LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-15-2011, 02:13 PM   #16
smallgamer
LQ Newbie
 
Registered: Jul 2011
Posts: 29

Original Poster
Rep: Reputation: Disabled

I'm getting the message "line 32 failed" after applying those last two changes. Does that indicate some problem with this iptables text, or is it fine and I should just use that other method of activating the iptables file from your last post?
 
Old 10-15-2011, 02:29 PM   #17
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,019
Blog Entries: 54

Rep: Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766
The only thing missing are "-i eth0" items in lines below the ESTABLISHED,RELATED rule. Try adding it similar to that line.
 
Old 10-15-2011, 02:38 PM   #18
smallgamer
LQ Newbie
 
Registered: Jul 2011
Posts: 29

Original Poster
Rep: Reputation: Disabled
Still "iptables-restore: line 32 failed."

And this is the FIRST step? I'm grateful that you're helping me, but YIKES.
 
Old 10-15-2011, 02:47 PM   #19
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,019
Blog Entries: 54

Rep: Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766
OK, this is taking too long. Save as appropriate and run it like this standalone shell script:
Code:
#!/bin/sh --
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
/sbin/iptables -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t filter -A INPUT -i eth0 -m conntrack --ctstate INVALID -j LOG --log-prefix "IN_inv "
/sbin/iptables -t filter -A INPUT -i eth0 -m conntrack --ctstate INVALID -j REJECT
/sbin/iptables -t filter -A INPUT -i eth0 -m tcp -p tcp --syn -m connlimit --connlimit-above 30 --connlimit-mask 24 -j LOG --log-prefix "IN_lim "
/sbin/iptables -t filter -A INPUT -i eth0 -m tcp -p tcp --syn -m connlimit --connlimit-above 30 --connlimit-mask 24 -j REJECT
/sbin/iptables -t filter -A INPUT -i eth0 -m udp -p udp -m state --state NEW -m connlimit --connlimit-above 100 --connlimit-mask 24 -j LOG --log-prefix "IN_lim "
/sbin/iptables -t filter -A INPUT -i eth0 -m udp -p udp -m state --state NEW -m connlimit --connlimit-above 100 --connlimit-mask 24 -j REJECT
/sbin/iptables -t filter -A INPUT -i eth0 -m state --state NEW -m tcp -p tcp -m multiport --dports 22,80 -j LOG  --log-prefix "IN_tcpnew "
/sbin/iptables -t filter -A INPUT -i eth0 -m state --state NEW -m tcp -p tcp -m multiport --dports 22,80 -j ACCEPT
/sbin/iptables -t filter -A INPUT -i eth0 -m state --state NEW -m udp -p udp -m multiport --dports 36900:36999 -j LOG  --log-prefix "IN_udpnew "
/sbin/iptables -t filter -A INPUT -i eth0 -m state --state NEW -m udp -p udp -m multiport --dports 36900:36999 -j ACCEPT
/sbin/iptables -t filter -A INPUT -i eth0 -m limit --limit 1/minute --limit-burst 3 -j LOG --log-prefix "IN_rej "
/sbin/iptables -t filter -A INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
/sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT
sleep 5m
service iptables restart
exit 0

Last edited by unSpawn; 10-15-2011 at 02:50 PM. Reason: //Restart
 
1 members found this post helpful.
Old 10-15-2011, 02:55 PM   #20
smallgamer
LQ Newbie
 
Registered: Jul 2011
Posts: 29

Original Poster
Rep: Reputation: Disabled
It froze on the fifth line and I can no longer log into my server via ssh.
 
Old 10-15-2011, 03:30 PM   #21
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,019
Blog Entries: 54

Rep: Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766
Not back up yet? No access to port 80 (meaning it's inaccessible completely)?
 
Old 10-15-2011, 03:34 PM   #22
smallgamer
LQ Newbie
 
Registered: Jul 2011
Posts: 29

Original Poster
Rep: Reputation: Disabled
How do I access port 80? Through my ssh client, just change port 22 to 80?

I need to stress that you're dealing with a noob here.

EDIT: That's not working.

Last edited by smallgamer; 10-15-2011 at 03:36 PM.
 
