Hello
I've just read the Arch wiki about iptables. I made some rules and added some from other sites, but I still ain't 100% convinced that they are very strong and reliable. If anyone would be so kind as to give me feedback about them, I would appreciate that a lot.
I'm going to use them on my home server (but I want them to be very strong).
I use port 5000 to experiment with reverse-proxied Python apps.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
# Allow HTTP and HTTPS connections.
# Port 5000 is for reverse proxied python apps
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 5000 -j ACCEPT
-A OUTPUT -p tcp --dport 5000 -j ACCEPT
# Allow DNS
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# Block mysql other than 192.168.0.0/24
-A INPUT -p tcp -s 192.168.0.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow SSH connections
# The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#Block DDoS
#maximum 25 connection per minute
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport 443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#Block Syn-flood packets
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Syn scans blocking
-I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-D INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
-D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
-D INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# Drop everything else
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EDIT:
I've read about port knocking too. I think this is quite a good security measure, but not many people use it. Why is that?
Greetings
Last edited by sevaho (2016-12-01 11:01:30)
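An added example, not from sevaho's post or the Arch wiki: a small POSIX sh lint that reads an iptables-restore file on stdin and reports three ordering problems the posted file has. First, "-D" lines: iptables-restore starts from an empty table, so there is nothing to delete and the load aborts (the errors that later force those lines to be commented out). Second, rules for a port that an earlier plain "-A INPUT -p tcp --dport N -j ACCEPT" already admits: the 25/minute limits on ports 80 and 443 never match, because the unconditional accepts a few lines earlier take every packet first, so the "Block DDoS" section does nothing. Third, "-A" rules appended after an unconditional REJECT/DROP in the same chain (the final "-A INPUT -j REJECT" is dead), plus ACCEPT rules in a chain whose policy is already ACCEPT. The parser is deliberately simple (it understands -A/-I/-D, -p, --dport, -j, -m and a few match options) and sample_rules is a trimmed copy of the posted ruleset, so it runs without root and without iptables installed.

```shell
#!/bin/sh
# Static lint for an iptables-restore file (added example, not from the thread).
# Simplified parser: knows -A/-I/-D, -p, --dport, -j, -m and a few match flags.
lint_rules() (
  set -f                          # lines contain '*' and '[0:0]': never glob them
  n=0; policies=""; accepted=""; dead=""
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      ''|'#'*|'*'*|COMMIT*) continue ;;
      :*) set -- $line; policies="$policies ${1#:}=$2"; continue ;;   # ":CHAIN POLICY [pkts:bytes]"
    esac
    set -- $line
    cmd=$1; chain=$2; shift 2
    if [ "$cmd" = "-D" ]; then
      echo "ERROR line $n: -D deletes a rule, but nothing is loaded yet, so iptables-restore aborts: $line"
      continue
    fi
    [ "$cmd" = "-A" ] || [ "$cmd" = "-I" ] || continue
    proto=""; port=""; target=""; extra=0; want=""
    for tok in "$@"; do
      if [ -n "$want" ]; then                 # value for the option seen last
        case "$want" in
          proto)  proto=$tok ;;
          port)   port=$tok ;;
          target) target=$tok ;;
          mod)    case "$tok" in tcp|udp) ;; *) extra=1 ;; esac ;;   # -m tcp/udp adds no condition
        esac
        want=""; continue
      fi
      case "$tok" in
        -p) want=proto ;;  --dport) want=port ;;  -j) want=target ;;  -m) want=mod ;;
        -s|-d|-i|-o|'!'|--sport|--tcp-flags|--icmp-type|--syn) extra=1 ;;   # any extra condition
      esac
    done
    # 1. appended after an unconditional ACCEPT/DROP/REJECT: never evaluated
    case " $dead " in *" $chain "*)
      [ "$cmd" != "-A" ] || echo "UNREACHABLE line $n: chain $chain already ended with an unconditional rule: $line" ;;
    esac
    # 2. port already accepted without conditions earlier in the chain
    case " $accepted " in *" $chain/$proto/$port "*)
      echo "UNREACHABLE line $n: $proto dport $port is already accepted unconditionally in $chain: $line" ;;
    esac
    # 3. ACCEPT in a chain whose policy is ACCEPT changes nothing
    case " $policies " in *" $chain=ACCEPT "*)
      [ "$target" != ACCEPT ] || echo "REDUNDANT line $n: the policy of $chain is already ACCEPT: $line" ;;
    esac
    # remember what this rule settles for the rules that follow it
    if [ "$cmd" = "-A" ] && [ $extra -eq 0 ]; then
      if [ -z "$proto" ] && [ -z "$port" ]; then
        case "$target" in ACCEPT|DROP|REJECT) dead="$dead $chain" ;; esac
      elif [ -n "$port" ] && [ "$target" = ACCEPT ]; then
        accepted="$accepted $chain/$proto/$port"
      fi
    fi
  done
)

# Trimmed copy of the ruleset posted above (constructed sample input).
sample_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport 443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-D INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -j REJECT
COMMIT
EOF
}

sample_rules | lint_rules
```

Run it on the real file with "lint_rules < /etc/iptables/iptables.rules" before loading; on the sample it prints one ERROR, one REDUNDANT and three UNREACHABLE lines. To make the rate limit mean something, the limited rule has to come before the plain accept for the same port, and the plain accept then has to go (a limit rule that is followed by an unconditional accept is equally pointless).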
You are ignoring the existence of IPv6, so you are wide open to anyone on the outside using IPv6.
Last edited by Mr.Elendig (2016-12-01 11:27:57)
Evil #archlinux@libera.chat channel op and general support dude.
Please post iptables --list so we can see the effect of those rules more easily.
Does this machine function as a webserver?
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
(A works at time B) && (time C > time B ) ≠ (A works at time C)
Good remark, Mr.Elendig. I don't use IPv6 and I have disabled it.
Yes, Lone_Wolf, mostly as a webserver but also as an SSH tunnelling server. I also have ownCloud and Python apps that I want to deploy.
So I wanted to deploy my iptables rules but got some errors; I needed to comment out these rules, otherwise it didn't want to work.
Commented rules:
#-D INPUT -p tcp -j REJECT --reject-with tcp-reset
#-D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
#-D INPUT -j REJECT --reject-with icmp-proto-unreachable
iptables --list output:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp echo-request ctstate NEW
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:commplex-main
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:mysql state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http limit: avg 25/min burst 100
ACCEPT tcp -- anywhere anywhere tcp dpt:https limit: avg 25/min burst 100
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
REJECT tcp -- anywhere anywhere recent: SET name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
REJECT udp -- anywhere anywhere recent: SET name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:commplex-main
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
Chain TCP (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere recent: UPDATE seconds: 60 name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
Chain UDP (1 references)
target prot opt source destination
REJECT udp -- anywhere anywhere recent: UPDATE seconds: 60 name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
Greetings
Last edited by sevaho (2016-12-01 12:25:26)
I'm not an expert, but I think that if you set the default policy for the OUTPUT chain to ACCEPT, the OUTPUT chain should contain rules that tell which packets should be dropped. In particular, rules like
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
are redundant.
Stop blocking (most) ICMP - it is needed for Path MTU discovery.
Edit: Better URL.
Last edited by brebs (2016-12-01 20:27:47)
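An added example covering both Mr.Elendig's IPv6 remark and brebs's ICMP remark; it is not the poster's ruleset and not from the Arch wiki. Instead of "-A INPUT -p icmp -j ACCEPT", the icmp_allowlist function emits only the ICMP types a server needs: the error messages Path MTU discovery and traceroute depend on (for IPv4, destination-unreachable carries the "fragmentation needed" code; for IPv6 it is packet-too-big), echo-request with a rate limit, and for IPv6 the Neighbour Discovery messages without which the host cannot find its router or resolve link-layer addresses. ipv6_baseline wraps that into a complete ip6tables-restore file with the same shape as the IPv4 policy in the thread (default DROP on INPUT and FORWARD, conntrack first, then ICMPv6, then the service ports 80, 443 and 22). Type names are the ones iptables and ip6tables accept with -m icmp and -m icmp6; the "-m limit" rate is a global 10/second and the port list is an assumption taken from the thread.

```shell
#!/bin/sh
# ICMP/ICMPv6 allow-list and an IPv6 baseline firewall (added example, not the
# poster's rules). The functions only print rule text, so they run without root.

# Argument: 4 or 6. Prints the INPUT rules for that address family.
icmp_allowlist() {
  case "$1" in
    4)
      # destination-unreachable includes code 4 "fragmentation needed", the message PMTUD relies on
      echo '-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT'
      echo '-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT'
      echo '-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT'
      # stay pingable, but not at an unbounded rate (global limit, not per source)
      echo '-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 10/second --limit-burst 20 -j ACCEPT'
      ;;
    6)
      # packet-too-big is the IPv6 PMTUD message: routers never fragment in IPv6
      echo '-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type destination-unreachable -j ACCEPT'
      echo '-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT'
      echo '-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type time-exceeded -j ACCEPT'
      echo '-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type parameter-problem -j ACCEPT'
      echo '-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -m limit --limit 10/second --limit-burst 20 -j ACCEPT'
      # Neighbour Discovery: legitimate NDP always arrives with hop limit 255
      # (it was never routed), so anything with a lower hop limit falls through to the policy
      echo '-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT'
      echo '-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT'
      echo '-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT'
      ;;
    *) echo "usage: icmp_allowlist 4|6" >&2; return 1 ;;
  esac
}

# Complete ip6tables-restore file mirroring the IPv4 policy from the thread.
# ICMPv6 is accepted before the INVALID drop: NDP packets are not connection
# tracked, so no conntrack state test should sit between them and their ACCEPT.
ipv6_baseline() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
EOF
  icmp_allowlist 6
  cat <<'EOF'
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
}

ipv6_baseline
```

Review the output, then check it parses with "ipv6_baseline > /etc/iptables/ip6tables.rules && ip6tables-restore --test /etc/iptables/ip6tables.rules" and enable ip6tables.service, which on Arch loads that file. Two caveats: the conntrack RELATED rule already admits ICMP errors that belong to a tracked flow, so the explicit error-type rules are the safety net for everything else, not the primary path; and disabling IPv6 on the host, as sevaho did, is the other valid answer to Mr.Elendig's point, as long as it really is disabled on every interface, otherwise an address autoconfigured from a router advertisement is reachable with no filter at all.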
Yes, saaker, you are totally right; I've fixed it.
Thank you, brebs. I've added a rule:
# Accept ICMP
iptables -A INPUT -p icmp -j ACCEPT
Thank you all already for the feedback.