Need help with iptables



#!/bin/sh
IPTABLES=/sbin/iptables
LOGLEVEL=DEBUG
LOGLIMIT="2/s"        # Overall limit for logging in logging chains
LOGLIMITBURST="10"    # Burst limit for logging in logging chains

# LOG_BAD_FLAG: TCP packets with one or more bad flag combinations
# (commonly scans). Every rule is a rate-limited LOG (non-terminating),
# the final rule drops whatever was sent into this chain.
$IPTABLES -N LOG_BAD_FLAG
$IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL FIN,URG,PSH \
    -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
    -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS scan: "      # (NMAP) FIN/URG/PSH
$IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
    -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
    -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS-PSH scan: "  # SYN/RST/ACK/FIN/URG
$IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL ALL \
    -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
    -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS-ALL scan: "  # ALL/ALL
$IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL FIN \
    -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
    -j LOG --log-level $LOGLEVEL --log-prefix "Stealth FIN scan: "       # NMAP FIN stealth
$IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags SYN,RST SYN,RST \
    -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
    -j LOG --log-level $LOGLEVEL --log-prefix "Stealth SYN/RST scan: "   # SYN/RST
$IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags SYN,FIN SYN,FIN \
    -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
    -j LOG --log-level $LOGLEVEL --log-prefix "Stealth SYN/FIN scan(?): " # SYN/FIN (probably)
$IPTABLES -A LOG_BAD_FLAG -p tcp --tcp-flags ALL NONE \
    -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST \
    -j LOG --log-level $LOGLEVEL --log-prefix "Stealth Null scan: "      # Null scan
$IPTABLES -A LOG_BAD_FLAG -j DROP

# CHECK_BAD_FLAG: classify the packet and hand bad combinations to LOG_BAD_FLAG.
$IPTABLES -N CHECK_BAD_FLAG
$IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG_BAD_FLAG          # NMAP FIN/URG/PSH
$IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_BAD_FLAG  # SYN/RST/ACK/FIN/URG
$IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL ALL -j LOG_BAD_FLAG                  # ALL/ALL scan
$IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL NONE -j LOG_BAD_FLAG                 # NMAP Null scan
$IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LOG_BAD_FLAG          # SYN/RST
$IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_BAD_FLAG          # SYN/FIN scan (probably)
$IPTABLES -A CHECK_BAD_FLAG -p tcp --tcp-flags ALL FIN -j LOG_BAD_FLAG                  # NMAP FIN stealth

# Send all incoming TCP through the check.
$IPTABLES -A INPUT -p tcp -j CHECK_BAD_FLAG

Here is my iptables rule set for preventing port scans. I was trying to
scan ports with nmap using different scanning methods, but I saw that a
Null scan passes my iptables rule set and a daemon, for example OpenSSH,
answers the invalid packet sequence =( Maybe I have made a mistake in the
TCP flag specification?

And a second question: can I somehow prevent stealth scans and -sT
(new connection scan) with iptables?
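An added example, not part of the original post, that models the test iptables applies for "--tcp-flags MASK COMP", namely (packet_flags & MASK) == COMP, and runs the CHECK_BAD_FLAG rules above, in their original order, over the flag sets nmap's scan types put on their probes (Null: no flags; FIN: FIN; Xmas: FIN,PSH,URG; SYN and connect: SYN; ACK: ACK; Maimon: FIN,ACK). The rule list and the probe list are constructed inline from the post and from nmap's documented probe types; the bit values are those of the TCP header. It touches no kernel, so it runs on any box without root:

```shell
#!/bin/sh
# Offline model of iptables' "--tcp-flags MASK COMP": a rule matches when
# (packet_flags & MASK) == COMP. Flag bit values follow the TCP header.

# Convert a comma-separated flag list (as written after --tcp-flags) to a bitmask.
flag_bits() {
  case "$1" in
    ALL)  echo 63; return ;;
    NONE) echo 0;  return ;;
  esac
  fb_bits=0
  fb_oldifs=$IFS
  IFS=,
  for fb_f in $1; do
    case "$fb_f" in
      FIN) fb_bits=$((fb_bits | 1)) ;;
      SYN) fb_bits=$((fb_bits | 2)) ;;
      RST) fb_bits=$((fb_bits | 4)) ;;
      PSH) fb_bits=$((fb_bits | 8)) ;;
      ACK) fb_bits=$((fb_bits | 16)) ;;
      URG) fb_bits=$((fb_bits | 32)) ;;
      *)   IFS=$fb_oldifs; echo "unknown flag: $fb_f" >&2; return 1 ;;
    esac
  done
  IFS=$fb_oldifs
  echo "$fb_bits"
}

# tcp_flags_match MASK COMP PACKET_FLAGS -> exit 0 if the rule would match.
tcp_flags_match() {
  tf_mask=$(flag_bits "$1") || return 2
  tf_comp=$(flag_bits "$2") || return 2
  tf_pkt=$(flag_bits "$3") || return 2
  [ $((tf_pkt & tf_mask)) -eq "$tf_comp" ]
}

# The CHECK_BAD_FLAG rules from the post, in chain order: MASK COMP label.
RULES='ALL FIN,URG,PSH XMAS
ALL SYN,RST,ACK,FIN,URG XMAS-PSH
ALL ALL XMAS-ALL
ALL NONE Null
SYN,RST SYN,RST SYN/RST
SYN,FIN SYN,FIN SYN/FIN
ALL FIN FIN'

# classify PACKET_FLAGS -> label of the first matching rule (the packet is
# then logged and dropped in LOG_BAD_FLAG), or "pass" if it would fall
# through CHECK_BAD_FLAG untouched.
classify() {
  while read -r rl_mask rl_comp rl_name; do
    [ -n "$rl_mask" ] || continue
    if tcp_flags_match "$rl_mask" "$rl_comp" "$1"; then
      echo "$rl_name"
      return 0
    fi
  done <<EOF
$RULES
EOF
  echo pass
}

# Constructed probe list: the flag sets nmap's scan types send.
for probe in "Null (-sN):NONE" "FIN (-sF):FIN" "Xmas (-sX):FIN,PSH,URG" \
             "SYN (-sS) / connect (-sT):SYN" "ACK (-sA):ACK" "Maimon (-sM):FIN,ACK"; do
  printf '%-26s flags=%-12s -> %s\n' \
    "${probe%%:*}" "${probe#*:}" "$(classify "${probe#*:}")"
done
```

In this model the Null probe matches the "ALL NONE" rule and ends in LOG_BAD_FLAG's DROP, so if a Null scan still gets through on the real box the cause is outside these seven rules: check with "iptables -L INPUT -n -v --line-numbers" that the jump to CHECK_BAD_FLAG sits before any INPUT rule that accepts the packet, and watch the packet counter of the "ALL NONE" rule while scanning. Do not rely on nmap's verdict for that: an open port shows as open|filtered whether the probe was dropped by the rule or silently ignored by the stack. The SYN-only probes of -sS and -sT pass by design, since a bare SYN is exactly what a legitimate client sends and no flag rule can single it out; the ACK and Maimon (FIN/ACK) probes pass as well because no rule in the chain covers them. The only handle iptables offers against a connect scan is rate-limiting new connections per source (for example with "-m recent" or "-m hashlimit" on "--syn" packets), at the cost of also throttling a bursty legitimate client.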