Old 10-15-2011, 03:59 PM   #23
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,019
Blog Entries: 54

Rep: Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766Reputation: 2766
OK, that plainly sucks. Just to be sure: the iptables rule set is really simple and unless your VPS doesn't come with the most basic of modules ('grep -i iptables /etc/vz/vz.conf'), or used an ethernet device other than eth0, I can't see why it wouldn't have worked. Anyway, since it remains inaccessible the only alternative is to ask your provider to either log in and fix things for you if they can or gracefully shut down and reboot it. After that you'll have to find out if iptables is enabled by your provider and if so which modules are offered.



Quote:
Originally Posted by smallgamer View Post
How do I access port 80? Through my ssh client, just change port 22 to 80?
EDIT: That's not working.
No, use a browser for port 80.


Quote:
Originally Posted by smallgamer View Post
I need to stress that you're dealing with a noob here.
Thanks, I sometimes tend to forget that.

Last edited by unSpawn; 10-15-2011 at 04:01 PM.
 
Old 10-21-2011, 04:58 AM   #24
smallgamer
LQ Newbie
 
Registered: Jul 2011
Posts: 29

Original Poster
Rep: Reputation: Disabled
Okay, apf firewall is set up and configured. I did have help with this (I'm sorry for not following your advice via email, but I'm also trying to maintain my job and it was either pay someone to set that up for me or shut down my gaming server.) My current iptables contents are below.

Unfortunately, the attack I described previously is still happening multiple times per day.

I have some more information about what is going on when the attack happens. The targeted application actually continues to run... it even continues producing log files. But it is dead to the outside world. Apparently this attack causes the application's socket to terminate.

I read that this is an exploit for attacking some other games as well. An oversized udp packet is sent, and it causes the application's socket to terminate. That seems to be what is happening here. So I had a rule added to the firewall:

-A INPUT -p udp -m length --length 2001:65535 -j DROP

(2000 is the number the game developer recommended, saying anything over that could be dropped.)

This rule is not stopping the attack. But wouldn't an oversized packet mean one which is larger than 65535 anyway? However, I can't enter any number higher than that, or I get an error when I restart iptables. So, can this be reversed and changed to ACCEPT with a criteria of 0-2000, so that ANY packet over 2000 (no matter HOW large) is automatically not accepted? If so, what is the syntax for that, and if not, do I have any other options?

I also noticed when I first looked at this configuration that there is no LIMIT rule for the rate of udp packets. What should I put for that kind of rule, so that if more than a certain number of udp packets come per second from the same IP address, they are automatically ignored and the DOS attack fails while the IP address is added to the deny hosts list?

Code:
# Generated by iptables-save v1.3.5 on Wed Oct 19 23:25:17 2011
*mangle
:PREROUTING ACCEPT [33166894:1191645360]
:INPUT ACCEPT [33166894:1191645360]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [72825690:3800736373]
:POSTROUTING ACCEPT [72825169:3800705902]
-A PREROUTING -p tcp -m tcp --sport 21 -j TOS --set-tos 0x08 
-A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08 
-A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x08 
-A PREROUTING -p tcp -m tcp --sport 25 -j TOS --set-tos 0x10 
-A PREROUTING -p tcp -m tcp --sport 110 -j TOS --set-tos 0x10 
-A PREROUTING -p tcp -m tcp --sport 143 -j TOS --set-tos 0x10 
-A PREROUTING -p tcp -m tcp --sport 512:65535 -j TOS --set-tos 0x00 
-A POSTROUTING -p tcp -m tcp --dport 21 -j TOS --set-tos 0x08 
-A POSTROUTING -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08 
-A POSTROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08 
-A POSTROUTING -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10 
-A POSTROUTING -p tcp -m tcp --dport 110 -j TOS --set-tos 0x10 
-A POSTROUTING -p tcp -m tcp --dport 143 -j TOS --set-tos 0x10 
-A POSTROUTING -p tcp -m tcp --dport 512:65535 -j TOS --set-tos 0x00 
COMMIT
# Completed on Wed Oct 19 23:25:17 2011
# Generated by iptables-save v1.3.5 on Wed Oct 19 23:25:17 2011
*filter
:INPUT ACCEPT [134:6112]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [327:18880]
:FRAG_UDP - [0:0]
:IN_SANITY - [0:0]
:OUT_SANITY - [0:0]
:P2P - [0:0]
:PROHIBIT - [0:0]
:PZERO - [0:0]
:RESET - [0:0]
:TALLOW - [0:0]
:TDENY - [0:0]
:TGALLOW - [0:0]
:TGDENY - [0:0]
:TMP_DROP - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 0.0.0.0/255.0.0.0 -j DROP 
-A INPUT -s 127.0.0.0/255.0.0.0 -j DROP 
-A INPUT -s 169.254.0.0/255.255.0.0 -j DROP 
-A INPUT -s 192.0.0.0/255.255.255.0 -j DROP 
-A INPUT -s 192.0.2.0/255.255.255.0 -j DROP 
-A INPUT -s 198.18.0.0/255.254.0.0 -j DROP 
-A INPUT -s 198.51.100.0/255.255.255.0 -j DROP 
-A INPUT -s 203.0.113.0/255.255.255.0 -j DROP 
-A INPUT -s 224.0.0.0/240.0.0.0 -j DROP 
-A INPUT -s 240.0.0.0/240.0.0.0 -j DROP 
-A INPUT -j TMP_DROP 
-A INPUT -j TALLOW 
-A INPUT -j TDENY 
-A INPUT -j TGALLOW 
-A INPUT -j TGDENY 
-A INPUT -p tcp -m tcp --dport 135:139 -j DROP 
-A INPUT -p udp -m udp --dport 135:139 -j DROP 
-A INPUT -p tcp -m tcp --dport 111 -j DROP 
-A INPUT -p udp -m udp --dport 111 -j DROP 
-A INPUT -p tcp -m tcp --dport 513 -j DROP 
-A INPUT -p udp -m udp --dport 513 -j DROP 
-A INPUT -p tcp -m tcp --dport 520 -j DROP 
-A INPUT -p udp -m udp --dport 520 -j DROP 
-A INPUT -p tcp -m tcp --dport 445 -j DROP 
-A INPUT -p udp -m udp --dport 445 -j DROP 
-A INPUT -p tcp -m tcp --dport 1433 -j DROP 
-A INPUT -p udp -m udp --dport 1433 -j DROP 
-A INPUT -p tcp -m tcp --dport 1434 -j DROP 
-A INPUT -p udp -m udp --dport 1434 -j DROP 
-A INPUT -p tcp -m tcp --dport 1234 -j DROP 
-A INPUT -p udp -m udp --dport 1234 -j DROP 
-A INPUT -p tcp -m tcp --dport 1524 -j DROP 
-A INPUT -p udp -m udp --dport 1524 -j DROP 
-A INPUT -p tcp -m tcp --dport 3127 -j DROP 
-A INPUT -p udp -m udp --dport 3127 -j DROP 
-A INPUT -j IN_SANITY 
-A INPUT -j FRAG_UDP 
-A INPUT -j PZERO 
-A INPUT -j P2P 
-A INPUT -p tcp -m tcp --dport 36943 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 36944 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 55000 -j ACCEPT 
-A INPUT -p udp -m udp --dport 36943 -j ACCEPT 
-A INPUT -p udp -m udp --dport 36944 -j ACCEPT 
-A INPUT -p udp -m udp --dport 22 -j ACCEPT 
-A INPUT -p udp -m udp --dport 21 -j ACCEPT 
-A INPUT -p udp -m udp --dport 22 -j ACCEPT 
-A INPUT -p udp -m udp --dport 25 -j ACCEPT 
-A INPUT -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -p udp -m udp --dport 80 -j ACCEPT 
-A INPUT -p udp -m udp --dport 443 -j ACCEPT 
-A INPUT -p udp -m udp --dport 3306 -j ACCEPT 
-A INPUT -p udp -m udp --dport 55000 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 3 -m limit --limit 30/sec -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 5 -m limit --limit 30/sec -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 11 -m limit --limit 30/sec -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 0 -m limit --limit 30/sec -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 30 -m limit --limit 30/sec -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 30/sec -j ACCEPT 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -s xxx.xxx.xxx.222 -p udp -m udp --sport 53 --dport 1023:65535 -j ACCEPT 
-A INPUT -s xxx.xxx.xxx.222 -p tcp -m tcp --sport 53 --dport 1023:65535 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 53 --dport 1023:65535 -j DROP 
-A INPUT -p udp -m udp --sport 53 --dport 1023:65535 -j DROP 
-A INPUT -s xxx.xxx.xxx.220 -p udp -m udp --sport 53 --dport 1023:65535 -j ACCEPT 
-A INPUT -s xxx.xxx.xxx.220 -p tcp -m tcp --sport 53 --dport 1023:65535 -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 53 --dport 1023:65535 -j DROP 
-A INPUT -p udp -m udp --sport 53 --dport 1023:65535 -j DROP 
-A INPUT -p tcp -m tcp --sport 1023:65535 --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 21,20 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p udp -m multiport --dports 21,20 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 22 --dport 513:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p udp -m udp --dport 22 -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 33434:33534 -j ACCEPT 
-A INPUT -p tcp -j DROP 
-A INPUT -p udp -j DROP 
-A INPUT -j DROP 
-A INPUT -p udp -m length --length 2001:65535 -j DROP 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A OUTPUT -d 0.0.0.0/255.0.0.0 -j DROP 
-A OUTPUT -d 127.0.0.0/255.0.0.0 -j DROP 
-A OUTPUT -d 169.254.0.0/255.255.0.0 -j DROP 
-A OUTPUT -d 192.0.0.0/255.255.255.0 -j DROP 
-A OUTPUT -d 192.0.2.0/255.255.255.0 -j DROP 
-A OUTPUT -d 198.18.0.0/255.254.0.0 -j DROP 
-A OUTPUT -d 198.51.100.0/255.255.255.0 -j DROP 
-A OUTPUT -d 203.0.113.0/255.255.255.0 -j DROP 
-A OUTPUT -d 224.0.0.0/240.0.0.0 -j DROP 
-A OUTPUT -d 240.0.0.0/240.0.0.0 -j DROP 
-A OUTPUT -j TMP_DROP 
-A OUTPUT -j TALLOW 
-A OUTPUT -j TDENY 
-A OUTPUT -j TGALLOW 
