Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]
No, it still will not allow new connections. You have
Code:
# Allow NEW, ESTABLISHED and RELATED incoming connection
iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
and until you make it read
Code:
# Allow NEW, ESTABLISHED and RELATED incoming connection
iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
no new connections will be allowed.
As for the meaning of "$OUTS" this will be replaced by the content of a variable named "OUTS" which I suspect will be defined near the start of the script with a line that looks something like Many script authors do this to make it easy to customize the script by changing the actual value at just one spot. For instance, my outgoing interface is "eth1" so I could just change the "eth0" to "eth1" and the script would work for me. Without using the variable, I would have to change every place that it's used.
The "$" prefix tells the shell to use the value of the following expression, rather than using it literally. While it's similar to the concept of a symlink, it really has no direct connection to them.
I'm not sure what you mean by "the ipt_recent patch" since this is simply a module that is added to your script. Once you have edited the script it makes no difference whether you did so via a GUI or by using the command line; the iptables program will simply follow your list of rules and will include the module along with all the others.
Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]
Hi ;)
Thank you for your advice to
Code:
iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
I will do so. Actually I had the "NEW", but I deleted it, because my connection did work without it too.
Ok, I understand the meaning of the "$" prefix. Due to my past years at work, I used to tell CNC machines what to do.
As this "$" prefix is used in IT systems, we did use for example at the start of the script.
The ipt_recent_patch is this one. http://www.snowman.net/projects/ipt_recent/
I did a check in the
Code:
:~$ ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/
arptable_filter.ko iptable_raw.ko ipt_LOG.ko nf_defrag_ipv4.ko nf_nat_proto_dccp.ko
arp_tables.ko iptable_security.ko ipt_MASQUERADE.ko nf_nat_amanda.ko nf_nat_proto_gre.ko
arpt_mangle.ko ip_tables.ko ipt_NETMAP.ko nf_nat_ftp.ko nf_nat_proto_sctp.ko
ip_queue.ko ipt_ah.ko ipt_REDIRECT.ko nf_nat_h323.ko nf_nat_proto_udplite.ko
iptable_filter.ko ipt_CLUSTERIP.ko ipt_REJECT.ko nf_nat_irc.ko nf_nat_sip.ko
iptable_mangle.ko ipt_ecn.ko ipt_ULOG.ko nf_nat.ko nf_nat_snmp_basic.ko
iptable_nat.ko ipt_ECN.ko nf_conntrack_ipv4.ko nf_nat_pptp.ko nf_nat_tftp.ko
:~$
and I do not have this module compiled. Therefore I ask for your support on a how-to, so that I do not mess up anything.
Kind regards [-o<
Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]
Hi dear frodon, dear JKyleOKC.
I got it working with your help and your knowledge :popcorn: =D>=D>=D>
I did a separation of the DROP_LOGs, to see why the packet is dropped!
This is really running :biggrin:
Like you analysed and proposed, JKyleOKC, I put the final to the end of the script.
If I do a
Code:
tail -f /var/log/firewall
or a
Code:
tail -f /var/log/syslog
I can see from the DROP_LOG criteria why the packet is dropped :cool:
This is absolutely stunning!!! I started with LINUX in February and now I have an almost DIY firewall on my little server :-\"
The only thing I do not understand is that among the modules listed I do not have the ipt_recent module compiled! But it's running ... ?
Check out the script and let me know what you think about it!
Code:
#!/bin/bash
# ftp.service.3
# No spoofing !!!
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $filtre
done
fi
# No icmp
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
modprobe iptable_filter
modprobe iptable_nat
modprobe ipt_recent
# Remove all rules
iptables -F
iptables -X
# first set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# New chains
iptables -N FIREWALL
iptables -N TRUSTED
iptables -N BADGUY
# Log chain
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP
iptables -N LOG_DROP_BAD
iptables -A LOG_DROP_BAD -j LOG --log-prefix '[IPTABLES DROP BADGUYS] : '
iptables -A LOG_DROP_BAD -j DROP
iptables -N LOG_DROP_BADEND
iptables -A LOG_DROP_BADEND -j LOG --log-prefix '[IPTABLES DROP BADEND] : '
iptables -A LOG_DROP_BADEND -j DROP
iptables -N LOG_DROP_SSH
iptables -A LOG_DROP_SSH -j LOG --log-prefix '[IPTABLES DROP SSH BRUTEFORCE] : '
iptables -A LOG_DROP_SSH -j DROP
iptables -N LOG_DROP_FWD
iptables -A LOG_DROP_FWD -j LOG --log-prefix '[IPTABLES DROP FORWARD] : '
iptables -A LOG_DROP_FWD -j DROP
iptables -N LOG_DROP_ICMP
iptables -A LOG_DROP_ICMP -j LOG --log-prefix '[IPTABLES DROP ICMP] : '
iptables -A LOG_DROP_ICMP -j DROP
# Block any packet from IP-addresses that are present in the badguys list for one hour - port scan
iptables -A FIREWALL -i eth0 -m recent --name badguys --update --seconds 3600 -j LOG_DROP_BAD
#iptables -A FIREWALL -i eth0 -m recent --name badguys -j LOG_DROP_BAD
# Allow NEW, ESTABLISHED and RELATED incoming connection
iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow self communication
iptables -A FIREWALL -i lo -j ACCEPT
iptables -A FIREWALL -o lo -j ACCEPT
# Send all package to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED
# DROP all other packets
#iptables -A FIREWALL -j LOG_DROP
# Send all through the FIREWALL chain
iptables -A INPUT -j FIREWALL
iptables -A FORWARD -j LOG_DROP_FWD
iptables -A OUTPUT -j FIREWALL
# SSH brute force attacks - verify in /proc/net/ipt_recent files badguys and ssh
iptables -t filter -I BADGUY -m recent --set --name badguys
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --set
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 300 --hitcount 6 -j BADGUY
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 30 --hitcount 3 -j LOG_DROP_SSH
# Block inbound and outbound icmp traffic
iptables -A TRUSTED -i eth0 -p icmp -j LOG_DROP_ICMP
iptables -A TRUSTED -o eth0 -p icmp -j LOG_DROP_ICMP
# Allow inbound ssh traffic
iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow ftp inbound and outbound traffic
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 1024:65535 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# Allow inbound http,https traffic
iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow outbound tcp and udp traffic
iptables -A TRUSTED -o eth0 -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p udp -m udp -m state --state ESTABLISHED -j ACCEPT
# IMPORTANT Send all DROP package from FIREWALL chain to the badguys list - port scan
iptables -A FIREWALL -t filter -i eth0 -j LOG_DROP_BADEND -m recent --set --name badguys
# End message
echo " [End iptables rules setting]"
Kind regards :-D
Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]
I don't see anything seriously wrong. You do have a few rules that will never match, because rules that will be tested earlier will already deal with any packet that could match them, but it won't hurt anything to leave them in. One of my main policies, always, is to be very careful about making changes once I have something working the way I want!
I'm not sure that your outbound FTP rule for port 21 will allow you to FTP anything INTO the server, such as downloading a software package from some other system, since it still does not have a NEW state specified although the input rule does. However you may not want to be able to initiate an FTP transfer at the server, so this might not be a problem at all.
Congratulations!
EDIT: The ipt-reject module may be compiled into your kernel already; it is in mine. The actual name is ipt-REJECT so the difference in case might be why you aren't finding it. I checked by doing "lsmod|grep ip" on a command line, to find it.
Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]
Dear JKyleOKC
Thank you for your quick reply.
Which non-considered rules do you mean? Could you be so kind as to point these out, please?
Considering the FTP-service:
I did upload, download and delete files. I also created, renamed and deleted directories using ftp, ftps and sftp.
So the ftp service is working.
ipt-REJECT you say. I will check this. Thank you for pointing it out!!!
Best regards :D
Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]
My remark involved the "NEW, ESTABLISHED, RELATED" and "ESTABLISHED,RELATED" clauses in the TRUSTED chain. On closer examination, I may have found a serious error here.
My original reasoning was that since the third rule in your FIREWALL chain accepts any NEW,ESTABLISHED,RELATED packet that the rules in the TRUSTED chain that included similar match conditions would not be reached.
What I've just discovered is that including "NEW," in that third rule makes sure that the TRUSTED chain will never be reached, since the rule that jumps to it appears later in the FIREWALL chain.
I believe that you can remove "NEW," from that third rule of FIREWALL, leaving only "ESTABLISHED,RELATED" as its match conditions, and can then remove all "ESTABLISHED,RELATED" conditions from all the rules in TRUSTED, leaving only NEW as their match condition. Any rule in TRUSTED that does not have a NEW match condition would then be superfluous and could be removed.
What I believe will be the result of those changes is that any new connection will have to pass through the TRUSTED chain to be accepted. Once the packet is accepted by TRUSTED, subsequent packets in that connection will be accepted by the third rule of FIREWALL and never go to TRUSTED for checking again. If TRUSTED rejects the packet, no connection will be established and all subsequent packets from that attempt will also go to TRUSTED and be rejected. At least, that's my intention.
When testing this, I would keep a safe copy of the script as another file, since it does work as written and my analysis just might prevent it from working! When tracing the progress of a packet through the whole set of chains, it's very easy to introduce unwanted side effects.
I hope I'm not leading you astray!
Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]
Hi JKyleOKC
Ok, I think slowly I am getting an idea of how this thing works.
I do understand your topic for processing packets in the tables NEW.
But...
Isn't any packet forwarded from the FIREWALL chain to the TRUSTED chain if it does not match any rules in the FIREWALL chain? If I understand this, then the packets that do not match any criteria in the FIREWALL chain should be forwarded to the TRUSTED chain.....
Aaahh...now I understand!!! OK!!!
The INPUT chain forwards any packet to the FIREWALL chain.
If it is not dropped in the FIREWALL chain it will be forwarded to the TRUSTED chain.
If it does not meet any criteria in the TRUSTED chain then it will be finally DROPPED. Is this right?
1.) So if I delete NEW in the first rule down below, then NO NEW packet will be processed in the FIREWALL chain. But what happens to this NEW packet? Is it forwarded to the TRUSTED chain since this NEW packet does not meet any criteria in the FIREWALL chain, or is it dropped in the FIREWALL chain?
Code:
# Allow NEW, ESTABLISHED and RELATED incoming connection
iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Send all package to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED
2.) If I leave the NEW in the first rule, and it does not meet any criteria in the FIREWALL chain, is it then forwarded to the TRUSTED chain as a NEW packet or is it dropped by the FIREWALL chain?
I did modify the script. My services are still running and reachable.
The only thing I am missing in the DROP_LOGs is that the ssh bruteforce rule does not seem to work. On the other hand nobody is bruteforcing me at the moment :D
But I think I am having problems building the files ssh and badguys. I also do not believe that the ssh bruteforce chain is working...
EDIT: It must be working. The SRC is first dropped by the DROP_LOG_BADEND and afterwards by DROP_LOG_BADGUYS -> so the lists are obviously working!!! I just have to wait for a bruteforce attack ....
Code:
Aug 1 20:26:48 kernel: [167587.550598] [IPTABLES DROP BADEND] : IN=eth0 OUT= MAC= SRC=74.120.12.140 DST=xxx.xxx.xxx.xx LEN=626 TOS=0x00 PREC=0x00 TTL=45 ID=39804 DF PROTO=TCP SPT=24517 DPT=9001 WINDOW=16 RES=0x00 ACK URGP=0
Aug 1 20:26:49 kernel: [167588.007598] [IPTABLES DROP BADGUYS] : IN=eth0 OUT= MAC= SRC=74.120.12.140 DST=xxx.xxx.xxx.xx LEN=576 TOS=0x00 PREC=0x00 TTL=45 ID=39806 DF PROTO=TCP SPT=24517 DPT=9001 WINDOW=16 RES=0x00 ACK URGP=0
Aug 1 20:26:49 kernel: [167588.691429] [IPTABLES DROP BADGUYS] : IN=eth0 OUT= MAC= SRC=77.106.125.32 DST=xxx.xxx.xxx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=15137 DF PROTO=TCP SPT=52198 DPT=16906 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 1 20:26:50 kernel: [167588.931737] [IPTABLES DROP BADGUYS] : IN=eth0 OUT= MAC= SRC=74.120.12.140 DST=xxx.xxx.xxx.xx LEN=576 TOS=0x00 PREC=0x00 TTL=45 ID=39807 DF PROTO=TCP SPT=24517 DPT=9001 WINDOW=16 RES=0x00 ACK URGP=0
My /var/log/firewall looks like this
Code:
Aug 1 19:35:09 xxxxxxx kernel: [164488.550780] [IPTABLES DROP BADEND] : IN=eth0 OUT= MAC=xx:Xx:xx:Xx:XX:XX:xx:xx:XX:xx SRC=93.182.175.141 DST=xxx.xxx.xx.xxx LEN=76 TOS=0x00 PREC=0x00 TTL=107 ID=9425 PROTO=UDP SPT=13501 DPT=16906 LEN=56
Aug 1 19:35:10 xxxxxxx kernel: [164489.102976] [IPTABLES DROP BADGUYS] : IN=eth0 OUT= MAC=xx:Xx:xx:Xx:XX:XX:xx:xx:XX:xx SRC=81.206.158.42 DST=xxx.xxx.xx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=24627 DF PROTO=TCP SPT=56270 DPT=9030 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 1 19:43:13 xxxxxxx kernel: [164972.054903] [IPTABLES DROP ICMP] : IN=eth0 OUT= MAC=xx:Xx:xx:Xx:XX:XX:xx:xx:XX:xx SRC=94.245.252.128 DST=xxx.xxx.xx.xxx LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=43017 SEQ=1
My script looks like this at the moment.
EDIT: I do some experimental logging with the NEW filter in the FIREWALL chain below. If I leave it there my logging/dropping decreases. If I remove it my logging/dropping increases. WHAT does this mean, in conclusion?
Code:
# Allow NEW, ESTABLISHED and RELATED incoming connection
iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Code:
#!/bin/bash
# ftp.service.4
# No spoofing !!!
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $filtre
done
fi
# No icmp
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
modprobe iptable_filter
modprobe iptable_nat
modprobe ipt_REJECT
modprobe ipt_recent
# Remove all rules
iptables -F
iptables -X
# first set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# New chains
iptables -N FIREWALL
iptables -N TRUSTED
iptables -N BADGUY
# Log chain
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP
iptables -N LOG_DROP_BAD
iptables -A LOG_DROP_BAD -j LOG --log-prefix '[IPTABLES DROP BADGUYS] : '
iptables -A LOG_DROP_BAD -j DROP
iptables -N LOG_DROP_BADEND
iptables -A LOG_DROP_BADEND -j LOG --log-prefix '[IPTABLES DROP BADEND] : '
iptables -A LOG_DROP_BADEND -j DROP
iptables -N LOG_DROP_SSH
iptables -A LOG_DROP_SSH -j LOG --log-prefix '[IPTABLES DROP SSH BRUTEFORCE] : '
iptables -A LOG_DROP_SSH -j DROP
iptables -N LOG_DROP_FWD
iptables -A LOG_DROP_FWD -j LOG --log-prefix '[IPTABLES DROP FORWARD] : '
iptables -A LOG_DROP_FWD -j DROP
iptables -N LOG_DROP_ICMP
iptables -A LOG_DROP_ICMP -j LOG --log-prefix '[IPTABLES DROP ICMP] : '
iptables -A LOG_DROP_ICMP -j DROP
iptables -N LOG_DROP_HTTP
iptables -A LOG_DROP_HTTP -j LOG --log-prefix '[IPTABLES DROP HTTP] : '
iptables -A LOG_DROP_HTTP -j DROP
# Block any packet from IP-addresses that are present in the badguys list for one hour - port scan
iptables -A FIREWALL -i eth0 -m recent --name badguys --update --seconds 3600 -j LOG_DROP_BAD
# Allow NEW, ESTABLISHED and RELATED incoming connection
iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Block any packet from IP-addresses that are present in the badguys list for one hour - port scan
#iptables -A FIREWALL -i eth0 -m recent --name badguys --update --seconds 3600 -j LOG_DROP_BAD
# SSH brute force attacks - verify in /proc/net/files badguys and ssh
iptables -t filter -I BADGUY -m recent --set --name badguys
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --set
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 300 --hitcount 6 -j BADGUY
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 30 --hitcount 3 -j LOG_DROP_SSH
# HTTP attacks - verify in /proc/net/ipt_recent files badguys and http
iptables -t filter -I BADGUY -m recent --set --name badguys
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 80 -m recent --name http --set
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 80 -m recent --name http --rcheck --seconds 300 --hitcount 6 -j BADGUY
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 80 -m recent --name http --rcheck --seconds 30 --hitcount 3 -j LOG_DROP_HTTP
# Block inbound and outbound icmp traffic
iptables -A FIREWALL -i eth0 -p icmp -j LOG_DROP_ICMP
iptables -A FIREWALL -o eth0 -p icmp -j LOG_DROP_ICMP
# Allow self communication
iptables -A FIREWALL -i lo -j ACCEPT
iptables -A FIREWALL -o lo -j ACCEPT
# IMPORTANT Send all DROP package from FIREWALL chain to the badguys list - port scan
#iptables -A FIREWALL -t filter -i eth0 -j LOG_DROP_BADEND -m recent --set --name badguys
# Send all package to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED
# Send all through the FIREWALL chain
iptables -A INPUT -j FIREWALL
iptables -A FORWARD -j LOG_DROP_FWD
iptables -A OUTPUT -j FIREWALL
# IMPORTANT Send all DROP package from FIREWALL chain to the badguys list - port scan
iptables -A FIREWALL -t filter -i eth0 -j LOG_DROP_BADEND -m recent --set --name badguys
# Allow inbound ssh traffic
iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow ftp inbound and outbound traffic
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 1024:65535 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow inbound http,https traffic
iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow outbound tcp and udp traffic
iptables -A TRUSTED -o eth0 -p tcp -m tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p udp -m udp -m state --state NEW,ESTABLISHED -j ACCEPT
# IMPORTANT Send all DROP package from FIREWALL chain to the badguys list - port scan
#iptables -A FIREWALL -t filter -i eth0 -j LOG_DROP_BADEND -m recent --set --name badguys
# End message
echo " [End iptables rules setting]"
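A parser for the kernel LOG lines that the LOG_DROP_* chains write to /var/log/firewall, so the per-chain prefixes and the SRC/DPT fields can be counted instead of read by eye. This is an added Python example, not code from the thread; the sample lines are constructed in the same format as the ones quoted above (documentation addresses, made-up ports), and the prefix strings are the script's own.

```python
"""Parse iptables LOG-target lines (as written by the script's LOG_DROP_* chains) and
summarise which chain dropped what, per source. Sample lines are constructed."""

import re
from collections import Counter

# Constructed sample: four drops in the script's log format plus one unrelated syslog line.
SAMPLE_LOG = """\
Aug 1 20:26:48 kernel: [167587.550598] [IPTABLES DROP BADEND] : IN=eth0 OUT= MAC= SRC=203.0.113.7 DST=192.0.2.10 LEN=626 TOS=0x00 PREC=0x00 TTL=45 ID=39804 DF PROTO=TCP SPT=24517 DPT=9001 WINDOW=16 RES=0x00 ACK URGP=0
Aug 1 20:26:49 kernel: [167588.007598] [IPTABLES DROP BADGUYS] : IN=eth0 OUT= MAC= SRC=203.0.113.7 DST=192.0.2.10 LEN=576 TOS=0x00 PREC=0x00 TTL=45 ID=39806 DF PROTO=TCP SPT=24517 DPT=9001 WINDOW=16 RES=0x00 ACK URGP=0
Aug 1 20:26:49 kernel: [167588.691429] [IPTABLES DROP BADGUYS] : IN=eth0 OUT= MAC= SRC=198.51.100.22 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=15137 DF PROTO=TCP SPT=52198 DPT=16906 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 1 19:43:13 host kernel: [164972.054903] [IPTABLES DROP ICMP] : IN=eth0 OUT= MAC= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=43017 SEQ=1
Aug 1 19:50:00 host kernel: [165000.000000] [IPTABLES DROP SSH BRUTEFORCE] : IN=eth0 OUT= MAC= SRC=198.51.100.22 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=115 ID=100 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 1 19:51:00 host sshd[1234]: Accepted publickey for admin from 203.0.113.5 port 51000 ssh2
"""

# "[<log-prefix>] : " followed by the KEY=VALUE fields; the kernel's "[uptime]" stamp is
# never followed by " : ", so search() lands on the real prefix.
PREFIX_RE = re.compile(r"\[(?P<prefix>[^\]]*)\] : (?P<fields>.*)$")
# bare tokens the LOG target emits without a value
FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def parse_line(line):
    """Return {'prefix': ..., 'flags': set(), KEY: VALUE, ...} or None for non-LOG lines."""
    match = PREFIX_RE.search(line)
    if not match:
        return None
    rec = {"prefix": match.group("prefix").strip(), "flags": set()}
    for token in match.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec.setdefault(key, value)  # ICMP lines carry ID= twice; keep the IP header's
        elif token in FLAGS:
            rec["flags"].add(token)
    return rec


def summarize(text):
    """Count drops per log prefix (i.e. per dropping chain) and per source address."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    by_prefix = Counter(r["prefix"] for r in records)
    by_src = Counter(r["SRC"] for r in records)
    # a SYN without ACK is a connection attempt that no accept rule matched
    new_attempts = sorted({(r["SRC"], int(r["DPT"])) for r in records
                           if r.get("PROTO") == "TCP"
                           and "SYN" in r["flags"] and "ACK" not in r["flags"]})
    return {"records": records, "by_prefix": by_prefix,
            "by_src": by_src, "new_attempts": new_attempts}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for prefix, n in summary["by_prefix"].most_common():
        print(f"{n:3d}  {prefix}")
    for src, n in summary["by_src"].most_common():
        print(f"{n:3d}  {src}")
    print("unaccepted SYNs:", summary["new_attempts"])
```

Running it against a real /var/log/firewall (`summarize(open(path).read())`) gives the same two views: which LOG_DROP_* chain did the dropping, and which sources keep showing up, which is what decides whether a badguys entry was earned by a port scan or by a legitimate client hitting a port the TRUSTED chain does not open.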
Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]
I have to be a bit brief this time but will go over your full script later.
For your first question, if you leave out NEW from the FIREWALL chain then the packet will go to TRUSTED to be checked since there's no DROP between the third rule and the jump to TRUSTED. Actually you don't need a DROP action in FIREWALL at all, and if the jump to TRUSTED were its last rule then TRUSTED would not need a DROP either. A bad packet would come into INPUT, go to FIREWALL and not be accepted, then go to TRUSTED and not be accepted there either, then "fall off the end" of TRUSTED to return to FIREWALL, there do the same to return to INPUT, and finally at INPUT be dropped, either by an explicit rule or by policy. This would lose your detailed logging scheme, however, so I would leave those DROP actions in TRUSTED and FIREWALL.
For question two, if you leave NEW in firewall then any new connection will be accepted without ever going to TRUSTED to be checked. This is also why you see fewer drops in this case per your final question; bad connections get through unquestioned.
I'll go through the full script later today.
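The traversal described in the reply above (jump into a user chain, fall off its end back to the calling chain, and finally the built-in chain's policy), as an added Python model that is neither the kernel's code nor from the thread. It builds the FIREWALL/TRUSTED layout of the scripts in both variants, with and without NEW in FIREWALL's accept rule, so the two questions can be answered by tracing a packet; the `LOG:` pseudo-target, the packet dictionaries and the port numbers are constructed for the example, and the `recent` rules are left out to keep the model small.

```python
"""Toy model of iptables chain traversal (not the kernel code). A rule is a (match, target)
pair; a user-defined chain that reaches its end RETURNs to the caller, a built-in chain that
reaches its end falls back to its policy. Chains, packets and ports are constructed."""

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


def m(**conds):
    """Match predicate: each given field must equal the value, or be a member of a set."""
    def pred(pkt):
        for key, want in conds.items():
            have = pkt.get(key)
            if isinstance(want, (set, frozenset)):
                if have not in want:
                    return False
            elif have != want:
                return False
        return True
    return pred


def any_pkt(pkt):
    return True


def run_chain(chains, name, pkt, trace):
    """Walk one chain. Returns ACCEPT/DROP, or None when the packet falls off the end."""
    for idx, (match, target) in enumerate(chains[name]):
        if not match(pkt):
            continue
        trace.append(f"{name}[{idx}]->{target}")
        if target in (ACCEPT, DROP):
            return target
        if target == RETURN:
            return None
        if target.startswith("LOG:"):        # LOG is non-terminating: note it, keep going
            continue
        verdict = run_chain(chains, target, pkt, trace)   # jump into a user chain
        if verdict is not None:
            return verdict
        # the user chain fell off its end: resume with the next rule of this chain
    return None


def decide(chains, policies, builtin, pkt):
    """Verdict for a packet entering a built-in chain, plus the rules it touched."""
    trace = []
    verdict = run_chain(chains, builtin, pkt, trace)
    if verdict is None:
        verdict = policies[builtin]
        trace.append(f"{builtin} policy->{verdict}")
    return verdict, trace


def build_ruleset(new_in_firewall):
    """The scripts' INPUT -> FIREWALL -> TRUSTED layout, with or without NEW in FIREWALL."""
    states = {"NEW", "ESTABLISHED", "RELATED"} if new_in_firewall else {"ESTABLISHED", "RELATED"}
    chains = {
        "INPUT": [(any_pkt, "FIREWALL"), (any_pkt, "LOG_DROP")],
        "FIREWALL": [
            (m(iface="eth0", state=states), ACCEPT),
            (m(iface="lo"), ACCEPT),
            (any_pkt, "TRUSTED"),
            (m(iface="eth0"), "LOG_DROP_BADEND"),  # reached only if TRUSTED fell off its end
        ],
        "TRUSTED": [
            (m(iface="eth0", proto="tcp", dport=22, state="NEW"), ACCEPT),
            (m(iface="eth0", proto="tcp", dport={80, 443}, state="NEW"), ACCEPT),
        ],
        "LOG_DROP": [(any_pkt, "LOG:[DROP INPUT]"), (any_pkt, DROP)],
        "LOG_DROP_BADEND": [(any_pkt, "LOG:[DROP BADEND]"), (any_pkt, DROP)],
    }
    return chains, {"INPUT": ACCEPT}


def probe(new_in_firewall, pkt):
    chains, policies = build_ruleset(new_in_firewall)
    return decide(chains, policies, "INPUT", pkt)


# constructed packets: a SYN to an unserved port, a new and an established SSH flow,
# and a packet arriving on an interface no rule names
SCAN = {"iface": "eth0", "proto": "tcp", "dport": 9001, "state": "NEW"}
SSH_NEW = {"iface": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"}
SSH_EST = {"iface": "eth0", "proto": "tcp", "dport": 22, "state": "ESTABLISHED"}
OTHER_IF = {"iface": "eth1", "proto": "tcp", "dport": 22, "state": "NEW"}

if __name__ == "__main__":
    for label, pkt in (("scan", SCAN), ("ssh new", SSH_NEW), ("ssh est", SSH_EST), ("eth1", OTHER_IF)):
        for variant in (True, False):
            verdict, trace = probe(variant, pkt)
            print(f"NEW in FIREWALL={variant!s:5} {label:8} {verdict:6} {' '.join(trace)}")
```

With NEW in FIREWALL the scan packet is accepted by FIREWALL's first rule and TRUSTED is never entered, which is why the logging went quiet in that configuration; without it, the same packet runs through TRUSTED, falls off its end, returns to FIREWALL and meets LOG_DROP_BADEND. An established SSH packet never reaches TRUSTED in either variant, and the eth1 packet shows the full unwind: off the end of TRUSTED, off the end of FIREWALL, back to INPUT's final LOG_DROP rule (or, with that rule removed, to the INPUT policy).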
Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]
Dear JKyleOKC
Thank you very much for your explanation!!! I did not know that there is a loop in the chains. So thanks to your effort I did understand this and implemented, or tried to, your knowledge in the script. I tried to clean it, so it is more understandable. The LOG_DROPs help me to understand what is dropped, why it is dropped, and which chain did DROP.
I also did find the badguys and ssh list in /proc/net/xt_recent :D
I hope you are not too deeply investigating my previous script, and getting a headache because of me!!!!
I can proudly present a running script :biggrin:
Code:
#!/bin/bash
# ftp.service.final
# No spoofing !!!
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $filtre
done
fi
# No icmp
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
modprobe iptable_filter
modprobe iptable_nat
modprobe ipt_REJECT
modprobe ipt_recent
# Remove all rules
iptables -F
iptables -X
# first set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# New chains
iptables -N FIREWALL
iptables -N TRUSTED
iptables -N BADGUY
# Log chain
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix '[DROP INPUT] : '
iptables -A LOG_DROP -j DROP
iptables -N LOG_DROP_BAD1
iptables -A LOG_DROP_BAD1 -j LOG --log-prefix '[DROP BADGUYS FIREWALL] : '
iptables -A LOG_DROP_BAD1 -j DROP
iptables -N LOG_DROP_BAD2
iptables -A LOG_DROP_BAD2 -j LOG --log-prefix '[DROP BADGUYS TRUSTED] : '
iptables -A LOG_DROP_BAD2 -j DROP
iptables -N LOG_DROP_BADEND1
iptables -A LOG_DROP_BADEND1 -j LOG --log-prefix '[DROP BADEND FIREWALL] : '
iptables -A LOG_DROP_BADEND1 -j DROP
iptables -N LOG_DROP_BADEND2
iptables -A LOG_DROP_BADEND2 -j LOG --log-prefix '[DROP BADEND TRUSTED] : '
iptables -A LOG_DROP_BADEND2 -j DROP
iptables -N LOG_DROP_SSH
iptables -A LOG_DROP_SSH -j LOG --log-prefix '[DROP SSH BRUTEFORCE] : '
iptables -A LOG_DROP_SSH -j DROP
iptables -N LOG_DROP_FTP
iptables -A LOG_DROP_FTP -j LOG --log-prefix '[DROP FTP BRUTEFORCE] : '
iptables -A LOG_DROP_FTP -j DROP
iptables -N LOG_DROP_FWD
iptables -A LOG_DROP_FWD -j LOG --log-prefix '[DROP FORWARD] : '
iptables -A LOG_DROP_FWD -j DROP
iptables -N LOG_DROP_ICMP1
iptables -A LOG_DROP_ICMP1 -j LOG --log-prefix '[DROP ICMP FIREWALL] : '
iptables -A LOG_DROP_ICMP1 -j DROP
iptables -N LOG_DROP_ICMP2
iptables -A LOG_DROP_ICMP2 -j LOG --log-prefix '[DROP ICMP TRUSTED] : '
iptables -A LOG_DROP_ICMP2 -j DROP
# -----------------------------------------------------------------------------------------------------------------------
# Block any packet from IPs that are present in the badguys list verify in /proc/net/xt_recent/files badguys and ssh
iptables -t filter -I BADGUY -m recent --set --name badguys
iptables -A FIREWALL -i eth0 -m recent --name badguys --update --seconds 3600 -j LOG_DROP_BAD1
# Allow ESTABLISHED and RELATED incoming connection
iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow self communication
iptables -A FIREWALL -i lo -j ACCEPT
iptables -A FIREWALL -o lo -j ACCEPT
# Block inbound and outbound icmp traffic
iptables -A FIREWALL -i eth0 -p icmp -j LOG_DROP_ICMP1
iptables -A FIREWALL -o eth0 -p icmp -j LOG_DROP_ICMP1
# Send all package to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED
# IMPORTANT Send all DROP package from FIREWALL chain to the badguys list - port scan
iptables -A FIREWALL -t filter -i eth0 -j LOG_DROP_BADEND1 -m recent --set --name badguys
# Send all through the FIREWALL chain
iptables -A INPUT -j FIREWALL
iptables -A FORWARD -j LOG_DROP_FWD
iptables -A OUTPUT -j FIREWALL
# -----------------------------------------------------------------------------------------------------------------------
# Block any packet from IPs that are present in the badguys list verify in /proc/net/xt_recent/files badguys and ssh
iptables -A TRUSTED -i eth0 -m recent --name badguys --update --seconds 3600 -j LOG_DROP_BAD2
# SSH brute force attacks - verify in /proc/net/xt_recent/file ssh
iptables -A TRUSTED -i eth0 -p tcp --syn --dport ssh -m recent --name ssh --set
iptables -A TRUSTED -i eth0 -p tcp --syn --dport ssh -m recent --name ssh --rcheck --seconds 300 --hitcount 6 -j BADGUY
iptables -A TRUSTED -i eth0 -p tcp --syn --dport ssh -m recent --name ssh --rcheck --seconds 30 --hitcount 3 -j LOG_DROP_SSH
# FTP brute force attacks - verify in /proc/net/xt_recent/file ftp
iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 20,21 --syn -m recent --name ftp --set
iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 20,21 --syn -m recent --name ftp --rcheck --seconds 300 --hitcount 6 -j BADGUY
iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 20,21 --syn -m recent --name ftp --rcheck --seconds 30 --hitcount 3 -j LOG_DROP_FTP
# Block inbound and outbound icmp traffic
iptables -A TRUSTED -i eth0 -p icmp -j LOG_DROP_ICMP2
iptables -A TRUSTED -o eth0 -p icmp -j LOG_DROP_ICMP2
# Allow inbound ssh traffic
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow ftp inbound and outbound traffic
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 1024:65535 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow inbound http,https traffic
iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow outbound tcp and udp traffic
iptables -A TRUSTED -o eth0 -p tcp -m tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p udp -m udp -m state --state NEW,ESTABLISHED -j ACCEPT
# IMPORTANT Send all DROP package from TRUSTED chain to the badguys list - port scan
iptables -A TRUSTED -t filter -i eth0 -j LOG_DROP_BADEND2 -m recent --set --name badguys
# -----------------------------------------------------------------------------------------------------------------------
iptables -A INPUT -j LOG_DROP
# End message
echo " [End iptables rules setting]"
I want to thank you all very, very, very much for hanging in there with me through the last days and nights!
THANK YOU VERY MUCH!!!!
It would not have been possible without you!!!
Thank you!!!
Kindest regards from Austria,
Duesentriebchen ):P