
Thread: IPTables problems

  1. #1
    Join Date
    Nov 2012
    Beans
    38

    IPTables problems

    Hi

    I'm having some problems with my VPS running Ubuntu Server 11.04 x64.

    First I can't use sudo apt-get update, because my ubuntu can't connect to the repositories (iptables is blocking).

    And I can't put my TS3 online, because of a DNS related problem (Iptables blocking).

    I'm using the follow rules:

    Code:
    # default policies
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    
    # INPUT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 7777 -j ACCEPT
    iptables -A INPUT -p udp --dport 7777 -j ACCEPT
    iptables -A INPUT -p tcp --dport 9987 -j ACCEPT
    iptables -A INPUT -p udp --dport 9987 -j ACCEPT
    iptables -A INPUT -p tcp --dport 10011 -j ACCEPT
    iptables -A INPUT -p udp --dport 10011 -j ACCEPT
    iptables -A INPUT -p tcp --dport 30033 -j ACCEPT
    iptables -A INPUT -p udp --dport 30033 -j ACCEPT
    iptables -A INPUT -p tcp --dport 25555 -j ACCEPT
    iptables -A INPUT -p udp --dport 25555 -j ACCEPT
    iptables -A INPUT -p tcp --dport 41144 -j ACCEPT
    iptables -A INPUT -p udp --dport 2010 -j ACCEPT
    iptables -A INPUT -p tcp --dport 2008 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    
    # OUTPUT
    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 7777 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 7777 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 9987 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 9987 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 10011 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 10011 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 30033 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 30033 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 25555 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 25555 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 41144 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 2010 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 2008 -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    I only want the necessary ports accepting connections; I think it's all there (Teamspeak3 ports).

    I need everything blocked, because before these rules my VPS was being constantly attacked and this can help a lot.
    Last edited by Di0g0; November 16th, 2012 at 12:34 AM.

  2. #2
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,610
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: IPTables problems

    Hi and welcome to Ubuntu forums.

    Your iptables rule set is very odd.
    There is no return path for an ESTABLISHED,RELATED packet created via the OUTPUT chain. I also don't see an OUTPUT path for apt-get to work.

    I realize my reply is incomplete. I might come back later and add some more.

    I suggest some further reading about iptables.
    Reference: http://bodhizazen.net/Tutorials/iptables/
    There are many other good references.

    Edit: how does your VPS get its IP address? Is it static? (There doesn't seem to be a path for DHCP stuff)
    Last edited by Doug S; November 16th, 2012 at 01:03 AM. Reason: forgot to ask something

  3. #3
    Join Date
    Nov 2012
    Beans
    38

    Re: IPTables problems

    Hi

    First I want to thank you for your post.

    My VPS has a static IP address. I know that these rules are a sh... But I'm new to the IPTables world, and I searched and searched before making this topic.

    Right now I have my VPS with all traffic allowed, but I want to block all the ports again to cut some attacks. I have something like 1Gbit/s bandwidth but I'm receiving 100 mbit/s DDoS attacks and, because of my IPTables configuration, I'm getting DDoSed on all ports (all ports are accepting incoming right now).

    I made these rules to try to stop these attacks, and other type of attacks.

    I'd be very grateful if you could help me.

    Thanks!

  4. #4
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,610
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: IPTables problems

    While your rules are odd, I don't understand why your DNS lookups are not working.
    Could you post the output from:
    Code:
    sudo iptables -v -x -n -L

  5. #5
    Join Date
    Nov 2012
    Beans
    38

    Re: IPTables problems

    Code:
    Chain INPUT (policy ACCEPT 6654 packets, 288907 bytes)
        pkts      bytes target     prot opt in     out     source               destination
        2106   168736 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:7777
     7561839 462969835 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:7777
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9987
     1864794 190943096 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:9987
        1250    69948 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10011
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:10011
         683    30948 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:30033
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:30033
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25555
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:25555
        2699   136520 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:41144
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:2010
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2008
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:53 dpts:1024:65535 state ESTABLISHED
          95     9480 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 dpts:1024:65535 state ESTABLISHED
         772    65091 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 12154 packets, 16819685 bytes)
        pkts      bytes target     prot opt in     out     source               destination
        1849   282687 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:7777
    11689161 1243583286 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:7777
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:9987
     4473440 524422603 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:9987
         983   518929 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:10011
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:10011
        1059   999059 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:30033
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:30033
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25555
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:25555
        2699   107960 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:41144
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:2010
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:2008
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
          96     6321 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
        1604   253075 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain LOGGING (0 references)
        pkts      bytes target     prot opt in     out     source               destination
        2474   193918 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/min burst 5 LOG flags 0 level 7 prefix `IPTables Packet Dropped: '
       41515  3291955 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    7777 = SA:MP server running on my VPS
    9987, 2008, 10011, 30033, 41144 = Teamspeak3
    2555 = Minecraft Server


    Maybe the problem here is:

    I can't use apt-get update (can't connect), and TS3 is blocked somewhere like that.

    TS3 errors:

    TS3ANetwork::ResolveHostName failed error: -3 (Temporary failure in name resolution) 11
    TS3ANetwork::Connect failed error: 110

    And I found this on the web:

    "Hello

    Check if the 2008 port is still open.
    Check if you can ping accouting.teamspeak.com (on the linux system).

    If you can't, it sounds like a DNS problem (maybe after an update)"

    --

    I tested, and I can ping.....
    Last edited by Di0g0; November 16th, 2012 at 03:08 AM.
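Doug asked for `iptables -v -x -n -L` because the per-rule counters show which rules actually see traffic. The parser below is an added example, not something posted in the thread; it runs over a trimmed copy of the listing above (with the split "destination" column rejoined) and flags rules that have never matched, chains whose ACCEPT policy is catching traffic that hit no rule, and an unreferenced chain like LOGGING that still carries counters.

```python
"""Parse `iptables -v -x -n -L` output and flag what a rule-set review looks for.

Added example, not from the thread. SAMPLE is a constructed, trimmed copy of the
listing posted above; counters and matches are the ones shown there.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
Chain INPUT (policy ACCEPT 6654 packets, 288907 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    2106   168736 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:7777
 7561839 462969835 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:7777
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:10011
      95     9480 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 dpts:1024:65535 state ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain LOGGING (0 references)
    pkts      bytes target     prot opt in     out     source               destination
    2474   193918 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/min burst 5 LOG flags 0 level 7 prefix `IPTables Packet Dropped: '
   41515  3291955 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Built-in chains report a policy and its counters; user-defined chains report references.
HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, \d+ bytes|(\d+) references)\)")


@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    proto: str
    match: str                          # text after the destination column, "" if none


@dataclass
class Chain:
    name: str
    policy: Optional[str] = None        # None for user-defined chains
    policy_pkts: int = 0                # packets that matched no rule and hit the policy
    references: Optional[int] = None    # only user-defined chains report this
    rules: list = field(default_factory=list)


def parse_listing(text: str) -> dict:
    """Return {chain name: Chain} for one `iptables -v -x -n -L` listing."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts"):
            continue                                    # blank line or column header
        m = HEADER.match(line)
        if m:
            name, policy, ppkts, refs = m.groups()
            current = Chain(name, policy, int(ppkts or 0), int(refs) if refs else None)
            chains[name] = current
            continue
        f = line.split(None, 9)                         # 9 fixed columns, then optional match text
        current.rules.append(Rule(int(f[0]), int(f[1]), f[2], f[3], f[9] if len(f) > 9 else ""))
    return chains


def unused_rules(chains: dict) -> list:
    """Rules that never matched: candidates to remove, or a sign the port/protocol is wrong."""
    return [(c.name, r.target, r.match) for c in chains.values() for r in c.rules if r.pkts == 0]


def findings(chains: dict) -> list:
    """Chain-level observations a reviewer would raise."""
    out = []
    for c in chains.values():
        if c.policy == "ACCEPT" and c.policy_pkts:
            out.append(f"{c.name}: policy is ACCEPT and {c.policy_pkts} packets matched no rule")
        if c.references == 0 and any(r.pkts for r in c.rules):
            out.append(f"{c.name}: unreferenced chain with non-zero counters (left from an older rule set?)")
    return out
```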

  6. #6
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,610
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: IPTables problems

    For Teamspeak3 you might want to study some and determine if all incoming ports need to be open, or if your server will actually create the connection via an outgoing packet to start with. I don't know.

    Below is a quickly created suggestion at an iptables rule set. You will have to set the external IP address, as I have it set for one of my computers for testing. You might want to reduce the number of logging statements to reduce the sizes of your log files.
    You need to read and fully understand the script before you try it. Modifications are probably required for your overall situation.
    Code:
    #!/bin/sh
    FWVER=0.01
    #
    # diogo_firewall 2011.11.15 Ver: 0.01 Attempt 1.
    #       See Ubuntu forums post 12356849
    #       Quick and dirty
    #       diogo: you might want to reduce the logging.
    echo "Loading diogo_firewall version $FWVER..\n"
    # The location of the iptables program
    #
    IPTABLES=/sbin/iptables
    #Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
    #
    EXTIF="eth0"
    # Temp set to Doug s15 computer. diogo set this right.
    EXTIP="192.168.111.112"
    UNIVERSE="0.0.0.0/0"
    echo "   External Interface: $EXTIF   External IP: $EXTIP"
    #Clearing any previous configuration
    #
    echo "  Clearing any existing rules and setting default policy to DROP.."
    # maybe default of ACCEPT will be used until sure things are working
    $IPTABLES -P INPUT DROP
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    # Otherwise, I can not seem to delete it later on
    $IPTABLES -F log-n-drop
    # Delete user defined chains
    $IPTABLES -X
    # Reset all IPTABLES counters
    $IPTABLES -Z
    #######################################################################
    # USER DEFINED CHAIN SUBROUTINES:
    #
    # log-n-drop
    $IPTABLES -N log-n-drop
    $IPTABLES -A log-n-drop -j LOG --log-prefix "GENERIC:" --log-level info
    $IPTABLES -A log-n-drop -j DROP
    #######################################################################
    # INPUT: Incoming traffic from various interfaces.  All rulesets are
    #        already flushed and set to a default policy of DROP.
    #
    # loopback interfaces are valid.
    #
    $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
    # Block specific jerks.
    #
    # http related
    # for example. Put particular annoying IPs directly here:
    #$IPTABLES -A INPUT -i $EXTIF -s 93.170.1.53 -j DROP
    # A NEW TCP connection requires SYN bit set and FIN,RST,ACK reset.
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW TCP no SYN:" --log-level info
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # remote interface, RFC 1918, private internet packets, and some others.
    # diogo: You might be more relaxed and delete this:
    # this one must be removed for testing on Doug internal network:
    #$IPTABLES -A INPUT -i $EXTIF -s 192.168.0.0/16 -d $UNIVERSE -j LOG --log-prefix "Sub192:" --log-level info
    #$IPTABLES -A INPUT -i $EXTIF -s 192.168.0.0/16 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 10.0.0.0/8 -d $UNIVERSE -j LOG --log-prefix "Sub10:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 10.0.0.0/8 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 172.16.0.0/12 -d $UNIVERSE -j LOG --log-prefix "Sub172:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 172.16.0.0/12 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 240.0.0.0/5 -d $UNIVERSE -j LOG --log-prefix "Sub240:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 240.0.0.0/5 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 224.0.0.0/4 -d $UNIVERSE -j LOG --log-prefix "Sub224:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 224.0.0.0/4 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 169.254.0.0/16 -d $UNIVERSE -j LOG --log-prefix "Sub169:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 169.254.0.0/16 -d $UNIVERSE -j DROP
     
    # external interface, from any source, for ICMP traffic is valid
    #
    $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
    # Allow any related traffic coming back to the server in.
    #
    #  STATEFULLY TRACKED
    #
    $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ----- Begin OPTIONAL INPUT Section -----
    # Secure Shell on port 22.
    #
    # Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
    # Once they are on the BADGUY list then DROP all packets from them.
    $IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j DROP
    $IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --set --name BADGUY_SSH -j ACCEPT
    # HTTPd - Enable the following lines if you run an EXTERNAL WWW server
    #
    #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j LOG --log-prefix "NEW80:" --log-level info
    #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
    # E-mail on port 25. Enable the following lines if you run an EXTERNAL e-mail server.
    #
    #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -m limit --limit 5/minute --limit-burst 3 -s $UNIVERSE -d $EXTIP --dport 25 -j ACCEPT
    # SA:MP server
    #
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p udp -s $UNIVERSE -d $EXTIP --dport 7777 -j ACCEPT
    # Teamspeak3
    #
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p udp -s $UNIVERSE -d $EXTIP --dport 9987 -j ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 10011 -j ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 30033 -j ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 41144 -j ACCEPT
    # Minecraft
    # Is it 2555 or 25555??? UDP or TCP or both?
    #
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p udp -s $UNIVERSE -d $EXTIP --dport 25555 -j ACCEPT
    # Catch all rule, all other incoming is denied.
    # (Leave the log-n-drop jump here so that in future I can remember how to do it.)
    #
    $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j log-n-drop
    # ----- End OPTIONAL INPUT Section -----
    #
    echo Loading OUTPUT rulesets...
    #######################################################################
    # OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
    #         already flushed and set to a default policy of DROP.
    #
    # loopback interface is valid.
    #
    $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
    # anything else outgoing on remote interface is valid
    #
    $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
    # ----- Begin OPTIONAL OUTPUT Section -----
    #
    # Catch all rule, all other outgoing is denied.
    $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j LOG --log-prefix "OCATCH:" --log-level info
    $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j DROP
    # ----- End OPTIONAL OUTPUT Section -----
    #
    #######################################################################
    echo diogo_firewall $FWVER done.
    (note: cut and pasting took out some of my blank line formatting)

  7. #7
    Join Date
    Nov 2009
    Location
    Segur De Calafell, Spain
    Beans
    11,660
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: IPTables problems

    I am not an expert on iptables myself, but I would like to add my opinion:
    1. Make the OUTPUT policy ACCEPT. The attacks are coming from outside the server so having an open OUTPUT policy is very little risk. In my humble opinion.

    2. In addition to the ESTABLISHED connections being accepted by the INPUT chain, I would add RELATED too, and without limiting the ports. Whatever established and related traffic originated from your server you should accept back. Rules exactly like this can stop programs working because the connection they are trying to establish is not accepted back by the INPUT chain. I would use something like:
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    If I'm not mistaken that accepts all traffic originating from your server so that all programs that need internet access can work correctly (this would include DNS requests and apt-get traffic).
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 12.04 LTS 64bit & Windows 7 Ultimate 64bit
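To see the point Doug and Darko are making, here is an added Python model (not from any poster) of the post #1 rule set and of Darko's stateful variant, evaluated with a toy conntrack table. Under the post #1 rules a UDP DNS lookup from an ephemeral port passes both ways (consistent with Doug's puzzlement about the DNS failure), but an HTTP fetch to a package mirror matches no OUTPUT rule and is dropped, which is exactly the apt-get symptom; with OUTPUT set to ACCEPT and a port-agnostic RELATED,ESTABLISHED rule on INPUT the fetch works while an unsolicited packet to port 80 is still dropped. The flow ports (40000, 51000, 55555, 44444) are constructed for the example.

```python
"""Toy model of the two rule sets in this thread, evaluated with conntrack state.

Added example, not from any poster. It models only what the thread needs:
-p / --sport / --dport matches, -m state NEW|ESTABLISHED, chain policies and a
conntrack table, so a reply is ESTABLISHED only when the request that opened the
flow was itself accepted (a dropped packet never creates state).
"""
from dataclasses import dataclass
from typing import Optional

ESTABLISHED = frozenset({"ESTABLISHED"})
NEW_EST = frozenset({"NEW", "ESTABLISHED"})
RETURN = frozenset({"ESTABLISHED", "RELATED"})


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    chain: str   # "OUTPUT" for packets the server sends, "INPUT" for ones it receives


@dataclass(frozen=True)
class Rule:
    proto: Optional[str] = None
    sport: Optional[range] = None        # inclusive ranges built with port()
    dport: Optional[range] = None
    states: Optional[frozenset] = None   # None means no "-m state" match
    target: str = "ACCEPT"

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.sport is None or pkt.sport in self.sport)
                and (self.dport is None or pkt.dport in self.dport)
                and (self.states is None or state in self.states))


def port(lo: int, hi: Optional[int] = None) -> range:
    """--dport lo, or --dport lo:hi, as an inclusive range."""
    return range(lo, (lo if hi is None else hi) + 1)


class Firewall:
    def __init__(self, policy: dict, rules: dict):
        self.policy = policy      # {"INPUT": "DROP", "OUTPUT": "DROP"}
        self.rules = rules        # {"INPUT": [Rule, ...], "OUTPUT": [Rule, ...]}
        self.conntrack = set()    # flows whose first packet was accepted

    @staticmethod
    def flow(pkt: Packet) -> tuple:
        """Both directions of a flow map to one key: (proto, local port, remote port)."""
        if pkt.chain == "OUTPUT":
            return (pkt.proto, pkt.sport, pkt.dport)
        return (pkt.proto, pkt.dport, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        key = self.flow(pkt)
        state = "ESTABLISHED" if key in self.conntrack else "NEW"
        # First matching rule wins; otherwise the chain policy applies.
        verdict = next((r.target for r in self.rules[pkt.chain] if r.matches(pkt, state)),
                       self.policy[pkt.chain])
        if verdict == "ACCEPT":
            self.conntrack.add(key)
        return verdict


def round_trip(fw: Firewall, proto: str, sport: int, dport: int) -> tuple:
    """Server-initiated flow (DNS lookup, apt-get fetch): request out, reply in."""
    req = fw.filter(Packet(proto, sport, dport, "OUTPUT"))
    rep = fw.filter(Packet(proto, dport, sport, "INPUT"))
    return req, rep


def inbound_session(fw: Firewall, proto: str, sport: int, dport: int) -> tuple:
    """Client-initiated flow (SSH login, TS3 client): request in, reply out."""
    req = fw.filter(Packet(proto, sport, dport, "INPUT"))
    rep = fw.filter(Packet(proto, dport, sport, "OUTPUT"))
    return req, rep


# Service ports exactly as listed in post #1.
TCP_SVC = [22, 7777, 9987, 10011, 30033, 25555, 41144, 2008]
UDP_SVC = [7777, 9987, 10011, 30033, 25555, 2010]
SERVICE_IN = ([Rule("tcp", dport=port(p)) for p in TCP_SVC]
              + [Rule("udp", dport=port(p)) for p in UDP_SVC])


def original_ruleset() -> Firewall:
    """Post #1: DROP policies, per-port rules both ways, DNS replies pinned to sport 53."""
    inp = SERVICE_IN + [Rule(pr, sport=port(53), dport=port(1024, 65535), states=ESTABLISHED)
                        for pr in ("tcp", "udp")]
    out = ([Rule("tcp", sport=port(p)) for p in TCP_SVC]
           + [Rule("udp", sport=port(p)) for p in UDP_SVC]
           + [Rule(pr, sport=port(1024, 65535), dport=port(53), states=NEW_EST)
              for pr in ("tcp", "udp")])
    return Firewall({"INPUT": "DROP", "OUTPUT": "DROP"}, {"INPUT": inp, "OUTPUT": out})


def stateful_ruleset() -> Firewall:
    """Darko's suggestion: OUTPUT policy ACCEPT, one port-agnostic return rule on INPUT."""
    return Firewall({"INPUT": "DROP", "OUTPUT": "ACCEPT"},
                    {"INPUT": [Rule(states=RETURN)] + SERVICE_IN, "OUTPUT": []})
```

Each call needs a fresh Firewall, since the conntrack table persists across packets; for example `round_trip(original_ruleset(), "tcp", 51000, 80)` returns `("DROP", "DROP")` while the same call on `stateful_ruleset()` returns `("ACCEPT", "ACCEPT")`.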

  8. #8
    Join Date
    Nov 2012
    Beans
    38

    Re: IPTables problems

    Quote Originally Posted by Doug S View Post
    For Teamspeak3 you might want to study some and determine if all incoming ports need to be open, or if your server will actually create the connection via an outgoing packet to start with. I don't know.

    Below is a quickly created suggestion at an iptables rule set. You will have to set the external IP address, as I have it set for one of my computers for testing. You might want to reduce the number of logging statements to reduce the sizes of your log files.
    You need to read and fully understand the script before you try it. Modifications are probably required for your overall situation.
    Code:
    #!/bin/sh
    FWVER=0.01
    #
    # diogo_firewall 2011.11.15 Ver: 0.01 Attempt 1.
    #       See Ubuntu forums post 12356849
    #       Quick and dirty
    #       diogo: you might want to reduce the logging.
    echo "Loading diogo_firewall version $FWVER..\n"
    # The location of the iptables program
    #
    IPTABLES=/sbin/iptables
    #Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
    #
    EXTIF="eth0"
    # Temp set to Doug s15 computer. diogo set this right.
    EXTIP="192.168.111.112"
    UNIVERSE="0.0.0.0/0"
    echo "   External Interface: $EXTIF   External IP: $EXTIP"
    #Clearing any previous configuration
    #
    echo "  Clearing any existing rules and setting default policy to DROP.."
    # maybe default of ACCEPT will be used until sure things are working
    $IPTABLES -P INPUT DROP
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    # Otherwise, I can not seem to delete it later on
    $IPTABLES -F log-n-drop
    # Delete user defined chains
    $IPTABLES -X
    # Reset all IPTABLES counters
    $IPTABLES -Z
    #######################################################################
    # USER DEFINED CHAIN SUBROUTINES:
    #
    # log-n-drop
    $IPTABLES -N log-n-drop
    $IPTABLES -A log-n-drop -j LOG --log-prefix "GENERIC:" --log-level info
    $IPTABLES -A log-n-drop -j DROP
    #######################################################################
    # INPUT: Incoming traffic from various interfaces.  All rulesets are
    #        already flushed and set to a default policy of DROP.
    #
    # loopback interfaces are valid.
    #
    $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
    # Block specific jerks.
    #
    # http related
    # for example. Put particular annoying IPs directly here:
    #$IPTABLES -A INPUT -i $EXTIF -s 93.170.1.53 -j DROP
    # A NEW TCP connection requires SYN bit set and FIN,RST,ACK reset.
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW TCP no SYN:" --log-level info
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # remote interface, RFC 1918, private internet packets, and some others.
    # diogo: You might be more relaxed and delete this:
    # this one must be removed for testing on Doug internal network:
    #$IPTABLES -A INPUT -i $EXTIF -s 192.168.0.0/16 -d $UNIVERSE -j LOG --log-prefix "Sub192:" --log-level info
    #$IPTABLES -A INPUT -i $EXTIF -s 192.168.0.0/16 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 10.0.0.0/8 -d $UNIVERSE -j LOG --log-prefix "Sub10:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 10.0.0.0/8 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 172.16.0.0/12 -d $UNIVERSE -j LOG --log-prefix "Sub172:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 172.16.0.0/12 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 240.0.0.0/5 -d $UNIVERSE -j LOG --log-prefix "Sub240:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 240.0.0.0/5 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 224.0.0.0/4 -d $UNIVERSE -j LOG --log-prefix "Sub224:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 224.0.0.0/4 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 169.254.0.0/16 -d $UNIVERSE -j LOG --log-prefix "Sub169:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 169.254.0.0/16 -d $UNIVERSE -j DROP
     
    # external interface, from any source, for ICMP traffic is valid
    #
    $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
    # Allow any related traffic coming back to the server in.
    #
    #  STATEFULLY TRACKED
    #
    $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ----- Begin OPTIONAL INPUT Section -----
    # Secure Shell on port 22.
    #
    # Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
    # Once they are on the BADGUY list then DROP all packets from them.
    $IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j DROP
    $IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --set --name BADGUY_SSH -j ACCEPT
    # HTTPd - Enable the following lines if you run an EXTERNAL WWW server
    #
    #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j LOG --log-prefix "NEW80:" --log-level info
    #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
    # E-mail on port 25. Enable the following lines if you run an EXTERNAL e-mail server.
    #
    #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -m limit --limit 5/minute --limit-burst 3 -s $UNIVERSE -d $EXTIP --dport 25 -j ACCEPT
    # SA:MP server
    #
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p udp -s $UNIVERSE -d $EXTIP --dport 7777 -j ACCEPT
    # Teamspeak3
    #
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p udp -s $UNIVERSE -d $EXTIP --dport 9987 -j ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 10011 -j ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 30033 -j ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 41144 -j ACCEPT
    # Minecraft
    # Is it 2555 or 25555??? UDP or TCP or both?
    #
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p udp -s $UNIVERSE -d $EXTIP --dport 25555 -j ACCEPT
    # Catch all rule, all other incoming is denied.
    # (Leave the log-n-drop jump here so that in future I can remember how to do it.)
    #
    $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j log-n-drop
    # ----- End OPTIONAL INPUT Section -----
    #
    echo Loading OUTPUT rulesets...
    #######################################################################
    # OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
    #         already flushed and set to a default policy of DROP.
    #
    # loopback interface is valid.
    #
    $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
    # anything else outgoing on remote interface is valid
    #
    $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
    # ----- Begin OPTIONAL OUTPUT Section -----
    #
    # Catch all rule, all other outgoing is denied.
    $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j LOG --log-prefix "OCATCH:" --log-level info
    $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j DROP
    # ----- End OPTIONAL OUTPUT Section -----
    #
    #######################################################################
    echo diogo_firewall $FWVER done.
    (note: cut and pasting took out some of my blank line formatting)
    I'll see it later and say something, but I have some questions:

    Where can I put this script?
    How to execute the script?

    Thank you!

    Quote Originally Posted by darkod View Post
    I am not an expert on iptables myself, but I would like to add my opinion:
    1. Make the OUTPUT policy ACCEPT. The attacks are coming from outside the server so having an open OUTPUT policy is very little risk. In my humble opinion.

    2. In addition to the ESTABLISHED connections being accepted by the INPUT chain, I would add RELATED too, and without limiting the ports. Whatever established and related traffic originated from your server you should accept back. Rules exactly like this can stop programs working because the connection they are trying to establish is not accepted back by the INPUT chain. I would use something like:
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    If I'm not mistaken that accepts all traffic originating from your server so that all programs that need internet access can work correctly (this would include DNS requests and apt-get traffic).
    I tried that and now I can use Teamspeak 3 without problems, and apt-get. I don't know if those kinds of rules are secure, but it's working. But now I can easily portscan my server with Nmap.

    Thanks!
    Last edited by Di0g0; November 16th, 2012 at 12:38 PM.

  9. #9
    Join Date
    Nov 2009
    Location
    Segur De Calafell, Spain
    Beans
    11,660
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: IPTables problems

    When you say you can scan with nmap, do you mean the ports that you opened for the services, or all ports?

    Because the ports that are opened for the services, to all the world, will be picked up by nmap, you can't run away from that as far as I know.

    But other ports should be reported as filtered, iptables is blocking them.

    You did leave the INPUT policy set to DROP, right?
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 12.04 LTS 64bit & Windows 7 Ultimate 64bit

  10. #10
    Join Date
    Nov 2012
    Beans
    38

    Re: IPTables problems

    Quote Originally Posted by darkod View Post
    When you say you can scan with nmap, do you mean the ports that you opened for the services, or all ports?

    Because the ports that are opened for the services, to all the world, will be picked up by nmap, you can't run away from that as far as I know.

    But other ports should be reported as filtered, iptables is blocking them.

    You did leave the INPUT policy set to DROP, right?
    With the old rules I needed to use -Pn on Nmap to successfully portscan. With these rules I can scan the VPS without -Pn.

    Yes, I have the INPUT policy set to DROP.
