Page 7 of 7 FirstFirst ... 567
Results 61 to 69 of 69

Thread: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

  1. #61
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,125
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    No, it still will not allow new connections. You have
    Code:
    # Allow NEW, ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    and until you make it read
    Code:
    # Allow NEW, ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    no new connections will be allowed.

    As for the meaning of "$OUTS" this will be replaced by the content of a variable named "OUTS" which I suspect will be defined near the start of the script with a line that looks something like
    Code:
    declare OUTS=eth0
    Many script authors do this to make it easy to customize the script by changing the actual value at just one spot. For instance, my outgoing interface is "eth1" so I could just change the "eth0" to "eth1" and the script would work for me. Without using the variable, I would have to change every place that it's used.

    The "$" prefix tells the shell to use the value of the following expression, rather than using it literally. While it's similar to the concept of a symlink, it really has no direct connection to them.

    I'm not sure what you mean by "the ipt_recent patch" since this is simply a module that is added to your script. Once you have edited the script it makes no difference whether you did so via a GUI or by using the command line; the iptables program will simply follow your list of rules and will include the module along with all the others.
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  2. #62
    Join Date
    Jul 2012
    Beans
    30

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    hy

    Thank you for your advice to
    Code:
    iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    I will do so. Actually i had the "NEW", but i deleted it, because my connection did work without also.

    Ok, i understand the meaning of the "$" prefix. Due to my past years in work, i used to tell CNC-machines what to do.
    As this "$" prefix used in IT-systems, we did use for example
    Code:
    #500=X23.56
    at the start of the script.

    The ipt_recent_patch is this one. http://www.snowman.net/projects/ipt_recent/
    I did a check in the
    Code:
    :~$ ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/
    arptable_filter.ko  iptable_raw.ko     ipt_LOG.ko           nf_defrag_ipv4.ko  nf_nat_proto_dccp.ko
    arp_tables.ko        iptable_security.ko  ipt_MASQUERADE.ko     nf_nat_amanda.ko   nf_nat_proto_gre.ko
    arpt_mangle.ko        ip_tables.ko     ipt_NETMAP.ko           nf_nat_ftp.ko      nf_nat_proto_sctp.ko
    ip_queue.ko        ipt_ah.ko         ipt_REDIRECT.ko       nf_nat_h323.ko      nf_nat_proto_udplite.ko
    iptable_filter.ko   ipt_CLUSTERIP.ko     ipt_REJECT.ko           nf_nat_irc.ko      nf_nat_sip.ko
    iptable_mangle.ko   ipt_ecn.ko         ipt_ULOG.ko           nf_nat.ko      nf_nat_snmp_basic.ko
    iptable_nat.ko        ipt_ECN.ko         nf_conntrack_ipv4.ko  nf_nat_pptp.ko      nf_nat_tftp.ko
    :~$
    and i do not have this module compilied. There for i ask for your support on a how to that i do not mess up anything.

    Kind regards
    Last edited by duesentriebchen; July 31st, 2012 at 04:19 PM.

  3. #63
    Join Date
    Jul 2012
    Beans
    30

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Hy dear frodon, dear JKyleOKC.

    I got it working with your help and your knowledge =D>=D>=D>

    I did a seperation on the DROP_LOG´s, to see why the packet is dropped!

    This is really running

    Like you analysed and proposed JKyleOKC, i put the final
    Code:
    -j DROP
    to the end of the script.

    If i do a
    Code:
    tail -f /var/log/firewall
    or a
    Code:
    tail -f /var/log/syslog
    i can see upon the DROP_LOG criteria why the packet is dropped

    This is absoloutely stunning!!! I started with LINUX in February and now i have a almost DIY Firewall on my little server

    The only thing i do not understand, is that upon the modules listed i do not have the ipt_recent module compiled! But it´s running ... ?

