IPTables help

gwatson
Posts: 4
Joined: 2018/08/10 14:53:02

IPTables help

Post by gwatson » 2018/08/10 15:06:01

I am using the Centos HowTos to setup IPTables on a server - wiki.centos.org/HowTos/Network/IPTables

I set up the myfirewall script as outlined in the above article, but it doesn't appear to block attacks. I would like to block all inbound traffic, except for certain IP addresses or subnets.

I'm trying to block inbound access to the server, but I must have missed something, as certain attacks are able to bypass the rules, even if I explicitly block the IP address or subnet.

Here's what I have for the script; I just run it after it's modified.

#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Drop packets from blocked sources, then accept packets from trusted IP addresses
iptables -A INPUT -s 209.0.0.0/8 -j DROP
iptables -A INPUT -s 46.17.46.71 -j DROP
iptables -A INPUT -s 85.0.0.0/8 -j DROP
iptables -A INPUT -s 215.0.0.0/8 -j DROP
iptables -A INPUT -s 164.0.0.0/8 -j DROP
iptables -A INPUT -s 37.0.0.0/8 -j DROP
iptables -A INPUT -s 185.0.0.0/8 -j DROP
iptables -A INPUT -s 82.0.0.0/8 -j DROP
iptables -A INPUT -s 212.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -s 10.10.10.0/24 -j ACCEPT
iptables -A INPUT -s xxx.143.0.0/16 -j ACCEPT
iptables -A INPUT -s xxx.139.0.0/16 -j ACCEPT


# Save settings
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v


Anyone able to point out where I went wrong? Any assistance would be appreciated

Thanks,

GW

TrevorH
Forum Moderator
Posts: 23164
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IPTables help

Post by TrevorH » 2018/08/10 18:25:07

CentOS 7 uses firewalld by default unless you explicitly turn it off and/or remove it. It will happily let you add iptables rules and then put the setup back to how it was before without telling you. If you run iptables-save and get about 400 lines of output then you're probably using firewalld. To set that up you need to use firewall-cmd not iptables. If you don't like firewalld (I purge it with fire) then you can remove it and install iptables-services instead and go back to the old style.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

gwatson
Posts: 4
Joined: 2018/08/10 14:53:02

Re: IPTables help

Post by gwatson » 2018/08/11 12:07:16

Thank you for the reply.

For some reason it seems like the attacks have subsided - I added three lines to the rules at the bottom and one near the top and it seems the attacks have stopped bypassing the firewall rules

Here are some changes since I posted.

Near the top I added:
iptables -A INPUT -s unknown.Level3.net/8 -j DROP

I added this one because when I looked at Wireshark I was seeing the packets in the trace, but it didn't list the IP address, only the hostname. Is this the proper way to do this? I

At the bottom I added

iptables -A INPUT -s 185.0.0.0/8 -j DROP
iptables -A INPUT -s 209.0.0.0/8 -j DROP
iptables -A INPUT -s 185.107.80.188 -j DROP


Should these drop rules be at the bottom instead of the top, above the accept commands?

iptables -L -v

Chain INPUT (policy DROP 651 packets, 41882 bytes)
pkts bytes target prot opt in out source destination
1493 139K ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
231K 29M ACCEPT all -- lo any anywhere anywhere
356K 78M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP all -- any any unknown.Level3.net/8 anywhere
0 0 DROP all -- any any 217.0.0.0/8 anywhere
100 46303 DROP all -- any any dynamicip-46-0-0-0.pppoe.samara.ertelecom.ru/8 anywhere
2 861 DROP all -- any any ip-195-0-0-0.dsl.scarlet.be/8 anywhere
0 0 DROP all -- any any 46.17.46.71 anywhere
48 22251 DROP all -- any any 0.0.0.85.dynamic.wline.res.cust.swisscom.ch/8 anywhere
0 0 DROP all -- any any 215.0.0.0/8 anywhere
0 0 DROP all -- any any 164-0-0-0.kcell.kz/8 anywhere
159 103K DROP all -- any any 37.0.0.0/8 anywhere
150 113K DROP all -- any any 185.0.0.0/8 anywhere
3 1534 DROP all -- any any 0-0-0-82.static.virginm.net/8 anywhere
1 442 DROP all -- any any 212.0.0.0/8 anywhere
0 0 ACCEPT all -- any any 192.168.110.0/24 anywhere
57049 10M ACCEPT all -- any any 192.168.0.0/24 anywhere
0 0 ACCEPT all -- any any 10.10.10.0/24 anywhere
78 26982 ACCEPT all -- any any unallocated-static.rogers.com/16 anywhere
0 0 ACCEPT all -- any any unallocated-static.rogers.com/16 anywhere

0 0 DROP all -- any any 185.0.0.0/8 anywhere
0 0 DROP all -- any any unknown.Level3.net/8 anywhere
0 0 DROP all -- any any 185.107.80.188 anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 568K packets, 108M bytes)
pkts bytes target prot opt in out source destination

Chain fail2ban-BadBots (0 references)
pkts bytes target prot opt in out source destination

Chain fail2ban-FTP (0 references)
pkts bytes target prot opt in out source destination

Chain fail2ban-SIP (0 references)
pkts bytes target prot opt in out source destination

Chain fail2ban-SSH (0 references)
pkts bytes target prot opt in out source destination

Chain fail2ban-apache-auth (0 references)
pkts bytes target prot opt in out source destination

Chain fail2ban-recidive (0 references)
pkts bytes target prot opt in out source destination

TrevorH
Forum Moderator
Posts: 23164
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IPTables help

Post by TrevorH » 2018/08/11 14:54:15

If you could post those rules using the iptables-save command then they'd be a lot more readable...

gwatson
Posts: 4
Joined: 2018/08/10 14:53:02

Re: IPTables help

Post by gwatson » 2018/08/12 11:14:15

Thanks for taking a look TrevorH!

Here's the iptables-save

# Generated by iptables-save v1.4.21 on Sun Aug 12 07:07:06 2018
*filter
:INPUT DROP [226:13583]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [83875:12725031]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 209.0.0.0/8 -j DROP
-A INPUT -s 217.0.0.0/8 -j DROP
-A INPUT -s 46.0.0.0/8 -j DROP
-A INPUT -s 195.0.0.0/8 -j DROP
-A INPUT -s 46.17.46.71/32 -j DROP
-A INPUT -s 85.0.0.0/8 -j DROP
-A INPUT -s 215.0.0.0/8 -j DROP
-A INPUT -s 164.0.0.0/8 -j DROP
-A INPUT -s 37.0.0.0/8 -j DROP
-A INPUT -s 185.0.0.0/8 -j DROP
-A INPUT -s 82.0.0.0/8 -j DROP
-A INPUT -s 212.0.0.0/8 -j DROP
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -s 10.10.10.0/24 -j ACCEPT
-A INPUT -s xxx.143.0.0/16 -j ACCEPT
-A INPUT -s xxx.139.0.0/16 -j ACCEPT
-A INPUT -s 185.0.0.0/8 -j DROP
-A INPUT -s 209.0.0.0/8 -j DROP
-A INPUT -s 185.107.80.188/32 -j DROP
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Sun Aug 12 07:07:06 2018

TrevorH
Forum Moderator
Posts: 23164
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IPTables help

Post by TrevorH » 2018/08/12 11:48:39

So iptables rules are processed from the top down, and processing stops as soon as a match occurs and a jump is taken to either DROP, REJECT or ACCEPT. Looking at your rules, that means, for example, an ssh connection from anywhere will hit rule 3 ( -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT ) and jump out, and the packet will be accepted. It will never get to the DROP rules that you have there, so they will not function. Similarly, if you have an already established connection from one of the ip addresses in your "block list" then it will hit the RELATED,ESTABLISHED rule first and never reach the DROP ones.

If you want to completely drop traffic from a particular ip address/subnet then you will need to move those rules up to the top of the list so they match first. It's also more efficient to use state tracking, as then packets on already established connections will hit that RELATED,ESTABLISHED rule early on in processing and use less resource.

I also notice that you're dropping packets from a lot of /8 networks. Those are very large blocks of addresses just to be ignoring and - for example - 185.0.0.0/8 covers multiple countries and probably contains several legitimate ip addresses that you may not want to block at all.

I've left the addresses you're blocking much the same but this set of rules is probably more likely to do what you want.


# Generated by iptables-save v1.4.21 on Sun Aug 12 07:07:06 2018
*filter
:INPUT DROP [226:13583]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [83875:12725031]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -s 209.0.0.0/8 -j DROP
-A INPUT -m state --state NEW -s 217.0.0.0/8 -j DROP
-A INPUT -m state --state NEW -s 46.0.0.0/8 -j DROP
-A INPUT -m state --state NEW -s 195.0.0.0/8 -j DROP
-A INPUT -m state --state NEW -s 46.17.46.71/32 -j DROP
-A INPUT -m state --state NEW -s 85.0.0.0/8 -j DROP
-A INPUT -m state --state NEW -s 215.0.0.0/8 -j DROP
-A INPUT -m state --state NEW -s 164.0.0.0/8 -j DROP
-A INPUT -m state --state NEW -s 37.0.0.0/8 -j DROP
-A INPUT -m state --state NEW -s 185.0.0.0/8 -j DROP
-A INPUT -m state --state NEW -s 82.0.0.0/8 -j DROP
-A INPUT -m state --state NEW -s 212.0.0.0/8 -j DROP
-A INPUT -m state --state NEW -s 185.107.80.188/32 -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-SSH
-A INPUT -j fail2ban-SIP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -s 192.168.0.0/24 -j ACCEPT
-A INPUT -m state --state NEW -s 10.10.10.0/24 -j ACCEPT
-A INPUT -m state --state NEW -s xxx.143.0.0/16 -j ACCEPT
-A INPUT -m state --state NEW -s xxx.139.0.0/16 -j ACCEPT
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Sun Aug 12 07:07:06 2018
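To make the first-match behaviour described in the reply above concrete, here is a small Python evaluator for the subset of iptables-save syntax used in this thread. It is an added example, not code from the thread, from CentOS or from the iptables project. It walks the INPUT chain top-down the way the kernel does: the first rule whose criteria fit the packet and whose target is ACCEPT, DROP or REJECT decides; a jump into a user chain such as fail2ban-SIP that ends in RETURN falls back to the next rule; and a packet that matches nothing gets the chain policy. The two rulesets are constructed, shortened copies of the original post's order and of the reordered set: the drop list is cut down, the poster's masked trusted range xxx.143.0.0/16 is stood in for by the documentation prefix 198.51.100.0/24, and 203.0.113.9 stands in for an arbitrary unlisted source. All of those values, and the rule numbers the code reports, are assumptions of the example.

```python
"""First-match walk of an iptables INPUT chain (added example, not code from the thread).
Handles the iptables-save subset used above: -s, -p, --dport, -m state --state, -j."""
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed, shortened copy of the poster's original rule order. The masked trusted
# range xxx.143.0.0/16 is stood in for by the documentation prefix 198.51.100.0/24.
ORIGINAL = """
:INPUT DROP [0:0]
-A INPUT -j fail2ban-SIP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 185.0.0.0/8 -j DROP
-A INPUT -s 198.51.100.0/24 -j ACCEPT
-A INPUT -s 185.107.80.188/32 -j DROP
-A fail2ban-SIP -j RETURN
"""

# The same rules in the reordered form: drops first, and limited to NEW connections.
REORDERED = """
:INPUT DROP [0:0]
-A INPUT -m state --state NEW -s 185.0.0.0/8 -j DROP
-A INPUT -m state --state NEW -s 185.107.80.188/32 -j DROP
-A INPUT -j fail2ban-SIP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -s 198.51.100.0/24 -j ACCEPT
-A fail2ban-SIP -j RETURN
"""

@dataclass
class Packet:
    src: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED or RELATED

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of match criteria plus its target."""
    tokens, rule = shlex.split(line), {}
    for opt, arg in zip(tokens[::2], tokens[1::2]):   # each option here takes one argument
        if opt == "-A":
            rule["chain"] = arg
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "--dport":
            rule["dport"] = int(arg)
        elif opt == "--state":
            rule["state"] = set(arg.split(","))
        elif opt == "-j":
            rule["target"] = arg
        # "-m state" / "-m tcp" only name a match extension; nothing to record.
    return rule

def load(ruleset):
    """Split an iptables-save dump into per-chain rule lists and chain policies."""
    chains, policies = {}, {}
    for line in ruleset.strip().splitlines():
        if line.startswith(":"):                       # ":INPUT DROP [pkts:bytes]"
            policies[line[1:].split()[0]] = line[1:].split()[1]
        elif line.startswith("-A"):
            rule = parse_rule(line)
            chains.setdefault(rule["chain"], []).append(rule)
    return chains, policies

def matches(rule, pkt):
    """True when every criterion present in the rule fits the packet."""
    return (("src" not in rule or ipaddress.ip_address(pkt.src) in rule["src"])
            and rule.get("proto", pkt.proto) == pkt.proto
            and rule.get("dport", pkt.dport) == pkt.dport
            and pkt.state in rule.get("state", {pkt.state}))

def walk(chains, pkt, chain):
    """Top-down walk of one chain: (verdict, where), or None if it falls through."""
    for n, rule in enumerate(chains.get(chain, []), start=1):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, f"{chain} rule {n}"
        if target == "RETURN":
            return None
        hit = walk(chains, pkt, target)          # jump into a user chain (fail2ban-SIP)
        if hit:
            return hit
    return None

def decide(ruleset, pkt):
    """Verdict for one packet: first terminating match, else the INPUT chain policy."""
    chains, policies = load(ruleset)
    return walk(chains, pkt, "INPUT") or (policies["INPUT"], "INPUT policy")

if __name__ == "__main__":
    for pkt in (Packet("185.107.80.188", "tcp", 22), Packet("198.51.100.7", "udp", 5060),
                Packet("203.0.113.9", "udp", 5060)):
        print(pkt, "original:", decide(ORIGINAL, pkt), "reordered:", decide(REORDERED, pkt))
```

Run directly, it prints the verdict each ruleset gives the same three packets. With the original order, a new SSH connection from a listed source is accepted by the unconditional tcp/22 ACCEPT before any DROP is consulted; with the drops moved to the top it is dropped by the first rule. Traffic from the trusted stand-in subnet is accepted in both orders, an unlisted source falls through to the INPUT policy in both, and an already established flow still reaches the RELATED,ESTABLISHED rule in the reordered set, which is why restricting the drops to NEW costs nothing.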

gwatson
Posts: 4
Joined: 2018/08/10 14:53:02

Re: IPTables help

Post by gwatson » 2018/08/12 13:16:34

I should have mentioned earlier this is an Asterisk PBX running on CentOS, so there should be very limited inbound traffic, with the exception of a few remote users that are local. I am ok with blocking all of those large subnets.

What I really wanted was to block all inbound traffic and only allow specific IP addresses, or maybe a couple of small subnets. But I kept getting hack attempts and ended up adding the drop lines to try to stop them. The hackers would try to register to port 5060 and fail on 1 attempt and fail2ban would ban them, then I'd go in and add the subnet, or IP.

I had the drop lines at the top, and traffic was still getting through, and it didn't seem to stop until I added the 3 drop lines at the bottom, and the extra drop line at the top (iptables -A INPUT -s unknown.Level3.net/8 -j DROP). I'm guessing it was this Level3 line that killed the last few that were getting through.

For the SSH, I am going to set a source IP to my own subnet so I will block that access once I have everything buttoned up.
