Disable the forwarding:
echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
# or, more restrictive:
/sbin/iptables -A INPUT -i eth0 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 192.168.0.1 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 192.168.0.2 -j ACCEPT
# otherwise drop the packet
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A OUTPUT -j ACCEPT
/sbin/iptables -A FORWARD -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m recent --update -j DROP
iptables -A FORWARD -i externinterface -p tcp --dport 135 -m recent --set -j DROP
iptables -A FORWARD -j DROP
If the same host attempts another connection within 60 seconds, the firewall blocks it. Because of the "--update" option, the host's timestamp is refreshed on every such attempt.
To keep separate lists, use the option "--name identifier". User-space tools can reach the lists at "/proc/net/ipt_recent/list" (one file per list name). A new entry is added with:
echo address > /proc/net/ipt_recent/DEFAULT
Delete an address:
echo -address > /proc/net/ipt_recent/DEFAULT
By default a list holds 100 entries. You can change that with
modprobe ipt_recent ip_list_tot=1000
To detect port scans you can set up two trap hosts with addresses at the beginning and the end of your address space. No legitimate communication ever goes to these two hosts, so you can write rules for them and block every host that tries to connect to either of them.
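The following is an added example, not a script from the original page: it generates the FORWARD-chain rules described above (the "recent"-module block for port 135 and the two trap addresses) as a parameterized, dry-run-capable function, and adds two helpers for the manual list maintenance via /proc. The interface name eth0, the list name "scanners", the trap addresses 192.168.0.1 and 192.168.0.254, the 60-second window and the port list are assumptions for illustration; "--name" and "--seconds" are real options of the recent match. IPTABLES defaults to "echo /sbin/iptables" so running the script only prints the rules; set IPTABLES=/sbin/iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the page): rule generator for the "recent"-module
# port-scan block, plus helpers for the /proc list interface.
# All interface names, addresses, ports and the list name are assumptions.

: "${IPTABLES:=echo /sbin/iptables}"     # dry run by default
: "${RECENT_DIR:=/proc/net/ipt_recent}"  # one file per list name
LIST=scanners

# build_rules EXT_IF TRAP_A TRAP_B BAN_SECONDS PORT...
# Emits FORWARD-chain rules: keep established flows, drop (and re-timestamp)
# any source already on the list, and put on the list every source that
# touches one of the two trap addresses or one of the given TCP ports.
build_rules() {
    ext_if=$1 trap_a=$2 trap_b=$3 ban=$4
    shift 4
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # --update matches only if the source was seen within BAN_SECONDS and
    # refreshes its timestamp, so a host that keeps trying stays blocked
    $IPTABLES -A FORWARD -m recent --name "$LIST" --update --seconds "$ban" -j DROP
    # nothing legitimate ever talks to the trap addresses: record and drop
    for trap in "$trap_a" "$trap_b"; do
        $IPTABLES -A FORWARD -i "$ext_if" -d "$trap" -m recent --name "$LIST" --set -j DROP
    done
    # same treatment for ports that should never be reached from outside
    for port in "$@"; do
        $IPTABLES -A FORWARD -i "$ext_if" -p tcp --dport "$port" \
            -m recent --name "$LIST" --set -j DROP
    done
    $IPTABLES -A FORWARD -j DROP
}

# is_ipv4 ADDR: crude dotted-quad check so junk never reaches the proc file
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# ban_host ADDR / unban_host ADDR: manual list maintenance through /proc,
# the "echo address" and "echo -address" writes described above
ban_host()   { is_ipv4 "$1" && printf '%s\n' "$1"  > "$RECENT_DIR/$LIST"; }
unban_host() { is_ipv4 "$1" && printf '%s\n' "-$1" > "$RECENT_DIR/$LIST"; }

# Dry run with the assumed parameters: prints the rules it would apply
build_rules eth0 192.168.0.1 192.168.0.254 60 135 445
```

Sourcing the file instead of executing it only defines the functions, which is handy when testing the generated rules before pointing IPTABLES at the real binary.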
A useful example of using this module together with snort, syslog-ng and a Perl blocking script can be found in "Linux Magazin - 04/07 page 68 Hausverbot".