LinuxQuestions.org
Linux - Networking
Old 09-21-2017, 11:32 PM   #31
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,508

Original Poster
Rep: Reputation: 177

Quote:
Originally Posted by rknichols View Post
Nothing bad jumps out at me on a cursory examination.
Alright, I'm going to try this. I'll post results. Meanwhile, one more question. Recall that I am forwarding ports 1901-1914 to other computers. Do I not need the 'multiports' rule?
Code:
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 1901:1914
I'll likely end up trying the revised rules before you have a chance to answer this, but what do you think?
 
Old 09-21-2017, 11:46 PM   #32
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,759

Rep: Reputation: 2206
Quote:
Originally Posted by mfoley View Post
Alright, I'm going to try this. I'll post results. Meanwhile, one more question. Recall that I am forwarding ports 1901-1914 to other computers. Do I not need the 'multiports' rule?
Code:
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 1901:1914
I'll likely end up trying the revised rules before you have a chance to answer this, but what do you think?
  1. You are putting that rule in the INPUT chain, and none of those forwarded packets ever go through the INPUT chain.
  2. As I've said several times, that rule (even if something were to match it) would not affect packet flow since there is no target**. I have a few rules like that in my rule set just for the purpose of keeping a count of how many packets reach said rule and match it. But, see the above item -- nothing will ever match that rule. I have no idea why you ever had it in your firewall at all.
**Basically, that rule says, "If a packet matches these conditions, continue. Else, continue."
 
Old 09-22-2017, 12:15 AM   #33
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,508

Original Poster
Rep: Reputation: 177
Quote:
Originally Posted by rknichols View Post
You are putting that rule in the INPUT chain, and none of those forwarded packets ever go through the INPUT chain. ... nothing will ever match that rule. I have no idea why you ever had it in your firewall at all.
Actually, it was supposed to read, "iptables -A INPUT -i eth0 -p tcp -m multiport --dports 1901:1914 -j DROP". The rule was in my firewall because of a fundamental lack of understanding on my part.

OK, I've implemented the new rules and they seem to work. For the edification of others, I've listed my revised rules, sans comments and DROPs. Thanks for all your help. I'll let this run a day or two, attempt a couple of break-ins myself and make sure things are working, then I'll mark it as solved.
Code:
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
/usr/sbin/iptables -t nat -P OUTPUT ACCEPT
/usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
/usr/sbin/iptables -t mangle -P INPUT ACCEPT
/usr/sbin/iptables -t mangle -P FORWARD ACCEPT
/usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
/usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT
/usr/sbin/iptables -t raw -P PREROUTING ACCEPT
/usr/sbin/iptables -t raw -P OUTPUT ACCEPT
/usr/sbin/iptables -F
/usr/sbin/iptables -F -t nat
/usr/sbin/iptables -F -t mangle
/usr/sbin/iptables -F -t raw
/usr/sbin/iptables -X
/usr/sbin/iptables -X -t nat
/usr/sbin/iptables -X -t mangle
/usr/sbin/iptables -X -t raw

/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -N bad_people

/usr/sbin/iptables -I bad_people -s 86.57.164.0/16 -j DROP   # 2017-09-21 11:37 10 ssh logins
>>>> more DROPs go here <<<<

/usr/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
/usr/sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 587 -j REDIRECT --to-port 25

/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1906 -j DNAT --to-destination 192.168.0.52:xxxx
# >> More like the above <<

/usr/sbin/iptables -A FORWARD -i eth0 -j bad_people
/usr/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth1 -p tcp --syn -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth1 -p udp -j ACCEPT
/usr/sbin/iptables -N logdrop
/usr/sbin/iptables -A logdrop -j LOG --log-level 6 --log-prefix "SSH Break-in attempt "
/usr/sbin/iptables -A logdrop -j DROP
/usr/sbin/iptables -N checkcount
/usr/sbin/iptables -A checkcount -m recent --set
/usr/sbin/iptables -A checkcount -m recent --rcheck --hitcount 12 -j logdrop
/usr/sbin/iptables -A checkcount -j RETURN
/usr/sbin/iptables -A INPUT -p icmp --icmp-type 8 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -I INPUT -i eth0 -p tcp -m tcp -s 24.96.253.242 --dport 22 -j ACCEPT
/usr/sbin/iptables -I INPUT -i eth0 -p tcp -m tcp -s 184.57.118.205 --dport 22 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -i eth0 -j checkcount
/usr/sbin/iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -i eth0 --dport 22 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -m multiport --dports 25,80,143,443,587,993 -j ACCEPT

Last edited by mfoley; 09-22-2017 at 02:26 AM.
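Two things in this thread are easy to get wrong when editing a rule script by hand: rknichols' point that an -A/-I rule with no -j target only counts matching packets, and the fact that a --log-prefix containing spaces has to be quoted or iptables sees stray arguments. The small checker below (an added example, not code from this thread) runs those two checks over rule lines shaped like the ones posted above; the sample rule text is constructed for the demonstration.

```python
"""Static checks over an iptables rule script: flag append/insert rules that
have no target (they only count packets) and LOG rules whose --log-prefix
was left unquoted, so the shell split the prefix into several arguments."""
import shlex

# Constructed sample, modelled on the rules posted in this thread.
SAMPLE_RULES = """
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -N logdrop
/usr/sbin/iptables -A INPUT -i eth0 -p tcp -m multiport --dports 1901:1914
/usr/sbin/iptables -A logdrop -j LOG --log-level 6 --log-prefix SSH Break-in attempt
/usr/sbin/iptables -A logdrop -j DROP
/usr/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -i eth0 -j checkcount
/usr/sbin/iptables -A checkcount -m recent --set
"""

TARGET_FLAGS = {"-j", "--jump", "-g", "--goto"}
RULE_FLAGS = {"-A", "--append", "-I", "--insert"}

def lint_rules(script):
    """Return (line_number, problem) tuples for the given rule script text."""
    findings = []
    for no, line in enumerate(script.strip().splitlines(), 1):
        line = line.split("#", 1)[0].strip()        # drop trailing comments
        if not line or not line.split()[0].endswith("iptables"):
            continue
        argv = shlex.split(line)[1:]                # split as the shell would
        if not RULE_FLAGS & set(argv):
            continue                                # -P/-N/-F/-X need no target
        # "-m recent --set" is a legitimate targetless rule: it updates the
        # recent list as a side effect, so it is not a pure counter.
        if not TARGET_FLAGS & set(argv) and not ("recent" in argv and "--set" in argv):
            findings.append((no, "no target: rule only counts matching packets"))
        if "--log-prefix" in argv:
            i = argv.index("--log-prefix")
            # A quoted prefix is one token; an unquoted multi-word prefix leaves
            # extra non-option words after it, which iptables rejects.
            rest = argv[i + 2:]
            if rest and not rest[0].startswith("-"):
                findings.append((no, "unquoted --log-prefix: quote the whole prefix"))
    return findings

if __name__ == "__main__":
    for no, problem in lint_rules(SAMPLE_RULES):
        print(f"line {no}: {problem}")
```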