Hi JKyleOKC
OK, I think I am slowly getting an idea of how this thing works.
I do understand your point about processing NEW packets in the tables.
But...
Isn't any packet forwarded from the FIREWALL chain to the TRUSTED chain if it does not match any rule in the FIREWALL chain? If I understand this correctly, then the packets that do not match any criteria in the FIREWALL chain should be forwarded to the TRUSTED chain.....
Aaahh... now I understand!!! OK!!!
The INPUT chain forwards every packet to the FIREWALL chain.
If it is not dropped in the FIREWALL chain, it will be forwarded to the TRUSTED chain.
If it does not meet any criteria in the TRUSTED chain, then it will finally be DROPPED. Is this right?
1.) So if I delete NEW in the first rule below, then NO NEW packet will be processed in the FIREWALL chain. But what happens to this NEW packet? Is it forwarded to the TRUSTED chain, since this NEW packet does not meet any criteria in the FIREWALL chain, or is it dropped in the FIREWALL chain?
Code:
# Allow NEW, ESTABLISHED and RELATED incoming connections
iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Send all packets to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED
2.) If I leave the NEW in the first rule and it does not meet any criteria in the FIREWALL chain, is it then forwarded to the TRUSTED chain as a NEW packet, or is it dropped by the FIREWALL chain?
I modified the script. My services are still running and reachable.
The only thing I am missing in the DROP_LOGs is that the SSH brute-force rule does not seem to work. On the other hand, nobody is brute-forcing me at the moment.
But I think I am having problems building the files ssh and badguys. I also do not believe that the SSH brute-force chain is working...
EDIT: It must be working. The SRC is first dropped by DROP_LOG_BADEND and afterwards by DROP_LOG_BADGUYS -> so the lists are obviously working!!! I just have to wait for a brute-force attack....
Code:
Aug 1 20:26:48 kernel: [167587.550598] [IPTABLES DROP BADEND] : IN=eth0 OUT= MAC= SRC=74.120.12.140 DST=xxx.xxx.xxx.xx LEN=626 TOS=0x00 PREC=0x00 TTL=45 ID=39804 DF PROTO=TCP SPT=24517 DPT=9001 WINDOW=16 RES=0x00 ACK URGP=0
Aug 1 20:26:49 kernel: [167588.007598] [IPTABLES DROP BADGUYS] : IN=eth0 OUT= MAC= SRC=74.120.12.140 DST=xxx.xxx.xxx.xx LEN=576 TOS=0x00 PREC=0x00 TTL=45 ID=39806 DF PROTO=TCP SPT=24517 DPT=9001 WINDOW=16 RES=0x00 ACK URGP=0
Aug 1 20:26:49 kernel: [167588.691429] [IPTABLES DROP BADGUYS] : IN=eth0 OUT= MAC= SRC=77.106.125.32 DST=xxx.xxx.xxx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=15137 DF PROTO=TCP SPT=52198 DPT=16906 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 1 20:26:50 kernel: [167588.931737] [IPTABLES DROP BADGUYS] : IN=eth0 OUT= MAC= SRC=74.120.12.140 DST=xxx.xxx.xxx.xx LEN=576 TOS=0x00 PREC=0x00 TTL=45 ID=39807 DF PROTO=TCP SPT=24517 DPT=9001 WINDOW=16 RES=0x00 ACK URGP=0
My /var/log/firewall looks like this:
Code:
Aug 1 19:35:09 xxxxxxx kernel: [164488.550780] [IPTABLES DROP BADEND] : IN=eth0 OUT= MAC=xx:Xx:xx:Xx:XX:XX:xx:xx:XX:xx SRC=93.182.175.141 DST=xxx.xxx.xx.xxx LEN=76 TOS=0x00 PREC=0x00 TTL=107 ID=9425 PROTO=UDP SPT=13501 DPT=16906 LEN=56
Aug 1 19:35:10 xxxxxxx kernel: [164489.102976] [IPTABLES DROP BADGUYS] : IN=eth0 OUT= MAC=xx:Xx:xx:Xx:XX:XX:xx:xx:XX:xx SRC=81.206.158.42 DST=xxx.xxx.xx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=24627 DF PROTO=TCP SPT=56270 DPT=9030 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug 1 19:43:13 xxxxxxx kernel: [164972.054903] [IPTABLES DROP ICMP] : IN=eth0 OUT= MAC=xx:Xx:xx:Xx:XX:XX:xx:xx:XX:xx SRC=94.245.252.128 DST=xxx.xxx.xx.xxx LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=43017 SEQ=1
My script looks like this at the moment.
EDIT: I am doing some experimental logging with the NEW filter in the FIREWALL chain below. If I leave it there, my logging/dropping decreases. If I remove it, my logging/dropping increases. WHAT does this mean in conclusion?
Code:
# Allow NEW, ESTABLISHED and RELATED incoming connections
iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Code:
#!/bin/bash
# ftp.service.4
# No spoofing !!!
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > $filtre
    done
fi
# No icmp
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
modprobe iptable_filter
modprobe iptable_nat
modprobe ipt_REJECT
modprobe ipt_recent
# Remove all rules
iptables -F
iptables -X
# first set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# New chains
iptables -N FIREWALL
iptables -N TRUSTED
iptables -N BADGUY
# Log chain
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP
iptables -N LOG_DROP_BAD
iptables -A LOG_DROP_BAD -j LOG --log-prefix '[IPTABLES DROP BADGUYS] : '
iptables -A LOG_DROP_BAD -j DROP
iptables -N LOG_DROP_BADEND
iptables -A LOG_DROP_BADEND -j LOG --log-prefix '[IPTABLES DROP BADEND] : '
iptables -A LOG_DROP_BADEND -j DROP
iptables -N LOG_DROP_SSH
iptables -A LOG_DROP_SSH -j LOG --log-prefix '[IPTABLES DROP SSH BRUTEFORCE] : '
iptables -A LOG_DROP_SSH -j DROP
iptables -N LOG_DROP_FWD
iptables -A LOG_DROP_FWD -j LOG --log-prefix '[IPTABLES DROP FORWARD] : '
iptables -A LOG_DROP_FWD -j DROP
iptables -N LOG_DROP_ICMP
iptables -A LOG_DROP_ICMP -j LOG --log-prefix '[IPTABLES DROP ICMP] : '
iptables -A LOG_DROP_ICMP -j DROP
iptables -N LOG_DROP_HTTP
iptables -A LOG_DROP_HTTP -j LOG --log-prefix '[IPTABLES DROP HTTP] : '
iptables -A LOG_DROP_HTTP -j DROP
# Block any packet from IP-addresses that are present in the badguys list for one hour - port scan
iptables -A FIREWALL -i eth0 -m recent --name badguys --update --seconds 3600 -j LOG_DROP_BAD
# Allow NEW, ESTABLISHED and RELATED incoming connections
iptables -A FIREWALL -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Block any packet from IP-addresses that are present in the badguys list for one hour - port scan
#iptables -A FIREWALL -i eth0 -m recent --name badguys --update --seconds 3600 -j LOG_DROP_BAD
# SSH brute force attacks - verify in /proc/net/ipt_recent the files badguys and ssh
# The BADGUY chain only records the source in the badguys list; it has no -j, so it returns to FIREWALL
iptables -t filter -I BADGUY -m recent --set --name badguys
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --set
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 300 --hitcount 6 -j BADGUY
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 30 --hitcount 3 -j LOG_DROP_SSH
# HTTP attacks - verify in /proc/net/ipt_recent the files badguys and http
# (the badguys --set rule is already in the BADGUY chain above; inserting it a second time would only record every hit twice)
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 80 -m recent --name http --set
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 80 -m recent --name http --rcheck --seconds 300 --hitcount 6 -j BADGUY
iptables -A FIREWALL -i eth0 -p tcp --syn --dport 80 -m recent --name http --rcheck --seconds 30 --hitcount 3 -j LOG_DROP_HTTP
# Block inbound and outbound icmp traffic
iptables -A FIREWALL -i eth0 -p icmp -j LOG_DROP_ICMP
iptables -A FIREWALL -o eth0 -p icmp -j LOG_DROP_ICMP
# Allow self communication
iptables -A FIREWALL -i lo -j ACCEPT
iptables -A FIREWALL -o lo -j ACCEPT
# IMPORTANT Send all DROPPED packets from the FIREWALL chain to the badguys list - port scan
#iptables -A FIREWALL -t filter -i eth0 -j LOG_DROP_BADEND -m recent --set --name badguys
# Send all packets to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED
# Send everything through the FIREWALL chain
iptables -A INPUT -j FIREWALL
iptables -A FORWARD -j LOG_DROP_FWD
iptables -A OUTPUT -j FIREWALL
# IMPORTANT Send all DROPPED packets from the FIREWALL chain to the badguys list - port scan
# (appended after the jump to TRUSTED, so it catches whatever TRUSTED returns without accepting)
iptables -A FIREWALL -t filter -i eth0 -j LOG_DROP_BADEND -m recent --set --name badguys
# Allow inbound ssh traffic
iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow ftp inbound and outbound traffic
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 1024:65535 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow inbound http,https traffic
iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow outbound tcp and udp traffic
iptables -A TRUSTED -o eth0 -p tcp -m tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A TRUSTED -o eth0 -p udp -m udp -m state --state NEW,ESTABLISHED -j ACCEPT
# IMPORTANT Send all DROPPED packets from the FIREWALL chain to the badguys list - port scan
#iptables -A FIREWALL -t filter -i eth0 -j LOG_DROP_BADEND -m recent --set --name badguys
# End message
echo " [End iptables rules setting]"
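Editor's note, added to this post rather than written by its author: the two questions above (where a NEW packet goes with and without NEW in the first ACCEPT rule, and what happens to a packet that matches nothing in TRUSTED) come down to two netfilter rules that the script relies on. A packet that reaches the end of a user-defined chain such as TRUSTED is not dropped by it; it returns to the chain that jumped to it and continues with the next rule after the jump. In the posted script that next rule is the LOG_DROP_BADEND rule appended after `iptables -A FIREWALL -j TRUSTED`, which records the source in the badguys list and drops the packet, and that is why the posted log shows a source hit by BADEND first and by BADGUYS on its next packet. Without that rule the packet would fall off the end of INPUT and be accepted by the `-P INPUT ACCEPT` policy. Second, with NEW in the first ACCEPT rule every NEW packet arriving on eth0 is accepted by that rule, so the ssh and http rate-limit rules below it are never reached; that matches the observation that logging decreases when NEW is present. The following Python model is an added example, not code from the post: it replays the INPUT side of the posted rule set (FTP and HTTP rate-limit rules left out, every packet assumed to arrive on eth0, `-m recent` simplified to a per-list hit history) against constructed packets. The address 74.120.12.140, port 9001 and source port 24517 are taken from the posted log; that packet is assumed to be classified INVALID by conntrack, which is the only state that reaches LOG_DROP_BADEND with these rules. The addresses 203.0.113.5 and 198.51.100.7 are documentation addresses made up for the example.

```python
# Toy model of netfilter chain traversal for the INPUT side of the script above.
# Kept semantics (real iptables behaviour): rules are tried top to bottom and the
# first ACCEPT/DROP wins; -j USERCHAIN enters that chain, and falling off its end
# RETURNs to the caller, which continues with the rule after the jump; falling
# off the end of a built-in chain applies its policy; LOG never terminates.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Packet:          # every packet is assumed to arrive on eth0
    src: str
    dport: int
    sport: int = 40000
    proto: str = "tcp"
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    syn: bool = True


class Recent:
    """-m recent, simplified: list name -> {src: [timestamps]}; clock injectable."""
    def __init__(self, now: Callable[[], float]):
        self.lists, self.now = {}, now

    def set(self, name, src):                          # --set: record a hit
        self.lists.setdefault(name, {}).setdefault(src, []).append(self.now())
        return True

    def rcheck(self, name, src, seconds, hitcount=1):  # --rcheck --seconds --hitcount
        hits = [t for t in self.lists.get(name, {}).get(src, []) if self.now() - t <= seconds]
        return len(hits) >= hitcount

    def update(self, name, src, seconds):              # --update: rcheck, then refresh
        return self.rcheck(name, src, seconds) and self.set(name, src)


@dataclass
class Rule:
    match: Callable[[Packet, Recent], bool]   # may have side effects (--set)
    target: Optional[str] = None              # None: match-only rule without -j
    log_prefix: str = ""


class Firewall:
    POLICY = {"INPUT": "ACCEPT"}   # built-in chain policy, as set in the script

    def __init__(self, now):
        self.chains, self.recent, self.logs = {}, Recent(now), []

    def add(self, chain, rule):
        self.chains.setdefault(chain, []).append(rule)

    def _walk(self, chain, pkt, path):
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt, self.recent) or rule.target is None:
                continue
            t = rule.target
            if t == "LOG":
                self.logs.append(f"{rule.log_prefix}SRC={pkt.src} DPT={pkt.dport}")
                continue
            if t in ("ACCEPT", "DROP"):
                path.append(f"{chain}:{t}")
                return t
            path.append(f"{chain}->{t}")
            verdict = self._walk(t, pkt, path)   # user chain; RETURN means carry on
            if verdict != "RETURN":
                return verdict
        path.append(f"{chain}:{'policy' if chain in self.POLICY else 'RETURN'}")
        return self.POLICY.get(chain, "RETURN")

    def input(self, pkt):
        path = []   # every chain entered, and where the verdict was reached
        return self._walk("INPUT", pkt, path), path


def build(allow_new: bool, now=lambda: 0.0) -> Firewall:
    """INPUT-side subset of the posted rules (FTP and HTTP rate-limit rules left out).
    allow_new=True keeps NEW in the first ACCEPT rule of FIREWALL, False removes it."""
    fw, T = Firewall(now), (lambda p, r: True)
    for name, prefix in (("LOG_DROP_BAD", "[IPTABLES DROP BADGUYS] : "),
                         ("LOG_DROP_BADEND", "[IPTABLES DROP BADEND] : "),
                         ("LOG_DROP_SSH", "[IPTABLES DROP SSH BRUTEFORCE] : "),
                         ("LOG_DROP_ICMP", "[IPTABLES DROP ICMP] : ")):
        fw.add(name, Rule(T, "LOG", prefix))
        fw.add(name, Rule(T, "DROP"))
    fw.add("BADGUY", Rule(lambda p, r: r.set("badguys", p.src)))   # no -j: chain RETURNs
    states = {"NEW", "ESTABLISHED", "RELATED"} if allow_new else {"ESTABLISHED", "RELATED"}
    ssh = lambda p: p.proto == "tcp" and p.syn and p.dport == 22
    fw.add("FIREWALL", Rule(lambda p, r: r.update("badguys", p.src, 3600), "LOG_DROP_BAD"))
    fw.add("FIREWALL", Rule(lambda p, r: p.state in states, "ACCEPT"))
    fw.add("FIREWALL", Rule(lambda p, r: ssh(p) and r.set("ssh", p.src)))
    fw.add("FIREWALL", Rule(lambda p, r: ssh(p) and r.rcheck("ssh", p.src, 300, 6), "BADGUY"))
    fw.add("FIREWALL", Rule(lambda p, r: ssh(p) and r.rcheck("ssh", p.src, 30, 3), "LOG_DROP_SSH"))
    fw.add("FIREWALL", Rule(lambda p, r: p.proto == "icmp", "LOG_DROP_ICMP"))
    fw.add("FIREWALL", Rule(T, "TRUSTED"))
    fw.add("FIREWALL", Rule(lambda p, r: r.set("badguys", p.src), "LOG_DROP_BADEND"))
    ne, tcp = {"NEW", "ESTABLISHED"}, (lambda p: p.proto == "tcp")
    fw.add("TRUSTED", Rule(lambda p, r: tcp(p) and p.dport == 22 and p.state in ne, "ACCEPT"))
    fw.add("TRUSTED", Rule(lambda p, r: tcp(p) and p.dport >= 1024 and p.sport >= 1024 and p.state in ne, "ACCEPT"))
    fw.add("TRUSTED", Rule(lambda p, r: tcp(p) and p.dport in (80, 443) and p.state in ne, "ACCEPT"))
    fw.add("INPUT", Rule(T, "FIREWALL"))
    return fw


if __name__ == "__main__":
    for allow_new in (True, False):
        print("NEW in first rule:", allow_new, build(allow_new).input(Packet("203.0.113.5", 22)))
    fw = build(True)   # the ACK to port 9001 from the posted log, seen twice
    ack = Packet("74.120.12.140", 9001, sport=24517, state="INVALID", syn=False)
    print(fw.input(ack), fw.input(ack), fw.logs, sep="\n")
```

Running it prints the chain path for each packet. With NEW in the first rule a SYN to port 22 is accepted inside FIREWALL and the ssh list never gets an entry; without NEW the same SYN falls through to TRUSTED and is accepted there, and the third SYN within 30 seconds from one source is dropped by LOG_DROP_SSH. The INVALID ACK to port 9001 matches nothing in TRUSTED, returns to FIREWALL, and is logged as BADEND and added to badguys; its next packet is caught by the badguys rule at the top of FIREWALL and logged as BADGUYS, reproducing the order in the posted log. The trace also shows a side effect of the passive-FTP rule in TRUSTED: any NEW TCP connection to a port above 1023 from a source port above 1023 is accepted, so a NEW packet to port 9001 passes even when NEW is removed from the first FIREWALL rule.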