-A OUTPUT -j TGDENY 
-A OUTPUT -p tcp -m tcp --dport 135:139 -j DROP 
-A OUTPUT -p udp -m udp --dport 135:139 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 111 -j DROP 
-A OUTPUT -p udp -m udp --dport 111 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 513 -j DROP 
-A OUTPUT -p udp -m udp --dport 513 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 520 -j DROP 
-A OUTPUT -p udp -m udp --dport 520 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 445 -j DROP 
-A OUTPUT -p udp -m udp --dport 445 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 1433 -j DROP 
-A OUTPUT -p udp -m udp --dport 1433 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 1434 -j DROP 
-A OUTPUT -p udp -m udp --dport 1434 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 1234 -j DROP 
-A OUTPUT -p udp -m udp --dport 1234 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 1524 -j DROP 
-A OUTPUT -p udp -m udp --dport 1524 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 3127 -j DROP 
-A OUTPUT -p udp -m udp --dport 3127 -j DROP 
-A OUTPUT -j OUT_SANITY 
-A OUTPUT -j FRAG_UDP 
-A OUTPUT -j PZERO 
-A OUTPUT -j P2P 
-A OUTPUT -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -d xxx.xxx.xxx.222 -p udp -m udp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -d xxx.xxx.xxx.222 -p tcp -m tcp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -d xxx.xxx.xxx.222 -p udp -m udp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -d xxx.xxx.xxx.222 -p tcp -m tcp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -d xxx.xxx.xxx.220 -p udp -m udp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -d xxx.xxx.xxx.220 -p tcp -m tcp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -d xxx.xxx.xxx.220 -p udp -m udp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -d xxx.xxx.xxx.220 -p tcp -m tcp --sport 1023:65535 --dport 53 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 21 --dport 1023:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m multiport --dports 21,20 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p udp -m multiport --dports 21,20 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p udp -m state --state NEW -m udp --dport 33434:33534 -j ACCEPT 
-A OUTPUT -j ACCEPT 
-A FRAG_UDP -p udp -f -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP 
-A IN_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP 
-A OUT_SANITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
-A OUT_SANITY -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
-A OUT_SANITY -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 
-A OUT_SANITY -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP 
-A OUT_SANITY -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP 
-A OUT_SANITY -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP 
-A OUT_SANITY -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP 
-A P2P -p tcp -m tcp --dport 1214 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 1214 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 1214 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1214 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --dport 2323 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 2323 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 2323 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 2323 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 1024:65534 --dport 4660:4678 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 4660:4678 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 4660:4678 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 4660:4678 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --dport 6257 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 6257 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 6257 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 6257 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --dport 6699 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 6699 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 6699 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 6699 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --dport 6346 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 6346 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 6346 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 6346 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --dport 6347 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 6347 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 6347 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 6347 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 1024:65534 --dport 6881:6889 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 6881:6889 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 6881:6889 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 6881:6889 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --dport 6346 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 6346 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 6346 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 6346 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --dport 7778 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p tcp -m tcp --sport 7778 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 1024:65534 --dport 7778 -j REJECT --reject-with icmp-port-unreachable 
-A P2P -p udp -m udp --sport 7778 --dport 1024:65534 -j REJECT --reject-with icmp-port-unreachable 
-A PROHIBIT -j REJECT --reject-with icmp-host-prohibited 
-A PZERO -p tcp -m tcp --dport 0 -j DROP 
-A PZERO -p udp -m udp --dport 0 -j DROP 
-A PZERO -p tcp -m tcp --sport 0 -j DROP 
-A PZERO -p udp -m udp --sport 0 -j DROP 
-A RESET -p tcp -j REJECT --reject-with tcp-reset 
-A TALLOW -s 68.61.150.115 -j ACCEPT 
-A TALLOW -d 68.61.150.115 -j ACCEPT 
COMMIT
# Completed on Wed Oct 19 23:25:17 2011
# Generated by iptables-save v1.3.5 on Wed Oct 19 23:25:17 2011
*nat
:PREROUTING ACCEPT [168650:6091718]
:POSTROUTING ACCEPT [778:41469]
:OUTPUT ACCEPT [778:41469]
COMMIT
# Completed on Wed Oct 19 23:25:17 2011

