LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 05-21-2019, 05:34 AM   #1
gw22
LQ Newbie
 
Registered: May 2019
Posts: 4

Rep: Reputation: Disabled
Attackers getting past IPTables


Running Centos 7 and have IPTables set to block most inbound traffic. However some attackers are getting past the firewall.

I have a small script setup that allows quick changes to the script. I expect I have something out of place, or missing something completely.

I even put Drop instructions, but these addresses are still getting by

Can anyone see anything wrong with this?

Code:
#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
 iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
#
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
 iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Accept packets from trusted IP addresses
 iptables -A INPUT -m state --state NEW -s 215.0.0.0/8 -j DROP
 iptables -A INPUT -m state --state NEW -s 164.0.0.0/8 -j DROP
 iptables -A INPUT -m state --state NEW -s 37.0.0.0/8 -j DROP
 iptables -A INPUT -m state --state NEW -s 185.0.0.0/8 -j DROP
 iptables -A INPUT -m state --state NEW -s 82.0.0.0/8 -j DROP
 iptables -A INPUT -m state --state NEW -s 212.0.0.0/8 -j DROP
 iptables -A INPUT -m state --state NEW -s 91.0.0.0/8 -j DROP
 iptables -A INPUT -m state --state NEW -s 170.0.0.0/8 -j DROP
 iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
 iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
 iptables -A INPUT -s 143.0.0.0/8 -j ACCEPT -m comment --comment "allow network"
 iptables -A INPUT -s 96.0.0.0/8 -j ACCEPT -m comment --comment "allow network"

# Save settings
#
 /sbin/service iptables save
#
# List rules
#
 iptables -L -v
Thanks in advance,

GW
 
Old 05-21-2019, 01:18 PM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 & 7
Posts: 3,174

Rep: Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850
Your first rule on the INPUT chain accepts all access to port 22. If you want to block certain addresses, you need to put them before that in the list. iptables stops on the first matching rule.
 
1 members found this post helpful.
Old 05-21-2019, 01:27 PM   #3
gw22
LQ Newbie
 
Registered: May 2019
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks Smallpond

That's not the issue I am having - this is on an Asterisk PBX and I have port 5060 forwarded to the system.

My intention was to only allow outside access from the allowed IP addresses/subnets I had allowed in the IPtables, however some addresses, even though listed as a drop address, they still seem to get by to port 5060


I thought even without these entries here, the rules would block all access, unless otherwise allowed

iptables -A INPUT -m state --state NEW -s 215.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 164.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 37.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 185.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 82.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 212.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 91.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 170.0.0.0/8 -j DROP
 
Old 06-18-2019, 09:48 AM   #4
GunFighT
Member
 
Registered: May 2014
Location: Romania
Distribution: Debian, Red Hat
Posts: 51

Rep: Reputation: Disabled
I think there is a misunderstanding about the order of the iptables rules.
Puting the rules in a certain order is important.

I this case, I would Set default policies 1st in the script.
After default policies state RELATED,ESTABLISHED followed with:
loopback, also followed with the SSH Access rule, in this order, and then the rest of the rules.

iptables is applying the rules, in the same way you are reading a grocery store list.

Give it a try this way and let us know if all works fine.
 
1 members found this post helpful.
Old 06-19-2019, 05:31 PM   #5
gw22
LQ Newbie
 
Registered: May 2019
Posts: 4

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by GunFighT View Post
I think there is a misunderstanding about the order of the iptables rules.
Puting the rules in a certain order is important.

I this case, I would Set default policies 1st in the script.
After default policies state RELATED,ESTABLISHED followed with:
loopback, also followed with the SSH Access rule, in this order, and then the rest of the rules.

iptables is applying the rules, in the same way you are reading a grocery store list.

Give it a try this way and let us know if all works fine.
Thanks gunfight

So are you saying put all the drop rules at the top, above the ssh entry?
 
Old 06-19-2019, 08:54 PM   #6
michaelk
Moderator
 
Registered: Aug 2002
Posts: 18,687

Rep: Reputation: 2734Reputation: 2734Reputation: 2734Reputation: 2734Reputation: 2734Reputation: 2734Reputation: 2734Reputation: 2734Reputation: 2734Reputation: 2734Reputation: 2734
Is this computer behind a router or directly connected to the Internet?

A default policy of drop will not allow any traffic unless you add a rule to accept it.
 
Old 06-20-2019, 09:32 AM   #7
gw22
LQ Newbie
 
Registered: May 2019
Posts: 4

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk View Post
Is this computer behind a router or directly connected to the Internet?

A default policy of drop will not allow any traffic unless you add a rule to accept it.
The computer is behind a firewall, but we have port 5060 forwarded because there are remote users that need to connect.

I do have certain subnets that are set to drop, but the attackers still get by the firewall and hit the fail2ban.

Perhaps they are flooding the connection and the firewall cant keep up? I do know they hammer away at this IP Address
 
Old 06-26-2019, 04:27 AM   #8
GunFighT
Member
 
Registered: May 2014
Location: Romania
Distribution: Debian, Red Hat
Posts: 51

Rep: Reputation: Disabled
Quote:
Originally Posted by gw22 View Post
Thanks gunfight

So are you saying put all the drop rules at the top, above the ssh entry?
Yes. The default policy rules should be at the top of the script. Not only the drop ones, all of them, followed by the state RELATED,ESTABLISHED, then followed by the loopback rule, then followed by the rules on ports you would like to be opened.

Example:
Code:
#!/bin/bash
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 
2 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Striking Back At Attackers snowman81 Linux - Security 5 02-13-2008 10:18 AM
LXer: Fail2ban - Put brute force attackers away from your Linux Box LXer Syndicated Linux News 0 10-13-2007 11:20 AM
LXer: How To Secure Your CentOS Server Against Attackers LXer Syndicated Linux News 0 08-23-2006 02:54 PM
LXer: Linux on Mac Could Spike Attackers' Interest LXer Syndicated Linux News 0 04-23-2006 11:54 PM
iptables v1.2.9: Unknown arg `/sbin/iptables' Try `iptables -h' or 'iptables --help' Niceman2005 Linux - Security 4 12-29-2005 08:20 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:34 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration