Linux - Security (LinuxQuestions.org)
This forum is for all security related questions.
It's been 2 years now since I had to take over managing a server based on the old (EOL) distribution Trustix (v 3.0.5).
It has an annoying feature (to me at least): the firewall is managed with the Giptables script, which I don't understand;
well, honestly, I don't understand IPTABLES either, but I'm trying to learn it.
Now here comes my 'revelation' part, where I finally found where the IPTABLES script is saved, so I can manually write rules to apply.
What I'm trying to do is to block the SSH and FTP ports for all, except to allow my static IPs (a few of them),
and leave the other ports for web services open (80, 443, 25, udp 53, udp 123 - NTP, and some more I will make up).
The currently running Giptables script is working (somehow) and I would like to migrate the existing (now running) ruleset to IPTABLES
and add my 'blocked' ports, allowing only my IPs.
I'm asking, please, if someone would write me the right IPTABLES configuration combining the following.
The currently running (g)IPTABLES -nL output is (let's say my server IP is 11.12.13.14):
Code:
Chain INPUT (policy DROP)
target prot opt source destination
loopback_in all -- 0.0.0.0/0 0.0.0.0/0
interface0_in all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
loopback_out all -- 0.0.0.0/0 0.0.0.0/0
interface0_out all -- 0.0.0.0/0 0.0.0.0/0
Chain interface0_in (1 references)
target prot opt source destination
DROP all -- 93.103.1.51 0.0.0.0/0
syn_flood_interface0_in tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
DROP all -f 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
DROP all -- 11.12.13.14 0.0.0.0/0
DROP all -- 0.0.0.0/8 0.0.0.0/0
DROP all -- 127.0.0.0/8 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 11.12.13.14 udp spt:53 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spt:53 dpts:1024:65535 state ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 11.12.13.14 udp spt:53 dpt:53 state ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 11.12.13.14 udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 11.12.13.14 udp spt:53 dpt:53 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spt:21 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spt:20 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spts:1024:65535 dpt:21 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spts:1024:65535 dpt:20 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spts:513:65535 dpt:22 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spt:25 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spts:1024:65535 dpt:25 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spt:110 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spts:1024:65535 dpt:110 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spt:80 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spts:1024:65535 dpt:80 state NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spt:443 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spts:1024:65535 dpt:443 state NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:123 dpt:123 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:123 dpt:123 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spt:8181 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 11.12.13.14 tcp spts:1024:65535 dpt:8181 state NEW,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 11.12.13.14 state RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain interface0_out (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 93.103.1.51
ACCEPT udp -- 11.12.13.14 0.0.0.0/0 udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
ACCEPT udp -- 11.12.13.14 0.0.0.0/0 udp spt:53 dpt:53 state NEW,ESTABLISHED
ACCEPT udp -- 11.12.13.14 0.0.0.0/0 udp spt:53 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spt:53 dpts:1024:65535 state ESTABLISHED
ACCEPT udp -- 11.12.13.14 0.0.0.0/0 udp spt:53 dpt:53 state ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spts:1024:65535 dpt:21 state NEW,ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spts:1024:65535 dpt:20 state ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spt:21 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spt:20 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spt:22 dpts:513:65535 state ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spts:1024:65535 dpt:25 state NEW,ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spt:25 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spts:1024:65535 dpt:110 state NEW,ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spt:110 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spts:1024:65535 dpt:80 state NEW,ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spt:80 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spts:1024:65535 dpt:443 state NEW,ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spt:443 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:123 dpt:123 state NEW,RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:123 dpt:123 state NEW,RELATED,ESTABLISHED
ACCEPT udp -- 11.12.13.14 0.0.0.0/0 udp spts:1024:65535 dpts:33434:33523 state NEW
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spts:1024:65535 dpt:8181 state NEW,ESTABLISHED
ACCEPT tcp -- 11.12.13.14 0.0.0.0/0 tcp spt:8181 dpts:1024:65535 state ESTABLISHED
ACCEPT icmp -- 11.12.13.14 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
Chain loopback_in (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain loopback_out (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain syn_flood_interface0_in (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 20
DROP all -- 0.0.0.0/0 0.0.0.0/0
and what I made up from Googling multiple how-tos and examples (my wish is to implement / migrate the previous output to this):
Code:
#
# Sample iptables rules.
# /etc/sysconfig/iptables-ipv4.d/start
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Keep state.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# http/https, smtp/smtps, pop3/pop3s, imap/imaps, ssh ...
# (the multiport match takes --dports, not --dport)
-A INPUT -p tcp -m multiport --dports 25,80,110,443 -j ACCEPT
# DNS: a single port needs no multiport match.
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
# Loop device.
-A INPUT -i lo -j ACCEPT
# http/https (already covered by the multiport rule above)
#-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# named /rndc
-A INPUT -s 127.0.0.1 -p tcp --dport 953 -j ACCEPT
# smtp/smtps
# -A INPUT -p tcp -m multiport --dports 25,465 -j ACCEPT
# pop3/pop3s
# -A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
# ftp.
## # -A INPUT -p tcp -m multiport --dports 21,20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
# Passive FTP data port range (must match the FTP daemon's configuration).
-A INPUT -p tcp --dport 11000:12000 -j ACCEPT
# SSH port 22 and FTP control port 21, only from the listed sources.
# (The RELATED,ESTABLISHED variants are already covered by the "Keep state" rule above.)
-A INPUT -s 192.168.0.0/18 -p tcp -m tcp -m multiport --dports 21,22 -j ACCEPT
-A INPUT -s 192.168.0.0/18 -p tcp -m tcp -m state --state RELATED,ESTABLISHED -m multiport --dports 21,22 -j ACCEPT
-A INPUT -s my.fixed.ip.1 -p tcp -m tcp -m multiport --dports 21,22 -j ACCEPT
-A INPUT -s my.fixed.ip.1 -p tcp -m tcp -m state --state RELATED,ESTABLISHED -m multiport --dports 21,22 -j ACCEPT
-A INPUT -s my.fixed.ip.2 -p tcp -m tcp -m multiport --dports 21,22 -j ACCEPT
-A INPUT -s my.fixed.ip.2 -p tcp -m tcp -m state --state RELATED,ESTABLISHED -m multiport --dports 21,22 -j ACCEPT
-A INPUT -s my.fixed.ip.3 -p tcp -m tcp -m multiport --dports 21,22 -j ACCEPT
-A INPUT -s my.fixed.ip.3 -p tcp -m tcp -m state --state RELATED,ESTABLISHED -m multiport --dports 21,22 -j ACCEPT
-A INPUT -s 11.12.13.14 -p tcp -m tcp -m multiport --dports 21,22 -j ACCEPT
-A INPUT -s 11.12.13.14 -p tcp -m tcp -m state --state RELATED,ESTABLISHED -m multiport --dports 21,22 -j ACCEPT
################
# Blocked IP's
################
# Note: these are appended after the ACCEPT rules above, so they only catch
# traffic those rules did not already accept.
-A INPUT -s 149.0.0.0/8 -j DROP
-A INPUT -s 209.0.0.0/8 -j DROP
# Duplicate of the "Keep state" rule at the top; it never matches here.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
What I don't know is the right 'flow' of an IPTABLES config (so as not to have the server clogged dealing only with iptables - yes, I managed to do that :-), and neither how to implement some more complex CIDR notation of IP ranges of countries to block out attackers completely. Eventually I would maybe go with CSF, but first I must learn and understand the basics of IPTABLES.
Thank you in advance for taking the time to write up to this.
Regards
Last edited by lithos; 02-09-2012 at 04:08 PM.
Reason: typos, rephrasing, spelling
iptables for me is like an ACL for network filtering. The way it reads rules is the same as an ACL: top to bottom. So basically you would like to keep the allow rules at the top and at the end an explicit deny. But as you said that you want to block IP address ranges from particular countries, then you have to put a deny statement for them first, then the allow statements, and finally the explicit deny statement.
For example: you want to block the IP address range from xyz country, then you need to know the IP and the subnet mask, and you will set your first deny statement to block traffic from that country to your server as follows:
This will reject any packet from the IP xxx.xxx.xxx.xxx, which is the IP address or IP address range of that country, to your server.
Remember that the numbering is very important. I prefer using INPUT instead of APPEND, the reason being that with APPEND it might be possible that you are appending it after the explicit deny.
I always put a number when I use the INPUT policy; as you can see in the above example I have put 1 after INPUT, which tells the system that this will be inserted as rule number 1 in the input policy.
For the setup you mentioned, my suggestions will be as follows:
1. Add the deny rules for specific IPs / IP address ranges at the top (remember, if you are blocking an IP range here then no one will be able to connect to your server from that IP range, even if you mention an IP from that range later in an allow rule).
2. Add allow rules for specific ports (basically to allow any users to connect to this port on the server), so the rule will look as follows:
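The following is an added example, not code from the thread, from Giptables or from either poster. It generates an iptables-restore ruleset that does what the first post asks for (public services open to everyone, SSH and FTP only from a short list of fixed addresses, the Giptables sanity checks carried over) in the top-to-bottom order the reply describes: unconditional drops first, then the state fast path, then the admin-only ports, then public services, then a final DROP. The three admin addresses are constructed placeholders from the RFC 5737 documentation ranges; 11.12.13.14 is the thread's stand-in for the server and 93.103.1.51 is the host the current ruleset already drops. The passive FTP port range is assumed to match whatever the FTP daemon is configured with.

```shell
#!/bin/sh
# Added example (not from the thread or from Giptables): emit an iptables-restore
# ruleset for the setup described in the thread.  Addresses are placeholders.
SERVER_IP="${SERVER_IP:-11.12.13.14}"                              # the thread's stand-in server address
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10 203.0.113.11 198.51.100.7}"   # constructed "few static IPs"
BLOCKED_NETS="${BLOCKED_NETS:-93.103.1.51/32}"                     # add country CIDR blocks here
PUBLIC_TCP="25,53,80,110,443,8181"
PUBLIC_UDP="53,123"
ADMIN_TCP="21,22"            # FTP control and SSH: admin addresses only
PASV_FTP="11000:12000"       # assumed to match the FTP daemon's passive range

gen_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':SYN_FLOOD - [0:0]' ':ADMIN_ONLY - [0:0]'
    # 1. Unconditional drops first: blocked networks, packets spoofing our own
    #    address, and private/bogon sources (the same checks the Giptables chain does).
    for net in $BLOCKED_NETS $SERVER_IP 0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12; do
        echo "-A INPUT -s $net -j DROP"
    done
    # 2. Loopback and already-tracked connections: one rule replaces all the
    #    per-port ESTABLISHED rules in the Giptables listing.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    # 3. The Giptables sanity checks, written out as iptables options.
    echo '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP'   # flags:!0x17/0x02 state NEW
    echo '-A INPUT -f -j DROP'                                     # "all -f": fragments
    echo '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'             # flags:0x3F/0x3F
    echo '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'            # flags:0x3F/0x00
    echo '-A INPUT -p tcp --syn -j SYN_FLOOD'                      # flags:0x17/0x02
    echo '-A SYN_FLOOD -m limit --limit 10/sec --limit-burst 20 -j RETURN'
    echo '-A SYN_FLOOD -j DROP'
    # 4. Admin-only ports: a separate chain that accepts only the fixed addresses.
    echo "-A INPUT -p tcp -m multiport --dports $ADMIN_TCP -j ADMIN_ONLY"
    echo "-A INPUT -p tcp --dport $PASV_FTP -j ADMIN_ONLY"
    for ip in $ADMIN_IPS; do
        echo "-A ADMIN_ONLY -s $ip -j ACCEPT"
    done
    echo '-A ADMIN_ONLY -j DROP'
    # 5. Public services, rate-limited ping, then the catch-all.
    echo "-A INPUT -p tcp -m multiport --dports $PUBLIC_TCP -j ACCEPT"
    echo "-A INPUT -p udp -m multiport --dports $PUBLIC_UDP -j ACCEPT"
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT'
    echo '-A INPUT -j DROP'
    echo 'COMMIT'
}

# The ordering property from the reply: every source-based DROP in INPUT must
# come before the first ACCEPT, otherwise an earlier ACCEPT makes the DROP dead.
check_order() {
    rules=$(gen_rules)
    last_drop=$(printf '%s\n' "$rules" | grep -n '^-A INPUT -s .* -j DROP' | tail -n 1 | cut -d: -f1)
    first_accept=$(printf '%s\n' "$rules" | grep -n '^-A INPUT .*-j ACCEPT' | head -n 1 | cut -d: -f1)
    [ "$last_drop" -lt "$first_accept" ]
}

# Usage: sh gen-rules.sh --print > /etc/sysconfig/iptables-ipv4.d/start
if [ "${1:-}" = "--print" ]; then
    check_order && gen_rules
fi
```

Because every packet is matched against the rules in order, the cheap rules that handle most traffic (loopback and ESTABLISHED) sit near the top, and the long per-port list from the Giptables output collapses into two multiport rules; that is what keeps the box from spending its time in iptables. Blocked ranges go before everything else so that, as the reply says, an address inside a blocked range can never be re-allowed further down.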
Thank you T3RM1NVT0R for your explanation; that lightened up my understanding now.
If I understand it correctly, then the rules I manually wrote are appended (-A INPUT) in the order they are written, so that 'misplacement' could happen and can block instead of allow (or maybe even not get applied).
I will try to rewrite it properly (taking country IP blocks into account) in the near future,
but there are still things I don't know, that is, how to write the rules from the ones that are currently active,
for example:
Code:
syn_flood_interface0_in tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
DROP all -f 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
How is that written in IPTABLES configuration?
Maybe something like:
-A syn_flood_interface0_in -s 0.0.0.0 -j DROP
This is what I would like to understand too, but I can't find that by searching on the internet (English is not my first language, so I probably don't know how to phrase the search correctly).
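The direct answer to the question above is that `iptables-save` prints the running rules in exactly the `-A chain ...` syntax that `iptables-restore` reads, so it can be used instead of translating `iptables -nL` output by hand. The script below is an added example, not from the thread or either poster; it decodes the `-nL` listing format so the hex flag masks become readable. iptables encodes TCP flags as FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20, so `flags:0x17/0x02` is `--tcp-flags FIN,SYN,RST,ACK SYN` (what `--syn` abbreviates), `!0x17/0x02` is the negated form, `0x3F/0x3F` is `--tcp-flags ALL ALL` and `0x3F/0x00` is `--tcp-flags ALL NONE`. The chain name passed as the first argument is the chain the line was listed under; the input lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): translate rows of `iptables -nL` output
# into `iptables -A` rule syntax, expanding the hex TCP flag masks.

# flag_names HEX: print the flag names set in HEX, or ALL / NONE for 0x3F / 0x00.
flag_names() {
    v=$(( $1 ))
    case "$v" in
        63) echo ALL; return ;;
        0)  echo NONE; return ;;
    esac
    names=""
    [ $(( v & 1 )) -ne 0 ] && names="${names}FIN,"
    [ $(( v & 2 )) -ne 0 ] && names="${names}SYN,"
    [ $(( v & 4 )) -ne 0 ] && names="${names}RST,"
    [ $(( v & 8 )) -ne 0 ] && names="${names}PSH,"
    [ $(( v & 16 )) -ne 0 ] && names="${names}ACK,"
    [ $(( v & 32 )) -ne 0 ] && names="${names}URG,"
    echo "${names%,}"
}

# translate_rule CHAIN "LINE": LINE is one row of `iptables -nL` output
# (target prot opt source destination [match details]).
translate_rule() {
    chain=$1
    set -- $2
    target=$1; proto=$2; opt=$3; src=$4; dst=$5
    shift 5
    rule="-A $chain"
    [ "$proto" != "all" ] && rule="$rule -p $proto"
    [ "$opt" = "-f" ] && rule="$rule -f"                   # opt column "-f" = fragment match
    [ "$src" != "0.0.0.0/0" ] && rule="$rule -s $src"
    [ "$dst" != "0.0.0.0/0" ] && rule="$rule -d $dst"
    while [ $# -gt 0 ]; do
        case "$1" in
            tcp|udp) ;;                                    # repeated protocol word, no option
            flags:*)
                spec=${1#flags:}; neg=""
                case "$spec" in '!'*) neg="! "; spec=${spec#!} ;; esac
                rule="$rule ${neg}--tcp-flags $(flag_names "${spec%/*}") $(flag_names "${spec#*/}")" ;;
            spt:*|spts:*) rule="$rule --sport ${1#*:}" ;;   # single port or low:high range
            dpt:*|dpts:*) rule="$rule --dport ${1#*:}" ;;
            state) rule="$rule -m state --state $2"; shift ;;
            limit:) rule="$rule -m limit --limit $3 --limit-burst $5"; shift 4 ;;   # "limit: avg R burst B"
        esac
        shift
    done
    echo "$rule -j $target"
}

# Constructed input: the five rows quoted in the post plus the rate-limit row
# from the syn_flood_interface0_in chain.
demo() {
    translate_rule interface0_in 'syn_flood_interface0_in tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02'
    translate_rule interface0_in 'DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW'
    translate_rule interface0_in 'DROP all -f 0.0.0.0/0 0.0.0.0/0'
    translate_rule interface0_in 'DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F'
    translate_rule interface0_in 'DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00'
    translate_rule syn_flood_interface0_in 'RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 20'
}
demo
```

A target that is not ACCEPT, DROP, REJECT or RETURN (here `syn_flood_interface0_in`) is a user-defined chain, so the translated `-j` only works once that chain exists, either via `iptables -N name` or a `:name - [0:0]` line in an iptables-restore file. `--limit 10/sec` is accepted by iptables as written; the listing's `avg 10/sec burst 20` is just how it prints `--limit 10/sec --limit-burst 20`.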
To be honest even I don't know what that is. The thing that I know is that iptables is based on most restrictive, that is, it does not allow anything by default. When you install a system that makes use of iptables, by default nothing is allowed, not even SSH. So basically everything is blocked in the beginning. You have to configure the system to allow communication on specific ports.
Instead of using -j DROP I would suggest using -j REJECT.