Page 2 of 3
Results 11 to 20 of 26

Thread: IPTables problems

  1. #11
    Join Date
    Nov 2009
    Location
    Catalunya, Spain
    Beans
    14,558
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: IPTables problems

    That -Pn option means nothing, it only treats the host as online in case it can't detect it. It makes no difference whether the port will be reported as opened and closed. At least that's how I understand it from the nmap options.

    You also asked about loading the rules at boot. Usually you would do it by creating a text file, for example /etc/iptables.rules and then loading this file on boot by adding a command in /etc/network/interfaces.

    For example, in the eth0 section (group of commands), you will add:
    post-up iptables-restore < /etc/iptables.rules

    That will flush the iptables and load the rules from the file specified immediately after the eth0 interface is brought online.

    The /etc/iptables.rules file is a little bit simpler than the script Doug posted, like:
    Code:
    *nat
    # <any rules you want for the nat chain
    # ignore this part if you don't need nat rules>
    COMMIT
    
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # ...continue with all your other rules...
    COMMIT

    In the *filter section you first set the default policies, and then start adding rules. Don't forget to also add rules about ssh if you plan to manage the server over the network. In that case, especially if you are on the same internal network all the time, you can specify to let you in only from your private IP.

    Let's say your desktop has the 192.168.1.100 address (you better make it static, not dynamic). Then it would be like:
    -A INPUT -p tcp -s 192.168.1.100 --dport 22 -j ACCEPT

    That will allow ssh only from your desktop, for additional security.
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 18.04 LTS 64bit
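
A pre-load check for the rules file described in post #11, as an added example that is not part of the thread: it flags a DROP policy on INPUT with no ssh or RELATED,ESTABLISHED accept rule, and a table left without COMMIT. The helper name `check_rules` and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). check_rules is a hypothetical helper:
# it lints an iptables-restore file for the lock-out cases post #11 warns about.
check_rules() {
    awk '
        $1 ~ /^\*/     { table = substr($1, 2); seen[table] = 1; unclosed = 1 }
        $1 == "COMMIT" { unclosed = 0 }
        table == "filter" && $1 == ":INPUT" { policy = $2 }
        table == "filter" && $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
            if ($0 ~ /--dport 22( |$)/) ssh = 1   # any source, or one limited with -s
            if ($0 ~ /ESTABLISHED/)     est = 1
        }
        END {
            if (!seen["filter"]) { print "no *filter table"; bad = 1 }
            if (unclosed)        { print "last table has no COMMIT"; bad = 1 }
            if (policy == "DROP" && !ssh) { print "INPUT is DROP but nothing accepts tcp/22"; bad = 1 }
            if (policy == "DROP" && !est) { print "INPUT is DROP but no RELATED,ESTABLISHED rule"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the file from post #11 with the ssh rule added.
rules=$(mktemp)
cat > "$rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 192.168.1.100 --dport 22 -j ACCEPT
COMMIT
EOF
if check_rules "$rules"; then
    echo "ok: no lock-out problems found"
    # As root, `iptables-restore --test < file` also parses it without committing.
fi
rm -f "$rules"
```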

  2. #12
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,499
    Distro
    Ubuntu Development Release

    Re: IPTables problems

    You can put my file anywhere. You can execute it by setting it as executable and running path/diogo_firewall. You can also automate on startup the same way darko showed above.
    I could have done the script in the iptables-restore method, I just didn't.

    It has the ESTABLISHED, RELATED stuff darko mentioned, for the reasons that darko mentioned.

    I left OUTPUT default policy as DROP, as that is my own preference. If I covered everything properly, that default policy rule should actually never be hit.
    Last edited by Doug S; November 16th, 2012 at 05:05 PM. Reason: typos

  3. #13
    Join Date
    Nov 2012
    Beans
    38

    Re: IPTables problems

    I'm receiving a DDoS attack right now!

    With these rules (INPUT Drop, Forw Drop, Output accept) my servers are up and running but with 50% packet loss! (It's better than before I applied these rules).

    Is there any way to decrease the packet loss %?

    Before these rules the servers went down...

    Thanks.
    Last edited by Di0g0; November 19th, 2012 at 08:39 PM.

  4. #14
    Join Date
    Nov 2009
    Location
    Catalunya, Spain
    Beans
    14,558
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: IPTables problems

    Well, Doug is a better expert than me, but what do you refer to with "packet loss"?

    If you are counting the packets dropped by iptables, then it's normal to drop the packets that shouldn't be allowed in. How big the number will be, depends on the amount of "good" and "bad" traffic.

    In any case the ESTABLISHED,RELATED rule should be no problem since it only allows in traffic that originated from your server. If any attacks originate on the server, you have much bigger problems. If you have only "legitimate" traffic on the server, it's no problem to allow in the response to that traffic, right?

    During attacks there will be a high number of packets dropped all the time, so don't worry about that number if that gets you worried.
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 18.04 LTS 64bit

  5. #15
    Join Date
    Nov 2012
    Beans
    38

    Re: IPTables problems

    Quote, originally posted by darkod:
    Well, Doug is a better expert than me, but what do you refer to with "packet loss"?

    If you are counting the packets dropped by iptables, then it's normal to drop the packets that shouldn't be allowed in. How big the number will be, depends on the amount of "good" and "bad" traffic.

    In any case the ESTABLISHED,RELATED rule should be no problem since it only allows in traffic that originated from your server. If any attacks originate on the server, you have much bigger problems. If you have only "legitimate" traffic on the server, it's no problem to allow in the response to that traffic, right?

    During attacks there will be a high number of packets dropped all the time, so don't worry about that number if that gets you worried.

    My problem is the bandwidth. With packet loss I mean people breaking on teamspeak 3 because the server starts losing packets, and the same happens on the samp server.



    When the attack reaches 100mbit/s the server starts failing, but when it's only 60mbit/s I have no problems!

    Thanks.

  6. #16
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,499
    Distro
    Ubuntu Development Release

    Re: IPTables problems

    Sorry, I am not following, and I don't understand the two graphs above or what we are supposed to learn from looking at them.
    Maybe we need to observe some traffic via a tcpdump capture to be sure bad guy packets are being dealt with in the most efficient manner. It might be that some direct bad guy drops need to be inserted.
    I don't know anything about Teamspeak or samp or minecraft. Is it possible your server is overloading? Do you observe with "top" at all?

  7. #17
    Join Date
    Nov 2012
    Beans
    38

    Re: IPTables problems

    Quote, originally posted by Doug S:
    Sorry, I am not following, and I don't understand the two graphs above or what we are supposed to learn from looking at them.
    Maybe we need to observe some traffic via a tcpdump capture to be sure bad guy packets are being dealt with in the most efficient manner. It might be that some direct bad guy drops need to be inserted.
    I don't know anything about Teamspeak or samp or minecraft. Is it possible your server is overloading? Do you observe with "top" at all?

    I can explain.

    These simple rules helped keep the servers online, but with packet loss, people connected to my VPS start losing packets. I think this is happening because my VPS is with only 100mbit/s connection and the attacks are eating all the bandwidth.

    On the first printscreen you can see the attack. As you can see MDX-MultiGaming is my machine and the right side IPs with :domain in the end are servers attacking my VPS. And as you can see on the print screen they are attacking random ports on my VPS.

    The second image shows the Incoming traffic (INPUT) created by this DDoS. 10M means 100mbit/s, when the attack reaches this peak (100mbit/s) all the servers start failing, but when it's above 10M everything runs fine.

    I'm sorry for my English, I don't speak English frequently so...

    Thanks

  8. #18
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,499
    Distro
    Ubuntu Development Release

    Re: IPTables problems

    Could you post a new output for the command from posting #4, so we can see the packet/byte counts for the various paths through iptables.

    I think Darko explained well in posting #14, what should be occurring in terms of dropping the bad guy traffic.

  9. #19
    Join Date
    Nov 2012
    Beans
    38

    Re: IPTables problems

    Code:
    Chain INPUT (policy DROP 16957046 packets, 11531184145 bytes)
        pkts      bytes target     prot opt in     out     source               destination
        4278   350991 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
          24     1108 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:7777
    33645992 2846439092 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:7777
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9987
    11857137 1150061110 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:9987
       12069   675947 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10011
         253   169695 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:10011
        6638   394542 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:30033
         367   338870 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:30033
           6      288 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25555
         217   138508 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:25555
        3423   172672 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:41144
         261   174205 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:2010
          13      604 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2008
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:53 dpts:1024:65535 state ESTABLISHED
        2147   244383 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 dpts:1024:65535 state ESTABLISHED
       53285  4458057 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
       73003 107941145 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 50491 packets, 2228699 bytes)
        pkts      bytes target     prot opt in     out     source               destination
        3959   674028 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22
          24      960 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:7777
    47324442 5027877148 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:7777
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:9987
    33748075 3654322644 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:9987
        9440  4781557 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:10011
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:10011
        9734  8804487 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:30033
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:30033
           6      240 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25555
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:25555
        3423   136920 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:41144
           0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:2010
          13      520 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:2008
           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
        2197   153192 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
       10352  1369060 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain LOGGING (0 references)
        pkts      bytes target     prot opt in     out     source               destination
        2474   193918 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 2/min burst 5 LOG flags 0 level 7 prefix `IPTables Packet Dropped: '
       41515  3291955 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

  10. #20
    Join Date
    Nov 2009
    Location
    Catalunya, Spain
    Beans
    14,558
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: IPTables problems

    You have a lot of traffic on ports 7777 and 9987, not only INPUT but also OUTPUT.

    I can't judge if this is all attacks. Are you sure you don't have very high legitimate traffic too?
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 18.04 LTS 64bit
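
One way to read the counters from post #19, as an added example that is not part of the thread: it ranks the INPUT chain's policy and rules by byte count and gives each one's share of everything the chain counted. The helper names `rank_chain` and `sample_post19` are assumptions; the sample rows are the INPUT chain from post #19 with the line wrapping removed and spacing compacted.

```shell
#!/bin/sh
# Added example (not from the thread). rank_chain reads iptables counter
# output on stdin and prints "<bytes> <share> <label>", largest first.
rank_chain() {
    awk -v chain="$1" '
        $1 == "Chain" {
            cur = $2
            if (cur == chain && $3 == "(policy") { n++; bytes[n] = $7; label[n] = "policy-" $4 }
            next
        }
        cur != chain || $1 !~ /^[0-9]+$/ { next }   # other chains, column header, blanks
        {
            n++; bytes[n] = $2; label[n] = $3 "/" $4
            for (i = 10; i <= NF; i++) if ($i ~ /^[ds]pts?:/) label[n] = label[n] "/" $i
        }
        END {
            for (i = 1; i <= n; i++) total += bytes[i]
            if (total > 0) for (i = 1; i <= n; i++)
                printf "%.0f %.1f%% %s\n", bytes[i], 100 * bytes[i] / total, label[i]
        }
    ' | sort -rn
}

sample_post19() { cat <<'EOF'
Chain INPUT (policy DROP 16957046 packets, 11531184145 bytes)
4278 350991 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
24 1108 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7777
33645992 2846439092 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:7777
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9987
11857137 1150061110 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9987
12069 675947 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10011
253 169695 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:10011
6638 394542 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30033
367 338870 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:30033
6 288 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25555
217 138508 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:25555
3423 172672 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:41144
261 174205 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2010
13 604 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2008
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpts:1024:65535 state ESTABLISHED
2147 244383 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535 state ESTABLISHED
53285 4458057 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
73003 107941145 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
EOF
}

sample_post19 | rank_chain INPUT | head -n 5
```

The top rows separate what the DROP policy discarded from what the udp 7777 and 9987 rules accepted; the counters alone do not say how much of the accepted traffic is legitimate, which is the question raised in post #20.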
