
#1 2010-09-30 16:33:51

antis
Member
From: sweden
Registered: 2007-05-18
Posts: 108

I need some iptables help

Hello all,

I'm trying to set up a reasonably secure firewall for my home server and have so far come up with this:

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# SSH
-A INPUT -p tcp -m state --state NEW --dport 22 -s 192.168.0.0/24 -j ACCEPT

# FTP
-A INPUT -p tcp -m state --state NEW --dport 20:21 -j ACCEPT

# SOPCAST
-A INPUT -p tcp -m state --state NEW --dport 8908 -s 192.168.0.0/24 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

My iptables skills are next to none, so this is mostly copy and paste from other examples, but I believe this will block everything except for the ports I have explicitly opened.

Now to the thing I need help with. I am trying to block IPs that make more than three connection attempts to SSH in 10 minutes to keep the brute force guys out.
I tried this but it doesn't seem to work:

-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

I can still connect and make as many log in attempts as I want.
What am I doing wrong? I'd rather not install fail2ban or the likes to keep the system as bare as possible.

Last edited by antis (2010-09-30 16:35:13)


#2 2010-10-01 00:04:28

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: I need some iptables help

You need to make sure those rules go BEFORE the other rule accepting SSH.

ACCEPT is a terminating rule, so once a packet is matched to an ACCEPT target, no further rules will be processed.


#3 2010-10-02 09:07:48

antis
Member
From: sweden
Registered: 2007-05-18
Posts: 108

Re: I need some iptables help

Thanks for the answer but I think I still am having problems with this. I can't really work it out, but is a rule like this possible to combine with the last rule that says "block everything"?

The thing is that when I include the 2 rate limit rows, and also the accept rule, I can make as many login attempts as I wish. If I remove basically everything and only keep the two rate limit rules, it works the way I want. But then of course everything else is left open.


#4 2010-10-02 14:14:22

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: I need some iptables help

Can you post the raw iptables-save output? It's easier to read.


#5 2010-10-03 12:08:48

antis
Member
From: sweden
Registered: 2007-05-18
Posts: 108

Re: I need some iptables help

I have copied and pasted some more since I last checked this post. Below you'll find the output of iptables-save with some more rules (and my comments).
The same problem is still there though. If I want to block everything by adding

-A INPUT -j REJECT
-A FORWARD -j REJECT

...at the end and only open up specific ports, I just can't implement the rate limit feature as I would like.
If you don't feel like putting effort into this it is quite alright. I realize that I will have to do some studying regarding this.

# Generated by iptables-save v1.4.2 on Sun Oct  3 13:58:58 2010
*filter
:INPUT ACCEPT [1205347:1604731177]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7433:879644]
:FTP - [0:0]
:FTP_BLACKLIST - [0:0]
:SSH - [0:0]
:SSH_BLACKLIST - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -d 127.0.0.0/8 -i ! lo -j REJECT --reject-with icmp-port-unreachable 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 

# NFS related. Only allow local network.
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 8908 -j ACCEPT 
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT 
-A INPUT -s 192.168.0.0/24 -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT 
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT 
-A INPUT -s 192.168.0.0/24 -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT 
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 32765:32769 -j ACCEPT 
-A INPUT -s 192.168.0.0/24 -p udp -m state --state NEW -m udp --dport 32765:32769 -j ACCEPT 

-A INPUT -i wlan0 -p tcp -m state --state NEW -m tcp --dport 22 -j SSH 
-A INPUT -i wlan0 -p tcp -m state --state NEW -m tcp --dport 20:21 -j FTP 
-A OUTPUT -j ACCEPT 

# Some chinese guy that never gives up
-A INPUT -s 211.144.112.20/32 -j DROP

# FTP and SSH blacklist chain copied from http://www.briandowney.net/blog/2009/08/20/firewalling-brute-force-attempts-with-iptables/
-A FTP -m recent --update --seconds 300 --name FTP_COUNTER --rsource -j REJECT --reject-with icmp-port-unreachable 
-A FTP -m recent --rcheck --seconds 600 --hitcount 3 --name FTP --rsource -j FTP_BLACKLIST 
-A FTP -m recent --rcheck --seconds 2 --name FTP --rsource -j LOG --log-prefix "Added: " 
-A FTP -m recent --update --seconds 2 --name FTP --rsource -j REJECT --reject-with icmp-port-unreachable 
-A FTP -m recent --remove --name FTP_COUNTER --rsource -j LOG --log-prefix "Removed: " 
-A FTP -m recent --set --name FTP --rsource -j ACCEPT 
-A FTP_BLACKLIST -m recent --set --name FTP_COUNTER --rsource -j LOG --log-prefix "Blocked: " 
-A FTP_BLACKLIST -j REJECT --reject-with icmp-port-unreachable 
-A SSH -m recent --update --seconds 300 --name SSH_COUNTER --rsource -j REJECT --reject-with icmp-port-unreachable 
-A SSH -m recent --rcheck --seconds 600 --hitcount 3 --name SSH --rsource -j SSH_BLACKLIST 
-A SSH -m recent --rcheck --seconds 2 --name SSH --rsource -j LOG --log-prefix "Added: " 
-A SSH -m recent --update --seconds 2 --name SSH --rsource -j REJECT --reject-with icmp-port-unreachable 
-A SSH -m recent --remove --name SSH_COUNTER --rsource -j LOG --log-prefix "Removed: " 
-A SSH -m recent --set --name SSH --rsource -j ACCEPT 
-A SSH_BLACKLIST -m recent --set --name SSH_COUNTER --rsource -j LOG --log-prefix "Blocked: " 
-A SSH_BLACKLIST -j REJECT --reject-with icmp-port-unreachable 
COMMIT
# Completed on Sun Oct  3 13:58:58 2010

Last edited by antis (2010-10-03 12:09:25)


#6 2010-10-03 17:53:05

saline
Member
Registered: 2010-02-20
Posts: 86

Re: I need some iptables help

antis wrote:

The same problem is still there though. If I want to block everything by adding

-A INPUT -j REJECT
-A FORWARD -j REJECT

...at the end and only open up specific ports, I just can't implement the rate limit feature as I would like.

# Generated by iptables-save v1.4.2 on Sun Oct  3 13:58:58 2010
*filter
:INPUT ACCEPT [1205347:1604731177]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7433:879644]

Those rules do nothing, as the output of iptables-save shows: your default chain policies are to accept packets.  Try:

-P INPUT REJECT
-P FORWARD REJECT

or, better, use DROP.

Also, read the wiki and the iptables manpage.


#7 2010-10-03 22:06:46

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: I need some iptables help

How are you testing? If you're testing by SSH'ing from the local machine, then the '-i lo' rule will accept the traffic before anything else...

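As an added example that is not part of the thread and not iptables itself: a small Python model of the three points raised in the replies. fukawi2 (#2) notes that ACCEPT terminates traversal, so the `-m recent` rules only count hits if they sit before the `--dport 22 -j ACCEPT` rule; saline (#6) notes that without a final REJECT rule an unmatched packet falls through to the chain policy, which the iptables-save dump shows as ACCEPT; fukawi2 (#7) notes that a test from the local machine is accepted by the `-i lo` rule before anything else. The `Recent` class imitates the `--set` and `--update --seconds --hitcount` behaviour of xt_recent (a match on `--update` only when the source already has enough hits inside the window, refreshing the list on a match); the packet timings and the 203.0.113.7 source address are constructed test data.

```python
"""Toy model of netfilter first-match traversal and the xt_recent counters.

Constructed for illustration only: nothing here talks to the kernel or to
iptables; it reproduces the semantics the replies in this thread rely on.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

# Targets that end traversal of the chain; LOG and match-only rules (no -j) do not.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    src: str
    dport: int
    iface: str = "wlan0"   # the OP's external interface in post #5


@dataclass
class Recent:
    """Stand-in for `-m recent`: a list of hit timestamps per (list name, source)."""
    stamps: dict = field(default_factory=dict)

    def set(self, name: str, src: str, now: float) -> bool:
        # --set always matches and records one more hit for src.
        self.stamps.setdefault((name, src), []).append(now)
        return True

    def update(self, name: str, src: str, now: float, seconds: float, hitcount: int) -> bool:
        # --update --seconds N --hitcount H matches only when src already has at
        # least H hits newer than N seconds; a match also refreshes the list.
        seen = self.stamps.get((name, src))
        if seen is None:
            return False
        if sum(1 for t in seen if now - t <= seconds) >= hitcount:
            seen.append(now)
            return True
        return False


Rule = tuple[Callable[[Packet, float], bool], Optional[str]]


@dataclass
class Chain:
    rules: list[Rule]
    policy: str = "ACCEPT"    # what `-P INPUT ...` sets; the OP's dump shows ACCEPT

    def verdict(self, pkt: Packet, now: float) -> str:
        for match, target in self.rules:
            # The match runs even for target-less rules, so --set still records a hit.
            if match(pkt, now) and target in TERMINATING:
                return target
        return self.policy


def build_input_chain(limiter_first: bool, policy: str = "ACCEPT") -> Chain:
    """Model of the OP's INPUT chain: loopback accept, the two `recent` rules
    from post #1, and the plain `--dport 22 -j ACCEPT` rule, in either order."""
    rec = Recent()
    is_ssh = lambda p: p.dport == 22
    loopback = (lambda p, t: p.iface == "lo", "ACCEPT")
    limiter = [
        (lambda p, t: is_ssh(p) and rec.set("SSH", p.src, t), None),
        (lambda p, t: is_ssh(p) and rec.update("SSH", p.src, t, 60, 3), "DROP"),
    ]
    accept_ssh = [(lambda p, t: is_ssh(p), "ACCEPT")]
    ordered = limiter + accept_ssh if limiter_first else accept_ssh + limiter
    return Chain([loopback] + ordered, policy)


def ssh_attempts(chain: Chain, src: str, times: list[float]) -> list[str]:
    """Verdicts for a series of new SSH connections from one source."""
    return [chain.verdict(Packet(src, 22), t) for t in times]


def demo() -> dict:
    # Constructed test traffic: five SSH connection attempts from one address,
    # four within a minute and one after a long pause.
    times = [0, 10, 20, 30, 200]
    src = "203.0.113.7"
    return {
        # post #2: with ACCEPT first, the limiter never sees a packet
        "accept_before_limiter": ssh_attempts(build_input_chain(False), src, times),
        # limiter first: the third hit inside 60 s is dropped, the pause clears it
        "limiter_before_accept": ssh_attempts(build_input_chain(True), src, times),
        # post #7: traffic arriving on lo is accepted before any later rule
        "loopback_test": build_input_chain(True).verdict(Packet("127.0.0.1", 22, iface="lo"), 0),
        # post #6: an unlisted port falls through to the chain policy
        "port23_policy_accept": build_input_chain(True, "ACCEPT").verdict(Packet(src, 23), 0),
        "port23_policy_drop": build_input_chain(True, "DROP").verdict(Packet(src, 23), 0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the limiter-first ordering giving ACCEPT, ACCEPT, DROP, DROP and then ACCEPT again once the 60-second window has emptied, while the accept-first ordering lets every attempt through; the port 23 case goes ACCEPT or DROP purely according to the policy. The model also makes visible why the OP's third rule still matters: with DROP as the chain policy, the explicit `--dport 22 -j ACCEPT` after the limiter is what lets the first two attempts in at all.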
