For what it's worth, moving SSH off port 22 to a non-default port is worth doing, but be clear about what it buys you: it is noise reduction, not a security control. It filters out the mass of automated scanners and bots that only try port 22, so what is left in your logs is far more likely to be a deliberate attempt worth looking at. A targeted attacker finds the real port with a single port scan, so the actual protection still has to come from the SSH configuration (key-based authentication, no root login) and from the rate limiting below.
Comments and critiques regarding the following script are most welcome.
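#!/bin/bash
# Host firewall for a single server: allow SSH (on a non-default port) and HTTP
# inbound, rate-limit new SSH connections per source, drop obviously spoofed
# and malformed traffic, ban hosts that probe port 139 for 24 hours, and
# persist the result so it is restored before the interface comes up.
#
# Rules adapted from:
# http://www.newartisans.com/2007/09/neat-tricks-with-iptables.html
# See also:
# https://help.ubuntu.com/community/IptablesHowTo
#
# Rule ORDER is the whole point of this revision. iptables walks a chain top to
# bottom and stops at the first terminating target (ACCEPT/DROP/REJECT), so the
# catch-all REJECT must be the LAST rule appended to INPUT and FORWARD. In the
# previous revision it was appended right after the port allows, which made
# every rule appended after it -- anti-spoofing, INVALID drops, TCP-flag
# checks, ICMP limits and the port-scan ban -- unreachable. Likewise the
# unconditional "accept any ICMP" rule sat above the ICMP rate limit, so the
# limit never applied.
#
# WARNING: because the anti-spoofing rules now actually execute, check WAN_IF
# before running this remotely and keep an out-of-band console available. If
# the upstream side of this host is itself an RFC1918 network (e.g. behind a
# NAT router on 192.168.x.x), remove the matching -s line below or you will
# lock yourself out.
set -eu

# External interface and service ports. Override via the environment, e.g.
#   WAN_IF=eth1 ./firewall.sh
# The previous revision used eth1 in one rule and eth0 in another; a single
# variable keeps them consistent.
WAN_IF=${WAN_IF:-eth0}
SSH_PORT=${SSH_PORT:-1222}
HTTP_PORT=${HTTP_PORT:-80}

if [[ $EUID -ne 0 ]]; then
  printf 'This script must be run as root.\n' >&2
  exit 1
fi

printf '[SCRIPT] Flushing rules; policies stay ACCEPT until the new set is in place.\n'
# Flush with ACCEPT policies so an error part-way through leaves the box
# reachable (set -e aborts before the DROP policy below is applied).
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

printf '[SCRIPT] Allow loopback.\n'
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

printf '[SCRIPT] Drop packets with an invalid state.\n'
# Packets conntrack cannot classify (bad sequence numbers, out-of-window, etc.).
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

printf '[SCRIPT] Drop spoofed IP addresses on %s.\n' "$WAN_IF"
# Scoped to the external interface only: these ranges are legitimate on lo and
# on internal LANs, and matching them everywhere (as the previous revision did)
# would block local traffic the moment the rules became reachable.
# Sources that must never arrive from the Internet.
iptables -A INPUT -i "$WAN_IF" -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i "$WAN_IF" -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i "$WAN_IF" -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i "$WAN_IF" -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i "$WAN_IF" -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i "$WAN_IF" -s 0.0.0.0/8 -j DROP
# Multicast (224/4) and reserved class E (240/4 -- the previous /5 only
# covered half of it) as source or destination.
iptables -A INPUT -i "$WAN_IF" -s 224.0.0.0/4 -j DROP
iptables -A INPUT -i "$WAN_IF" -d 224.0.0.0/4 -j DROP
iptables -A INPUT -i "$WAN_IF" -s 240.0.0.0/4 -j DROP
iptables -A INPUT -i "$WAN_IF" -d 240.0.0.0/4 -j DROP
iptables -A INPUT -i "$WAN_IF" -d 0.0.0.0/8 -j DROP
# NOTE: dropping limited-broadcast also drops DHCP offers addressed to this
# host; remove this line if the external interface is a DHCP client.
iptables -A INPUT -i "$WAN_IF" -d 255.255.255.255 -j DROP

printf '[SCRIPT] Drop SYN,FIN and SYN,RST invalid flag combinations.\n'
# Flag combinations that never occur in a legitimate handshake; typical of
# OS-fingerprinting scans.
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

printf '[SCRIPT] Drop ICMP address-mask and timestamp requests.\n'
# Information-disclosure probes; neither is needed for normal operation.
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP

printf '[SCRIPT] Accept established and related traffic.\n'
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

printf '[SCRIPT] Limit spamming PINGs.\n'
# Placed after the ESTABLISHED rule, so this only governs unsolicited ICMP
# (echo requests etc.); replies to our own traffic are already accepted.
# Anything over the limit falls through to the final REJECT.
iptables -A INPUT -p icmp -m icmp -m limit --limit 2/second -j ACCEPT

printf '[SCRIPT] Limit RST spam.\n'
# Only reaches RSTs that do not belong to a tracked connection; a trickle is
# accepted, the rest falls through to the final REJECT.
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST \
  -m limit --limit 2/second --limit-burst 2 -j ACCEPT

printf '[SCRIPT] Reject TCP connection attempts without an MSS option.\n'
# The MSS option is only legitimately present on SYN segments. This rule sits
# below the ESTABLISHED accept on purpose: placed above it, it would reject
# every non-SYN segment of every connection. Here it only sees new
# connection attempts, and rejects SYNs without MSS (a scanner trait).
iptables -A INPUT -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset

printf '[SCRIPT] Restrict port scanners for 24 hours.\n'
# Sources in the "portscan" list (populated by the port-139 trap below) are
# dropped for 86400 s. An entry older than that passes --rcheck and is then
# cleared by --remove, which is a no-op for sources not in the list.
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

printf '[SCRIPT] Rate-limit new SSH connections on port %s (4 in 120 seconds).\n' "$SSH_PORT"
# This counts new TCP connections to the SSH port, not failed logins (iptables
# cannot see authentication results). The 4th new connection from one source
# within 120 s is dropped; --update refreshes the timestamp on each hit, so a
# source keeps being dropped until it goes quiet for 120 s. --rttl also
# requires the TTL to match the recorded one, which makes it harder for a
# third party to get a legitimate address banned with spoofed SYNs.
iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m state --state NEW \
  -m recent --name ssh --update --seconds 120 --hitcount 4 --rttl -j DROP
iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m state --state NEW \
  -m recent --name ssh --set

printf '[SCRIPT] Limit to ports %s and %s.\n' "$SSH_PORT" "$HTTP_PORT"
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport "$SSH_PORT" -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport "$HTTP_PORT" -j ACCEPT

printf '[SCRIPT] Trap scans on port 139 (Microsoft).\n'
# Nothing legitimate should ask this host for NetBIOS, so any attempt marks
# the source as a scanner (--set) and drops it; the --rcheck rules above then
# drop everything else from that source for 24 h. The LOG rule is rate-limited
# so a scan cannot flood the logs.
iptables -A INPUT -p tcp -m tcp --dport 139 -m limit --limit 5/minute \
  -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 \
  -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m limit --limit 5/minute \
  -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 \
  -m recent --name portscan --set -j DROP

printf '[SCRIPT] Reject everything else (must stay the last rule).\n'
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

# Default policy is only reached if the REJECT above were ever removed; set it
# last so a failure earlier in the script cannot leave the box unreachable.
iptables -P INPUT DROP

printf '[SCRIPT] Persisting rules.\n'
# Assumes Debian/Ubuntu ifupdown: scripts in if-pre-up.d run before an
# interface is brought up, so the rules are in place before traffic arrives.
iptables-save > /etc/network/iptables
printf '#!/bin/sh\niptables-restore < /etc/network/iptables\n' > /etc/network/if-pre-up.d/iptables
chmod 754 /etc/network/if-pre-up.d/iptables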
Comments and critiques regarding the following script are most welcome.