kbzium Tux's lil' helper
Joined: 31 Jul 2012 Posts: 146
Posted: Fri Feb 15, 2013 7:46 pm Post subject: Custom iptables config
Hello,
what's wrong about this script?
Code:
```sh
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync: "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# block
iptables -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets: "
iptables -A INPUT -f -j DROP
# block
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets: "
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets: "
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan: "
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 60 --hitcount 5 --name SSH -j LOG --log-prefix "SSH attack: "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 6881 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 6881 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -j LOG --log-prefix "INPUT: "
iptables -A INPUT -j DROP
/etc/init.d/iptables save
```
It blocks everything but I believe there's something tiny in it which I cannot see... otherwise it seems good. What's more I would run scripts like
Code:
```sh
#!/bin/sh
for i in `wget -O - "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz" | zcat | sed -e 's/.*:\(.*\)-\(.*\)/\1-\2/' | grep "^[0-9]"` ; do
    iptables -A INPUT -m iprange --src-range ${i} -j DROP
    iptables -A OUTPUT -m iprange --dst-range ${i} -j DROP
done
```
then. Please help me out!
Thank you!
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Sat Feb 16, 2013 12:59 am Post subject: Re: Custom iptables config

kbzium wrote:
> what's wrong about this script?

You are invoking iptables repeatedly instead of loading your rules atomically.
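Hu's point in practice, as an added example (this is not code from the thread or from any poster): the first script's INPUT policy rewritten as one iptables-restore ruleset. iptables-restore parses the whole file first and then swaps the table in a single step, so there is no window where the box sits half-configured, and a typo anywhere in the file leaves the old rules untouched. The matches use `-m conntrack`, the replacement for the obsolete `-m state`; the duplicate ESTABLISHED,RELATED rule is gone; and logging goes through one shared LOGDROP chain instead of a LOG/DROP pair per rule. The port values, the LOGDROP chain name and the `apply` argument are assumptions introduced for this example, and the `--test` flag of iptables-restore is used for the dry run.

```sh
#!/bin/sh
# Added example, not code from the thread: the OP's INPUT policy as a single
# iptables-restore ruleset so the filter table is replaced atomically instead
# of being rebuilt by dozens of separate iptables calls.
# SSH_PORT and BT_PORT are assumptions taken from the OP's rules.

SSH_PORT=22
BT_PORT=6881

# Emit the ruleset in iptables-save format. Only the filter table is used, so
# this also loads on a kernel built without the nat and mangle tables.
build_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback and replies to connections we opened ourselves
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# a new TCP connection must start with a SYN; fragments and bogus flag sets go
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOGDROP
-A INPUT -f -j LOGDROP
-A INPUT -p tcp --tcp-flags ALL NONE -j LOGDROP
-A INPUT -p tcp --tcp-flags ALL ALL -j LOGDROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOGDROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOGDROP
# SSH: the update/drop rule comes first, the set/accept rule second, so the
# 5-in-60s limit from the original script can actually trigger
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j LOGDROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --set --name SSH -j ACCEPT
# BitTorrent and rate-limited ICMP, as in the original
-A INPUT -p tcp --dport ${BT_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport ${BT_PORT} -j ACCEPT
-A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
# everything else: one shared chain that logs (rate-limited) and drops
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/minute --limit-burst 7 -j LOG --log-level 4 --log-prefix "INPUT drop: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# Structural check before touching the kernel: one filter table, a COMMIT at
# the end, and every jump target either built in or declared as a chain above.
check_ruleset() {
    rules=$(build_ruleset)
    printf '%s\n' "$rules" | grep -q '^\*filter$' || return 1
    [ "$(printf '%s\n' "$rules" | tail -n 1)" = "COMMIT" ] || return 1
    for target in $(printf '%s\n' "$rules" | sed -n 's/.* -j \([A-Za-z]*\).*/\1/p' | sort -u); do
        case "$target" in
            ACCEPT|DROP|REJECT|LOG) ;;
            *) printf '%s\n' "$rules" | grep -q "^:$target " || return 1 ;;
        esac
    done
    return 0
}

# Number of rules appended to INPUT (handy for a quick diff against iptables-save).
count_input_rules() {
    build_ruleset | grep -c '^-A INPUT '
}

# Load atomically: a dry run with --test first, then the real restore. The
# FORWARD policy is DROP, so forwarding is switched off rather than on.
apply_ruleset() {
    check_ruleset || { echo "ruleset failed structural check" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=0 >/dev/null
    build_ruleset | iptables-restore --test || return 1
    build_ruleset | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    build_ruleset   # default: print the ruleset for review, e.g. > /var/lib/iptables/rules-save
fi
```

Run it without arguments to review or save the generated ruleset, and with `apply` (as root) to load it. Because the file format is exactly what `iptables-save` prints, the saved file can be diffed against the live configuration at any time, which is much easier to audit than a sequence of `iptables -A` calls.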
imaginasys Tux's lil' helper
Joined: 26 Dec 2009 Posts: 83 Location: Québec
Posted: Sat Feb 16, 2013 4:28 am Post subject:
Isn't that list obtained from list.iblocklist.com a little bit long?
Unless you think the whole world is going to attack your machine,
I'd say you'd be better off with "app-admin/denyhosts"; it would block only the bad guys that try to attack you, not the whole world.
But other than that, your script is very good. I use something similar and I control access from the WAN with denyhosts on ssh.
Here is my script:
Code:
```sh
#!/bin/bash
# My local network
LAN="192.168.1.0/24"
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
# Clear tables
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X
# Default: block anything that wants to come in and allow everything out
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
# Allow loopback traffic
/sbin/iptables -A INPUT -p ALL -i lo -j ACCEPT
# Drop invalid packets to avoid errors
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
# Permit traffic initiated by me
/sbin/iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
# Let anything go on the home network
/sbin/iptables -A INPUT -s $LAN -j ACCEPT
# Ping from the WAN limited to 1 per second
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
# Little help for IRC
/sbin/iptables -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
# Allow SSH in
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
exit
```
regards,
BT
Odward n00b
Joined: 21 Mar 2012 Posts: 65
Posted: Sat Feb 16, 2013 10:09 am Post subject:
I'm curious whether you're asking for feedback about your rules in general, or whether you're having a specific problem with this set of rules.
Not terribly important at all, but a quick glance shows you have two entries of the same rule:
Code:
```sh
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
Also you have
Code:
```sh
echo 1 > /proc/sys/net/ipv4/ip_forward
```
That enables IP forwarding (which would be useful if this box were a router), but you have the firewall set to drop all FORWARD.
So 0 should be the appropriate value, not 1.
Again though, be more specific if you're actually having a problem or experiencing something unexpected.
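Both of Odward's observations can be checked mechanically rather than by reading the script. The following is an added example, not code from the thread or from any poster: a small lint pass over an `iptables-save` dump that reports rules appended more than once to the same chain and the combination of `ip_forward=1` with a FORWARD policy of DROP. SAMPLE_DUMP is constructed for the example and contains both problems; on a real box the arguments would be `"$(iptables-save)"` and `"$(cat /proc/sys/net/ipv4/ip_forward)"`.

```sh
#!/bin/sh
# Added example, not code from the thread: lint an iptables-save dump for the
# two things Odward spotted by eye. SAMPLE_DUMP is constructed for the example.

SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
COMMIT'

# Print each rule that appears more than once in the dump, one copy per rule.
# Two identical "-A <chain> ..." lines mean the same match and target were
# appended twice to that chain; the second copy can never see a packet the
# first one did not already decide on.
find_duplicate_rules() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -d
}

# How many distinct rules are duplicated (0 when the dump is clean).
count_duplicate_rules() {
    find_duplicate_rules "$1" | wc -l | tr -d ' '
}

# Policy of the FORWARD chain as written in the dump (DROP, ACCEPT, ...).
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# Exit 0 when forwarding is switched on in the kernel but every forwarded
# packet is dropped anyway. The sysctl should then be 0, unless the box is
# really meant to route and is still missing its FORWARD rules.
# $1 = dump text, $2 = value of net.ipv4.ip_forward
forward_policy_mismatch() {
    if [ "$(forward_policy "$1")" = "DROP" ] && [ "$2" = "1" ]; then
        return 0
    fi
    return 1
}

# Human-readable report; $1 = dump text, $2 = value of net.ipv4.ip_forward.
lint_dump() {
    dups=$(find_duplicate_rules "$1")
    if [ -n "$dups" ]; then
        printf 'duplicate rule(s):\n%s\n' "$dups"
    fi
    if forward_policy_mismatch "$1" "$2"; then
        echo 'net.ipv4.ip_forward=1 but the FORWARD policy is DROP; set it to 0'
    fi
}

lint_dump "$SAMPLE_DUMP" 1
```

The duplicate check keys on the full rule text after `iptables-save` has normalised it, so it also catches copies that were typed differently in the script (for example with and without an explicit `-m tcp`).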
kbzium Tux's lil' helper
Joined: 31 Jul 2012 Posts: 146
Posted: Sat Feb 16, 2013 1:46 pm Post subject:
When I input your config, bad things happen, I suppose, and the internet connection goes down (need to flush tables):
Code:
```
kboom kboom # #!/bin/bash
kboom kboom #
kboom kboom # # My local network
kboom kboom # LAN="192.168.1.0/24"
kboom kboom #
kboom kboom # /sbin/iptables -P INPUT ACCEPT
kboom kboom # /sbin/iptables -P FORWARD ACCEPT
kboom kboom # /sbin/iptables -P OUTPUT ACCEPT
kboom kboom # /sbin/iptables -t nat -P PREROUTING ACCEPT
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t nat -P POSTROUTING ACCEPT
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t nat -P OUTPUT ACCEPT
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t mangle -P PREROUTING ACCEPT
iptables v1.4.16.3: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t mangle -P OUTPUT ACCEPT
iptables v1.4.16.3: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom #
kboom kboom # # Clear tables
kboom kboom # /sbin/iptables -F
kboom kboom # /sbin/iptables -t nat -F
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t mangle -F
iptables v1.4.16.3: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -X
kboom kboom # /sbin/iptables -t nat -X
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t mangle -X
iptables v1.4.16.3: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom #
kboom kboom # # Default : block anything that want to come in and allow everyting out
kboom kboom # /sbin/iptables -P INPUT DROP
kboom kboom # /sbin/iptables -P OUTPUT ACCEPT
kboom kboom # /sbin/iptables -P FORWARD DROP
kboom kboom #
kboom kboom # # Allow loopback traffic
kboom kboom # /sbin/iptables -A INPUT -p ALL -i lo -j ACCEPT
kboom kboom #
kboom kboom # # drop invalid packets to avoid error
kboom kboom # /sbin/iptables -A INPUT -m state --state INVALID -j DROP
WARNING: The state match is obsolete. Use conntrack instead.
iptables: Protocol wrong type for socket.
kboom kboom #
kboom kboom # # Permit traffic initiated by me
kboom kboom # /sbin/iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
WARNING: The state match is obsolete. Use conntrack instead.
iptables: Protocol wrong type for socket.
kboom kboom #
kboom kboom # # Let anything goes on the home network
kboom kboom # /sbin/iptables -A INPUT -s $LAN -j ACCEPT
kboom kboom #
kboom kboom # #Ping from the wan limited to 1 by second
kboom kboom # /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
kboom kboom #
kboom kboom # # Little help for IRC
kboom kboom # /sbin/iptables -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name.
kboom kboom #
kboom kboom # # Allow SSH in
kboom kboom # /sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
WARNING: The state match is obsolete. Use conntrack instead.
iptables: Protocol wrong type for socket.
kboom kboom #
kboom kboom # exit
```
The whole thing about this huge list (3mln entries?) is that I wanted to have something similar to PeerBlock (formerly PeerGuardian) to protect my privacy somehow. Is it possible to have it on Gentoo too? Possibly through some native mechanisms like this one (iptables).
The config was actually written by my colleague, who has been kind of into Gentoo for many years. Though I don't know what's wrong with it. The other thing is that I'm behind a normal router.
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Sat Feb 16, 2013 3:08 pm Post subject:
kbzium wrote:
> iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)

So take a look:
Code:
```sh
zgrep NF_NAT /proc/config.gz
```
You need to fix your kernel config. Then google for some iptables intro docs.
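The single `zgrep` above answers one question; the session output earlier in the thread actually shows three different things missing (the nat and mangle tables, the state match, and the REJECT target). As an added example, not code from the thread or from any poster, here is a check that maps the tables, matches and targets used by the two scripts to the kernel config symbols they need and lists what is absent. The symbol names are the ones I know from 3.x-era kernels (CONFIG_NETFILTER_XT_TARGET_LOG is CONFIG_IP_NF_TARGET_LOG on older kernels, and the IPv4 nat table symbol has changed name across versions, so CONFIG_NF_NAT is used as the common core); verify them against your own kernel's Kconfig. SAMPLE_CONFIG is constructed and deliberately lacks NAT and REJECT, two of the things the error output above complains about.

```sh
#!/bin/sh
# Added example, not code from the thread: check a kernel .config for the
# netfilter options the scripts in this thread rely on. SAMPLE_CONFIG is a
# constructed config fragment with NAT and REJECT left out.

SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_MANGLE=m
# CONFIG_NF_NAT is not set
# CONFIG_IP_NF_TARGET_REJECT is not set'

# "feature:symbol" pairs; feature names the iptables table, match or target.
REQUIRED='filter-table:CONFIG_IP_NF_FILTER
nat-table:CONFIG_NF_NAT
mangle-table:CONFIG_IP_NF_MANGLE
conntrack:CONFIG_NF_CONNTRACK
match-state:CONFIG_NETFILTER_XT_MATCH_STATE
match-conntrack:CONFIG_NETFILTER_XT_MATCH_CONNTRACK
match-limit:CONFIG_NETFILTER_XT_MATCH_LIMIT
match-recent:CONFIG_NETFILTER_XT_MATCH_RECENT
target-LOG:CONFIG_NETFILTER_XT_TARGET_LOG
target-REJECT:CONFIG_IP_NF_TARGET_REJECT'

# Exit 0 if the symbol is built in (=y) or a module (=m) in the config text.
# $1 = config text, $2 = symbol
config_enabled() {
    printf '%s\n' "$1" | grep -q "^$2=[ym]$"
}

# Print one line per missing feature: "<feature> <symbol>". $1 = config text
missing_features() {
    printf '%s\n' "$REQUIRED" | while IFS=: read -r feature symbol; do
        config_enabled "$1" "$symbol" || printf '%s %s\n' "$feature" "$symbol"
    done
}

# Run the check against the running kernel (needs CONFIG_IKCONFIG_PROC, which
# is what makes /proc/config.gz exist in the first place).
check_running_kernel() {
    if [ ! -r /proc/config.gz ]; then
        echo "/proc/config.gz not available; check /usr/src/linux/.config instead" >&2
        return 2
    fi
    missing_features "$(zcat /proc/config.gz)"
}

echo "missing in SAMPLE_CONFIG:"
missing_features "$SAMPLE_CONFIG"
```

An empty result from `missing_features "$(zcat /proc/config.gz)"` means every table, match and target the scripts use is at least built as a module; a non-empty one tells you which Kconfig option to enable before the `Table does not exist` and `No chain/target/match by that name` errors will go away. Options built as `=m` additionally need the module to be loadable, which iptables normally arranges by itself.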
kbzium Tux's lil' helper
Joined: 31 Jul 2012 Posts: 146
Posted: Sat Feb 16, 2013 7:48 pm Post subject:
Looks empty:
Code:
```
kboom@kboom ~ $ zgrep NF_NAT /proc/config.gz
kboom@kboom ~ $
```
Okay, I'll do it. Hope it helps.
Thanks for now!