Sunday, February 4, 2007

You know it say that the child of a shoemaker don'...


You know the saying that the shoemaker's child goes without shoes. So it seems that my computer at home doesn't have a firewall, even though I am a firewall expert. That's really lame, I know, but yesterday I decided to make the smallest firewall I could and put it there, because I had a lot of packets in my network that didn't belong there. So here is a snippet of what I made: the part for filtering out known viruses.



iptables -A FORWARD -m recent --name virus --rcheck --seconds 60 -j DROP
iptables -A FORWARD -p udp -m multiport --dports 135,445 -j LOG --log-prefix "FW:DROP:VIR" --log-level 6
iptables -A FORWARD -p udp -m multiport --dports 135,445 -m recent --name virus --set -j DROP
iptables -A FORWARD -p udp -m udp --dport 137:139 -j LOG --log-prefix "FW:DROP:VIR" --log-level 6
iptables -A FORWARD -p udp -m udp --dport 137:139 -m recent --name virus --set -j DROP
iptables -A FORWARD -p udp -m udp --sport 137 --dport 1024:65535 -j LOG --log-prefix "FW:DROP:VIR" --log-level 6
iptables -A FORWARD -p udp -m udp --sport 137 --dport 1024:65535 -m recent --name virus --set -j DROP
iptables -A FORWARD -p tcp -m multiport --dports 135,139,445 -j LOG --log-prefix "FW:DROP:VIR" --log-level 6
iptables -A FORWARD -p tcp -m multiport --dports 135,139,445 -m recent --name virus --set -j DROP
iptables -A FORWARD -p udp -m udp --dport 1900 -j LOG --log-prefix "FW:DROP:VIR" --log-level 6
iptables -A FORWARD -p udp -m udp --dport 1900 -m recent --name virus --set -j DROP

This filters out dubious connections and also uses the recent module to ban the infected host for 60 seconds.

The idea is that when a rule is matched, the IP of the host generating the trouble (the source IP) is inserted into a table named virus by the match -m recent --name virus --set.

The first rule says to drop all connections from any host in the list if 60 seconds have not elapsed since the time of insertion. Once the time has elapsed the host is removed from the list, and if it is still causing problems the ban starts over again.

I also log every packet that causes an IP to be banned, so I get a general idea of what is happening.
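As an added example (not part of the original post), here is a small Python script that reads the kernel log lines these LOG rules produce and reports, per source host, how many times it was banned and which protocol/port triggered it. The sample log lines are constructed; note that a --log-prefix without a trailing space runs straight into the IN= field, and that because the --rcheck rule comes first in FORWARD, a banned host never reaches the LOG rules, so every logged line marks a fresh ban.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample kernel log lines in the format the iptables LOG target emits for
# the rules above (syslog omits the year; 2007 is assumed). A --log-prefix without a
# trailing space runs straight into the IN= field, hence "FW:DROP:VIRIN=eth1".
SAMPLE_LOG = """\
Feb  4 10:12:33 gw kernel: FW:DROP:VIRIN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=1 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb  4 10:13:10 gw kernel: FW:DROP:VIRIN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2 PROTO=TCP SPT=2031 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  4 10:13:40 gw kernel: FW:DROP:VIRIN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.6 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3 PROTO=TCP SPT=1045 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Feb  4 10:14:00 gw kernel: eth0: link up, 100Mbps, full-duplex
Feb  4 10:14:45 gw kernel: FW:DROP:VIRIN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.8 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4 PROTO=TCP SPT=1046 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
"""
BAN_SECONDS = 60  # same value as --seconds 60 in the first FORWARD rule

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: FW:DROP:VIR\s*IN=\S* OUT=\S* "
    r"SRC=(?P<SRC>\S+) DST=(?P<DST>\S+) .*?PROTO=(?P<PROTO>\S+) SPT=(?P<SPT>\d+) DPT=(?P<DPT>\d+)"
)

def parse_drops(text, year=2007):
    """Return one dict per FW:DROP:VIR line; unrelated kernel lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(f"{year} {e.pop('ts')}", "%Y %b %d %H:%M:%S")
        e["SPT"], e["DPT"] = int(e["SPT"]), int(e["DPT"])
        events.append(e)
    return events

def ban_report(events):
    """Bans per source host, and the protocol/port that triggered each ban.
    The --rcheck rule is first in FORWARD, so a banned host never reaches the LOG
    rules: every logged line is therefore a fresh (re)ban of that host."""
    return Counter(e["SRC"] for e in events), Counter((e["PROTO"], e["DPT"]) for e in events)

def bans_are_consistent(events):
    """Check that a host is never logged twice within BAN_SECONDS, as the rules imply."""
    last = {}
    for e in sorted(events, key=lambda e: e["time"]):
        prev = last.get(e["SRC"])
        if prev is not None and (e["time"] - prev).total_seconds() < BAN_SECONDS:
            return False
        last[e["SRC"]] = e["time"]
    return True
```

On a real box, feed it the output of grep FW:DROP:VIR /var/log/kern.log instead of SAMPLE_LOG; a host that keeps re-appearing every minute or so is the one to go and clean.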

3 comments:

Gledwood said...

Call me pig-ignorant but I hear that saying over and over. I know what a LITERAL firewall is. But the computer version ..? Maybe mine hasn't got one either then ...

Hi, I only found your blog by chance. I hopped out of my one and this is what I found ...

I'm at gledwood2.blogspot you're welcome to drop round. Mine is very different though..!!

All the best now,
See ya later

Gledwood

Shahana Shafiuddin said...

Should be helpful to the programmer.

Anthony the Loser said...
This comment has been removed by a blog administrator.