Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Running Centos 7 and have IPTables set to block most inbound traffic. However some attackers are getting past the firewall.
I have a small script setup that allows quick changes to the script. I expect I have something out of place, or missing something completely.
I even put Drop instructions, but these addresses are still getting by.
Can anyone see anything wrong with this?
Code:
#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Drop new connections from these address ranges
iptables -A INPUT -m state --state NEW -s 215.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 164.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 37.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 185.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 82.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 212.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 91.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 170.0.0.0/8 -j DROP
# Accept packets from trusted IP addresses
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 143.0.0.0/8 -j ACCEPT -m comment --comment "allow network"
iptables -A INPUT -s 96.0.0.0/8 -j ACCEPT -m comment --comment "allow network"
# Save settings
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v
Your first rule on the INPUT chain accepts all access to port 22. If you want to block certain addresses, you need to put them before that in the list. iptables stops on the first matching rule.
That's not the issue I am having - this is on an Asterisk PBX and I have port 5060 forwarded to the system.
My intention was to only allow outside access from the IP addresses/subnets I had allowed in IPtables; however, some addresses, even though listed as a drop address, still seem to get through to port 5060.
I thought that even without these entries here, the rules would block all access unless otherwise allowed:
iptables -A INPUT -m state --state NEW -s 215.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 164.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 37.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 185.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 82.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 212.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 91.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 170.0.0.0/8 -j DROP
I think there is a misunderstanding about the order of the iptables rules.
Putting the rules in a certain order is important.
In this case, I would set the default policies first in the script.
After the default policies, state RELATED,ESTABLISHED, followed with
loopback, also followed with the SSH access rule, in this order, and then the rest of the rules.
iptables applies the rules in the same way you read a grocery store list.
Give it a try this way and let us know if all works fine.
Thanks gunfight
So are you saying put all the drop rules at the top, above the ssh entry?
Yes. The default policy rules should be at the top of the script. Not only the drop ones, all of them, followed by the state RELATED,ESTABLISHED, then followed by the loopback rule, then followed by the rules on ports you would like to be opened.
Example:
Code:
#!/bin/bash
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
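To make the first-match behaviour described in the replies concrete, here is an added example (not code from the thread or from either poster): a small Python model of the INPUT chain in both orders, evaluated against constructed sample packets. The names verdict, matches and new_packet are assumptions of this example, not iptables features.

```python
import ipaddress
# Constructed model of the two scripts in this thread. A rule is a dict of
# match criteria (proto, dport, iface, state, src); a key that is absent
# matches anything, just like an iptables rule with that option omitted.
BLOCKED = ["215.0.0.0/8", "164.0.0.0/8", "37.0.0.0/8", "185.0.0.0/8",
           "82.0.0.0/8", "212.0.0.0/8", "91.0.0.0/8", "170.0.0.0/8"]
ALLOWED = ["192.168.0.0/16", "10.0.0.0/8", "143.0.0.0/8", "96.0.0.0/8"]
SSH = {"proto": "tcp", "dport": 22, "target": "ACCEPT"}
LOOPBACK = {"iface": "lo", "target": "ACCEPT"}
ESTABLISHED = {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"}
DROPS = [{"state": {"NEW"}, "src": n, "target": "DROP"} for n in BLOCKED]
ACCEPTS = [{"src": n, "target": "ACCEPT"} for n in ALLOWED]

# Order as posted: the port 22 accept comes before every address drop.
ORIGINAL = [SSH, LOOPBACK, ESTABLISHED] + DROPS + ACCEPTS
# Order the replies recommend: state and loopback first, drops before any port is opened.
REORDERED = [ESTABLISHED, LOOPBACK] + DROPS + [SSH] + ACCEPTS
POLICY = "DROP"  # both scripts set: iptables -P INPUT DROP

def matches(rule, pkt):
    """True when every criterion present in the rule is satisfied by the packet."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "src" in rule:
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["src"])
    return True

def verdict(chain, pkt, policy=POLICY):
    """First matching rule wins; the chain policy applies only when nothing matched.
    Returns (target, rule_index); rule_index is None for a policy verdict."""
    for i, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule["target"], i
    return policy, None

def new_packet(src, proto, dport, iface="eth0"):
    """A constructed inbound packet opening a NEW connection (sample addresses only)."""
    return {"src": src, "proto": proto, "dport": dport, "iface": iface, "state": "NEW"}

if __name__ == "__main__":
    for pkt in (new_packet("37.1.2.3", "tcp", 22), new_packet("37.1.2.3", "udp", 5060),
                new_packet("143.5.6.7", "udp", 5060), new_packet("203.0.113.5", "udp", 5060)):
        print(pkt["src"], pkt["proto"], pkt["dport"], verdict(ORIGINAL, pkt), verdict(REORDERED, pkt))
```

With the posted order, a NEW connection from a blocked /8 to port 22 is accepted by rule 0 before its DROP rule is ever reached; after reordering, the same packet hits the DROP first, and a packet from a range listed nowhere falls through to the chain policy.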