW_SAMBA_IN=1                 # 137=SMB Name, 138=SMB Data, 139=SMB Session
ALLOW_SAMBA_OUT=1                # 137=SMB Name, 138=SMB Data, 139=SMB Session
ALLOW_SGI_IRIX_TCPMUX_IN=0       # 1
ALLOW_SGI_IRIX_TCPMUX_OUT=0      # 1
ALLOW_SMTP_IN=1                  # 25 Do NOT allow unencrypted SMTP! Use SMTPS instead.
                                 # NOTE(review): the value contradicts its own comment - SMTP is allowed in both
                                 # directions while SMTPS (465) is not; decide which one is intended.
ALLOW_SMTP_OUT=1                 # 25 Do NOT allow unencrypted SMTP! Use SMTPS instead.
ALLOW_SMTPS_IN=0                 # 465
ALLOW_SMTPS_OUT=0                # 465
ALLOW_SNMP_IN=0                  # 161
ALLOW_SNMP_OUT=0                 # 161
ALLOW_SOCKS5_IN=0                # 1080
ALLOW_SOCKS5_OUT=0               # 1080
ALLOW_SSH_IN=1                   # 22
ALLOW_SSH_OUT=1                  # 22
ALLOW_SQL_IN=0                   # 1114
ALLOW_SQL_OUT=0                  # 1114
ALLOW_SQUID_IN=0                 # 3128 SQUID proxy
ALLOW_SQUID_OUT=0                # 3128 SQUID proxy
ALLOW_SUB7_IN=0                  # 1243
ALLOW_SUB7_OUT=0                 # 1243
ALLOW_SUBMISSION_IN=1            # 587
ALLOW_SUBMISSION_OUT=1           # 587
ALLOW_SUNRPC_IN=0                # 111 Also RPCbind
ALLOW_SUNRPC_OUT=0               # 111 Also RPCbind
ALLOW_SVN_IN=0                   #
ALLOW_SVN_OUT=0                  #
ALLOW_TELNET_IN=0                # 23
ALLOW_TELNET_OUT=0               # 23
ALLOW_TFTP_IN=0                  # 69 Trivial FTP
ALLOW_TFTP_OUT=0                 # 69 Trivial FTP
ALLOW_TIME_IN=0                  # 37
ALLOW_TIME_OUT=0                 # 37
ALLOW_TIME_SERVER_IN=0           # 525
ALLOW_TIME_SERVER_OUT=0          # 525
ALLOW_TOMCAT_IN=0                # 9080
ALLOW_TOMCAT_OUT=0               # 9080
ALLOW_TOR_OUT=0                  #
ALLOW_TRACEROUTE_IN=0            # NOTE(review): overridden by ALLOW_TRACEROUTE_IN=1 further down; the later value wins
