Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I would like to try and block a specific port range on a server running CentOS 7.
Ports I would like to block are 20000 to 65535.
I found the commands below looking around the net. I have tried them, but it seems to break SSL after I've run them.
Code:
iptables -A INPUT -p tcp --dport 20000:65535 -j DROP
iptables -A OUTPUT -p tcp --sport 20000:65535 -j DROP
iptables -A INPUT -p udp --dport 20000:65535 -j DROP
iptables -A OUTPUT -p udp --sport 20000:65535 -j DROP
OpenVPN Access Server is installed. Once I run those commands I am unable to get to the server via HTTPS. Also, if I try to connect via the OpenVPN client I get a weird XML error. It is not until I remove those rules that I can connect back up and/or get to it via HTTPS.
Additionally, three things: first of all, posting the output of 'iptables-save' is a good way to show which rules should go where if you're in doubt. And right now we don't even know if adding those rules would work. (Well, obviously it doesn't, but you get what I mean, right?) Secondly, you're not using any interfaces or state. Third, you're not using logging output to debug what's going on; here's the example for the INPUT chain, TCP, which requires two rules:
Code:
iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -p tcp --dport 20000:65535 -m limit --limit 1/s -j LOG --log-prefix "in_DROP_RANGE "
iptables -A INPUT -i eth0 -m conntrack --ctstate NEW -p tcp --dport 20000:65535 -j REJECT
then check your /var/log/messages or equivalent with 'grep in_DROP_RANGE /var/log/messages'. *Note I used the REJECT target so non-malicious clients will know they should halt sending requests.
**Obviously the question of why you want to do this remains (and even then it might be easier / allow for more control to use a default DROP policy and explicitly open the ports you need).
I would like to try and limit the ports available to BitTorrent. Try and force torrent clients to use a lower number if possible (long shot but worth a go).
Quote:
Originally Posted by unSpawn
Additionally three things: first of all posting output of 'iptables-save' is a good way to show which rules should go where if you're in doubt.
use a default DROP policy and explicitly open ports you need).
I did try with a default DROP policy and opening up the ports needed (943, 443, 1194 etc.) but OpenVPN still has issues connecting.
Below is my iptables-save:
Code:
# Generated by iptables-save v1.4.21 on Fri Jun 26 16:11:08 2015
*nat
:PREROUTING ACCEPT [5961:416085]
:INPUT ACCEPT [3824:227368]
:OUTPUT ACCEPT [4243:304207]
:POSTROUTING ACCEPT [4243:304207]
:AS0_DPFWD_TCP - [0:0]
:AS0_DPFWD_UDP - [0:0]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A PREROUTING -d XX.XX.XX.XX/32 -p udp -m udp --dport 1194 -m state --state NEW -j AS0_DPFWD_UDP
-A PREROUTING -d XX.XX.XX.XX/32 -p tcp -m tcp --dport 443 -m state --state NEW -j AS0_DPFWD_TCP
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A AS0_DPFWD_TCP -p tcp -j DNAT --to-destination XX.XX.XX.XX:914
-A AS0_DPFWD_TCP -j ACCEPT
-A AS0_DPFWD_UDP -p udp -j DNAT --to-destination XX.XX.XX.XX:918
-A AS0_DPFWD_UDP -j ACCEPT
-A AS0_NAT -o ens160 -j SNAT --to-source XX.XX.XX.XX
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 172.27.224.0/20 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Fri Jun 26 16:11:08 2015
# Generated by iptables-save v1.4.21 on Fri Jun 26 16:11:08 2015
*mangle
:PREROUTING ACCEPT [6303:437868]
:INPUT ACCEPT [57400:10397181]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [53697:13632361]
:POSTROUTING ACCEPT [53697:13632361]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Fri Jun 26 16:11:08 2015
# Generated by iptables-save v1.4.21 on Fri Jun 26 16:11:08 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [53697:13632361]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -d XX.XX.XX.XX/32 -p tcp -m state --state NEW -m tcp --dport 915 -j AS0_ACCEPT
-A INPUT -d XX.XX.XX.XX/32 -p tcp -m state --state NEW -m tcp --dport 914 -j AS0_ACCEPT
-A INPUT -d XX.XX.XX.XX/32 -p tcp -m state --state NEW -m tcp --dport 917 -j AS0_ACCEPT
-A INPUT -d XX.XX.XX.XX/32 -p tcp -m state --state NEW -m tcp --dport 916 -j AS0_ACCEPT
-A INPUT -d XX.XX.XX.XX/32 -p udp -m state --state NEW -m udp --dport 919 -j AS0_ACCEPT
-A INPUT -d XX.XX.XX.XX/32 -p udp -m state --state NEW -m udp --dport 918 -j AS0_ACCEPT
-A INPUT -d XX.XX.XX.XX/32 -p udp -m state --state NEW -m udp --dport 921 -j AS0_ACCEPT
-A INPUT -d XX.XX.XX.XX/32 -p udp -m state --state NEW -m udp --dport 920 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -d XX.XX.XX.XX/32 -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 20000:65535 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 20000:65535 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 172.27.224.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
-A AS0_IN_NAT -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
-A AS0_IN_ROUTE -j ACCEPT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_POST -j DROP
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_WEBACCEPT -j ACCEPT
...hence my question. You see, that's quite an elaborate rule set and any subsequent "iptables -A INPUT" rules would be added below the existing filter table INPUT chain rule #20, which would not make sense as you already have a "-A INPUT -p udp -m udp --dport 20000:65535 -j REJECT --reject-with icmp-port-unreachable" rule for both TCP and UDP (no idea who or what created those rules). So is the BitTorrent client running on this machine or on any LAN machines?
Quote:
Originally Posted by zokstar
I did try with a default DROP policy and opening up the ports needed (943, 443, 1194 etc.) but OpenVPN still has issues connecting.
Does OpenVPN work with the current rule set as you have posted it? If not then that would need addressing first.
Quote:
Originally Posted by zokstar
I would like to try and limit the ports available to BitTorrent.
If your aim is to limit inbound ports, meaning new connections to a locally running BitTorrent client, then that should be configured in the local client as the port range (let's not talk about UPnP) it advertises to remote clients (usually 6881 - 6999). (Please note that trying to force BitTorrent clients to use lower port numbers "just because" is not a reason.) If your aim OTOH is to limit outbound ports a locally running BitTorrent client uses to connect to others, then note it uses the system-wide port range defined in the net.ipv4.ip_local_port_range sysctl. In that case I assert your BitTorrent client does not run as root (woe if you do) and see 'iptables -m owner --help'.
Ideally I would like to block BitTorrent altogether on this machine, but after looking around there is no good solution.
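The ordering problem unSpawn points at above (rules appended after the catch-all "-A INPUT -j REJECT" can never match) is easy to check mechanically. The following is an added example, not code from the thread: it parses iptables-save output for the *filter table and lists, per chain, every rule that sits after an unconditional ACCEPT/DROP/REJECT. The sample rule set is constructed to mirror the posted INPUT chain.

```python
import re
from collections import defaultdict

# Constructed sample in iptables-save format, modelled on the filter table
# posted in the thread: the 20000:65535 rules sit below the catch-all REJECT.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 20000:65535 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 20000:65535 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # built-in targets that end traversal

def parse_filter(text):
    """Return {chain: [rule, ...]} for the *filter table, in file order."""
    chains, table = defaultdict(list), None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith("-A "):
            chains[line.split()[1]].append(line)
    return chains

def is_catch_all(rule):
    """True when the rule has no match at all: just '-A CHAIN -j TARGET ...'."""
    m = re.match(r"-A \S+ -j (\S+)", rule)
    return bool(m) and m.group(1) in TERMINAL

def shadowed_rules(text):
    """Per chain: (1-based number, text) of every rule placed after the first
    catch-all terminal rule, i.e. rules no packet can ever reach."""
    out = {}
    for chain, rules in parse_filter(text).items():
        for idx, rule in enumerate(rules, 1):
            if is_catch_all(rule):
                out[chain] = [(n, r) for n, r in enumerate(rules, 1) if n > idx]
                break
    return out

if __name__ == "__main__":
    for chain, dead in shadowed_rules(SAMPLE).items():
        for n, r in dead:
            print(f"{chain} rule #{n} is unreachable: {r}")
```

Run it against real output with `iptables-save | python3 check.py` after swapping SAMPLE for `sys.stdin.read()`; a rule that should take effect must be inserted with `-I INPUT <n>` above the catch-all, not appended with `-A`.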
So what is the purpose of this machine? Is it a stand alone server? Does it serve as VPN gateway for LAN clients? And what is the setting? Is this a business or institution? Or SOHO / private? And what is your reason for blocking Bittorrent? I mean, what actual problem are you combatting? (Note asking questions means you should clarify things so we can help you better. So please be complete and precise.)
It is a dedicated server. Private use for a few family and friends just to VPN into. Mainly used for geo-blocking and privacy etc. The reason to block torrents is so the others don't use it for P2P downloading, which I'm sure some of the family members' kids may jump on and use it for.
Three things you might want to look into then: a friendly nudge or agreement (so everybody knows they shouldn't hog all available bandwidth), a per-user/network/port bandwidth limiter (so all get even access and you get to spot transgressors), plus a Layer 7 firewall (because some Bittorrent clients may advertise using other ports than the assigned range).