    Check out the script and let me know what you think about it!
    Code:
    #!/bin/bash
    
    # ftp.service.3
    # No spoofing !!!
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
    echo 1 > $filtre
    done
    fi 
    
    # No icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp
    modprobe iptable_filter
    modprobe iptable_nat
    modprobe ipt_recent
    
    # Remove all rules
    iptables -F
    iptables -X
    
    # first set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    # New chains
    iptables -N FIREWALL
    iptables -N TRUSTED
    iptables -N BADGUY
    
    # Log chain
    iptables -N LOG_DROP
    iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
    iptables -A LOG_DROP -j DROP
    
    iptables -N LOG_DROP_BAD
    iptables -A LOG_DROP_BAD -j LOG --log-prefix '[IPTABLES DROP BADGUYS] : '
    iptables -A LOG_DROP_BAD -j DROP
    
    iptables -N LOG_DROP_BADEND
    iptables -A LOG_DROP_BADEND -j LOG --log-prefix '[IPTABLES DROP BADEND] : '
    iptables -A LOG_DROP_BADEND -j DROP
    
    iptables -N LOG_DROP_SSH
    iptables -A LOG_DROP_SSH -j LOG --log-prefix '[IPTABLES DROP SSH BRUTEFORCE] : '
    iptables -A LOG_DROP_SSH -j DROP
    
    iptables -N LOG_DROP_FWD
    iptables -A LOG_DROP_FWD -j LOG --log-prefix '[IPTABLES DROP FORWARD] : '
    iptables -A LOG_DROP_FWD -j DROP
    
    iptables -N LOG_DROP_ICMP
    iptables -A LOG_DROP_ICMP -j LOG --log-prefix '[IPTABLES DROP ICMP] : '
    iptables -A LOG_DROP_ICMP -j DROP
    
    # Block any packet from IP-addresses that are present in the badguys list for one hour - port scan
    iptables -A FIREWALL -i eth0 -m recent --name badguys --update --seconds 3600 -j LOG_DROP_BAD
    #iptables -A FIREWALL -i eth0 -m recent --name badguys -j LOG_DROP_BAD
    # Allow NEW, ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Allow self communication
    iptables -A FIREWALL -i lo -j ACCEPT
    iptables -A FIREWALL -o lo -j ACCEPT
    # Send all package to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    # DROP all other packets
    #iptables -A FIREWALL -j LOG_DROP
    
    # Send all through the FIREWALL chain
    iptables -A INPUT -j FIREWALL
    iptables -A FORWARD -j LOG_DROP_FWD
    iptables -A OUTPUT -j FIREWALL
    
    # SSH brute force attacks - verify in /proc/net/ipt_recent files badguys and ssh
    iptables -t filter -I BADGUY -m recent --set --name badguys
    iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --set
    iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 300 --hitcount 6 -j BADGUY
    iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 30 --hitcount 3 -j LOG_DROP_SSH
    
    # Block inbound and outbound icmp traffic
    iptables -A TRUSTED -i eth0 -p icmp -j LOG_DROP_ICMP
    iptables -A TRUSTED -o eth0 -p icmp -j LOG_DROP_ICMP
    
    # Allow inbound ssh traffic
    iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # Allow ftp inbound and outbound traffic
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 1024:65535 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    
    # Allow inbound http,https traffic
    iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # Allow outbound tcp and udp traffic
    iptables -A TRUSTED -o eth0 -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
    iptables -A TRUSTED -o eth0 -p udp -m udp -m state --state ESTABLISHED -j ACCEPT
    
    # IMPORTANT Send all DROP package from FIREWALL chain to the badguys list - port scan
    iptables -A FIREWALL -t filter -i eth0 -j LOG_DROP_BADEND -m recent --set --name badguys
    
    # End message
    echo " [End iptables rules setting]"
    Kind regards

  4. #64
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,125
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    I don't see anything seriously wrong. You do have a few rules that will never match, because rules that will be tested earlier will already deal with any packet that could match them, but it won't hurt anything to leave them in. One of my main policies, always, is to be very careful about making changes once I have something working the way I want!

    I'm not sure that your outbound FTP rule for port 21 will allow you to FTP anything INTO the server, such as downloading a software package from some other system, since it still does not have a NEW state specified although the input rule does. However you may not want to be able to initiate an FTP transfer at the server, so this might not be a problem at all.

    Congratulations!

