Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Custom iptables config
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
kbzium
Tux's lil' helper
Tux's lil' helper


Joined: 31 Jul 2012
Posts: 146

PostPosted: Fri Feb 15, 2013 7:46 pm    Post subject: Custom iptables config Reply with quote

Hello,

what's wrong about this script?
Code:
#!/bin/sh

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

iptables -F

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp ! --syn -m state --state NEW  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync: "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 
# block
iptables -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets: "
iptables -A INPUT -f -j DROP

# block
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets: "
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets: "
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan: "
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 60 --hitcount 5 --name SSH -j LOG --log-prefix "SSH attack: "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 6881 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 6881 -j ACCEPT

iptables -A INPUT  -p icmp -m limit --limit 10/second -j ACCEPT
iptables -A INPUT  -p icmp -j DROP
 
iptables -A INPUT -j LOG --log-prefix "INPUT:  "
iptables -A INPUT -j DROP

/etc/init.d/iptables save


It blocks everything but I believe there's something tiny in it which I cannot see... otherwise it seems good. What's more I would run scripts like
Code:
#!/bin/sh
for i in `wget -O - "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz" | zcat | sed -e 's/.*:\(.*\)-\(.*\)/\1-\2/' | grep "^[0-9]"` ; do
        iptables -A INPUT -m iprange --src-range ${i} -j DROP
        iptables -A OUTPUT -m iprange --dst-range ${i} -j DROP
done


then. Please help me out!

Thank you!
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Fri Feb 15, 2013 9:26 pm    Post subject: Reply with quote

You're trying to counter-productively do too much ;)
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8592

PostPosted: Sat Feb 16, 2013 12:59 am    Post subject: Re: Custom iptables config Reply with quote

kbzium wrote:
what's wrong about this script?
You are invoking iptables repeatedly instead of loading your rules atomically.
Back to top
View user's profile Send private message
imaginasys
Tux's lil' helper
Tux's lil' helper


Joined: 26 Dec 2009
Posts: 83
Location: Québec

PostPosted: Sat Feb 16, 2013 4:28 am    Post subject: Reply with quote

Isn't that list obtained from list.iblocklist.com a little bit long ?
Unless you think the whole world is going to attack your machine,
I'd say you'd better with "app-admin/denyhosts", it would block only bad guys that try to attack you, not the whole world ?

But other than that, your script is very good. I use something similar and I control access from the wan with denyhost on ssh.

Here is my script :
Code:

#!/bin/bash

# My local network
LAN="192.168.1.0/24"

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT

# Clear tables
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X

# Default : block anything that want to come in and allow everyting out
/sbin/iptables -P INPUT   DROP
/sbin/iptables -P OUTPUT  ACCEPT
/sbin/iptables -P FORWARD DROP

# Allow loopback traffic
/sbin/iptables -A INPUT  -p ALL -i lo -j ACCEPT

# drop invalid packets to avoid error
/sbin/iptables -A INPUT -m state --state INVALID -j DROP

# Permit traffic initiated by me
/sbin/iptables -A INPUT -p ALL  -m state --state ESTABLISHED,RELATED -j ACCEPT

# Let anything goes on the home network
/sbin/iptables -A INPUT -s $LAN -j ACCEPT

#Ping from the wan limited to 1 by second
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT

# Little help for IRC
/sbin/iptables -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset

# Allow SSH in
/sbin/iptables -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT

exit


regards,
BT :mrgreen:
Back to top
View user's profile Send private message
Odward
n00b
n00b


Joined: 21 Mar 2012
Posts: 65

PostPosted: Sat Feb 16, 2013 10:09 am    Post subject: Reply with quote

I'm curious if you're asking for feedback about your rules in general, or are you having a specific problem with this set of rules?

Not terribly important at all, but a quick glance shows you have two entries of the same rule
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


Also you have
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward

That enables ip forwarding (which would be useful if this box was a router) but you have the firewall set to drop all FORWARD.
So 0 should be the appropriate value, not 1.

