Port problem on Firewall/iptables rules
Hello,
when I restart my firewall, all ports are closed for 30 minutes before taking into account the new firewall configuration.
and I do not know why?
this is my file config
#!/bin/bash
## Règles iptables.
## On flush iptables.
iptables -F
## On supprime toutes les chaînes utilisateurs.
iptables -X
## On drop tout le trafic entrant.
iptables -t filter -P INPUT DROP
## On drop tout le trafic sortant.
iptables -t filter -P OUTPUT DROP
## On drop le forward.
iptables -t filter -P FORWARD DROP
# Ne pas casser les connexions etablies
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Autoriser loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# Log Management
if [ $"logEnabled" == "true" ]
then
log1='-j LOG \--log-prefix "IPTABLES NULL-SCAN:"'
log2='-j LOG \--log-prefix "IPTABLES XMAS-SCAN:"'
log3='-j LOG \--log-prefix "IPTABLES SYNFIN-SCAN:"'
log4='-j LOG \--log-prefix "IPTABLES NMAP-XMAS-SCAN:"'
log5='-j LOG \--log-prefix "IPTABLES FIN-SCAN:"'
log6='-j LOG \--log-prefix "IPTABLES NMAP-ID:"'
log7='-j LOG \--log-prefix "IPTABLES SYN-RST:"'
log8='-j LOG \--log-prefix "IPTABLES SYN-FLOOD:"'
log9='-j LOG \--log-prefix "IPTABLES PORT-SCAN:"'
else
log1=''
log2=''
log3=''
log4=''
log5=''
log6=''
log7=''
log8=''
log9=''
fi
# IP rules common to all servers ==================================================================
## NULL-SCAN / Flag sans option
iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE $log1
iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
## XMAS-SCAN / Flag sans details
iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL $log2
iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## SYNFIN-SCAN /
iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,FIN $log3
iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
## NMAP-XMAS-SCAN
iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN $log4
iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP
## FIN-SCAN
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN $log5
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
## NMAP-ID
iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN $log6
iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
## SYN-RST
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST $log7
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## SYN-FLOODING
iptables -t filter -N syn-flood
iptables -t filter -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -t filter -A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
iptables -t filter -A syn-flood $log8
iptables -t filter -A syn-flood -j DROP
## Make sure NEW tcp connections are SYN packets
iptables -t filter -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW $log8
iptables -t filter -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
## port scaner
iptables -t filter -N port-scan
iptables -t filter -A INPUT -i eth0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
iptables -t filter -A port-scan -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -t filter -A port-scan $log9
iptables -t filter -A port-scan -j DROP
## Dropper silencieusement tous les paquets broadcastes
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -m state --state NEW -m tcp -s 192.168.45.1 -p tcp -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -s 192.123.88.3 -p tcp -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -s 212.345.34.1 -p tcp --dport 22 -j ACCEPT
# On bloque certaines requetes
iptables -I INPUT -p tcp --dport 80 -m string --string 'GET http' --algo bm -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --string 'CACHEBUSTER' --algo bm -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --string 'CONNECT' --algo bm -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --string 'GET /blog/xmlrpc.php' --algo bm -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --string 'POST /blog/xmlrpc.php' --algo bm -j REJECT
# Drop empty packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Thanks
|