I want to add some rules to my iptables to prevent port scanning. How can I do this?
I found a solution, but it's not efficient:

Port scanning solution

Amirreza

2 Answers

The best bet is having a default drop policy in iptables and then only allowing what's required. Something like:

# Drop all packets by default.
iptables -P INPUT DROP
# Allow preexisting connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH from 192.0.2.0/24
iptables -A INPUT -p tcp -s 192.0.2.0/24 --destination-port 22 -i eth0 -j ACCEPT
# Allow HTTP from all
iptables -A INPUT -p tcp --destination-port 80 -i eth0 -j ACCEPT

It won't stop people from doing portscans, but it will mean that all they'll see is port 80 open.

Niall Donegan
  • It didn't do what I want :( Your solution forces me to open specific ports. – Amirreza Mar 12 '11 at 05:24
  • There's no way to block port scans specifically without blocking legitimate traffic. All you can do is make sure that as little as possible is open to the public and that it's well secured. The above script does a default "DROP" rather than "REJECT". A "REJECT" would tell the port scanner that the port is closed straight away. The DROP wastes their time by making the scanner have to waste a certain amount of time before moving onto another port. – Niall Donegan Mar 12 '11 at 12:05
For nmap port scanning, you can check the following answer: iptables Tips & Tricks

I'm not familiar with Hping, but if Hping uses NULL flags, the answer I've linked above should also work.

pepoluan
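The two answers above describe the same defensive idea from two sides: a default-DROP INPUT policy that exposes only the services you actually run (first answer), and dropping TCP packets with no flags set, the NULL scan the second answer alludes to. The script below is an added example, not code from either answerer, that builds that rule set with a dry-run mode so the rules can be reviewed before they touch a live firewall. It assumes the same values as the first answer (interface eth0, management network 192.0.2.0/24, SSH on 22, HTTP on 80); the APPLY variable, the ipt wrapper and the rule_count helper are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the original answers): default-drop INPUT policy
# with a dry-run mode. Without APPLY=1 the iptables commands are printed
# instead of executed, so the rule set can be reviewed first.
# Assumed values (from the first answer): interface eth0, admin network
# 192.0.2.0/24, SSH on port 22, HTTP on port 80.

IFACE="${IFACE:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# Wrapper: run iptables for real only when APPLY=1, else print the command.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

build_ruleset() {
    # Start from an empty INPUT chain so re-running gives the same result.
    ipt -F INPUT
    # Default policy: anything not explicitly accepted is silently dropped.
    # DROP rather than REJECT: a scanner gets no answer and has to wait for
    # its own timeout on every closed port, as the comment above explains.
    ipt -P INPUT DROP
    # Loopback must stay open or local services and tools break under DROP.
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host initiated.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # TCP packets with no flags set (NULL scan) and with SYN+FIN together do
    # not occur in legitimate traffic; drop them before the accept rules.
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # SSH only from the management network.
    ipt -A INPUT -p tcp -i "$IFACE" -s "$ADMIN_NET" --dport 22 -j ACCEPT
    # HTTP from anywhere; this is the only port an outside scan will report open.
    ipt -A INPUT -p tcp -i "$IFACE" --dport 80 -j ACCEPT
}

# Sanity check helper: how many -A INPUT rules the script would install.
rule_count() {
    build_ruleset | grep -c -- '-A INPUT'
}

build_ruleset
```

Run it once without APPLY to read the generated rules, then `APPLY=1 sh firewall.sh` as root to install them. Doing the SSH accept before the HTTP accept, and both after the ESTABLISHED,RELATED rule, keeps the first answer's behaviour: an outside scan sees 80 open and every other port as a timeout rather than a refusal.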