Again though, be more specific if you're actually having a problem or experiencing something unexpected.
Back to top
View user's profile Send private message
kbzium
Tux's lil' helper
Tux's lil' helper


Joined: 31 Jul 2012
Posts: 146

PostPosted: Sat Feb 16, 2013 1:46 pm    Post subject: Reply with quote

When I input your config bad things, i suppose happen, and internet connection is down (need to flush tables)
Code:
kboom kboom # #!/bin/bash
kboom kboom #
kboom kboom # # My local network
kboom kboom # LAN="192.168.1.0/24"
kboom kboom #
kboom kboom # /sbin/iptables -P INPUT ACCEPT
kboom kboom # /sbin/iptables -P FORWARD ACCEPT
kboom kboom # /sbin/iptables -P OUTPUT ACCEPT
kboom kboom # /sbin/iptables -t nat -P PREROUTING ACCEPT
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t nat -P POSTROUTING ACCEPT
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t nat -P OUTPUT ACCEPT
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t mangle -P PREROUTING ACCEPT
iptables v1.4.16.3: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t mangle -P OUTPUT ACCEPT
iptables v1.4.16.3: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom #
kboom kboom # # Clear tables
kboom kboom # /sbin/iptables -F
kboom kboom # /sbin/iptables -t nat -F
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t mangle -F
iptables v1.4.16.3: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -X                                                                                                                                                                                         
kboom kboom # /sbin/iptables -t nat -X                                                                                                                                                                                 
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)                                                                                                               
Perhaps iptables or your kernel needs to be upgraded.                                                                                                                                                                   
kboom kboom # /sbin/iptables -t mangle -X                                                                                                                                                                               
iptables v1.4.16.3: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)                                                                                                             
Perhaps iptables or your kernel needs to be upgraded.                                                                                                                                                                   
kboom kboom #                                                                                                                                                                                                           
kboom kboom # # Default : block anything that want to come in and allow everyting out                                                                                                                                   
kboom kboom # /sbin/iptables -P INPUT   DROP                                                                                                                                                                           
kboom kboom # /sbin/iptables -P OUTPUT  ACCEPT                                                                                                                                                                         
kboom kboom # /sbin/iptables -P FORWARD DROP                                                                                                                                                                           
kboom kboom #                                                                                                                                                                                                           
kboom kboom # # Allow loopback traffic                                                                                                                                                                                 
kboom kboom # /sbin/iptables -A INPUT  -p ALL -i lo -j ACCEPT                                                                                                                                                           
kboom kboom #                                                                                                                                                                                                           
kboom kboom # # drop invalid packets to avoid error                                                                                                                                                                     
kboom kboom # /sbin/iptables -A INPUT -m state --state INVALID -j DROP                                                                                                                                                 
WARNING: The state match is obsolete. Use conntrack instead.                                                                                                                                                           
iptables: Protocol wrong type for socket.                                                                                                                                                                               
kboom kboom #                                                                                                                                                                                                           
kboom kboom # # Permit traffic initiated by me                                                                                                                                                                         
kboom kboom # /sbin/iptables -A INPUT -p ALL  -m state --state ESTABLISHED,RELATED -j ACCEPT
WARNING: The state match is obsolete. Use conntrack instead.
iptables: Protocol wrong type for socket.
kboom kboom #
kboom kboom # # Let anything goes on the home network
kboom kboom # /sbin/iptables -A INPUT -s $LAN -j ACCEPT
kboom kboom #
kboom kboom # #Ping from the wan limited to 1 by second
kboom kboom # /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
kboom kboom #
kboom kboom # # Little help for IRC
kboom kboom # /sbin/iptables -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name.
kboom kboom #
kboom kboom # # Allow SSH in
kboom kboom # /sbin/iptables -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT
WARNING: The state match is obsolete. Use conntrack instead.
iptables: Protocol wrong type for socket.
kboom kboom #
kboom kboom # exit


The whole thing about this huge list (3mln entries?) is that I wanted to have something similiar to peerblock (former peer guardian) to protect my privacy somehow. Is it possible to have it on gentoo too? Possibly through some native mechs like this one (iptables).

The config was actually written by my college who's kind of into Gentoo for many years :). Though I don't know whats wrong about it. The other thing is that I'm behind a normal router.
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Sat Feb 16, 2013 3:08 pm    Post subject: Reply with quote

kbzium wrote:
ptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)

So take a look:
Code:
zgrep NF_NAT /proc/config.gz

You need to fix your kernel config. Then google for some iptables intro docs.
Back to top
View user's profile Send private message
kbzium
Tux's lil' helper
Tux's lil' helper


Joined: 31 Jul 2012
Posts: 146

PostPosted: Sat Feb 16, 2013 7:48 pm    Post subject: Reply with quote

Looks empty:
Code:
kboom@kboom ~ $ zgrep NF_NAT /proc/config.gz
kboom@kboom ~ $


Okay, I'll do it. Hope it helps :)

Thanks for now!
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum