Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have a very simple iptables script I use with whitelist and blacklist processing.
However, the blacklist does not seem to be working. Can anyone see any problems with this?
My blacklist is long, about 93k. I block by country and known attackers. I tested it by blocking an ip address I have and then was able to still login to it.
#
#First, run through $WGITELIST, acceptiong all traffic from hosts and networks
#contained therein.
#
for x in `grep -v ^# $WHITELIST | awk '{print $1} '`; do
echo "Permitting $x..."
iptables -A INPUT -t filter -s $x -j ACCEPT
done
#
#Now run through $BLACKLIST, dropping all traffic from the hosts and networks
#contained therein.
#
for x in `grep -v ^# $BLACKLIST | awk '{print $1}'`; do
echo "blocking $x..."
iptables -A INPUT -t filter -s $x -j DROP
done
#
#Next, the permitted ports: What will we accept from hosts not appearing
#on the blacklist?
#
for port in $ALLOWED; do
echo "Accepting port $port..."
iptables -A INPUT -t filter -p tcp --dport $port -j ACCEPT
done
#
#Unless it's mentioned above, and it's inbound startup request,
#we will just drop it.
#
iptables -A INPUT -t filter -p tcp --syn -j DROP
#
#end
First, I'd recommend getting rid of the last rule you have and setting your default input policy to "DROP" instead. By not explicitly setting a default policy it gets set automatically to ACCEPT, which means any non-syn tcp traffic, all udp, and all icmp will cut through your firewall like a hot knife through butter.
WRT the blacklist, your script works for me. Try putting a single IP (like 1.2.3.4) in the blacklist file by itself, reload your firewall rules and see if the IP appears in the output of iptables -vnL. Also make sure that your whitelist IPs are not somehow overriding the blacklist.
Thanks for the heads up on that last rule. I tested my blacklist and added a single IP address that is one of mine. However, I was able to get into it still. I verified this address or subnet was not in my whitelist.
Here's the strange thing, when I do an iptables -vnL - I see this before my blacklist.
Note the 0.0.0.0/8 entry. Where is this coming from. I don't have it in my white list. Do you think something is compromised?
Chain INPUT (policy ACCEPT 46 packets, 3347 bytes)
pkts bytes target prot opt in out source destination
You might also want to try something like the "-m iprange --src-range 55.55.0.0-55.55.255.255 -j DROP, if your blacklist is big, as such big lists can slow your network.
I've added the default policy now I can't get to my server via ssh. Does this default policy set it so there must be a whitelist entry to connect to the machine?
I can't have that. I use it for an email server so I need incoming connections.
OR do I put the default policy prior to my white and blacklist processing?
Yes, put the default drop policy at the very beginning, after the flush (where you might want to add also iptables -X to delete all possible custom chains).
Are you also missing the default states rules? If so, try e.g. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT. Naturally these rules block also the SSH, if not otherwise specified. Try running something like -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT. Or append these to your OUTPUT and FORWARD chains if you are connecting to a different server within your network.
EDIT: naturally consider the following INPUT/OUTPUT/FORWARD examples with a reference to your network, which I am not familiar with.
Here's what fixed the problem. I have added the new content to my firewall and it is now functioning.
The problem in the first message with the line from iptables -L:
Chain INPUT (policy ACCEPT 46 packets, 3347 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 216.21.229.0/24 0.0.0.0/0
0 0 ACCEPT all -- * * 69.91.0.0/16 0.0.0.0/0
0 0 ACCEPT all -- * * 194.106.220.51 0.0.0.0/0
3659 285K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
I removed iptables and resinstalled it. Then re-ran my rules it worked. The Accept all from 0.0.0.0/0.0.0.0 is gone.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Help - Something wrong with my firewall