    EDIT: The ipt-reject module may be compiled into your kernel already; it is in mine. The actual name is ipt-REJECT so the difference in case might be why you aren't finding it. I checked by doing "lsmod|grep ip" on a command line, to find it.
    Last edited by JKyleOKC; August 1st, 2012 at 04:43 AM. Reason: Added information.
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  5. #65
    Join Date
    Jul 2012
    Beans
    30

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Dear JKyleOKC

    Thank you for your quick reply.

    Wich NON-CONSIDERED rules do mean. Could you be so kind to point these out please?

    Considering the FTP-service:
    I did upload, download and delete files. Also create, rename etc. and delete directories using ftp, ftps and sftp.
    So the ftp service is working.

    ipt-REJECT you say. I will check this. Thank you for pointing out!!!

    Best regards

  6. #66
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,125
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    My remark involved the "NEW, ESTABLISHED, RELATED" and "ESTABLISHED,RELATED" clauses in the TRUSTED chain. On closer examination, I may have found a serious error here.

    My original reasoning was that since the third rule in your FIREWALL chain accepts any NEW,ESTABLISHED,RELATED packet that the rules in the TRUSTED chain that included similar match conditions would not be reached.

    What I've just discovered is that including "NEW," in that third rule makes sure that the TRUSTED chain will never be reached, since the rule that jumps to it appears later in the FIREWALL chain.

    I believe that you can remove "NEW," from that third rule of FIREWALL, leaving only "ESTABLISHED,RELATED" as its match conditions, and can then remove all "ESTABLISHED,RELATED" conditions from all the rules in TRUSTED, leaving only NEW as their match condition. Any rule in TRUSTED that does not have a NEW match condition would then be superfluous and could be removed.

    What I believe will be the result of those changes is that any new connection will have to pass through the TRUSTED chain to be accepted. Once the packet is accepted by TRUSTED, subsequent packets in that connection will be accepted by the third rule of FIREWALL and never go to TRUSTED for checking again. If TRUSTED rejects the packet, no connection will be established and all subsequent packets from that attempt will also go to TRUSTED and be rejected. At least, that's my intention.

    When testing this, I would keep a safe copy of the script as another file, since it does work as written and my analysis just might prevent it from working! When tracing the progress of a packet through the whole set of chains, it's very easy to introduce unwanted side effects.

    I hope I'm not leading you astray!
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  7. #67
    Join Date
    Jul 2012
    Beans
    30

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Hy JKyleOKC

    Ok, i think slowly i get an idea of this thing working.
    I do understand your topic for processing packets in the tables NEW.
    But...
    Isn´t any packet forwarded from the FIREWALL chain to the TRUSTED chain if it does not match any rules in the FIREWALL chain. If i understand this, then the packets that do not match any criteria in the FIREWALL chain should be forwarded in the TRUSTED chain.....
    Aaahh...now i understand!!! OK!!!
    The INPUT chain forwards any packet to the FIREWALL chain.
    If it is not dropped in the FIREWALL chain it will be forwarderd to the TRUSTED chain.
    If it does not meet any criteria in the TRUSTED chain then it will be finally DROPPED. Is this right?

    1.) So if i delete NEW in the first rule down below, then NO NEW packet will be processed in the FIREWALL chain. But what happens to this NEW packet? Is it forwarded to the TRUSTED chain since this NEW packet does not meet any criteria in the FIREWALL chain, or is it dropped in the FIREWALL chain?
    Code:
    # Allow NEW, ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT# Send all package to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    2.) If i leave the NEW in the first rule, and it does not meet any criteria in the FIREWALL chain, is it then forwarded to the TRUSTED chain as a NEW packet or is it dropped by the FIREWALL chain?

    I did modify the script. My services are still running and reachable.
    The only thing i am missing in the DROP_LOG´s, is that the ssh bruteforce rule does not seem to work. On the other hand nobody is bruteforcing me at the moment beeing

    But i think i am having problems by building the files ssh and badguys. I also do not believe that the ssh brutforce chain is working...

