On 10.09.13 at 13:27, F. Gr. wrote:
> I'm a newbie about iptables. I use this script
> <http://pastebin.ca/2447430> for my system. It is based on
> <http://wiki.archlinux.org/index.php/Simple_stateful_firewall>. Now I
> want to add an iptables log chain and others. What is the correct
> line to start adding the following?
>
> <script>
> ## Logging
> $IPT -N LOGDROP
> $IPT -A LOGDROP -m limit --limit 5/m --limit-burst 8 -j LOG --log-prefix "IPTables-Dropped: "
> $IPT -A LOGDROP -j DROP

The position of these lines in the script does not matter much; place them anywhere below line 27.

>
> # log and drop packets that hit this rule
> $IPT -A INPUT -m conntrack --ctstate INVALID -j LOGDROP

This should replace '$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP' (line 47 in the script).

> </script>
>
> Supposing I want to add the following lines as well, are there any
> rules that are superfluous? Do these rules have to be placed after or before
> the rule "$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP"?
>
> <script>
> # SSH bruteforce attacks
> $IPT -N IN_SSH

For consistency, place it below the definitions of the other chains, line 32.

> $IPT -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH

The ssh connections should be handled before they fall into the TCP chain, so place this rule before '$IPT -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP' (line 50).

> $IPT -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
> $IPT -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
> $IPT -A IN_SSH -m recent --name sshbf --set -j ACCEPT

Same as the LOGDROP chain (see above), anywhere below line 27.

> $IPT -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH

You don't have to duplicate the rules.

>
> ## Local Area Network Denial (LAND) attack
> # Block all packets from your own IP
> $IPT -A INPUT -s 192.168.201.2/32 -j DROP
> # Block any packet from local network
> $IPT -A INPUT -s 127.0.0.0/8 -j DROP
>
> # SYN Flood
> $IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
>
> # SYN packets
> # Drop any tcp packet that does not start a connection with a syn flag
> $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
>
> # NULL packets
> $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
>
> # XMAS packets
> $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
>
> # Fragments Packet
> $IPT -A INPUT -f -j DROP
>
> # ping of death
> $IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
>
> # Furtive port scanner
> $IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
> </script>

I'm not sure about the rest; I think it should go before any rule in the INPUT chain with target ACCEPT (in the script that is '$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' on line 43; icmp echo-request (line 41) does not count - it is already handled). The Simple Stateful Firewall article on ArchWiki states that "Dropping all traffic and specifying what is allowed is the best way to make a secure firewall.", so at least some of these rules might be superfluous.

>

I don't know how you use the script, but you might consider using the 'iptables-restore' command to switch between multiple iptables configurations. If you still want to use iptables.service, you can make the file /etc/iptables/iptables.rules a symlink and change its target to change the configuration. You can run 'iptables-save > foo.rules' to save the current iptables configuration, edit the file to your liking (adding comments etc.), and finally run 'iptables-restore < foo.rules' to load the saved configuration.

Regards,
Jakub Klinkovský (Lahwaacz)
Attachment:
pgpHRt2yS89PZ.pgp
Description: PGP signature
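As an added example (not part of this thread, the pastebin script, or the ArchWiki page), the ruleset below puts the LOGDROP and IN_SSH chains where the reply places them, written in the iptables-restore(8) format the reply recommends. The pastebin script is not reproduced on this page, so the baseline INPUT rules are assumed to be the ArchWiki "Simple stateful firewall" ones (RELATED,ESTABLISHED accept, loopback accept, INVALID drop, echo-request accept, then the UDP and TCP chain jumps and the final rejects); `--dport 22` stands in for `--dport ssh`. The `check_order` function is a constructed sanity check that verifies, from line positions alone, the three ordering constraints the reply states: a chain is declared before it is used, the IN_SSH jump precedes the generic `--syn ... -j TCP` jump, and the bare INVALID drop has been replaced by the LOGDROP jump.

```shell
#!/bin/sh
# Added example: ruleset in iptables-restore format (assumed ArchWiki baseline).

gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chains declared together, as the reply suggests for -N IN_SSH.
:TCP - [0:0]
:UDP - [0:0]
:IN_SSH - [0:0]
:LOGDROP - [0:0]

## Logging: rate-limited LOG, then DROP (chain rules may go anywhere after the declaration).
-A LOGDROP -m limit --limit 5/m --limit-burst 8 -j LOG --log-prefix "IPTables-Dropped: "
-A LOGDROP -j DROP

## SSH bruteforce: drop a source after 3 new connections in 10 s or 4 in 30 min.
-A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
-A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
-A IN_SSH -m recent --name sshbf --set -j ACCEPT

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Replaces the plain "--ctstate INVALID -j DROP" of the baseline.
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# The SSH jump must precede the generic TCP jump, otherwise it is never reached.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
EOF
}

# Constructed check: prints "ok" when the ordering constraints hold, otherwise
# a "fail: ..." reason and a non-zero status.
check_order() {
    rules=$(gen_rules)
    lineno() { printf '%s\n' "$rules" | grep -n -- "$1" | head -n 1 | cut -d: -f1; }
    decl_logdrop=$(lineno '^:LOGDROP ')
    use_logdrop=$(lineno '^-A INPUT .*-j LOGDROP$')
    jump_ssh=$(lineno '^-A INPUT .*-j IN_SSH$')
    jump_tcp=$(lineno '^-A INPUT -p tcp --syn .*-j TCP$')
    bare_drop=$(lineno '^-A INPUT -m conntrack --ctstate INVALID -j DROP$')

    [ -n "$decl_logdrop" ] && [ -n "$use_logdrop" ] && [ "$decl_logdrop" -lt "$use_logdrop" ] \
        || { echo "fail: LOGDROP used before it is declared"; return 1; }
    [ -n "$jump_ssh" ] && [ -n "$jump_tcp" ] && [ "$jump_ssh" -lt "$jump_tcp" ] \
        || { echo "fail: IN_SSH jump comes after the TCP jump"; return 1; }
    [ -z "$bare_drop" ] \
        || { echo "fail: bare INVALID DROP still present"; return 1; }
    echo ok
}

# Usage (as root): gen_rules > fw.rules && iptables-restore < fw.rules
```

To follow the save/restore workflow from the reply, write the output to a file, load it with `iptables-restore < fw.rules` (or point the `/etc/iptables/iptables.rules` symlink at it), and later round-trip changes with `iptables-save > fw.rules`; `iptables-restore --test < fw.rules` parses the file without committing it on builds that support that flag.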