Hello all,
I'm trying to set up a reasonably secure firewall for my home server and have so far come up with this:
# Allows all loopback (lo0) traffic and drops all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# SSH
-A INPUT -p tcp -m state --state NEW --dport 22 -s 192.168.0.0/24 -j ACCEPT
# FTP
-A INPUT -p tcp -m state --state NEW --dport 20:21 -j ACCEPT
# SOPCAST
-A INPUT -p tcp -m state --state NEW --dport 8908 -s 192.168.0.0/24 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
My iptables skills are next to none so this is mostly copy and paste from other examples, but I believe this will block everything except for the ports I have explicitly opened.
Now to the thing I need help with. I am trying to block IPs that make more than three connection attempts to ssh in 10 minutes to keep brute force guys out.
I tried this but it doesn't seem to work:
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
I can still connect and make as many log in attempts as I want.
What am I doing wrong? I'd rather not install fail2ban or the likes to keep the system as bare as possible.
Last edited by antis (2010-09-30 16:35:13)
You need to make sure those rules go BEFORE the other rule accepting SSH.
ACCEPT is a terminating rule, so once a packet is matched to an ACCEPT target, no further rules will be processed.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Thanks for the answer but I think I still am having problems with this. I can't really work it out, but is a rule like this possible to combine with the last rule that says "block everything"?
The thing is that when I include the 2 rate limit rows, and also the accept rule, I can make as many login attempts as I wish. If I remove basically everything and only keep the two rate limit rules it works the way I want. But then of course everything else is left open.
Can you post the raw iptables-save output? It's easier to read.
I have copied and pasted some more since I last checked this post. Below you'll find the output of iptables-save with some more rules (and my comments).
The same problem is still there though. If I want to block everything by adding
-A INPUT -j REJECT
-A FORWARD -j REJECT
...at the end and only open up specific ports, I just can't implement the rate limit feature as I would like.
If you don't feel like putting effort into this it is quite alright. I realize that I will have to do some studying regarding this.
# Generated by iptables-save v1.4.2 on Sun Oct 3 13:58:58 2010
*filter
:INPUT ACCEPT [1205347:1604731177]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7433:879644]
:FTP - [0:0]
:FTP_BLACKLIST - [0:0]
:SSH - [0:0]
:SSH_BLACKLIST - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -i ! lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# NFS related. Only allow local network.
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 8908 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 32765:32769 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p udp -m state --state NEW -m udp --dport 32765:32769 -j ACCEPT
-A INPUT -i wlan0 -p tcp -m state --state NEW -m tcp --dport 22 -j SSH
-A INPUT -i wlan0 -p tcp -m state --state NEW -m tcp --dport 20:21 -j FTP
-A OUTPUT -j ACCEPT
# Some Chinese guy that never gives up
-A INPUT -s 211.144.112.20/32 -j DROP
# FTP and SSH blacklist chain copied from http://www.briandowney.net/blog/2009/08/20/firewalling-brute-force-attempts-with-iptables/
-A FTP -m recent --update --seconds 300 --name FTP_COUNTER --rsource -j REJECT --reject-with icmp-port-unreachable
-A FTP -m recent --rcheck --seconds 600 --hitcount 3 --name FTP --rsource -j FTP_BLACKLIST
-A FTP -m recent --rcheck --seconds 2 --name FTP --rsource -j LOG --log-prefix "Added: "
-A FTP -m recent --update --seconds 2 --name FTP --rsource -j REJECT --reject-with icmp-port-unreachable
-A FTP -m recent --remove --name FTP_COUNTER --rsource -j LOG --log-prefix "Removed: "
-A FTP -m recent --set --name FTP --rsource -j ACCEPT
-A FTP_BLACKLIST -m recent --set --name FTP_COUNTER --rsource -j LOG --log-prefix "Blocked: "
-A FTP_BLACKLIST -j REJECT --reject-with icmp-port-unreachable
-A SSH -m recent --update --seconds 300 --name SSH_COUNTER --rsource -j REJECT --reject-with icmp-port-unreachable
-A SSH -m recent --rcheck --seconds 600 --hitcount 3 --name SSH --rsource -j SSH_BLACKLIST
-A SSH -m recent --rcheck --seconds 2 --name SSH --rsource -j LOG --log-prefix "Added: "
-A SSH -m recent --update --seconds 2 --name SSH --rsource -j REJECT --reject-with icmp-port-unreachable
-A SSH -m recent --remove --name SSH_COUNTER --rsource -j LOG --log-prefix "Removed: "
-A SSH -m recent --set --name SSH --rsource -j ACCEPT
-A SSH_BLACKLIST -m recent --set --name SSH_COUNTER --rsource -j LOG --log-prefix "Blocked: "
-A SSH_BLACKLIST -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Oct 3 13:58:58 2010
Last edited by antis (2010-10-03 12:09:25)
The same problem is still there though. If I want to block everything by adding
-A INPUT -j REJECT
-A FORWARD -j REJECT
...at the end and only open up specific ports, I just can't implement the rate limit feature as I would like.
# Generated by iptables-save v1.4.2 on Sun Oct 3 13:58:58 2010
*filter
:INPUT ACCEPT [1205347:1604731177]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7433:879644]
Those rules do nothing, as the output of iptables-save shows: your default chain policies are to accept packets. Try:
-P INPUT REJECT
-P FORWARD REJECT
or, better, use DROP.
Also, read the wiki and the iptables manpage.
How are you testing? If you're testing by SSH'ing from the local machine, then the '-i lo' rule will accept the traffic before anything else...
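The two points raised in this thread (the terminating SSH ACCEPT must come after the `recent` rules, and a test from the local machine is accepted by the `-i lo` rule before anything else) can be seen in a small simulation of the INPUT chain. This is an added example, not code from the thread; it assumes a reduced model of xt_recent (timestamps per source address, one unnamed list) and constructed connection-attempt timestamps.

```python
# Toy model of an iptables INPUT chain with terminating targets and a reduced
# xt_recent (timestamps per source address in one unnamed list, as --rsource).
from collections import defaultdict
class RecentTable:
    """One xt_recent list: hit timestamps keyed by source address."""
    def __init__(self):
        self.hits = defaultdict(list)

    def set(self, src, now):            # -m recent --set: always matches
        self.hits[src].append(now)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when src has at least N hits
        in the last S seconds; a match records this packet too."""
        recent = [t for t in self.hits.get(src, []) if now - t <= seconds]
        if len(recent) >= hitcount:
            self.hits[src].append(now)
            return True
        return False

def run_chain(rules, packets):
    """Verdict per NEW connection (time, iface, src, dport). ACCEPT/DROP end the
    walk; the trailing '-A INPUT -j REJECT' from the post catches fall-through."""
    table, verdicts = RecentTable(), []
    for now, iface, src, dport in packets:
        verdict = "REJECT"
        for r in rules:                 # a rule without iface/dport matches any
            if r.get("iface", iface) != iface or r.get("dport", dport) != dport:
                continue
            if r.get("recent") == "set":
                table.set(src, now)
            elif r.get("recent") == "update" and not table.update(
                    src, now, r["seconds"], r["hitcount"]):
                continue
            if r.get("target") in ("ACCEPT", "DROP"):
                verdict = r["target"]
                break
        verdicts.append(verdict)
    return verdicts
# The post's three rate-limit lines and the '-i lo -j ACCEPT' rule, as dicts.
LO_ACCEPT = {"iface": "lo", "target": "ACCEPT"}
RECENT_SET = {"dport": 22, "recent": "set"}
RECENT_DROP = {"dport": 22, "recent": "update", "seconds": 60, "hitcount": 3, "target": "DROP"}
SSH_ACCEPT = {"dport": 22, "target": "ACCEPT"}
# Constructed sample: one address retrying SSH every 10 s, then once more at 200 s.
ATTEMPTS = [(t, "wlan0", "203.0.113.9", 22) for t in (0, 10, 20, 30, 200)]
if __name__ == "__main__":
    print(run_chain([LO_ACCEPT, SSH_ACCEPT, RECENT_SET, RECENT_DROP], ATTEMPTS))  # all ACCEPT
    print(run_chain([LO_ACCEPT, RECENT_SET, RECENT_DROP, SSH_ACCEPT], ATTEMPTS))  # 3rd, 4th DROP
```

With the ACCEPT placed first the `recent` rules are never reached; with the corrected order the third and fourth attempts inside the 60 s window are dropped and the attempt at 200 s is accepted again, while anything arriving on `lo` is accepted before the counters ever see it.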