I am trying to set up iptables to allow SSH port only from outside and all traffic from inside. Also, I'm trying to set some rules to prevent some basic DOS attacks. How do I manage the iptables rules properly?
I installed a Debian VM on VirtualBox where I set up a local static ip such as 10.0.2.3/30. I changed the SSH default port from 22 to 2222. I can connect to SSH from outside after setting up port forwarding on VirtualBox using NAT with 127.0.0.1 port 2222 on Host and 10.0.2.3 port 2222 on Client. So far so good.
Now I tried to set up firewall and DOS protection with iptables using the help of this guide such as I wrote the following script also using the kernel settings as described in the article.
sudo iptables -P INPUT DROP
### 1: Drop invalid packets ###
#sudo iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
### 2: Drop TCP packets that are new and are not SYN ###
#sudo iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
### 3: Drop SYN packets with suspicious MSS value ###
sudo iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
### 4: Block packets with bogus TCP flags ###
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
sudo iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
### 6: Drop ICMP (you usually don't need this protocol) ###
sudo iptables -t mangle -A PREROUTING -p icmp -j DROP
### 7: Drop fragments in all chains ###
sudo iptables -t mangle -A PREROUTING -f -j DROP
### 8: Limit connections per source IP ###
sudo iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
### 9: Limit RST packets ###
sudo iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
sudo iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
### 10: Limit new TCP connections per second per source IP ###
sudo iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
sudo iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
### 11: Use SYNPROXY on port 2222 (SSH) (disables connection limiting rule) ###
#sudo iptables -t raw -A PREROUTING -p tcp --dport 2222 -m tcp --syn -j CT --notrack
#sudo iptables -A INPUT -p tcp --dport 2222 -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate INVALID -j DROP
### SSH brute-force protection ###
sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
### Protection against port scanning ###
sudo iptables -N port-scanning
sudo iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
sudo iptables -A port-scanning -j DROP
echo "Allowing traffic from SSH port 2222 and Internet traffic
# Allowing SSH connection from LAN
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
# Allowing Internet traffic
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### Make the iptables rules persistent after reboot
sudo bash -c "iptables-save > /etc/iptables/rules.v4"
I identified these lines to have an impact on SSH connection from my LAN:
### 1: Drop invalid packets ###
#sudo iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
I cannot connect to SSH when I uncomment these, and I don't understand why.
I figured out that my #1 rule was simply invalid #11 rule. I either had to use one or the other.
Related
Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed last month.
Improve this question
I have this bash script configuring iptables with rules allowing input and output on port 22 and i cant connect on ssh (ssh is configured on port 22 on the server).
I first flush rules, then set default policy to drop, then drop icmp request, then drop xmas and null scan, drop broadcast, allow open connection to receive packets, accept local loop, accept incoming traffic on specified ports, then allow outgoing traffic with specified rules...
#/bin/bash
set -ex
# Flush all existing rules, chains, and tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# create table
# Not necessary in iptables
# set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
# Drop all incoming ipv6 traffic
#iptables -A INPUT -p ipv6 -j DROP
# Drop all outgoing ipv6 traffic
#iptables -A OUTPUT -p ipv6 -j DROP
# Drop all forwarded ipv6 traffic
#iptables -A FORWARD -p ipv6 -j DROP
############### INPUT chain
## On drop les requêtes ICMP (votre machine ne répondra plus aux requêtes ping sur votre réseau local).
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
## On accepte le Multicast.
#iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
## On drop les scans XMAS et NULL.
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## Dropper silencieusement tous les paquets broadcastés.
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
## Permettre à une connexion ouverte de recevoir du trafic en entrée.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
## On accepte la boucle locale en entrée.
iptables -I INPUT -i lo -j ACCEPT
#Server rules
iptables -A INPUT -p tcp -m tcp --sport 22 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 80 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 8080 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 443 -i enp53s0 -j ACCEPT
# Drop invalid packets
iptables -A INPUT -m state --state INVALID -i enp53s0 -j DROP
## On log les paquets en entrée.
iptables -A INPUT -j LOG
############### OUTPUT chain
# Allow outgoing traffic on the loopback interface
iptables -A OUTPUT -o lo -j ACCEPT
## Permettre à une connexion ouverte de recevoir du trafic en sortie.
iptables -A OUTPUT -m conntrack ! --ctstate INVALID -j ACCEPT
# allow outgoing connection for dns requests, time synchro on enp53s0 interface
iptables -A OUTPUT -p udp -m udp --dport 53 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 123 -o enp53s0 -j ACCEPT
# allow connections on source and destination specific ports on enp53s0 interface
iptables -A OUTPUT -p tcp -m tcp --dport 53 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 8080 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -o enp53s0 -j ACCEPT
# allow ping in output chain
iptables -A OUTPUT -p icmp --icmp-type echo-request -o enp53s0 -j ACCEPT
What am i missing?
Thank you
In the input chain, under #Server rules, you probably need to change --sport 22 to --dport 22. Similarly for the others.
I'm using NAT mode for guest networking. I need my machines to be accessible from outside the guest. I've set up iptables to port forward a specific port on host to port 22 on guest, but this does not seem to work.
I added this rules:
# Port Forwardings
-A PREROUTING -i eth0 -p tcp --dport 9867 -j DNAT --to-destination 192.168.122.136:22
# Forward traffic through eth0 - Change to match you out-interface
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
When I ssh 192.168.122.136 from host it works perfectly, however when I try ssh 192.168.122.136 -p 9867 it shows ssh: connect to host 192.168.122.1 port 9867: Connection refused
I've enabled port forwarding on /etc/ufw/sysctl.conf
using iptables -t nat -L shows that the rule is set up on iptable
DNAT tcp -- anywhere anywhere tcp dpt:9867 to:192.168.122.136:22
Found my answer here. basicly I changed the above to
# connections from outside
iptables -t nat -A PREROUTING -p tcp --dport 9867 -j DNAT --to 192.168.122.136:22
# for local connection
iptables -t nat -A OUTPUT -p tcp --dport 9867 -j DNAT --to 192.168.122.136:22
# Masquerade local subnet
iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -j MASQUERADE
iptables -A FORWARD -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i virbr0 -o eth0 -j ACCEPT
iptables -A FORWARD -i virbr0 -o lo -j ACCEPT
When I clear IPtables and then add the following rules, incoming connections can connect to my KVM VM on port 1234 without any problems.
-A PREROUTING -i br0 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 192.168.122.194:1234
-A FORWARD -d 192.168.122.194/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 1234 -j ACCEPT
-A FORWARD -s 192.168.122.194/32 -p tcp -m tcp --sport 1234 -j ACCEPT
-A FORWARD -d 192.168.122.194/32 -p tcp -m tcp --dport 1234 -j ACCEPT
But I also want NAT to work inside my KVM VM's. By default libvirt sets up some rules that provide my VM's with NAT. However when I try sending SIGHUP to libvirt (that's how you ask it to add it's rules to iptables), it adds the following rules to iptables that breaks my port forwarding that I have specified above.
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
I've tried running these commands manually. I can run all of the FORWARD and OUTPUT commands and they do not break my port forwarding. However I can't run any of the POSTROUTING commands manually. I get an error saying: "No chain/target/match by that name."
*These libvirt iptables rules in the last grey section above were obtained by running iptables-save and confirming port forwarding was working, then sending SIGHUP to libvirt, confirming port forwarding was broken, then running iptables-save again and running a diff on the two outputs to find which new iptables rules were added by libvirt.
I just enabled NAT with my own rules. I didn't bother with any of the default libvirt rules.
Adding NAT is as simple as 3 iptables commands.
(where br0 is your internet facing adapter (it could be ppp0 or whatever))
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
iptables -A FORWARD -i br0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i virbr0 -o br0 -j ACCEPT
I have the following iptable rules for a new system.
Basically I am trying to allow incoming www, ssl and ssh and allow outgoing ftp,ssh,smtp,dns,www and ssl connections. Plus a special rules for an outgoing mysql connection to a specific mysql server, a DoS attack helper and some dropped packet logging. All other connections I want dropped.
My trouble is, every single time I run the shell script for these rules, I get locked out tighter than a drum. It drops the established ssh session and won't allow me to begin a new one. I have to reboot through a console as even flushing the rules in a console session does not help.
It does not matter if the fallback rules (top three after the flush) are at the beginning or the end. I've tried many ways and I am hoping a new set of eyes may see what I am missing:
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport 21,22,25,53,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m multiport --sport 21,22,25,53,80,443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp -s 172.xxx.xxx.xxx --sport 1024:65535 -d 172.xxx.xxx.xxx --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 172.xxx.xxx.xxx --sport 3306 -d 172.xxx.xxx.xxx --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 80,443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
Any help would be appreciated. NOTE: I obfuscated the internal IP for posting.
I have setup keepalived, and it works well only when I stop the iptables service. My iptables config like this, Please tell me what rules should added for keepalived
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6379 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Just slove this problem these days,Haha
Do:
iptables -I INPUT -d 224.0.0.0/8 -j ACCEPT
iptables -I INPUT -p vrrp -j ACCEPT
You must accept ip protocol 112 (vrrp) and multicast traffic to 224.0.0.18. If you are using auth_type AH then you must accept proto 51
iptables -I INPUT -p 112 -d 224.0.0.18 -j ACCEPT
iptables -I INPUT -p 51 -d 224.0.0.18 -j ACCEPT
to MASTER keepalived machine:
iptables -I OUTPUT -p vrrp -s 192.168.10.1 -d 224.0.0.0/24 -j ACCEPT
to BACKUP keepalived machine:
iptables -I INPUT -p vrrp -s 192.168.10.1 -d 224.0.0.0/24 -j ACCEPT
192.168.10.1 is the master keepalived ip