Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
Improve this question
I have changed ssh default port to 2020, And add iptable rule in order to allow incoming traffic on that port using below command.
iptables -A INPUT -p tcp -m tcp --dport 2020 -j ACCEPT
And i would like to block all other ports on the server. And use below command after allowing ssh. All session are closed. How can i fix it.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
You may need to enable OUTPUT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2020 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 2020 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Related
here is my whitelist allowing wikipedia and rejecting all other sites. Unfortunately this script does not work : I cannot connect to wikipedia. Why ?
Thank you
Allow incoming traffic from established connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow incoming connections from wikipedia
iptables -A INPUT -s 78.109.84.114 -j ACCEPT
Allow outcoming connections from wikipedia
iptables -A OUTPUT -s 78.109.84.114 -j ACCEPT
Drop other incoming connections.
iptables -P INPUT DROP
Drop any transfer of traffic.
iptables -P FORWARD DROP
I think i got your Problem.
Try using iptables -A OUTPUT -d 78.109.84.114 -j ACCEPT instead of
iptables -A OUTPUT -s 78.109.84.114 -j ACCEPT
And if you want to work with the state module then use:
iptables -A OUTPUT -m state --state NEW -d 78.109.84.114 -j ACCEPT
The Problem is, that you create a rule, that says that Traffic that goes into the OUTPUT Chain with the Source Adress 78.109.84.114 is allowed. But what you want is a rule that allows Traffic to Wikipedia outgoing not from Wikipedia.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 6 years ago.
Improve this question
I have an iptables firewall with the default INPUT policy set to DROP. I'm using this for slowing down SSH brute force attempts. The problem is that if I leave the last line in, the previous rules don't trigger and all SSH traffic is accepted. If i leave it out, packets from bad IPs get dropped, but I also can't connect to SSH myself. To my understanding, iptables is sequential, so it should only reach the last rule if it hasn't triggered any of the previous rules. What I am trying to say in the last line is "if your IP isn't on the SSH_BRUTEFORCE list, go on through. What am I doing wrong ?
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -N SSHSCAN
iptables -A INPUT -i ens3 -p tcp -m tcp --dport 22 -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH_BRUTEFORCE --rsource
iptables -A SSHSCAN -m recent --update --seconds 360 --hitcount 10 --name SSH_BRUTEFORCE --rsource -j LOG --log-prefix "Anti SSH-Bruteforce: " --log-level 2
iptables -A SSHSCAN -m recent --update --seconds 360 --hitcount 10 --name SSH_BRUTEFORCE --rsource -j DROP
iptables -A SSHSCAN -m recent --rcheck --name SSH_BRUTEFORCE -j ACCEPT
You can start with rate-limiting for example:
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
If you want to log the drops then
/sbin/iptables -N LOGDROP
/sbin/iptables -A LOGDROP -j LOG
/sbin/iptables -A LOGDROP -j DROP
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOGDROP
source is here https://www.rackaid.com/blog/how-to-block-ssh-brute-force-attacks/
Also I would recommend to move the default port to something else and like #larsks suggested I would deny login with password and only accept keys.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 years ago.
Improve this question
I have a NAS server which I should do port forwarding for it in order to make its services accessible from internet. However my ISP is blocking ports, so I've managed to buy myself a cheap Ubuntu VPS to run an OpenVPN server there and then somehow redirect the whole NAS traffic and the required ports to there.
My setup is as the following:
+--------------------------------+
| Raspi |
(192.168.0.101/24)| |(192.168.1.1/24)
(192.168.0.1/24) AP<>=================={wlan0 eth0}================<>NAS (192.168.1.102/24)
| \ / |
| +----------------------+ |
| | iptables and | |
| | routing engine | |
| +-----------+----------+ |
| | |
| {tun0} |
| 10.8.0.6 |
+--------------------------------+
The VPS side is configured correctly I guess, as I am able to SSH into my Raspberry Pi using my VPS IP. That's what I've done there in order to make it work:
iptables -t nat -A PREROUTING -d A.B.C.D -p tcp --dport 22 -j DNAT --to-dest 10.8.0.6:22
iptables -t nat -A POSTROUTING -d 10.8.0.6 -p tcp --dport 22 -j SNAT --to-source 10.8.0.1
My OpenVPN server config:
port X
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
I have also done:
sysctl -w net.ipv4.ip_forward=1
and put DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw and also added
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
to
/etc/ufw/before.rules
OpenVPN client config:
client
dev tun
proto udp
remote A.B.C.D X
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
<ca>
XXX
</ca>
<cert>
YYY
</cert>
<key>
ZZZ
</key>
How do I redirect eth0 traffic to tun0 and forward ports Y and Z through the tunnel?
I just know that for the other ports I should reconfigure my VPS accordingly as I did for port 22.
I've managed to redirect the traffic on my Raspi with the following command:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE
When I traceroute out of my NAS it goes through the tunnel. Now I only need to forward ports in this tunnel.
UPDATE (solving the whole project):
I finally found the correct port forwarding commands after hours of searching. I've ran the following commands on my Raspi:
iptables -t nat -I PREROUTING -p tcp -i tun0 -d 10.8.0.6 --dport <port> -j DNAT --to 192.168.1.102:<port>
iptables -I FORWARD -p tcp -i tun0 -d 192.168.1.102 --dport <port> -j ACCEPT
And also these commands on my VPS as I've done at first for port 22 at the beginning of this thread:
iptables -t nat -A PREROUTING -d 217.160.14.45 -p tcp --dport <port> -j DNAT --to-dest 10.8.0.6:<port>
iptables -t nat -A POSTROUTING -d 10.8.0.6 -p tcp --dport <port> -j SNAT --to-source 10.8.0.1
So now I've bypassed the firewall of my ISP and I am able to access my NAS and its services using port forwarding on the VPS side. You can use this as a tutorial :)
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 3 years ago.
Improve this question
on an empty iptables I did:
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP
and a few rules for SSH, HTTP and TEAMSPEAK
and when I did iptables-save I got that result that allows some IP
# Generated by iptables-save v1.4.8 on Thu Feb 20 23:55:32 2014
*raw
:PREROUTING ACCEPT [6299:1141558]
:OUTPUT ACCEPT [6172:2577934]
COMMIT
# Completed on Thu Feb 20 23:55:32 2014
# Generated by iptables-save v1.4.8 on Thu Feb 20 23:55:32 2014
*nat
:PREROUTING ACCEPT [328:23247]
:INPUT ACCEPT [170:9752]
:OUTPUT ACCEPT [1190:168880]
:POSTROUTING ACCEPT [717:89971]
COMMIT
# Completed on Thu Feb 20 23:55:32 2014
# Generated by iptables-save v1.4.8 on Thu Feb 20 23:55:32 2014
*mangle
:PREROUTING ACCEPT [6299:1141558]
:INPUT ACCEPT [6299:1141558]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6172:2577934]
:POSTROUTING ACCEPT [5699:2499025]
COMMIT
# Completed on Thu Feb 20 23:55:32 2014
# Generated by iptables-save v1.4.8 on Thu Feb 20 23:55:32 2014
*filter
:INPUT DROP [17:1024]
:FORWARD DROP [0:0]
:OUTPUT DROP [76:11042]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 9987 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCE\
PT
-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT\
-A OUTPUT -p udp -m udp --sport 9987 -j ACCEPT
COMMIT
The question is, is it normal? Am I hacked?
If your question is referring to the numbers in square brackets i.e.
*nat
:PREROUTING ACCEPT [328:23247] <-- these numbers
Then no, you haven't been hacked.
Those are packet and byte counters.
A very good tutorial on iptables by Oskar Andreasson is found at: http://www.faqs.org/docs/iptables/index.html
with a page covering what you are asking about at: http://www.faqs.org/docs/iptables/iptables-save.html
Note that iptables-save is made to be used by iptables-resture, hence the complex formatting. Use iptables -S for a more simple form.
Furthermore, I would suggest using a more simple rules such as:
Allow outgoing traffic and continue any already established connections
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP
Specific port you want to use for input
iptables -A INPUT -p TCP --dport 22 -m state --state ESTABLISHED,NEW -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -m state --state ESTABLISHED,NEW -j ACCEPT
iptables -A INPUT -p TCP --dport 443 -m state --state ESTABLISHED,NEW -j ACCEPT
iptables -A INPUT -p TCP --dport 9987 -m state --state ESTABLISHED,NEW -j ACCEPT
Of course, run those in a script, otherwise the 'iptables -f' would disconnect your current SSH session.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
I have firewall rule that should accept all the connections, but drop connections from a ssh brute force attack (except 10.0.0.0/8 range). This rule will block an IP if it attempts more than 24 connections per 10minute.
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -s ! 10.0.0.0/8 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -s ! 10.0.0.0/8 -m state --state NEW -m recent --update --seconds 600 --hitcount 25 --rttl --name SSH -j DROP
-A INPUT -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
It errors out when I try to start iptables as bad arguement.
iptables: Applying firewall rules: Bad argument `10.0.0.0/8'
This was talked before in SF. iptables changed the way it accept parameters. Now the bang should be before the parameter, so your lines becomes this:
-A INPUT -p tcp --dport 22 ! -s 10.0.0.0/8 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 ! -s 10.0.0.0/8 -m state --state NEW -m recent --update --seconds 600 --hitcount 25 --rttl --name SSH -j DROP
And yes, every blog in internet is wrong.