I'm new to iptables and I need a little help to understand how it works.
1) I have read the wiki https://wiki.archlinux.org/index.php/Si … l_Firewall and I found this part obscure:
SYN scans
In a SYN scan, the port scanner sends a SYN packet to every port. Closed ports return a TCP RST packet, or get dropped by a strict firewall. Open ports return a SYN ACK packet regardless of the presence of a firewall.
The recent module can be used to keep track of hosts with rejected connection attempts and return a TCP RST for any SYN packet they send to open ports, as if the port was closed. If an open port is the first to be scanned, a SYN ACK will still be returned, so running applications such as ssh on non-standard ports is required for this to work consistently.
First, insert a rule at the top of the TCP chain. This rule responds with a TCP RST to any host that got onto the TCP-PORTSCAN list in the past sixty seconds. The --update switch causes the recent list to be updated, meaning the 60 second counter is reset.
# iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
Next, the rule for rejecting TCP packets needs to be modified to add hosts with rejected packets to the TCP-PORTSCAN list.
# iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst
# iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
If I have a previous rule that sends all incoming new TCP connections to the TCP chain, why do I need to add this last rule?
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
Isn't it the rule inserted at the beginning of the TCP chain that takes care of rejecting the packet?
----------------------------------------------------------------
2) If I want to log every dropped connection, do I need to set the default INPUT policy to ACCEPT and put, at the end of the INPUT chain, a rule that logs and drops everything else?
Last edited by kenny96 (2013-09-09 00:18:59)
I am also trying to understand the wiki.
Is this ok?
iptables -N TCP
iptables -N UDP
iptables -N LOGDROP
iptables -N LOGACCEPT
iptables -N IN_SSH
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# Setup rules for accepting TCP traffic
iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -A TCP -p tcp -s 192.168.1.0/24 --dport ssh -j IN_SSH
iptables -A TCP -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
iptables -A TCP -p tcp -s 192.168.1.0/24 --dport 443 -j ACCEPT
# Setup rules for accepting UDP traffic
iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach
iptables -A UDP -p udp -s 192.168.1.0/24 --dport 137:138 -j ACCEPT
# Setup rules for accepting SSH traffic
iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
iptables -A IN_SSH -m recent --name sshbf --set -j LOGACCEPT
# Setup rules for LOGDROP
iptables -A LOGDROP -m limit --limit 5/m --limit-burst 10 -j LOG --log-level 6 --log-prefix "[DROP] "
iptables -A LOGDROP -j DROP
# Setup rules for LOGACCEPT
iptables -A LOGACCEPT -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 6 --log-prefix "[ACCEPT] "
iptables -A LOGACCEPT -j ACCEPT
# General sanity checking of traffic in INPUT, and dispatching calls to our "TCP" and "UDP" chains
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j LOGDROP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
If I want to log every dropped connection
Then create a new chain called e.g. "droplog", which logs and then drops.
The *default* (i.e. ACCEPT or DROP) is irrelevant to your question.
kenny96 wrote: If I want to log every dropped connection
Then create a new chain called e.g. "droplog", which logs and then drops.
The *default* (i.e. ACCEPT or DROP) is irrelevant to your question.
Ok, thanks. And about the first question, can you help me to understand the rules?
If I have this rule:
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
and the first rule of the TCP chain is:
iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
why do I need this one:
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
TCP packets match the first rule, go to the TCP chain and then meet the TCP-PORTSCAN rule that rejects them.
# iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst
# iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
If I have a previous rule that sends all incoming new TCP connections to the TCP chain, why do I need to add this last rule?
It's not appended. The original rule you refer to is deleted with the first line (-D) and replaced with the one you question. It's an optional part of the wiki.
edit: my answer cross-posted with you posting a new rule you use too. Don't post snippets of rules here, post the full rules only next time. Nobody has an idea which parts of the wiki you followed and which you did not.
edit2: Apologies - my edit above was out of confusion about the similarity of your names. I reckon Kenny94 and kenny96 are two distinct users, which I failed to see. So my answer above was for kenny96!
Last edited by Strike0 (2013-09-14 19:11:18)
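To make Strike0's point concrete: the --update rule at the top of the TCP chain can only reject hosts that are already on the TCP-PORTSCAN list, and the only rule that puts a host on that list is the modified REJECT rule in INPUT, which a SYN reaches only after the TCP chain has RETURNed without a verdict (no ACCEPT for that port). The following Python model is an added example, not code from the thread or the Arch wiki and not iptables itself: it mirrors the rule order quoted above (INPUT jump to TCP, the --update rule, per-port ACCEPTs, then the INPUT REJECT with or without --set) and a minimal xt_recent list, so the traversal for each SYN can be followed. The open port set, the source address and the probe timing are constructed inputs.

```python
# Added example: a Python model of the Arch wiki's TCP-PORTSCAN rules.
# It is NOT iptables and does not touch netfilter; it only reproduces the
# rule order from the thread so the chain traversal can be traced per SYN.
from dataclasses import dataclass, field

TCP_RST = "REJECT --reject-with tcp-rst"
SYN_ACK = "SYN-ACK (port open, ACCEPT in TCP chain)"
PORTSCAN_SECONDS = 60  # --seconds 60 on the TCP chain's --update rule


@dataclass
class RecentList:
    """Model of one xt_recent list: source address -> time last seen."""
    last_seen: dict = field(default_factory=dict)

    def set(self, src: str, now: float) -> None:
        """-m recent --set: add src to the list, or refresh its timestamp."""
        self.last_seen[src] = now

    def update(self, src: str, now: float, seconds: int) -> bool:
        """-m recent --update --seconds N: match only if src is listed and was
        seen within the last N seconds; a match refreshes the timestamp, so the
        window is extended by every further packet from a listed host."""
        seen = self.last_seen.get(src)
        if seen is None or now - seen > seconds:
            return False
        self.last_seen[src] = now
        return True


class InputChainModel:
    """Rule order from the thread (assumed: only these rules see new SYNs):

    INPUT: -p tcp --syn -m conntrack --ctstate NEW -j TCP
    TCP:   -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
    TCP:   -p tcp --dport <open port> -j ACCEPT   (one rule per allowed service)
    INPUT: -p tcp [-m recent --set --name TCP-PORTSCAN] -j REJECT --reject-with tcp-rst

    set_rule_in_input=False is the wiki's original plain REJECT in INPUT;
    True is the replacement rule that also does --set.
    """

    def __init__(self, open_ports, set_rule_in_input=True):
        # assumed: a service listens on each of these AND the TCP chain ACCEPTs it
        self.open_ports = set(open_ports)
        self.set_rule_in_input = set_rule_in_input
        self.portscan = RecentList()  # the TCP-PORTSCAN list

    def syn(self, src: str, dport: int, now: float) -> str:
        """Verdict for a new SYN from src to dport arriving at time `now`."""
        # INPUT: new SYN -> jump to the TCP chain.
        # TCP rule 1: host listed within the last 60 s? RST as if the port were closed.
        if self.portscan.update(src, now, PORTSCAN_SECONDS):
            return TCP_RST + " (TCP-PORTSCAN)"
        # TCP chain: ACCEPT rules for the allowed services.
        if dport in self.open_ports:
            return SYN_ACK
        # End of the TCP chain with no verdict: RETURN to INPUT, continue after the jump.
        if self.set_rule_in_input:
            self.portscan.set(src, now)  # a rejected SYN is what puts src on the list
        return TCP_RST  # closed port gets a RST either way


def scan(model: InputChainModel, src: str, ports, start: float = 0.0, step: float = 0.5):
    """Probe `ports` in order, one every `step` seconds, and return the verdicts."""
    return [model.syn(src, p, start + i * step) for i, p in enumerate(ports)]


if __name__ == "__main__":
    for flag in (False, True):
        fw = InputChainModel(open_ports={22, 80}, set_rule_in_input=flag)
        print(f"--set rule in INPUT: {flag}")
        for port, verdict in zip([1000, 22, 80], scan(fw, "203.0.113.7", [1000, 22, 80])):
            print(f"  dport {port:>5}: {verdict}")
```

Running it shows the three cases the wiki text describes: with the original plain REJECT, a scan of a closed port followed by port 22 gets RST then SYN-ACK, because nothing ever added the scanner to the list; with the --set rule, the same scan gets RST then RST; and if an open port is probed first, it answers SYN-ACK before any rule has seen a rejected packet from that host, which is why the wiki suggests moving ssh off its standard port. The same reasoning applies to the UDP-PORTSCAN pair of rules in Kenny94's ruleset.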