Last edited by smallgamer; 10-21-2011 at 05:04 AM.
 
Old 10-21-2011, 07:02 AM   #25
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
I'm not an iptables guy by any means. However, shouldn't the "-A INPUT -p udp -m length --length 2001:65535 -j DROP" go before the below rules that permit traffic to the port your game service listens on?
Code:
-A INPUT -p udp -m udp --dport 36943 -j ACCEPT 
-A INPUT -p udp -m udp --dport 36944 -j ACCEPT
 
Old 10-21-2011, 07:22 AM   #26
smallgamer
LQ Newbie
 
Registered: Jul 2011
Posts: 29

Original Poster
Rep: Reputation: Disabled
Thanks, I changed that. Hopefully it helps.

It's really hard to find qualified people to work on this stuff. The same person who did that also had logging set to 0 so that it was not logging dropped packets, even though I explicitly said I needed that. At least I'm starting to understand things in the process, but still, that's pretty annoying.
 
Old 10-21-2011, 07:32 AM   #27
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
Quote:
Originally Posted by smallgamer View Post
Thanks, I changed that. Hopefully it helps.

It's really hard to find qualified people to work on this stuff. The same person who did that also had logging set to 0 so that it was not logging dropped packets, even though I explicitly said I needed that. At least I'm starting to understand things in the process, but still, that's pretty annoying.
No problem, I hope it works out for you. But as I said, I'm by no means an iptables guy. My post was a question. I'm a bit rusty since I've been focusing on other areas of security so you may want to wait for verification or double check yourself.
 
Old 10-21-2011, 08:24 AM   #28
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
In general, there are two major philosophies with IP tables that are helpful to keep in mind when working with the rules. One, is that the rules are process in order from top to bottom and if a match is found, it stops comparing. As Ol'Roy pointed out, placing a drop rule based upon packet size beneath one that accepts traffic to that port won't work, because the length check won't even get analyzed. The second philosophy is to set your firewall so that traffic is dropped by default and only accepted when it meets certain parameters. The syntax for the rules is almost identical to your drop rules, but instead of -j DROP, use -j ACCEPT. This practice is commonly referred to as white-listing versus black-listing and it gives you a real leg up on the would be attacker, who can adapt to get around your reject lists. There are two ways to achieve this, one is to set the policy to DROP and then add the rules that you want to accept, the other is to set the policy to ACCEPT, add the rules you want to ACCEPT and then at the end put a catch all DROP rule. The primary difference is in how the filter will behave when the rules have been flushed, in which case it will act according to the policy. If you don't have physical access to the machine, setting the policy to accept is safer in that if the rules get cleared, you can still get at the machine via SSH.

So as an example of how this would impact your rules, instead of having 20+ rules to drop specified ports, you could have three or four rules to only accept the ports, or port ranges you wish to accept. You can also get creative to enhance your security on your SSH port or other management interface. Say for example, that you have either a static IP or you can identify the network+mask that identifies the range that YOU will be using, you can restrict access to only these source IP addresses, effectively cutting off traffic from everyone else. I also noticed that you have duplicate rules for TCP and UDP on the same port, you should be able to simplify your rules by just specifying the port without the protocol. For example, your three rules:
Code:
-A INPUT -p tcp -j DROP 
-A INPUT -p udp -j DROP 
-A INPUT -j DROP
The 3rd rule is really superfluous because traffic will be dropped by one of the two rules, but you could also eliminate the first two and just use the 3rd.

There are some really great tutorials on IPTables, that might help you with these rules. It looks like you have or are getting a grasp of the basic syntax and are starting to get into the art of rule writing. Once you get past the initial learning curve, writing iptables rules is actually enjoyable.

To address your other question about rate limiting: a quantitative suggestion is hard to provide. You might want to ask the developer for some guidance. Otherwise you will need to do some trial and error and expect to fine tune it for a while as a balance can be difficult to achieve.

You might find this link interesting: http://blog.bodhizazen.net/linux/pre...with-iptables/ It is an IPTables tutorial specifically geared towards preventing attacks and it discusses both length and limit functions. While somewhat cursory, it might at least be a good common reference point for refining the discussion.
 
1 members found this post helpful.
Old 10-21-2011, 12:49 PM   #29
smallgamer
LQ Newbie
 
Registered: Jul 2011
Posts: 29

Original Poster
Rep: Reputation: Disabled
Thanks for the help, Noway2. I'm looking through the information you linked to and trying to wrap my head around it.

I think unSpawn may have written me off due to the fact that I paid someone to do the initial configuration on my server.

UnSpawn, if that is the case, please understand where I'm coming from.

I realize that it's not apparent here, but I do have a love for knowledge, and I spend a lot of time each week learning how to do new things. I make my living on the internet, and I'm no stranger to spending days figuring out why X, Y, or Z isn't working.

Paying for someone to do the initial setup on my firewall, however, was logistically unavoidable. I did not have days to spend going through the entire process as a newb, and I also did not want to give up and shut down my gaming server. That only left me with one option. Please try not to think poorly of me. I'm still here trying to finish the job.

Last edited by smallgamer; 10-21-2011 at 01:16 PM.
 
Old 10-21-2011, 01:05 PM   #30
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
I don't think anyone, unSpawn included, will look down upon you for paying to have someone perform a service for you. For that matter, we all have day jobs too. Sometimes expediency is the biggest priority and hired hands can bring that to the table. I do think that most here appreciate making an effort to learn, which you are doing, and I don't think that we could ask any more of you. Sometimes, especially for those who have been using Linux for a long time, we lose sight of the new user perspective. This causes us to forget to include things that have become obvious to us. Please have patience with us in this regard.

Once you have had a chance to read up on iptables and look over some of the tutorial pages, please ask questions and don't be afraid to ask.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Server Attack jitenagr Linux - Server 5 11-10-2006 06:50 AM
Server under some form of attack English_Man Linux - Security 1 10-30-2005 01:03 PM
is this a attack to my web server ohcarol Linux - Security 1 12-29-2004 08:59 AM
game not receving game list from master server Rnastyracer Linux - Games 2 04-02-2004 10:20 PM


All times are GMT -5. The time now is 10:04 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration