Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort

If some site is making a habit of scanning your machine or otherwise being a nuisance, you might decide to deny it access to everything, at least until the problem behavior is corrected.

One way to do this without editing the rc.firewall script each time is to include a separate file of specific drop rules. By inserting the rules into the INPUT chain rather than appending them, the site will be blocked even if subsequent rules would otherwise allow them access to some service. The file is named /etc/rc.d/rc.firewall.blocked. To avoid a possible runtime error, check for the file's existence before trying to include it:

# Refuse packets claiming to be from the banned list
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    . /etc/rc.d/rc.firewall.blocked
fi

An example of a global drop rule in the rc.firewall.blocked file is this:

$IPT -I INPUT -i $INTERNET -s <address/mask> -j DROP

As an alternative to inserting the rules at the very beginning of the chains, which would precede state checking, the rules could be append rules, and the file could be included in the spoofed source address section of the ruleset.

Any packet from this source address range is dropped, regardless of message protocol type or source or destination port.
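As an added example (not code from the book), the following POSIX shell fragment implements the same blocked-list include, but reads the addresses from a plain one-per-line file and validates each entry so that a typo in the list cannot abort the firewall script part-way through. $IPT and $INTERNET are the book's variables; the list-file format, the valid_cidr helper and the dry-run stub are assumptions.

```shell
#!/bin/sh
# Added example: load rc.firewall.blocked-style insert rules from a list file.
# Assumes IPT and INTERNET are exported by the calling rc.firewall script;
# point IPT at a stub (e.g. a shell function) to dry-run without root.

IPT="${IPT:-/sbin/iptables}"
INTERNET="${INTERNET:-eth0}"

# Accept only dotted-quad addresses with an optional /0-32 prefix length.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' ||
        return 1
    oldIFS=$IFS; IFS=./; set -- $1; IFS=$oldIFS   # split into octets
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read a blocklist (one address/mask per line, '#' comments allowed) and
# insert a DROP rule at the head of INPUT for each valid entry, so the ban
# wins over any later ACCEPT rule. Returns 1 if any entry was skipped.
load_blocked_list() {
    list="$1"
    [ -f "$list" ] || return 0          # same existence check as rc.firewall
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"             # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -z "$entry" ] && continue
        if valid_cidr "$entry"; then
            "$IPT" -I INPUT -i "$INTERNET" -s "$entry" -j DROP
        else
            echo "blocked list: skipping malformed entry '$entry'" >&2
            rc=1
        fi
    done < "$list"
    return $rc
}
```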
