ip forwarding

Disable the forwarding:

 echo 0 > /proc/sys/net/ipv4/ip_forward

delete all existing rules

 /sbin/iptables -F INPUT
 /sbin/iptables -F OUTPUT
 /sbin/iptables -F FORWARD

start with a full drop of all packages

 /sbin/iptables -P INPUT DROP
 /sbin/iptables -P OUTPUT DROP
 /sbin/iptables -P FORWARD DROP

input rules

 /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -A INPUT -m state --state NEW -j ACCEPT
 /sbin/iptables -A INPUT -p tcp ! --syn -j ACCEPT
 /sbin/iptables -A INPUT -i lo -j ACCEPT

 /sbin/iptables -A INPUT -i eth0 -j ACCEPT
 # or more stronger
 /sbin/iptables -A INPUT -i eth0 -s -j ACCEPT
 /sbin/iptables -A INPUT -i eth0 -s -j ACCEPT
 /sbin/iptables -A INPUT -i eth0 -s -j ACCEPT
 # else drop package
 /sbin/iptables -A INPUT -j DROP

output rules

 /sbin/iptables -A OUTPUT -j ACCEPT

forward rules

 /sbin/iptables -A FORWARD -j DROP

The Recent Module

 iptables -A FORWARD  -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -m recent --update -j DROP
 iptables -A FORWARD -i externinterface -p tcp --dport 135 -m recent --set -j DROP
fills recent list with ip addresses which try to get connected via port 135 (most likely worms searching for sacrifices with DCOM-RPC vulnerability from windows)
 iptables -A FORWARD -j DROP 

If the same host tries again a connect within an interval of 60 seconds the firewall will block this host. Additionally the timestamp will be set up again because of the option "--update".

To use different lists use option "--name identifier". User tools can reach the lists at "/proc/net/ipt_recent/list". A new entry will be made by:

 echo address > /proc/net/ipt_recent/DEFAULT

delete address:

 echo -address > /proc/net/ipt_recent/DEFAULT

Generally the list consist of 100 entries. You can change that with

 modprobe ipt_recent ip_list_tot=1000

To prevent portscan you can setup two hosts with addresses at the beginning and the end of your address space. Every communication with this two hosts are illegal. So you can set rules for these two hosts and block each host that try to connect to these hosts.

A useful sample to use this module with snort, syslog-ng and a pearl block script can be found at "Linux Magazin - 04/07 page 68 Hausverbot".