Gentoo Forums
HOWTO: Quick/Simple Personal Firewall
MdaG
l33t
Joined: 09 Nov 2004
Posts: 945
Location: Stockholm, Sverige

PostPosted: Mon Apr 25, 2005 4:55 pm

Whenever I try to run the script I can't access the internet... I didn't dare save it since I'm not sure I would be able to revert the change.
equaeghe
Guru
Joined: 22 Feb 2005
Posts: 482

PostPosted: Wed May 11, 2005 9:11 pm

I used (part of) the script and it seems to work nicely,
but I have some remaining questions about logging
(I use "$IPTABLES -A INPUT -i $INET_IF -j LOG"):
* does this logging line log only dropped incoming packets?
* where is everything logged to (nothing to be found in /var/log/)?

Erik
bienchen
Apprentice
Joined: 14 Sep 2004
Posts: 261
Location: Hamburg, Germany

PostPosted: Sun May 18, 2008 10:54 am

Hi there,

so, I just copied & pasted the rules from this howto and everything seems to work fine... but when I run an "iptables -L" I get the following:
Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


From how I understand this whole iptables issue, I would have expected no rule accepting each protocol from anywhere in chain INPUT...or do I misinterpret the output?

greetings,

bienchen
mephist0
Tux's lil' helper
Joined: 19 Sep 2005
Posts: 94
Location: Germany, near Frankfurt/Main

PostPosted: Tue Jan 26, 2010 6:27 pm

Wonderful HowTo !!!!

Thank you very much!!

But how do I prevent the logs from iptables from being shown in dmesg?
d2_racing
Bodhisattva
Joined: 25 Apr 2005
Posts: 13047
Location: Ste-Foy,Canada

PostPosted: Tue Jan 26, 2010 9:59 pm

I would like to know that too, because right now I log only what is critical and that's all.

I don't want to spam my dmesg :P
Mike Hunt
Watchman
Joined: 19 Jul 2009
Posts: 5287

PostPosted: Sat Mar 13, 2010 11:15 pm

I'm not a big iptables expert but I can offer this. Hopefully it's close enough.

Do you have something like this?
Code:
iptables -A INPUT -i lo -j ACCEPT

That would produce this output:
Code:
ACCEPT     all  --  anywhere             anywhere

But you should probably have that for some ipc's, etc...

The others do what they say.

This one is for established, related, therefore permitted incoming connections. Required by networking that needs both ways traffic, like file sharing, etc...
Code:
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED


The icmp ones are all described in RFCs; see here for RFC references, such as RFC792, for detailed descriptions.

The tcp dpt ones are the explicitly opened ports allowed in the iptables config, i.e. 22 (ssh) in the above posted case.
Note that opening port 22 like that may leave you vulnerable to brute force attacks (see /var/log/messages). Therefore be sure to use strong passwords on your box.
d2_racing
Bodhisattva
Joined: 25 Apr 2005
Posts: 13047
Location: Ste-Foy,Canada

PostPosted: Sun Mar 14, 2010 4:00 am

For the brute force ssh attack, you can ban the ip after 3 or 10 attempts, so you have something to work for sure.
Mike Hunt
Watchman
Joined: 19 Jul 2009
Posts: 5287

PostPosted: Sun Mar 14, 2010 4:54 am

Yes, like this; you need "recent" and "state" match support enabled in the kernel Core Netfilter Configuration for it to work:
Code:
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state ESTABLISHED -m recent --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset


Alternatively you can use a non-standard port number for ssh and tweak the Port setting in /etc/ssh/sshd_config and /etc/ssh/ssh_config,
or use the ssh -p number ... and scp -P number ... commands.
d2_racing
Bodhisattva
Joined: 25 Apr 2005
Posts: 13047
Location: Ste-Foy,Canada

PostPosted: Sun Mar 14, 2010 3:42 pm

In fact, many people use TCP port 6888 for ssh, just to be sure that they think that's a bittorrent port :P
dwbowyer
Apprentice
Joined: 18 Apr 2008
Posts: 154

PostPosted: Sat Apr 03, 2010 11:00 pm    Post subject: New script

Hello all,

I've been working on a script to generate iptables rules, with a few features to them that I want/need. Gentoo docs provide
a limited and simple set of rules that worked well for a home router http://www.gentoo.org/doc/en/home-router-howto.xml
(In fact that was how I found Gentoo 3 yrs ago while using Ubuntu. Gentoo's great, easy to understand documentation is
the primary reason I had for trying Gentoo). However, the existing guide didn't really teach me what the rules did,
or how they might compare to other rulesets. I know there are automatic tools out there, but I wanted to learn how to
do it myself with just iptables, and not add a layer of configuring some other tool.

Since my ISP and many others have monthly usage limits, the first reason I had for getting into this project was
a monthly usage counter. Anyway, I've found just a few topics in the forums to help expand my knowledge, and after a bit
of googling too, I got down to experimenting, testing and refining...

.. and I present here, my quite usable work in progress.

The script generates rules simple enough for a home PC (or home router), but is well on its way to being acceptable for
a full server setup, whether for a simple FTP, http, or even an ISP's needs. I'm willing to accept any input for feature
requests, advice or comments.

firewall.sh v0.1.0.

Features:
Separate config file
----To separate user modified parameters and documentation from the script itself
Default DROP policies
----Unlike the home-router-howto, only ACCEPT what we specifically want
Simple logging options
----Currently for INVALID packets, will add more later.
Monthly usage counters
----Pretty output to make it clear, plus easily support automatic printing and resetting of the needed counters with cron or atd in one line
(Still working to improve on that one)
Multiple NIC support
----For more than one lan, net NIC -- just add to a single variable.
(Default routes, bridging and load balancing NOT yet added.)
Thoroughly documented
----For those new to iptables, wanting to learn more.


Code:

#!/bin/bash
# Distributed under the terms of the GNU General Public License v2
# Our complete stateful firewall script.  This firewall can be customized for
# a laptop, workstation, router or even a server. :)
USAGE() {
    echo "USAGE: firewall.sh start|stop|counter|counter-reset"
}

confscript="${HOME}/bin/firewall.config"
source "$confscript"

#### NOTE: Functions are used here not merely to reduce redundancy in the script, but mainly
####    to ensure that "iptables -L" and "iptables -S" produce consistent and
####   nicely aligned output

    # If changes are made to /etc/sysctl.conf, then opts are persistent across boots
    # Done here simply for completion's sake
function configure {
    # Explicitly disable ECN
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    then
   echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi
    # Disable spoofing on all interfaces
    for x in ${LOOP} ${LAN} ${WAN}
    do
   echo 1 > /proc/sys/net/ipv4/conf/"${x}"/rp_filter
    done
}

    # Monthly usage counters, totaling all inbound and outbound Internet traffic
    # All the following rules, not having a target -- are passthrough -- counting packets/bytes, but not
    # having any effect on packet destiny. Thus, the final rule is the sum of the preceding rules.
    # Specifically excluding INVALID packets and the LOOP interface.
    # VARIABLE $1 is name of an interface IE eth0 eth1
function AddMonthlyCounter() {
    # Eventually rules can easily be inserted to count traffic for specific services.
    iptables -N "${1}-Cnt"
    iptables -A "${1}-Cnt" -i ${1}   -m comment --comment "subTOTAL ${1} INPUT /DOWLOAD "
    iptables -A "${1}-Cnt" -o ${1}   -m comment --comment "subTOTAL ${1} OUTPUT/UPLOAD  "
    iptables -A "${1}-Cnt"      -m comment --comment "   TOTAL ${1} BANDWIDTH      "
}

    # Simply causes jump (Within the generated rules) to the above generated Counter rule chains,
    # then returns
function IncCounters() {
    iptables -A INPUT   -i ${1} -j "${1}-Cnt"
    iptables -A OUTPUT  -o ${1} -j "${1}-Cnt"
}

    # continuing established and related connections, for the given interface
function ServicesContinue() {
    iptables -A INPUT   -i ${1} -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT  -o ${1} -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ${1} -m state --state ESTABLISHED,RELATED -j ACCEPT
}

    # opening NEW connections
function ServicesNew() {
   TARGET="$1"   # either "INPUT -i", "OUTPUT -o", or "FORWARD -i"
   IF="$2"      # the interface to make rule for
   shift      # strip the target
   shift      # strip the interface
   SERVICES="$*"   # anything else should be services/ports
   
   # Three options exist for NEW traffic, accept all NEW traffic, deny all, or allow by ports and services
   # A for loop here would create a rule for each client service opened, do I want that? We'll give it a try.
   if [ "${SERVICES}" == "ALL" ]
   then
       iptables -A ${TARGET} ${IF} -m state --state NEW -j ACCEPT
   elif [ "${SERVICES}" == "NONE" ]
   then
       echo "No NEW \"${TARGET}\" connections allowed!"
   else
       for OPEN in ${SERVICES}
       do
      iptables -A ${TARGET} ${IF} -p tcp --dport ${OPEN} -m state --state NEW -j ACCEPT
      iptables -A ${TARGET} ${IF} -p udp --dport ${OPEN} -m state --state NEW -j ACCEPT
       done
   fi
}

case "$1" in
# BEGIN firewall.sh start
"start")
    # Call the function directly: "[ configure ]" would only test a non-empty
    # string and never actually run it
    if configure
    then
   echo "Starting firewall..."
    else
   echo "Failed to modify /proc settings" && exit 1
    fi
    # Default policies are to block all traffic, silently
    iptables -P INPUT   DROP
    iptables -P OUTPUT  DROP
    iptables -P FORWARD DROP

    if [ "$LOG" ]
    then
   # Logging are passthrough rules and we want to catch all
   iptables -A INPUT  -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-uid
   iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-uid
   # and what to do after logging
   iptables -A INPUT  -m state --state INVALID -j DROP
   iptables -A OUTPUT -m state --state INVALID -j DROP
    fi

    # Some people use ( ! -i ${WAN} ) below, but I prefer naming the interface(s) to open, each as a
    # separate rule, not one(s) NOT to open. It makes the iptables counters more useful, as we can see
    # how much traffic we are getting on EACH interface, rather than ALL opened interfaces (or rather
    # all interfaces we HAVEN'T kept closed). Also enables there to be more than one WAN without jumping
    # through more hoops

    # Note that using (iptables -L -v), the counters for these 2 lines should, by definition, match.
    iptables -A INPUT   -i ${LOOP} -j ACCEPT
    iptables -A OUTPUT  -o ${LOOP} -j ACCEPT


    for IFACE in ${WAN} ${LAN}
    do
   AddMonthlyCounter $IFACE
    done

    if [ "$ROUTER" ]
    then
   # We're a router of some kind, enable IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        if [ "$NAT" = "dynamic" ]
   then
       # Dynamic IP address, use masquerading
       echo "Enabling masquerading (dynamic ip)..."
       iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
       # Only "dynamic" NAT tested, as I have not got a static IP. Can someone report success of static NAT?
       # The rule should be good, but just need to verify that all conditional code works.
   elif [ "$NAT" != "" ]
   then
       # Static IP, use SNAT: ${NAT} holds the WAN address to rewrite sources to
       echo "Enabling SNAT (static ip)..."
       iptables -t nat -A POSTROUTING -o ${WAN} -j SNAT --to ${NAT}
   fi
    fi

    # We ought not control a LAN interface and services provided on such if we are not a ROUTER,
    # so following code could be moved inside the above ROUTER if, but maybe I'm wrong in some cases
    if [ "$TRUSTED_LAN" ]
    then
   for IFACE in ${LAN}
   do
       IncCounters $IFACE
       iptables -A INPUT   -i ${IFACE} -j ACCEPT
       iptables -A OUTPUT  -o ${IFACE} -j ACCEPT
       iptables -A FORWARD -i ${IFACE} -j ACCEPT
   done
    else
   # I have not yet tested this section of rule generation, as I do trust my LAN, but
   # It should work. Anyone care to experiment?
   for IFACE in ${LAN}
   do
       IncCounters $IFACE
       ServicesContinue ${IFACE}
       # You may opt to replace the following with individual lines to specific interfaces:
       # if, for instance, you wished to open a service for a particular subnet, connected to some
       # interfaces, but not others. (Place them outside the loop)
       ServicesNew "INPUT -i" ${IFACE} ${SERVICES_LAN}

       # What sort of NEW OUTPUT from our firewall/router/server to our LAN would we want blocked?
       ServicesNew "OUTPUT -o" ${IFACE} ALL

       # And just to be clear, we open port above to NEW connections for services the router/firewall
       # PROVIDES to the lan. and below FORWARD services passing THROUGH the router.
       ServicesNew "FORWARD -i" ${IFACE} ${SERVICES_CLIENT}
   done
    fi

    # Implicitly, only external network connections make it to these rules.
    for IFACE in ${WAN}
    do
   IncCounters $IFACE
   ServicesContinue ${IFACE}
   # Note that from the internet we only FORWARD related and established connections,
   # so those are taken care of above.

   # The next line enables public access to certain services, for
   # those services listed in the configuration
   ServicesNew "INPUT -i" ${IFACE} ${SERVICES_WAN}

   # outgoing NEW connections
   ServicesNew "OUTPUT -o" ${IFACE} ${SERVICES_CLIENT}
    done

    # STEALTHED holds the strings "TRUE"/"FALSE" (bash has no boolean type), so we
    # have to compare against the actual value
    if [ "${STEALTHED}" = "FALSE" ]
    then
   echo "Rejecting all unwanted inbound connections..."
   # NOT stealthed, by design.
   for CLOSED in ${WAN}
   do
       iptables -A INPUT -p tcp -i ${CLOSED} -j REJECT --reject-with tcp-reset
       iptables -A INPUT -p udp -i ${CLOSED} -j REJECT --reject-with icmp-port-unreachable
   done
    fi

    # Leaving these here as a reminder to work on rules that limit connection attempts
    # and traffic volume per time period
    #   iptables -A INPUT -p ICMP -m limit --limit 1/s -j ACCEPT
    #   iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    ;;
### END "firewall.sh start"

"stop")
    echo "Stopping firewall..."
    iptables -F
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    # Turn off NAT/masquerading, if any
    iptables -t nat -F POSTROUTING
    for IFACE in ${WAN} ${LAN}
    do
   # All rules must be flushed and references to chain must be deleted
   # before the chain can be deleted
   iptables -X "${IFACE}-Cnt"
    done
    ;;

"counter")
    for IFACE in ${WAN} ${LAN}
    do
   date && iptables -v -L ${IFACE}-Cnt
    done
    ;;

"counter-reset")
    for IFACE in ${WAN} ${LAN}
    do
   date && iptables -v -L ${IFACE}-Cnt -Z
    done
    ;;


*)
    USAGE
    ;;
esac


Code:

# firewall.config

# The machine's loopback device, needed for some local programs to talk to each other)
LOOP="lo"

# The next two may have more than one interface, separated by spaces
# While most home PCs, even home networks would have only one interface at most
# of each kind # I want the script to be extensible to use in a larger network
# without modification. The script may be complicated to a new user, but the
# rules generated should be simple and easy to read
# LAN (connection(s) to a network)
# WAN (connection(s) to the Internet)
LAN="eth1"
WAN="eth0"

# If you're a router (and thus should forward IP packets between interfaces),
# you want ROUTER="TRUE"; otherwise, ROUTER="FALSE"
ROUTER="TRUE"

# Change this next line to the static IP of your WAN interface for static SNAT, or
# "dynamic" if you have a dynamic IP.  If you don't do routing and thus don't need any NAT,
# set NAT to "" to disable it.
#NAT="1.2.3.4"
NAT="dynamic"
#NAT=""

# Do we trust our internal LAN users?
TRUSTED_LAN="TRUE"

# Do we log? Currently, just for dropped invalid packets.
LOG="TRUE"

# IF you want to just drop all unwanted connection attempts to be stealthed,
STEALTHED="TRUE"
# or have packets not specifically processed to be rejected. Some people suggest that
# being stealthed when IP address is known to be active actually encourages hacking attempts.
# However, using Shields Up! at https://www.grc.com/x/ne.dll?bh0bkyd2 informs me that
# while most ports read closed, certain MS Windows ports read as stealthed (because they aren't
# used under Linux). That could effectively tell someone we aren't using Windows, and why
# would we want to give them ANY info that could identify our system and how to attack it?
#STEALTHED="FALSE"

# Change this line so that it lists the assigned numbers or symbolic names (from
# /etc/services) of all the services that you'd like to provide to the general
# public. If you don't want any services enabled, set it to "NONE"
# Common services in the following line, consult /etc/services for a more complete list
#SERVICES_WAN="ftp ssh telnet smtp tftp http pop3 ntp rsync"
#SERVICES_WAN="NONE"
# DO NOT SET SERVICES_WAN="ALL" unless you are emulating a Microsoft Network
SERVICES_WAN="bittorrent"

# for bittorrent below 2 lines were added to the end of /etc/services
#echo "bittorrent   6881/tcp         # bittorrent Protocol" >> /etc/services
#echo "bittorrent   6881/udp         # bittorrent Protocol" >> /etc/services
# Otherwise, specify the port number, "6881", or range "6881:6889"


# AS above, but services would only be opened for ${LAN} interfaces
SERVICES_LAN="ntp distcc"
#SERVICES_LAN="NONE"
# DO NOT SET SERVICES_LAN="ALL" unless you are emulating a Microsoft Network

# Outbound services we'll be using as a client, not providing as a server
# Some IMPORTANT INFO HERE: due to how this script is written, it supports
# a paranoid level of firewalling including checking outbound connections.
# For most people that is not necessary or wanted so the DEFAULT IE
SERVICES_CLIENT="ALL"
# WILL OPEN NEW OUTBOUND CONNECTIONS FOR ALL PORTS
# The following line will actually BLOCK ALL NEW OUTBOUND CLIENT CONNECTIONS
#SERVICES_CLIENT="NONE"
# That would be useful for instance for public access computers that need to
# assume local users are not to be trusted (Public Library, Prisons, kiosks),
# or for use with dynamic iptables scripts that would open those ports only if
# certain conditions are met. Example, a net cafe could offer free use of computers
# for local-only usage IE word processing. But if service is paid for, then open
# the given system for full or limited internet usage, or local network gaming, etc.

# PLEASE NOTE that ANY other OPTIONS specified will ensure that ONLY those services
# listed will be able to establish NEW outgoing connections. Some spyware/worms/viruses
# once infecting a computer will "dial home". So for extra security, limiting outbound
# NEW connections to just the services/ports users actually use makes sense. This is true
# even on the average desktop PC, (unlike the above NONE option). But you BETTER know what
# services are used directly, and also which provide support services in the background.
# Luckily, if you are running Gentoo, you should, or know how to find out.
# I, myself am not quite there yet. (Not that paranoid)
#SERVICES_CLIENT="ftp http pop3 ntp irc https submission rsync pop3s bittorrent svn"

# FOR completion's sake an option for services PROVIDED BY our LAN, for our LAN.
# Not used/implemented yet.
# For instance, if we had an HTTP server behind our firewall (rather than on it), and wanted
# access to that service, or wanted to have the help of others on our network for distributed compiling.
#SERVICES_CLIENT_LAN="distcc"


Some notes:

I have to note however that my ISP (Comcast) seems to count MUCH less traffic than is counted by my rules. I assume this
is because my script rules counts packet size and the ISP only counts the size of the contents of packets
(IE filesize, not transmission size). Then again I KNOW I download more than their monthly reports say I do.
Perhaps they don't count anything that might be cached on their servers?

Both due to the fact that so many of the rules have similar form, and so that the printing out of the rules using
"iptables -L" and "iptables -S" will be clear and easy to read, I use functions in the script. Also, minor changes
in one location can affect all similar generated rules.

Working toward supporting multiple interfaces for local network and internet connections (the script should do so),
although I don't currently use more than one of each. However, bridging and load balancing are not yet included,
and likely won't be included without help from users that actually have such a setup.

Rate Limiting connections or traffic are the goal of dynamic rules, that I want to work on soon.

In theory, the fewer rules a packet has to test against the lower the overhead of running the firewall. That's
probably why a lot of scripts use " [ ! WAN ] ACCEPT " setups to accept LAN and loopback traffic at the same time.
My thinking is, rules to accept loopback traffic could be near the end of the chains since few packets would
ever reach those rules. Furthermore, I might work on adding a config option to allow users to decide if LAN or WAN
rules should be added to chains first. That way if nearly all traffic is one or the other the majority of packets
would be caught in the first few rules.
dwbowyer
Apprentice
Joined: 18 Apr 2008
Posts: 154

PostPosted: Sat Apr 03, 2010 11:07 pm

Example output of "iptables -L -v"
Code:

Chain INPUT (policy DROP 926 packets, 184K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1077 79652 LOG        all  --  any    any     anywhere             anywhere            state INVALID LOG level warning ip-options uid prefix `DROP INVALID '
 1077 79652 DROP       all  --  any    any     anywhere             anywhere            state INVALID
    8   756 ACCEPT     all  --  lo     any     anywhere             anywhere           
30755   18M eth1-Cnt   all  --  eth1   any     anywhere             anywhere           
30755   18M ACCEPT     all  --  eth1   any     anywhere             anywhere           
 744K  508M eth0-Cnt   all  --  eth0   any     anywhere             anywhere           
 737K  508M ACCEPT     all  --  eth0   any     anywhere             anywhere            state RELATED,ESTABLISHED
 1681  102K ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:bittorrent state NEW
 4120  389K ACCEPT     udp  --  eth0   any     anywhere             anywhere            udp dpt:bittorrent state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1496  241K ACCEPT     all  --  eth1   any     anywhere             anywhere           
 1505 1486K ACCEPT     all  --  eth0   any     anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  262 31912 LOG        all  --  any    any     anywhere             anywhere            state INVALID LOG level warning ip-options uid prefix `DROP INVALID '
  262 31912 DROP       all  --  any    any     anywhere             anywhere            state INVALID
    8   756 ACCEPT     all  --  any    lo      anywhere             anywhere           
18010   44M eth1-Cnt   all  --  any    eth1    anywhere             anywhere           
18010   44M ACCEPT     all  --  any    eth1    anywhere             anywhere           
 816K  556M eth0-Cnt   all  --  any    eth0    anywhere             anywhere           
 792K  555M ACCEPT     all  --  any    eth0    anywhere             anywhere            state RELATED,ESTABLISHED
24505 1584K ACCEPT     all  --  any    eth0    anywhere             anywhere            state NEW

Chain eth0-Cnt (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 744K  508M            all  --  eth0   any     anywhere             anywhere            /* subTOTAL eth0 INPUT /DOWLOAD  */
 816K  556M            all  --  any    eth0    anywhere             anywhere            /* subTOTAL eth0 OUTPUT/UPLOAD   */
1560K 1065M            all  --  any    any     anywhere             anywhere            /*    TOTAL eth0 BANDWIDTH       */

Chain eth1-Cnt (2 references)
 pkts bytes target     prot opt in     out     source               destination         
30755   18M            all  --  eth1   any     anywhere             anywhere            /* subTOTAL eth1 INPUT /DOWLOAD  */
18010   44M            all  --  any    eth1    anywhere             anywhere            /* subTOTAL eth1 OUTPUT/UPLOAD   */
48765   61M            all  --  any    any     anywhere             anywhere            /*    TOTAL eth1 BANDWIDTH       */


"iptables -S -v"
Code:

-P INPUT DROP -c 963 189188
-P FORWARD DROP -c 0 0
-P OUTPUT DROP -c 0 0
-N eth0-Cnt
-N eth1-Cnt
-A INPUT -m state --state INVALID -c 1101 80911 -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-uid
-A INPUT -m state --state INVALID -c 1101 80911 -j DROP
-A INPUT -i lo -c 8 756 -j ACCEPT
-A INPUT -i eth1 -c 59714 38784970 -j eth1-Cnt
-A INPUT -i eth1 -c 59714 38784970 -j ACCEPT
-A INPUT -i eth0 -c 757143 514201777 -j eth0-Cnt
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -c 750282 513513461 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 6881 -m state --state NEW -c 1714 103913 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 6881 -m state --state NEW -c 4184 395215 -j ACCEPT
-A FORWARD -i eth1 -c 2051 352749 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -c 1991 1934757 -j ACCEPT
-A OUTPUT -m state --state INVALID -c 266 33089 -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-uid
-A OUTPUT -m state --state INVALID -c 266 33089 -j DROP
-A OUTPUT -o lo -c 8 756 -j ACCEPT
-A OUTPUT -o eth1 -c 36037 82036208 -j eth1-Cnt
-A OUTPUT -o eth1 -c 36037 82036208 -j ACCEPT
-A OUTPUT -o eth0 -c 833369 572271923 -j eth0-Cnt
-A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -c 808368 570656922 -j ACCEPT
-A OUTPUT -o eth0 -m state --state NEW -c 25001 1615001 -j ACCEPT
-A eth0-Cnt -i eth0 -m comment --comment "subTOTAL eth0 INPUT /DOWLOAD " -c 757143 514201777
-A eth0-Cnt -o eth0 -m comment --comment "subTOTAL eth0 OUTPUT/UPLOAD  " -c 833369 572271923
-A eth0-Cnt -m comment --comment "   TOTAL eth0 BANDWIDTH      " -c 1590512 1086473700
-A eth1-Cnt -i eth1 -m comment --comment "subTOTAL eth1 INPUT /DOWLOAD " -c 59714 38784970
-A eth1-Cnt -o eth1 -m comment --comment "subTOTAL eth1 OUTPUT/UPLOAD  " -c 36037 82036208
-A eth1-Cnt -m comment --comment "   TOTAL eth1 BANDWIDTH      " -c 95751 120821178


"firewall counter"
Code:

Sat Apr  3 16:06:00 PDT 2010
Chain eth0-Cnt (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 775K  520M            all  --  eth0   any     anywhere             anywhere            /* subTOTAL eth0 INPUT /DOWLOAD  */
 855K  592M            all  --  any    eth0    anywhere             anywhere            /* subTOTAL eth0 OUTPUT/UPLOAD   */
1630K 1112M            all  --  any    any     anywhere             anywhere            /*    TOTAL eth0 BANDWIDTH       */
Sat Apr  3 16:06:00 PDT 2010
Chain eth1-Cnt (2 references)
 pkts bytes target     prot opt in     out     source               destination         
80856   56M            all  --  eth1   any     anywhere             anywhere            /* subTOTAL eth1 INPUT /DOWLOAD  */
48606  105M            all  --  any    eth1    anywhere             anywhere            /* subTOTAL eth1 OUTPUT/UPLOAD   */
 129K  161M            all  --  any    any     anywhere             anywhere            /*    TOTAL eth1 BANDWIDTH       */

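As an added example (not from any of the posts above), a small Python script that reads "iptables -S -v" output like the listing dwbowyer posted and checks the invariant his counter chains rely on: the passthrough TOTAL rule must equal the INPUT subTOTAL plus the OUTPUT subTOTAL, and the jump rules feeding the chain must carry the same counters. The sample lines are copied from the listing above; the parser and the check are constructed here and never touch the kernel.

```python
"""Check the per-interface counter chains that firewall.sh builds.

Parses the text produced by "iptables -S -v" and verifies, for every
<iface>-Cnt chain, that the passthrough TOTAL rule really is the sum of the
two subTOTAL rules and that the jumps into the chain from INPUT/OUTPUT add
up to the same figure.  A mismatch means a counter was zeroed or a rule
was inserted between the jump and the chain, so the report is not trustworthy.
"""
import shlex
from collections import defaultdict

# Constructed sample: the counter-related lines copied from the
# "iptables -S -v" listing in the post above (same numbers).
SAMPLE_RULES = """\
-P INPUT DROP -c 963 189188
-N eth0-Cnt
-N eth1-Cnt
-A INPUT -i eth1 -c 59714 38784970 -j eth1-Cnt
-A INPUT -i eth0 -c 757143 514201777 -j eth0-Cnt
-A OUTPUT -o eth1 -c 36037 82036208 -j eth1-Cnt
-A OUTPUT -o eth0 -c 833369 572271923 -j eth0-Cnt
-A eth0-Cnt -i eth0 -m comment --comment "subTOTAL eth0 INPUT /DOWLOAD " -c 757143 514201777
-A eth0-Cnt -o eth0 -m comment --comment "subTOTAL eth0 OUTPUT/UPLOAD  " -c 833369 572271923
-A eth0-Cnt -m comment --comment "   TOTAL eth0 BANDWIDTH      " -c 1590512 1086473700
-A eth1-Cnt -i eth1 -m comment --comment "subTOTAL eth1 INPUT /DOWLOAD " -c 59714 38784970
-A eth1-Cnt -o eth1 -m comment --comment "subTOTAL eth1 OUTPUT/UPLOAD  " -c 36037 82036208
-A eth1-Cnt -m comment --comment "   TOTAL eth1 BANDWIDTH      " -c 95751 120821178
"""


def parse_rule(line):
    """Turn one "-A ..." line into a dict; -P/-N lines and blanks give None."""
    tok = shlex.split(line)  # shlex keeps the quoted --comment text intact
    if len(tok) < 2 or tok[0] != "-A":
        return None
    rule = {"chain": tok[1], "in": None, "out": None, "target": None,
            "comment": None, "pkts": 0, "bytes": 0}
    i = 2
    while i < len(tok):
        t = tok[i]
        if t == "-i":
            rule["in"] = tok[i + 1]
            i += 2
        elif t == "-o":
            rule["out"] = tok[i + 1]
            i += 2
        elif t == "-j":
            rule["target"] = tok[i + 1]
            i += 2
        elif t == "--comment":
            rule["comment"] = tok[i + 1].strip()
            i += 2
        elif t == "-c":  # "-c <packets> <bytes>", only present with -v
            rule["pkts"], rule["bytes"] = int(tok[i + 1]), int(tok[i + 2])
            i += 3
        else:
            i += 1
    return rule


def _sum(rules, key):
    return sum(r[key] for r in rules)


def check_counter_chains(text):
    """Return {iface: summary} for every <iface>-Cnt chain in the listing.

    "consistent" is True only if TOTAL == INPUT subtotal + OUTPUT subtotal for
    both packets and bytes and, when the chain is referenced at all, the jump
    rules that feed it carry exactly the same counters.
    """
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    by_chain = defaultdict(list)
    for r in rules:
        by_chain[r["chain"]].append(r)

    report = {}
    for chain, crules in by_chain.items():
        if not chain.endswith("-Cnt"):
            continue
        iface = chain[:-len("-Cnt")]
        sub_in = [r for r in crules if r["in"] == iface]
        sub_out = [r for r in crules if r["out"] == iface]
        total = [r for r in crules if r["in"] is None and r["out"] is None]
        jumps = [r for r in rules if r["target"] == chain]

        ok = len(total) == 1
        for key in ("pkts", "bytes"):
            ok = ok and _sum(sub_in, key) + _sum(sub_out, key) == _sum(total, key)
            ok = ok and (not jumps or _sum(jumps, key) == _sum(total, key))

        report[iface] = {
            "download_pkts": _sum(sub_in, "pkts"),
            "download_bytes": _sum(sub_in, "bytes"),
            "upload_pkts": _sum(sub_out, "pkts"),
            "upload_bytes": _sum(sub_out, "bytes"),
            "total_pkts": _sum(total, "pkts"),
            "total_bytes": _sum(total, "bytes"),
            "consistent": ok,
        }
    return report


if __name__ == "__main__":
    for iface, s in sorted(check_counter_chains(SAMPLE_RULES).items()):
        flag = "ok" if s["consistent"] else "MISMATCH"
        print(f"{iface}: down {s['download_bytes']} B, up {s['upload_bytes']} B, "
              f"total {s['total_bytes']} B [{flag}]")
```

Feed it live output with `iptables -S -v | python3 thisscript.py` after swapping SAMPLE_RULES for sys.stdin.read(); the "firewall counter-reset" command zeroes only the chain, so the jump-rule check will flag the first listing taken after a reset until the chain's rows catch up.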
lennarts
n00b
Joined: 11 Apr 2007
Posts: 5
Location: Denmark

PostPosted: Tue Apr 27, 2010 2:58 pm

My box is behind the firewall of my router so I do not need another firewall - however ssh access is possible and it is rather annoying with all those attacks, so Mike's 2 lines just make it.

Mike Hunt wrote:
Yes like this, you need "recent" and "state" match support enabled in the kernel Core Netfilter Configuration enabled for it to work:
Code:
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state ESTABLISHED -m recent --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset


It is too restrictive in my environment so I have extended the last line by allowing access from within and allowing just one error from outside:
Code:

iptables -A INPUT -p tcp --dport 22 ! -s 192.168.1.0/24 -i eth0 -m state --state ESTABLISHED -m recent --update --seconds 60 --hitcount 3  -j REJECT --reject-with tcp-reset