LinuxQuestions.org
Old 05-21-2019, 05:34 AM   #1
gw22
LQ Newbie
 
Registered: May 2019
Posts: 4

Attackers getting past IPTables


Running CentOS 7 and have iptables set to block most inbound traffic. However, some attackers are getting past the firewall.

I have a small script set up that allows quick changes to the script. I expect I have something out of place, or am missing something completely.

I even put DROP instructions in, but these addresses are still getting by.

Can anyone see anything wrong with this?

Code:
#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Drop new connections from blocked ranges
#
iptables -A INPUT -m state --state NEW -s 215.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 164.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 37.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 185.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 82.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 212.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 91.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 170.0.0.0/8 -j DROP
#
# Accept packets from trusted IP addresses
#
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 143.0.0.0/8 -j ACCEPT -m comment --comment "allow network"
iptables -A INPUT -s 96.0.0.0/8 -j ACCEPT -m comment --comment "allow network"
#
# Save settings
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v
Thanks in advance,

GW
 
Old 05-21-2019, 01:18 PM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,147

Your first rule on the INPUT chain accepts all access to port 22. If you want to block certain addresses, you need to put them before that in the list. iptables stops on the first matching rule.
 
Old 05-21-2019, 01:27 PM   #3
gw22
LQ Newbie
 
Registered: May 2019
Posts: 4

Original Poster
Thanks Smallpond

That's not the issue I am having - this is on an Asterisk PBX and I have port 5060 forwarded to the system.

My intention was to only allow outside access from the IP addresses/subnets I had allowed in iptables; however, some addresses, even though listed as drop addresses, still seem to get through to port 5060.

I thought that even without these entries here, the rules would block all access unless otherwise allowed.

iptables -A INPUT -m state --state NEW -s 215.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 164.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 37.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 185.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 82.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 212.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 91.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 170.0.0.0/8 -j DROP
 
Old 06-18-2019, 09:48 AM   #4
GunFighT
Member
 
Registered: May 2014
Location: Romania
Distribution: Debian/Ubuntu, Rocky Linux
Posts: 53

I think there is a misunderstanding about the order of the iptables rules.
Putting the rules in a certain order is important.

In this case, I would set the default policies first in the script.
After the default policies, the state RELATED,ESTABLISHED rule, followed by
loopback, followed by the SSH access rule, in this order, and then the rest of the rules.

iptables applies the rules in the same way you read a grocery store list.

Give it a try this way and let us know if all works fine.
 
Old 06-19-2019, 05:31 PM   #5
gw22
LQ Newbie
 
Registered: May 2019
Posts: 4

Original Poster
Quote:
Originally Posted by GunFighT
I think there is a misunderstanding about the order of the iptables rules.
Putting the rules in a certain order is important.

In this case, I would set the default policies first in the script.
After the default policies, the state RELATED,ESTABLISHED rule, followed by
loopback, followed by the SSH access rule, in this order, and then the rest of the rules.

iptables applies the rules in the same way you read a grocery store list.

Give it a try this way and let us know if all works fine.
Thanks gunfight

So are you saying put all the drop rules at the top, above the ssh entry?
 
Old 06-19-2019, 08:54 PM   #6
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,742

Is this computer behind a router or directly connected to the Internet?

A default policy of drop will not allow any traffic unless you add a rule to accept it.
 
Old 06-20-2019, 09:32 AM   #7
gw22
LQ Newbie
 
Registered: May 2019
Posts: 4

Original Poster
Quote:
Originally Posted by michaelk
Is this computer behind a router or directly connected to the Internet?

A default policy of drop will not allow any traffic unless you add a rule to accept it.
The computer is behind a firewall, but we have port 5060 forwarded because there are remote users that need to connect.

I do have certain subnets that are set to drop, but the attackers still get by the firewall and hit fail2ban.

Perhaps they are flooding the connection and the firewall can't keep up? I do know they hammer away at this IP address.
 
Old 06-26-2019, 04:27 AM   #8
GunFighT
Member
 
Registered: May 2014
Location: Romania
Distribution: Debian/Ubuntu, Rocky Linux
Posts: 53

Quote:
Originally Posted by gw22
Thanks gunfight

So are you saying put all the drop rules at the top, above the ssh entry?
Yes. The default policy rules should be at the top of the script. Not only the drop ones, all of them, followed by the state RELATED,ESTABLISHED, then followed by the loopback rule, then followed by the rules on ports you would like to be opened.

Example:
Code:
#!/bin/bash
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 
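To make the first-match behaviour that smallpond (post #2) and GunFighT (post #8) describe concrete, here is an added example that is not from the thread or from any poster: a small Python simulator that parses the `iptables -A INPUT ...` lines posted in the first message and walks them top to bottom the way the INPUT chain would. The original order and the reordered chain are both constructed here; the reordered chain is my assumed combination of the advice in the replies (conntrack and loopback first, then the DROP rules, then the port-22 ACCEPT, then the trusted ranges), not a script anyone in the thread posted. The probe packets are constructed too; their addresses fall inside the ranges named in the thread or in a documentation range.

```python
"""Simulate iptables first-match evaluation of an INPUT chain (constructed example).

This is a tiny interpreter for the subset of `iptables -A INPUT` syntax used in
the thread. It is not iptables; it exists to show why rule order decides the verdict.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    target: str = ""                               # -j ACCEPT / DROP
    src: Optional[ipaddress.IPv4Network] = None    # -s CIDR
    proto: Optional[str] = None                    # -p tcp / udp
    dport: Optional[int] = None                    # --dport N
    in_iface: Optional[str] = None                 # -i lo
    states: Optional[Set[str]] = None              # --state NEW,ESTABLISHED,...


@dataclass
class Packet:
    src: str
    dport: int
    proto: str = "tcp"
    state: str = "NEW"       # conntrack state as the state match would see it
    iface: str = "eth0"


def parse_rule(line: str) -> Rule:
    """Parse one `iptables -A INPUT ... -j TARGET` command into a Rule."""
    toks = shlex.split(line)
    rule = Rule()
    i = 0
    while i < len(toks):
        flag = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if flag == "-j":
            rule.target = arg
        elif flag == "-s":
            rule.src = ipaddress.ip_network(arg)
        elif flag == "-p":
            rule.proto = arg
        elif flag == "--dport":
            rule.dport = int(arg)
        elif flag == "-i":
            rule.in_iface = arg
        elif flag == "--state":
            rule.states = set(arg.split(","))
        elif flag in ("-A", "-m", "--comment"):
            pass  # chain name, match-module name and comment text carry no criterion
        else:
            i += 1  # the leading "iptables" word
            continue
        i += 2
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion present on the rule must hold for the packet."""
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.in_iface is not None and rule.in_iface != pkt.iface:
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def evaluate(chain: List[str], policy: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first matching rule's target wins.
    Returns (verdict, index of the deciding rule, or None when the chain policy applied)."""
    for idx, line in enumerate(chain):
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule.target, idx
    return policy, None


# The rules as posted in the first message, in the order posted.
SSH = "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
LOOPBACK = "iptables -A INPUT -i lo -j ACCEPT"
CONNTRACK = "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
BLOCK = [f"iptables -A INPUT -m state --state NEW -s {net} -j DROP"
         for net in ("215.0.0.0/8", "164.0.0.0/8", "37.0.0.0/8", "185.0.0.0/8",
                     "82.0.0.0/8", "212.0.0.0/8", "91.0.0.0/8", "170.0.0.0/8")]
TRUST = [
    "iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT",
    "iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT",
    'iptables -A INPUT -s 143.0.0.0/8 -j ACCEPT -m comment --comment "allow network"',
    'iptables -A INPUT -s 96.0.0.0/8 -j ACCEPT -m comment --comment "allow network"',
]
ORIGINAL_ORDER = [SSH, LOOPBACK, CONNTRACK] + BLOCK + TRUST
# Assumed reordering following the replies: conntrack and loopback first, then the
# DROP rules, and only then the port-22 ACCEPT and the trusted ranges.
REORDERED = [CONNTRACK, LOOPBACK] + BLOCK + [SSH] + TRUST


def verdict(chain: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    return evaluate(chain, "DROP", pkt)  # both scripts set `iptables -P INPUT DROP`


if __name__ == "__main__":
    probes = [Packet("215.1.2.3", 22), Packet("37.4.5.6", 5060, "udp"),
              Packet("203.0.113.5", 5060, "udp"), Packet("143.9.9.9", 5060, "udp")]
    for pkt in probes:
        print(f"{pkt.src:>12} -> {pkt.proto}/{pkt.dport} {pkt.state:<11} "
              f"original={verdict(ORIGINAL_ORDER, pkt)}  reordered={verdict(REORDERED, pkt)}")
```

Running it shows the point of the thread: in the original order a NEW connection from 215.1.2.3 to port 22 is accepted by rule 0 (the port-22 ACCEPT) before any DROP rule is consulted, while in the reordered chain the same packet is dropped by the 215.0.0.0/8 rule. It also shows what the script already does for port 5060: a NEW packet from a listed range hits its DROP rule, a packet from an unlisted range falls through to the chain policy, and a packet from a trusted range such as 143.0.0.0/8 is accepted regardless of port, so the trusted ACCEPT rules are the ones worth checking when unexpected traffic reaches the service.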
Old 07-22-2019, 08:12 AM   #9
Keith Hedger
Senior Member
 
Registered: Jun 2010
Location: Wiltshire, UK
Distribution: Void, Linux From Scratch, Slackware64
Posts: 3,152

Quote:
Originally Posted by smallpond
Your first rule on the INPUT chain accepts all access to port 22. If you want to block certain addresses, you need to put them before that in the list. iptables stops on the first matching rule.
Had exactly this problem, fixed now, thanks!
 
  