    EDIT: It must be working. The SRC is first dropped by the DROP_LOG_BADEND and aftherwords by DROP_LOG_BADGUYS -> so the list´s are obviousley working!!! I just have to wait for a bruteforce-attack ....
    Code:
    Aug  1 20:26:48  kernel: [167587.550598] [IPTABLES DROP BADEND] : IN=eth0 OUT= MAC= SRC=74.120.12.140 DST=xxx.xxx.xxx.xx LEN=626 TOS=0x00 PREC=0x00 TTL=45 ID=39804 DF PROTO=TCP SPT=24517 DPT=9001 WINDOW=16 RES=0x00 ACK URGP=0 
    Aug  1 20:26:49 kernel: [167588.007598] [IPTABLES DROP BADGUYS] : IN=eth0 OUT= MAC= SRC=74.120.12.140 DST=xxx.xxx.xxx.xx LEN=576 TOS=0x00 PREC=0x00 TTL=45 ID=39806 DF PROTO=TCP SPT=24517 DPT=9001 WINDOW=16 RES=0x00 ACK URGP=0 
    Aug  1 20:26:49 kernel: [167588.691429] [IPTABLES DROP BADGUYS] : IN=eth0 OUT= MAC= SRC=77.106.125.32 DST=xxx.xxx.xxx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=15137 DF PROTO=TCP SPT=52198 DPT=16906 WINDOW=8192 RES=0x00 SYN URGP=0 
    Aug  1 20:26:50 kernel: [167588.931737] [IPTABLES DROP BADGUYS] : IN=eth0 OUT= MAC= SRC=74.120.12.140 DST=xxx.xxx.xxx.xx LEN=576 TOS=0x00 PREC=0x00 TTL=45 ID=39807 DF PROTO=TCP SPT=24517 DPT=9001 WINDOW=16 RES=0x00 ACK URGP=0
    My /var/log/firewall looks like this
    Code:
    Aug  1 19:35:09 xxxxxxx kernel: [164488.550780] [IPTABLES DROP BADEND] : IN=eth0 OUT= MAC=xx:Xx:xx:Xx:XX:XX:xx:xx:XX:xx SRC=93.182.175.141 DST=xxx.xxx.xx.xxx LEN=76 TOS=0x00 PREC=0x00 TTL=107 ID=9425 PROTO=UDP SPT=13501 DPT=16906 LEN=56 
    Aug  1 19:35:10 xxxxxxx kernel: [164489.102976] [IPTABLES DROP BADGUYS] : IN=eth0 OUT= MAC=xx:Xx:xx:Xx:XX:XX:xx:xx:XX:xx  SRC=81.206.158.42 DST=xxx.xxx.xx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=24627 DF PROTO=TCP SPT=56270 DPT=9030 WINDOW=0 RES=0x00 ACK RST URGP=0 
    Aug  1 19:43:13 xxxxxxx kernel: [164972.054903] [IPTABLES DROP ICMP] : IN=eth0 OUT= MAC=xx:Xx:xx:Xx:XX:XX:xx:xx:XX:xx SRC=94.245.252.128 DST=xxx.xxx.xx.xxx LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=43017 SEQ=1
    My script looks like this at the moment.

    EDIT: I do some experimental logging with the NEW filter in the FIREWALL chain below. If i leave it there my logging/dropping decreases. If i remove it my logging/dropping increases. WHAT does this in conclusion mean?
    Code:
    # Allow NEW, ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    Code:
    #!/bin/bash
    
    # ftp.service.4
    # No spoofing !!!
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
    echo 1 > $filtre
    done
    fi 
    
    # No icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp
    modprobe iptable_filter
    modprobe iptable_nat
    modprobe ipt_REJECT
    modprobe ipt_recent
    
    # Remove all rules
    iptables -F
    iptables -X
    
    # first set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    # New chains
    iptables -N FIREWALL
    iptables -N TRUSTED
    iptables -N BADGUY
    
