Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi,
Depends on what you're trying to accomplish and what your firewall looks like before adding the rules you mentioned. It would be useful to see the result of the
Code:
iptables-save
command before you execute your script.
Often, recent Linux distros have a default rule at the top allowing all traffic that has already been established to pass through the firewall without further inspection. That's called stateful firewalling; look it up.
If you really need to block the traffic (on the INPUT chain) that is coming back to you when you're the source of the traffic (i.e. your browser connects to some remote update site residing on Amazon's network), you'd probably need to change "iptables -A" to "iptables -I". That's a not-recommended 1990s approach, and a warning here: you can cut yourself off from the server if it's available only via the network and you issue a wrong command.
But if you want to use "iptables -A" to block the kind of traffic you're talking about, you probably want to use "iptables -A OUTPUT", not INPUT (and still use stateful firewalling).
However, your script works fine for new traffic originating from remote hosts.
Best regards
Smirk
Thanks, OUTPUT -I solved it. And I found that the IP block that LinuxQuestions uses is among the blocked IPs I collected from various sites.
Quote:
Depends on what you're trying to accomplish
No interaction with blocked IPs. After I examined my connections I saw that as soon as I start the browser it connects to at least 10 amazonaws IPs and Akamai.
Now I see that you cannot block Amazon and have browsing access; it seems everything is going through their network.
Quote:
# iptables -nvL
Before I posted the question, and with INPUT -A, it listed all IPs under the block chain, but in ss -tuna I still saw established connections to those IPs. Now solved with OUTPUT.
One more question:
Let's say Akamai: when I block their IP they always come back with a new one; I cannot chase that all the time.
So if I put their hostnames (e.g. a23-7-196-158.deploy.static.akamaitechnologies.com) in a file, what iptables command do I need to block them and load their hostnames from the file?
I know that they are not dangerous, but I hate those aggressive companies that collect data.
Thanks
And I can post the script; it is nothing special but maybe someone finds it useful.
Code:
#!/bin/bash
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
###############################################################################
# anti-spoof: 127.0.0.0/8 must only ever arrive on lo; without "! -i lo" this
# inserted rule sits above the "-i lo -j ACCEPT" below and breaks loopback
iptables -I INPUT ! -i lo -s 127.0.0.0/8 -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -I INPUT -p icmp -j DROP
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -I INPUT -f -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
######################################################################
###########################spoof#####################################
######################################################################
##########################smurf######################################
iptables -I INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -I INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
######################################################################
#########################bogus########################################
iptables -I INPUT -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I OUTPUT -m state --state INVALID -j DROP
######################################################################
#######################tcpreset#######################################
#iptables -I INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 1/second --limit-burst 1 -j ACCEPT
######################################################################
######################synflod########################################
iptables -t filter -A INPUT -m state --state INVALID -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
iptables -I INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -I INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
######################################################################
#####################portscan########################################
iptables -I INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -I FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -I INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
######################################################################
iptables -I INPUT -m state --state INVALID -j DROP
iptables -I OUTPUT -m state --state INVALID -j DROP
################################################################################
##############################################################################
###############################################################################
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#internet only from host
iptables -I OUTPUT -t filter -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -t filter -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -I OUTPUT -p udp -m udp --dport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT -t filter -p tcp -m tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT
#iptables -I INPUT -p udp -m udp --sport 1194 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -m recent --set
iptables -I INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -m recent --update --seconds 1 --hitcount 1 -j DROP
iptables -I INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -m recent --set
iptables -I INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -m recent --update --seconds 1 --hitcount 1 -j DROP
#allow dns
iptables -I OUTPUT -t filter -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
iptables -I INPUT -t filter -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#iptables -I INPUT -i tun0 -p udp -m udp --sport 1194 -m state --state ESTABLISHED -j ACCEPT
#iptables -I OUTPUT -o tun0 -p udp -m udp --dport 1194 -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -I FORWARD -i wlp2s0 -o tun0 -m state --state ESTABLISHED -j ACCEPT
#iptables -I FORWARD -i tun0 -o wlp2s0 -m state --state ESTABLISHED -j ACCEPT
###############################################################################
#allow ssh
#iptables -A OUTPUT -p tcp --dport 444 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --sport 444 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
#sshbrute
#iptables -A INPUT -p tcp --dport 6201 -m recent --update --seconds 5 --hitcount 2 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
#iptables -A INPUT -p tcp --dport 6201 -m recent --update --seconds 5 --hitcount 2 --rttl --name SSH -j DROP
#iptables -A INPUT -p tcp -m multiport --dports 5900,5901,6000 -j ACCEPT
#iptables -A OUTPUT -p tcp -m multiport --sports 5900,5901,6000 -j ACCEPT
###############################################################################
#iptables -I OUTPUT -p udp -m udp --sport 7463 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -I INPUT -p udp -m udp --dport 7463 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP
##############################################################################
# download Tor exit nodes
mkdir -p /blocktor
wget -O /blocktor/torexitnodes https://check.torproject.org/exit-addresses
# add iptables rules to reject Tor exit nodes (tcp and udp); inserted with -I
# because rules appended (-A) after the catch-all "iptables -A INPUT -j DROP"
# above would never be reached
for torexit in $(grep ExitAddress /blocktor/torexitnodes | cut -d ' ' -f 2)
do
  /sbin/iptables -I INPUT -p tcp -s "$torexit" -j DROP
  /sbin/iptables -I INPUT -p udp -s "$torexit" -j DROP
done
# block both directions for every address in the personal blocklist
while read -r i; do
  [ -n "$i" ] || continue
  iptables -I OUTPUT -d "$i" -j DROP
  iptables -I INPUT -s "$i" -j DROP
done < /home/ja/bip
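As an added example (not code from this thread), a small POSIX sh script that reads IPs, CIDRs or hostnames from a list file like the /home/ja/bip used above, resolves hostnames once with getent, and emits an iptables-restore fragment so the whole blocklist is loaded in one pass instead of one iptables call per address. Loading it with iptables-restore -n (keep existing rules) and the list path are assumptions.

```shell
#!/bin/sh
# Added example: build an iptables-restore fragment from a blocklist file.
# Entries may be IPv4 addresses, CIDRs or hostnames; hostnames are resolved
# once, so the result is a snapshot (CDN names change addresses often).

# is_ipv4 ENTRY -> success if ENTRY is a dotted quad, optionally with /prefix
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# resolve ENTRY -> one IPv4 per line (the entry itself if it already is one)
resolve() {
    if is_ipv4 "$1"; then
        printf '%s\n' "$1"
    else
        # getent prints STREAM/DGRAM/RAW rows per address; keep one row each
        getent ahostsv4 "$1" 2>/dev/null | awk '$2 == "STREAM" {print $1}' | sort -u
    fi
}

# build_block_rules FILE -> iptables-restore fragment for the filter table.
# -I puts the DROPs above the stateful ACCEPT rules (the -I vs -A point
# made earlier in the thread); one transaction keeps the order predictable.
build_block_rules() {
    file=$1
    printf '%s\n' '*filter'
    # skip blank lines and comments; ignore anything after the first field
    grep -Ev '^[[:space:]]*(#|$)' "$file" | while read -r entry rest; do
        resolve "$entry" | while read -r ip; do
            printf '%s\n' "-I OUTPUT -d $ip -j DROP"
            printf '%s\n' "-I INPUT -s $ip -j DROP"
        done
    done
    printf '%s\n' 'COMMIT'
}

# usage (as root): build_block_rules /home/ja/bip | iptables-restore -n
```

Piping to iptables-restore -n adds the rules without flushing what the main script already loaded; re-run it whenever the list or the resolved addresses change.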
Considering the volume of browser DNS queries this is acceptable; however, read
Code:
man iptables-extensions
to see that this approach is not efficient. Though good enough for your needs, I think.
Also check ip6tables if you did not disable IPv6 in the first place. Dropping IPv4 DNS traffic might not suffice.