ALLOW_TRACEROUTE_OUT=1           #
ALLOW_UNIX_SYSSTAT_IN=0          # 11
ALLOW_UNIX_SYSSTAT_OUT=0         # 11
ALLOW_UPNP_IN=0                  # 2869 Universal Plug and Play
ALLOW_UPNP_OUT=0                 # 2869 Universal Plug and Play
ALLOW_WEBLOGIN_IN=1              # 2054 Needed for sharing
ALLOW_WEBLOGIN_OUT=0             # 2054 Needed for sharing
ALLOW_WHOIS_IN=1                 # 43 See also RWHOIS
ALLOW_WHOIS_OUT=1                # 43 See also RWHOIS
ALLOW_WINDOWS_MESSAGE_IN=0       # 1026, 1027
ALLOW_WINDOWS_MESSAGE_IN=0       # 1026, 1027
                                 # NOTE(review): _IN is assigned twice and there is no ALLOW_WINDOWS_MESSAGE_OUT;
                                 # if a rule below reads the _OUT variable it expands to an empty string.
ALLOW_TRACEROUTE_IN=1            # this is the effective value (see the earlier assignment)
ALLOW_TRACEROUTE_OUT=1           #
ALLOW_XDMCP_IN=0                 # 177
ALLOW_XDMCP_OUT=0                # 177
ALLOW_XWINDOWS_IN=0              #
ALLOW_XWINDOWS_OUT=0             #
ALLOW_XWINDOWS_FONTSERVER_IN=0   #
ALLOW_XWINDOWS_FONTSERVER_OUT=0  #
BLOCK_AKAMAI=1                   # drop traffic to/from RANGE_AKAMAI (see the note on that list)
BLOCK_BROADCASTS=1               #
BLOCK_BRUTE_FORCE_ATTACKS=1      # creates the ATTACK*/BAN* chains
BLOCK_CONNECTIONS_COUNT=1        #
BLOCK_DROPBOX_LAN_SYNC_BROADCASTS=1 #
BLOCK_FACEBOOK=0                 #
BLOCK_FLOODS=1                   # creates the FLOODS chain
BLOCK_SAMBA_WITHOUT_LOGGING=0    #
BLOCK_OVERSIZE_ICMP_PACKETS=1    #
BLOCK_VIRUSES=1                  # creates the VIRUS chain
#
DO_BAD_PACKETS_LAST=0            # Less logging
DO_KERNEL_SECURE=1               # Set various kernel network protection on (the /proc/sys writes below)
DO_LOG_SCANS=1                   # if 1 will log well known scans whilst dropping them
DO_MASQUERADE=0                  # if 0 will use SNAT / DNAT
DO_PORT_KNOCKING=0               # if 1 will allow Port Knocking
DO_QUICK_NTP=0                   # if 1 will allow NTP in without any checks
DO_QUOTA=0                       # If 1 then will switch on quota checking
DO_REJECT_INSTEAD_OF_DROP=0      # Reject instead of drop
DO_STEALTH_ALL_IN=0              # Stealth all incoming
DO_WHITELISTING=0                # Dangerous if made a 1 (TRUSTED_HOSTS bypass the checks)
#
#*********************************************************
#
# /proc sysctl settings
#
# Each flag only has an effect when DO_KERNEL_SECURE=1.  Note that the flag
# names describe the *intent*, not the value written; see the notes below.
#
PROC_SYSCTL_IP_FORWARD=1                # To enable ipforward, VERY important
PROC_SYSCTL_BLOCK_ALL_PINGS_IN=1        # Block ALL the pings from everywhere
PROC_SYSCTL_BLOCK_BROADCAST_PINGS_IN=1  # Don't respond to broadcast pings (smurf)
PROC_SYSCTL_ICMP_ERROR_MESG=1           # Protect against bogus error messages
PROC_SYSCTL_LOG_MARTIANS=1              # Log packets with impossible addresses
PROC_SYSCTL_IP_SPOOFING=1               # Disable spoofing attacks on ALL interfaces (rp_filter)
PROC_SYSCTL_REDUCE_DOS=1                # Reduces the timeouts and the posibility of a DOS
                                        # NOTE(review): also writes tcp_window_scaling=0 and tcp_sack=0, which are
                                        # not DoS measures and limit TCP throughput on high-latency links.
PROC_SYSCTL_SYN_COOKIES=1               # Enable tcp syn cookies protection
PROC_SYSCTL_TIME_STAMPS=1               # NOTE(review): despite the name this writes tcp_timestamps=0, i.e. it
                                        # DISABLES TCP timestamps (and with them PAWS and RTT measurement).
PROC_SYSCTL_SOURCE_ROUTED=1             # Ignore source routed packets
PROC_SYSCTL_ACCEPT_REDIRECTS=1          # Ignore accepted redirected packets
PROC_SYSCTL_SEND_REDIRECTS=1            # Ignore send redirected packets
PROC_SYSCTL_SECURE_REDIRECTS=1          # Enable secure redirects (no effect while accept_redirects is 0)
PROC_SYSCTL_DISABLE_BOOTP_RELAY=1       # Disable BootP relays
PROC_SYSCTL_DISABLE_PROXY_ARP=1         # Disable Proxy ARP
#
#*********************************************************
# Trusted hosts
#
# Hosts that are auto allowed into the system if WhiteListing
# is allowed.
#
TRUSTED_HOSTS="192.168.0.10"
UNTRUSTED_HOSTS="123.123.123.123,134.134.134.134"   # comma-separated, iptables list syntax; the values here are placeholders
#UNTRUSTED_HOSTS="123.123.123.123,www.facebook.com"
#
#*********************************************************
# Port Knocking
#
# Port knocking is a method of externally opening ports on a firewall by
# generating a connection attempt on a set of prespecified closed ports.
#
# Once a correct sequence of connection attempts is received, the firewall
# rules are dynamically modified to allow the host which sent the connection
# attempts to connect over specific port(s).
#
# Used only when DO_PORT_KNOCKING=1.  A knock sequence is obscurity, not
# authentication: keep the real service (PORT_KNOCK_ALLOW) secured as well.
#
PORT_KNOCK_1="3456"
PORT_KNOCK_2="4567"
PORT_KNOCK_3="1234"
PORT_KNOCK_ALLOW="22"
#
#*********************************************************
# Websites to stop
#
#WEB_FACEBOOK="facebook.com"
#
#*********************************************************
# Connection limits
#
# Against brute-force attacks.
#
# 4 connect/min 5 connects/3 mins 10 connects/10 mins 25 connects/20 mins 50 connects/40 mins ...
# Offense #1 10 min 30 min 1 hour 2 hours 3 hours
# Offense #2 30 min 1 hour 2 hours 3 hours 6 hours
# Offense #3 1 hour 2 hours 3 hours 6 hours 1 day
# Offense #4 2 hours 3 hours 6 hours 1 day 1 week
# Offense #5 3 hours 6 hours 1 day 1 week 1 month
# Offense #6 6 hours 1 day 1 week 1 month 1 month
# Offense #7 1 day 1 week 1 month 1 month 1 month
# Offense #8 1 week 1 month 1 month 1 month 1 month
# Offense #9 1 month 1 month 1 month 1 month 1 month
#
# Tier N: more than CONNECTION_MAX_N new connections within CONNECTION_LIMIT_N
# seconds is offence N, banned for CONNECTION_TIMEOUT_N seconds.
# (Interpretation of the table above; the rules using these live further down.)
#
CONNECTION_MAX_1=4               # 4 Connections
CONNECTION_MAX_2=5               # 5 Connections
CONNECTION_MAX_3=10              # 10 Connections
CONNECTION_MAX_4=25              # 25 Connections
CONNECTION_MAX_5=50              # 50 Connections
CONNECTION_MAX_6=75              # 75 Connections
CONNECTION_MAX_7=100             # 100 Connections
CONNECTION_MAX_8=200             # 200 Connections
CONNECTION_MAX_9=255             # 255 Connections
#
CONNECTION_LIMIT_1=60            # 1 Minute
CONNECTION_LIMIT_2=180           # 3 Minutes
CONNECTION_LIMIT_3=600           # 10 Minutes
CONNECTION_LIMIT_4=1200          # 20 Minutes
CONNECTION_LIMIT_5=2400          # 40 Minutes
CONNECTION_LIMIT_6=3600          # 60 Minutes (1 hour)
CONNECTION_LIMIT_7=7200          # 120 Minutes (2 hours)
CONNECTION_LIMIT_8=10800         # 180 Minutes (3 hours)
CONNECTION_LIMIT_9=21600         # 360 minutes (6 hours)
#
# Offence timeouts
CONNECTION_TIMEOUT_1=600         # 10 Minutes
CONNECTION_TIMEOUT_2=1800        # 30 Minutes
CONNECTION_TIMEOUT_3=3600        # 60 Minutes (1 hour)
CONNECTION_TIMEOUT_4=7200        # 120 Minutes (2 hours)
CONNECTION_TIMEOUT_5=10800       # 180 Minutes (3 hours)
CONNECTION_TIMEOUT_6=21600       # 360 Minutes (6 hours)
CONNECTION_TIMEOUT_7=86400       # 24 hours (1 day)
CONNECTION_TIMEOUT_8=604800      # 168 hours (1 week)
CONNECTION_TIMEOUT_9=2635200     # 732 hours (1 month)
#*********************************************************
# Log limit
#
LOG_LEVEL=7                      # syslog level passed to -j LOG (7 = debug)
#LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
#LOG="$LOG --log-ip-options"
#LOG="--log-ip-options --log-tcp-options
#
#*********************************************************
# String Search Algorithm
#
# Passed to "-m string --algo"; bm = Boyer-Moore, kmp = Knuth-Morris-Pratt.
STRING_ALGO="bm"
STRING_ALGO2="kmp"
#
#*********************************************************
# Quota limits
#
# Bytes per protocol for the QUOTA chain (DO_QUOTA=1).
QUOTA_LIMIT_TCP="2147483648"     # 2 GB Quota limit
QUOTA_LIMIT_UDP="2147483648"     # 2 GB Quota limit
QUOTA_LIMIT_ICMP="2147483648"    # 2 GB Quota limit
#
#*********************************************************
# DNS limits
#
# Limits the number of DNS queries per second to 5/s
# with a burst rate of 15/s and does not require buffer space changes.
#
# Limit the requests per second to 5, which leads to 35 requests in 7 seconds.
# To solve the first-second burst, allow for 15 requests to happen in each of
# the seven seconds.
#
# DNS open time.
DNS_TIMEOUT="7"
# DNS Requests per second
DNS_BURST="15"
# DNS Requests per 7 seconds
DNS_TOTAL_REQUESTS="35"
#
#*********************************************************
# Flooding limits
#
# Values in "N/s" form are -m limit rates; the *_BURST values are the matching
# --limit-burst sizes.
#
# Limit per second
LIMIT_PER_SECOND="4"
#
# Limit for SYN connections
LIMIT_SYN_MAX="9"
#
# Limit for SYN-Flood detection
LIMIT_SYN="5/s"
#
# Burst Limit for SYN-Flood detection
LIMIT_SYN_BURST="10"
#
# Overall Limit for Logging in Logging-Chains
LIMIT_LOG="2/s"
#
# Burst Limit for Logging in Logging-Chains
LIMIT_LOG_BURST="10"
#
# Overall Limit for TCP-Flood-Detection
LIMIT_TCP="5/s"
#
# Burst Limit for TCP-Flood-Detection
LIMIT_TCP_BURST="10"
#
# Overall Limit for UDP-Flood-Detection
LIMIT_UDP="5/s"
#
# Burst Limit for UDP-Flood-Detection
LIMIT_UDP_BURST="10"
#
# Overall Limit for Ping-Flood-Detection
LIMIT_PING="5/s"
#
# Burst Limit for Ping-Flood-Detection
LIMIT_PING_BURST="10"
#
#**************************************************
#********** Do not edit beyond this line **********
#**************************************************
#
# IP Mask for all IP addresses
PORTS_UNIVERSE="0.0.0.0/0"
PORTS_BROADCAST="255.255.255.255"
#
#
# Ports for Dropbox Lan Sync Broadcasts
PORTS_DROPBOX_LAN_SYNC_BROADCASTS="17500"
#
#
# Ports for IRC-Connection-Tracking
PORTS_IRC="6665,6666,6667,6668,6669,7000"
#
#
# Ports for TOR
# (http://tor.eff.org)
PORTS_TOR="9001,9002,9030,9031,9090,9091"
#
#
# Ports for traceroute
PORTS_TRACEROUTE_SRC="32769:65535"
PORTS_TRACEROUTE_DEST="33434:33523"
#
#
# Specification of the high unprivileged IP ports.
PORTS_UNPRIV="1024:65535"
PORTS_PSSH="1000:1023"
#
#
# Specification of X Window System (TCP)
PORTS_XWIN="6000:6063"
#
#*********************************************************
# AKAMAI
#
# http://www.matveev.se/net/akamai.htm
#
# NOTE(review): three of these ranges (74.125.0.0/16, 173.194.0.0/16,
# 209.85.128.0/17) are Google, not Akamai, address space, and CDN ranges
# change over time.  Re-check the list before relying on BLOCK_AKAMAI=1.
RANGE_AKAMAI="2.16.0.0/13,2.23.144.0/20,23.0.0.0/12,23.32.0.0/11,23.64.0.0/14,62.115.0.0/16,72.246.0.0/15,80.239.128.0/19"
RANGE_AKAMAI="$RANGE_AKAMAI,80.239.160.0/19,80.239.192.0/19,80.239.224.0/19,84.53.168.0/22,88.221.176.0/21,96.6.0.0/15"
RANGE_AKAMAI="$RANGE_AKAMAI,96.16.0.0/15,217.208.0.0/13,74.125.0.0/16,173.194.0.0/16,209.85.128.0/17"
#*********************************************************
# IANA RESERVED
#
# NOTE(review): this is a bogon list from the mid-2000s.  Most of the /8s in
# it (2, 5, 23, 27, 31, 36-37, 39, 42, 49, 50, 77-79, 92-95, 96-119, 120,
# 173-175, 176-183, 184-187, 197, 223) have since been allocated by IANA and
# carry ordinary public traffic; the IANA_RESERVED chain drops all of it,
# including the Akamai ranges listed above (2.16.0.0/13, 23.0.0.0/12, 96.x).
# Replace it with the current IANA special-purpose list before use.
RANGE_IANA_RESERVED="0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,10.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8"
RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,42.0.0.0/8,49.0.0.0/8,50.0.0.0/8,77.0.0.0/8,78.0.0.0/7,92.0.0.0/6,96.0.0.0/4,112.0.0.0/5"
RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,120.0.0.0/8,169.254.0.0/16,172.16.0.0/12,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6"
RANGE_IANA_RESERVED="$RANGE_IANA_RESERVED,192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8,224.0.0.0/3"
#
#*********************************************************
# Mitigate ARP spoofing/poisoning and similar attacks.
#------------------------------------------------------------------------------
# Hardcode static ARP cache entries here
# $ARP -s IP-ADDRESS MAC-ADDRESS
#
#*********************************************************
# Delete all existing rules
#
# From here on the live rule set is modified.  The chain policies are still
# whatever the previous run left (DROP after a 'start', ACCEPT after a
# 'stop'), so between this flush and the policy block that follows the host
# is either fully closed or wide open.  No exit status is checked.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
#
#
# Zero all packets and counters.
#
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
#
# Set Policies
# By default, drop everything - INPUT, FORWARD *and* OUTPUT.  Nothing, not
# even DNS or the replies of an existing SSH session, leaves the host until
# the per-service rules later in this script allow it.  If the script aborts
# after this point the host stays locked down.
#
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
#
# Set the nat/mangle tables' chains to ACCEPT (the raw table is not touched
# anywhere in this script).
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
# Earlier broadcast handling, disabled; note it lacks "-j" on the first rule
# and "$" on INET_IFACE, so it would not work as written:
#if [ $BLOCK_BROADCASTS -eq 1 ]
#then
#$IPTABLES -A INPUT DROP
#$IPTABLES -A INPUT -d $INET_BCAST -i INET_IFACE -j DROP
#$IPTABLES -A INPUT -d 192.168.255.255 -i INET_IFACE -j DROP
#$IPTABLES -A INPUT -d 255.255.255.255 -i INET_IFACE -j DROP
#$IPTABLES -A INPUT -m pkttype --pkt-type broadcast -j DROP
#fi
#*********************************************************
#
# Kernel configuration.
# For details see:
# * http://www.securityfocus.com/infocus/1711
# * http://www.linuxgazette.com/issue77/lechnyr.html
# * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# * /usr/src/linux/Documentation/filesystems/proc.txt
# * /usr/src/linux/Documentation/networking/ip-sysctl.txt
#
# Save these settings in the /etc/sysctl.conf file to make it permanent
#
# Every write below is a plain "echo > /proc/sys/..." guarded only by a file
# existence test; a failed write (read-only /proc, missing permission) is
# silently ignored apart from the shell's error message.
#
#------------------------------------------
if [ $DO_KERNEL_SECURE -eq 1 ]
then
  #------------------------------------------
  # Allow port forwarding - Enable IP NAT in the Linux kernel
  #
  #echo 1 > /proc/sys/net/ipv4/ip_forward
  if [ $PROC_SYSCTL_IP_FORWARD -eq 1 ] ; then
    if [ -f /proc/sys/net/ipv4/ip_forward ] ; then
      echo 1 > /proc/sys/net/ipv4/ip_forward
      echo " ip_forward activated"
    fi
  fi
  #
  #------------------------------------------
  # Disabling IP Spoofing
  #
  # NOTE(review): "2" (loose mode) is written to conf/all/rp_filter first,
  # but the loop below then writes "1" (strict) to every entry under conf/,
  # including all/, so the effective setting is strict on all interfaces.
  # Strict mode breaks asymmetric routing; see the comment in the loop.
  #
  #echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
  if [ $PROC_SYSCTL_IP_SPOOFING -eq 1 ] ; then
    if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
      echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
      echo " .....Blocking IP spoofing attacks"
    fi
    #
    #------------------------------------------
    # Enable IP spoofing protection (i.e. source address verification).
    # Note: This is special, as it seems to only be enabled if you set
    # */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only
    # */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.
    #
    # Turn on reverse path filtering. This helps make sure that packets use
    # legitimate source addresses, by automatically rejecting incoming packets
    # if the routing table entry for their source address doesn't match the
    # network interface they're arriving on. This has security advantages because
    # it prevents so-called IP spoofing, however it can pose problems if you use
    # asymmetric routing (packets from you to a host take a different path than
    # packets from that host to you) or if you operate a non-routing host which
    # has several IP addresses on different interfaces.
    # (Note - If you turn on IP forwarding, you will also get this).
    #
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
    #
  fi
  #
  #------------------------------------------
  # Ignore all incoming ICMP echo requests (i.e. disable ping).
  # Usually not a good idea, as some protocols and users need/want this.
  # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  #
  # This sysctl acts before netfilter, so with the flag set the ALLOW_PING_IN
  # rules (wherever they are built) can never see an echo request.
  #
  if [ $PROC_SYSCTL_BLOCK_ALL_PINGS_IN -eq 1 ]
  then
    #echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then
      echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
      echo " .....Blocking all incoming pings from everywhere"
    fi
  else
    #echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_all ] ; then
      echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
      echo " .....Allowing all incoming pings from everywhere"