    # Log chain
    iptables -N LOG_DROP
    iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
    iptables -A LOG_DROP -j DROP
    
    iptables -N LOG_DROP_BAD
    iptables -A LOG_DROP_BAD -j LOG --log-prefix '[IPTABLES DROP BADGUYS] : '
    iptables -A LOG_DROP_BAD -j DROP
    
    iptables -N LOG_DROP_BADEND
    iptables -A LOG_DROP_BADEND -j LOG --log-prefix '[IPTABLES DROP BADEND] : '
    iptables -A LOG_DROP_BADEND -j DROP
    
    iptables -N LOG_DROP_SSH
    iptables -A LOG_DROP_SSH -j LOG --log-prefix '[IPTABLES DROP SSH BRUTEFORCE] : '
    iptables -A LOG_DROP_SSH -j DROP
    
    iptables -N LOG_DROP_FWD
    iptables -A LOG_DROP_FWD -j LOG --log-prefix '[IPTABLES DROP FORWARD] : '
    iptables -A LOG_DROP_FWD -j DROP
    
    iptables -N LOG_DROP_ICMP
    iptables -A LOG_DROP_ICMP -j LOG --log-prefix '[IPTABLES DROP ICMP] : '
    iptables -A LOG_DROP_ICMP -j DROP
    
    iptables -N LOG_DROP_HTTP
    iptables -A LOG_DROP_HTTP -j LOG --log-prefix '[IPTABLES DROP HTTP] : '
    iptables -A LOG_DROP_HTTP -j DROP
    
    # Block any packet from IP-addresses that are present in the badguys list for one hour - port scan
    iptables -A FIREWALL -i eth0 -m recent --name badguys --update --seconds 3600 -j LOG_DROP_BAD
    
    # Allow NEW, ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    
    # Block any packet from IP-addresses that are present in the badguys list for one hour - port scan
    #iptables -A FIREWALL -i eth0 -m recent --name badguys --update --seconds 3600 -j LOG_DROP_BAD
    
    # SSH brute force attacks - verify in /proc/net/files badguys and ssh
    iptables -t filter -I BADGUY -m recent --set --name badguys
    iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --set
    iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 300 --hitcount 6 -j BADGUY
    iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 30 --hitcount 3 -j LOG_DROP_SSH
    
    # HTTP attacks - verify in /proc/net/ipt_recent files badguys and http
    iptables -t filter -I BADGUY -m recent --set --name badguys
    iptables -A FIREWALL -i eth0 -p tcp --syn --dport 80 -m recent --name http --set
    iptables -A FIREWALL -i eth0 -p tcp --syn --dport 80 -m recent --name http --rcheck --seconds 300 --hitcount 6 -j BADGUY
    iptables -A FIREWALL -i eth0 -p tcp --syn --dport 80 -m recent --name http --rcheck --seconds 30 --hitcount 3 -j LOG_DROP_HTTP
    
    # Block inbound and outbound icmp traffic
    iptables -A FIREWALL -i eth0 -p icmp -j LOG_DROP_ICMP
    iptables -A FIREWALL -o eth0 -p icmp -j LOG_DROP_ICMP
    
    # Allow self communication
    iptables -A FIREWALL -i lo -j ACCEPT
    iptables -A FIREWALL -o lo -j ACCEPT
    
    # IMPORTANT Send all DROP package from FIREWALL chain to the badguys list - port scan
    #iptables -A FIREWALL -t filter -i eth0 -j LOG_DROP_BADEND -m recent --set --name badguys
    
    # Send all package to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    
    # Send all through the FIREWALL chain
    iptables -A INPUT -j FIREWALL
    iptables -A FORWARD -j LOG_DROP_FWD
    iptables -A OUTPUT -j FIREWALL
    
    # IMPORTANT Send all DROP package from FIREWALL chain to the badguys list - port scan
    iptables -A FIREWALL -t filter -i eth0 -j LOG_DROP_BADEND -m recent --set --name badguys
    
    # Allow inbound ssh traffic
    iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # Allow ftp inbound and outbound traffic
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 1024:65535 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Allow inbound http,https traffic
    iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # Allow outbound tcp and udp traffic
    iptables -A TRUSTED -o eth0 -p tcp -m tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A TRUSTED -o eth0 -p udp -m udp -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # IMPORTANT Send all DROP package from FIREWALL chain to the badguys list - port scan
    #iptables -A FIREWALL -t filter -i eth0 -j LOG_DROP_BADEND -m recent --set --name badguys
    
    # End message
    echo " [End iptables rules setting]"
    Last edited by duesentriebchen; August 1st, 2012 at 07:39 PM.

  8. #68
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,125
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    I have to be a bit brief this time but will go over your full script later.

    For your first question, if you leave out NEW from the FIREWALL chain then the packet will go to TRUSTED to be checked since there's no DROP between the third rule and the jump to TRUSTED. Actually you don't need a DROP action in FIREWALL at all, and if the jump to TRUSTED were its last rule then TRUSTED would not need a DROP either. A bad packet would come into INPUT, go to FIREWALL and not be accepted, then go to TRUSTED and not be accepted there either, then "fall off the end" of TRUSTED to return to FIREWALL, there do the same to return to INPUT, and finally at INPUT be dropped, either by an explicit rule or by policy. This would lose your detailed logging scheme, however, so I would leave those DROP actions in TRUSTED and FIREWALL.

    For question two, if you leave NEW in firewall then any new connection will be accepted without ever going to TRUSTED to be checked. This is also why you see fewer drops in this case per your final question; bad connections get through unquestioned.

    I'll go through the full script later today.
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  9. #69
    Join Date
    Jul 2012
    Beans
    30

    Talking Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Dera JKyleOKC

    Thank you very much for your exlpanation!!! I did not know, that there is a loop in the chains. So thanks to your effort i did understand this and implementet, or tried to, your knowledge in the script. I tried to clean it, so it is more understandable. The LOG_DROP´s help me to understand what is dropped, why it is dropped, and which chain did DROP.

    I also did find the badguys and ssh list in /proc/net/xt_recent

    I hope you are not to deeply investigating my previous script, and getting a headache because of me!!!!
    I can proudly present a running script

    Code:
    #!/bin/bash
    
    # ftp.service.final
    # No spoofing !!!
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
    echo 1 > $filtre
    done
    fi 
    
    # No icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp
    modprobe iptable_filter
    modprobe iptable_nat
    modprobe ipt_REJECT
    modprobe ipt_recent
    
    # Remove all rules
    iptables -F
    iptables -X
    
    # first set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    # New chains
    iptables -N FIREWALL
    iptables -N TRUSTED
    iptables -N BADGUY
    
    # Log chain
    iptables -N LOG_DROP
    iptables -A LOG_DROP -j LOG --log-prefix '[DROP INPUT] : '
    iptables -A LOG_DROP -j DROP
    
    iptables -N LOG_DROP_BAD1
    iptables -A LOG_DROP_BAD1 -j LOG --log-prefix '[DROP BADGUYS FIREWALL] : '
    iptables -A LOG_DROP_BAD1 -j DROP
    
    iptables -N LOG_DROP_BAD2
    iptables -A LOG_DROP_BAD2 -j LOG --log-prefix '[DROP BADGUYS TRUSTED] : '
    iptables -A LOG_DROP_BAD2 -j DROP
    
    iptables -N LOG_DROP_BADEND1
    iptables -A LOG_DROP_BADEND1 -j LOG --log-prefix '[DROP BADEND FIREWALL] : '
    iptables -A LOG_DROP_BADEND1 -j DROP
    
    iptables -N LOG_DROP_BADEND2
    iptables -A LOG_DROP_BADEND2 -j LOG --log-prefix '[DROP BADEND TRUSTED] : '
    iptables -A LOG_DROP_BADEND2 -j DROP
    
    iptables -N LOG_DROP_SSH
    iptables -A LOG_DROP_SSH -j LOG --log-prefix '[DROP SSH BRUTEFORCE] : '
    iptables -A LOG_DROP_SSH -j DROP
    
    iptables -N LOG_DROP_FTP
    iptables -A LOG_DROP_FTP -j LOG --log-prefix '[DROP FTP BRUTEFORCE] : '
    iptables -A LOG_DROP_FTP -j DROP
    
    iptables -N LOG_DROP_FWD
    iptables -A LOG_DROP_FWD -j LOG --log-prefix '[DROP FORWARD] : '
    iptables -A LOG_DROP_FWD -j DROP
    
    iptables -N LOG_DROP_ICMP1
    iptables -A LOG_DROP_ICMP1 -j LOG --log-prefix '[DROP ICMP FIREWALL] : '
    iptables -A LOG_DROP_ICMP1 -j DROP
    
    iptables -N LOG_DROP_ICMP2
    iptables -A LOG_DROP_ICMP2 -j LOG --log-prefix '[DROP ICMP TRUSTED] : '
    iptables -A LOG_DROP_ICMP2 -j DROP
    