    fi
  fi
  #
  #------------------------------------------
  # Don't respond to broadcast pings
  # Ignore ICMP echo requests to broadcast/multicast addresses. We do not
  # want to participate in smurf (and similar) DoS attacks.
  # For details see: http://en.wikipedia.org/wiki/Smurf_attack.
  #
  if [ $PROC_SYSCTL_BLOCK_BROADCAST_PINGS_IN -eq 1 ]
  then
    #echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
      echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
      echo " .....Blocking all broadcast pings"
    fi
  else
    #echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
      echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
      echo " .....Allowing all broadcast pings"
    fi
  fi
  #
  #------------------------------------------
  # Disable multicast routing. Should not be needed, usually.
  # TODO: This throws an "Operation not permitted" error. Why?
  #
  # The proc entry containing that value is read-only, and cannot be made writable easily.
  #
  #for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done
  #
  #------------------------------------------
  # Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
  #
  #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  if [ $PROC_SYSCTL_SYN_COOKIES -eq 1 ] ; then
    if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
      echo "1" > /proc/sys/net/ipv4/tcp_syncookies
      echo " .....TCP syn cookies protection enabled"
    fi
  fi
  #
  #------------------------------------------
  # Kill timestamps
  #
  # NOTE(review): this writes 0, i.e. it turns TCP timestamps OFF.  That
  # hides uptime from timestamp probes but also disables PAWS (protection
  # against wrapped sequence numbers) and RTT measurement; the message
  # printed below ("protection enabled") is misleading.
  #
  #echo 0 > /proc/sys/net/ipv4/tcp_timestamps
  if [ $PROC_SYSCTL_TIME_STAMPS -eq 1 ] ; then
    if [ -e /proc/sys/net/ipv4/tcp_timestamps ] ; then
      echo "0" > /proc/sys/net/ipv4/tcp_timestamps
      echo " .....TCP timestamps protection enabled"
    fi
  fi
  #
  #------------------------------------------
  # Block source routing
  #
  # Don't accept source routed packets. Attackers can use source routing
  # to generate traffic pretending to be from inside your network, but
  # which is routed back along the path from which it came, namely outside,
  # so attackers can compromise your network. Source routing is rarely
  # used for legitimate purposes.
  #
  #echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  if [ $PROC_SYSCTL_SOURCE_ROUTED -eq 1 ] ; then
    if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ] ; then
      echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
      echo " .....Ignore source routed packets"
    fi
    #
    #------------------------------------------
    # Don't accept source routed packets (per interface as well).
    #
    for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done
    #
  fi
  #
  #------------------------------------------
  # Kill redirects
  #
  # Disable ICMP redirect acceptance. ICMP redirects can be used to alter
  # your routing tables, possibly to a bad end.
  #
  #echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  #echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
  if [ $PROC_SYSCTL_ACCEPT_REDIRECTS -eq 1 ] ; then
    if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
      echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
      echo " .....Ignore accept redirected packets"
    fi
    for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
  fi
  #
  if [ $PROC_SYSCTL_SEND_REDIRECTS -eq 1 ] ; then
    if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
      echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
      echo " .....Ignore send redirected packets"
    fi
    for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
  fi
  #
  #------------------------------------------
  # Don't accept or send ICMP redirects.
  #
  #for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
  #for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
  #
  #------------------------------------------
  # Enable secure redirects, i.e. only accept ICMP redirects for gateways
  # listed in the default gateway list. Helps against MITM attacks.
  #
  # Only relevant while accept_redirects is 1; with the default flags above
  # redirects are already refused, so this is a no-op kept for completeness.
  #
  #for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
  if [ $PROC_SYSCTL_SECURE_REDIRECTS -eq 1 ] ; then
    for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
  fi
  #
  #
  #------------------------------------------
  # Enable bad error message protection
  # Don't log invalid responses to broadcast frames, they just clutter the logs.
  #
  #echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  if [ $PROC_SYSCTL_ICMP_ERROR_MESG -eq 1 ] ; then
    if [ -f /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
      echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
      echo " .....Enable error message protection"
    fi
  fi
  #
  #------------------------------------------
  # Log martians
  #
  # Log packets with impossible addresses
  # Log spoofed packets, source routed packets, redirect packets.
  # (Kernel log; combine with the rp_filter setting above.  On a busy
  # interface this can be noisy - watch the log volume.)
  #
  #echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
  if [ $PROC_SYSCTL_LOG_MARTIANS -eq 1 ] ; then
    if [ -f /proc/sys/net/ipv4/conf/all/log_martians ] ; then
      echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
      echo " .....Logging packets with impossible addresses"
    fi
    #
    #------------------------------------------
    # Log packets with impossible addresses (per interface as well).
    #
    for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done
    #
  fi
  #
  #------------------------------------------
  # Disable bootp_relay. Should not be needed, usually.
  #
  if [ $PROC_SYSCTL_DISABLE_BOOTP_RELAY -eq 1 ] ; then
    for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done
  fi
  #
  #------------------------------------------
  # Disable proxy_arp. Should not be needed, usually.
  #
  if [ $PROC_SYSCTL_DISABLE_PROXY_ARP -eq 1 ] ; then
    for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
  fi
  #
  #------------------------------------------
  # TODO: These may mitigate ARP poisoning attacks?
  # /proc/sys/net/ipv4/neigh/*/locktime
  # /proc/sys/net/ipv4/neigh/*/gc_stale_time
  # TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
  # Are there any security-relevant options I missed? Check especially:
  # icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.
  #
  #------------------------------------------
  # Set out local port range
  #
  #echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
  #
  #------------------------------------------
  # Reduce timeouts for DoS protection
  #
  #echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
  #
  #------------------------------------------
  # Other
  #
  #echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
  #echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
  #echo 0 > /proc/sys/net/ipv4/tcp_sack
  #
  # NOTE(review): only the first two writes are about shrinking the state an
  # attacker can pin down; disabling window scaling and SACK is not a DoS
  # measure and caps TCP throughput (64 KiB window) on high-latency links.
  # Unlike the blocks above, nothing here checks that the files exist.
  if [ $PROC_SYSCTL_REDUCE_DOS -eq 1 ] ; then
    echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
    echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
    echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
    echo "0" > /proc/sys/net/ipv4/tcp_sack
    echo " .....Denial of Service Reduction Measures"
  fi
  #
fi
#
#*********************************************************
#
# Completely disable IPv6.
#
# Block all IPv6 traffic
#
#------------------------------------------
# If the ip6tables command is available, try to block all IPv6 traffic.
#
# NOTE(review): with every ip6tables policy at DROP and no rules at all,
# ICMPv6 neighbour discovery and router advertisements are dropped too, so
# the host cannot even keep IPv6 link-local neighbours.  If IPv6 is really
# unwanted, disabling it in the kernel (net.ipv6.conf.all.disable_ipv6) is
# the cleaner option; if it is wanted, this block has to become a real IPv6
# policy.  The 2>/dev/null on every line hides all ip6tables errors.
#
if test -x $IP6TABLES; then
  #------------------------------------------
  # Set the default policies.
  # Drop everything.
  $IP6TABLES -P INPUT DROP 2>/dev/null
  $IP6TABLES -P FORWARD DROP 2>/dev/null
  $IP6TABLES -P OUTPUT DROP 2>/dev/null
  #------------------------------------------
  # The mangle table can pass everything.
  $IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
  $IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
  #------------------------------------------
  # Delete all rules.
  $IP6TABLES -F 2>/dev/null
  $IP6TABLES -t mangle -F 2>/dev/null
  #------------------------------------------
  # Delete all chains.
  $IP6TABLES -X 2>/dev/null
  $IP6TABLES -t mangle -X 2>/dev/null
  #------------------------------------------
  # Zero all packets and counters.
  $IP6TABLES -Z 2>/dev/null
  $IP6TABLES -t mangle -Z 2>/dev/null
fi
#------------------------------------------
# Shellshock
#
# NOTE(review): both rules are identical (the second is redundant), they are
# appended to the ip6tables INPUT chain whose policy is already DROP, and
# there is no equivalent rule on $IPTABLES, so they add nothing for IPv4.
# They also run outside the "test -x $IP6TABLES" guard and without the
# 2>/dev/null the block above uses.  A payload string match is a weak control
# in any case: it cannot see TLS traffic and drops any legitimate packet that
# happens to contain the bytes "() {".  Keeping bash patched is the real fix.
$IP6TABLES -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP
$IP6TABLES -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP
#*********************************************************
#
# Create the chains
#
# All user chains are created empty here and filled in later.  "-N" fails if
# a chain already exists, which is why the tables were "-X"ed above.
#
$IPTABLES -N IANA_RESERVED
$IPTABLES -N BAD_PACKETS
$IPTABLES -N BAD_TCP_PACKETS
if [ $DO_WHITELISTING -eq 1 ]
then
  $IPTABLES -N WHITELIST
fi
if [ $DO_PORT_KNOCKING -eq 1 ]
then
  $IPTABLES -N PORT_KNOCK
  $IPTABLES -N PORT_KNOCK_STAGE1
  $IPTABLES -N PORT_KNOCK_STAGE2
  $IPTABLES -N PORT_KNOCK_STAGE3
fi
$IPTABLES -N PRIVATE_PACKETS
$IPTABLES -N BLACKLIST
if [ $BLOCK_BRUTE_FORCE_ATTACKS -eq 1 ]
then
  # One ATTACKEDn/BANn pair per CONNECTION_* tier (1..9).
  $IPTABLES -N ATTACK
  $IPTABLES -N ATTACK2
  $IPTABLES -N ATTACK_CHECK
  $IPTABLES -N ATTACKED1
  $IPTABLES -N ATTACKED2
  $IPTABLES -N ATTACKED3
  $IPTABLES -N ATTACKED4
  $IPTABLES -N ATTACKED5
  $IPTABLES -N ATTACKED6
  $IPTABLES -N ATTACKED7
  $IPTABLES -N ATTACKED8
  $IPTABLES -N ATTACKED9
  $IPTABLES -N BAN1
  $IPTABLES -N BAN2
  $IPTABLES -N BAN3
  $IPTABLES -N BAN4
  $IPTABLES -N BAN5
  $IPTABLES -N BAN6
  $IPTABLES -N BAN7
  $IPTABLES -N BAN8
  $IPTABLES -N BAN9
fi
if [ $BLOCK_FLOODS -eq 1 ]
then
  $IPTABLES -N FLOODS
fi
if [ $BLOCK_VIRUSES -eq 1 ]
then
  $IPTABLES -N VIRUS
fi
if [ $DO_LOG_SCANS -eq 1 ]
then
  $IPTABLES -N SCANS
fi
$IPTABLES -N ICMP_IN
$IPTABLES -N ICMP_OUT
$IPTABLES -N TCP_IN
$IPTABLES -N TCP_OUT
$IPTABLES -N UDP_IN
$IPTABLES -N UDP_OUT
$IPTABLES -N NO_LOGGING
if [ $DO_QUOTA -eq 1 ]
then
  $IPTABLES -N QUOTA
fi
#
#*********************************************************
# Check Quotas
#
# Per-protocol byte budget: while the budget lasts the packet RETURNs to the
# caller, afterwards it is logged (rate-limited) and dropped.  The quota
# match counts down per rule and does not reset on its own; only re-creating
# the rule (i.e. re-running this script) restores the budget.
#
if [ $DO_QUOTA -eq 1 ]
then
  $IPTABLES -A QUOTA -p tcp -m quota --quota $QUOTA_LIMIT_TCP -j RETURN
  $IPTABLES -A QUOTA -p udp -m quota --quota $QUOTA_LIMIT_UDP -j RETURN
  $IPTABLES -A QUOTA -p icmp -m quota --quota $QUOTA_LIMIT_ICMP -j RETURN
  $IPTABLES -A QUOTA -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=QUOTA a=DROP "
  $IPTABLES -A QUOTA -j DROP
fi
#
#*********************************************************
# Filter IANA RESERVED
#
# "-s" with a comma-separated list makes iptables create one rule per
# address range, so these two lines expand to two rules per entry of
# RANGE_IANA_RESERVED.  The log line is rate-limited, the drop is not.
# NOTE(review): see the warning at RANGE_IANA_RESERVED - with the list as
# shipped this chain drops large parts of the allocated public Internet
# wherever it is jumped to.
#
$IPTABLES -A IANA_RESERVED -s $RANGE_IANA_RESERVED -m limit --limit $LIMIT_LOG --limit-burst $LIMIT_LOG_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "IPT=IANA_RESERVED a=DROP "
$IPTABLES -A IANA_RESERVED -s $RANGE_IANA_RESERVED -j DROP
# The original per-range form of the same rules, kept for reference:
#$IPTABLES -A IANA_RESERVED -s 0.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 2.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 5.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 7.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 10.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 23.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 27.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 31.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 36.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 39.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 42.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 49.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 50.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 77.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 78.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 92.0.0.0/6 -j DROP
#$IPTABLES -A IANA_RESERVED -s 96.0.0.0/4 -j DROP
#$IPTABLES -A IANA_RESERVED -s 112.0.0.0/5 -j DROP
#$IPTABLES -A IANA_RESERVED -s 120.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 169.254.0.0/16 -j DROP
#$IPTABLES -A IANA_RESERVED -s 172.16.0.0/12 -j DROP
#$IPTABLES -A IANA_RESERVED -s 173.0.0.0/8 -j DROP
#$IPTABLES -A IANA_RESERVED -s 174.0.0.0/7 -j DROP
#$IPTABLES -A IANA_RESERVED -s 176.0.0.0/5 -j DROP
#$IPTABLES -A IANA_RESERVED -s 184.0.0.0/6 -j DROP