    # -----------------------------------------------------------------------------------------------------------------------
    
    # Block any packet from IP´s that are present in the badguys list verify in /proc/net/xt_recent/files badguys and ssh
    iptables -t filter -I BADGUY -m recent --set --name badguys
    iptables -A FIREWALL -i eth0 -m recent --name badguys --update --seconds 3600 -j LOG_DROP_BAD1
    
    # Allow ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Allow self communication
    iptables -A FIREWALL -i lo -j ACCEPT
    iptables -A FIREWALL -o lo -j ACCEPT
    
    # Block inbound and outbound icmp traffic
    iptables -A FIREWALL -i eth0 -p icmp -j LOG_DROP_ICMP1
    iptables -A FIREWALL -o eth0 -p icmp -j LOG_DROP_ICMP1
    
    # Send all package to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    
    # IMPORTANT Send all DROP package from FIREWALL chain to the badguys list - port scan
    iptables -A FIREWALL -t filter -i eth0 -j LOG_DROP_BADEND1 -m recent --set --name badguys
    
    # Send all through the FIREWALL chain
    iptables -A INPUT -j FIREWALL
    iptables -A FORWARD -j LOG_DROP_FWD
    iptables -A OUTPUT -j FIREWALL
    
    # -----------------------------------------------------------------------------------------------------------------------
    
    # Block any packet from IP´s that are present in the badguys list verify in /proc/net/xt_recent/files badguys and ssh
    iptables -A TRUSTED -i eth0 -m recent --name badguys --update --seconds 3600 -j LOG_DROP_BAD2
    
    # SSH brute force attacks - verify in /proc/net/xt_recent/file ssh
    iptables -A TRUSTED -i eth0 -p tcp --syn --dport ssh -m recent --name ssh --set
    iptables -A TRUSTED -i eth0 -p tcp --syn --dport ssh -m recent --name ssh --rcheck --seconds 300 --hitcount 6 -j BADGUY
    iptables -A TRUSTED -i eth0 -p tcp --syn --dport ssh -m recent --name ssh --rcheck --seconds 30 --hitcount 3 -j LOG_DROP_SSH
    
    # FTP brute force attacks - verify in /proc/net/xt_recent/file ftp
    iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 20,21 --syn -m recent --name ftp --set
    iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 20,21 --syn -m recent --name ftp --rcheck --seconds 300 --hitcount 6 -j BADGUY
    iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 20,21 --syn -m recent --name ftp --rcheck --seconds 30 --hitcount 3 -j LOG_DROP_FTP
    
    # Block inbound and outbound icmp traffic
    iptables -A TRUSTED -i eth0 -p icmp -j LOG_DROP_ICMP2
    iptables -A TRUSTED -o eth0 -p icmp -j LOG_DROP_ICMP2
    
    # Allow inbound ssh traffic
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # Allow ftp inbound and outbound traffic
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 1024:65535 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Allow inbound http,https traffic
    iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # Allow outbound tcp and udp traffic
    iptables -A TRUSTED -o eth0 -p tcp -m tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A TRUSTED -o eth0 -p udp -m udp -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # IMPORTANT Send all DROP package from TRUSTED chain to the badguys list - port scan
    iptables -A TRUSTED -t filter -i eth0 -j LOG_DROP_BADEND2 -m recent --set --name badguys
    
    # -----------------------------------------------------------------------------------------------------------------------
    
    iptables -A INPUT -j LOG_DROP
    
    # End message
    echo " [End iptables rules setting]"


    I want to thank you all very, very, very much for hanging me trough the last days and nights!
    THANK YOU VERY MUCH!!!!
    It would not have been possible without you!!!
    Thank you!!!

    Kindest regards from Austria,
    Duesentriebchen

    Last edited by duesentriebchen; August 2nd, 2012 at 08:37 PM.

Page 7 of 7 FirstFirst ... 567

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •