I had a DDOS today on a webserver running debian sequeeze and blocked various IP-Adresses in iptables like so:
iptables -A INPUT -s 169.50.5.42 -j DROP
But it seems to not being dropping the traffic from these ip.
Listing all rules with iptables -L gives the following output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-pureftpd tcp -- anywhere anywhere multiport dports ftp
fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
DROP all -- 169.50.5.42-static.reverse.softlayer.com anywhere
DROP all -- 169.50.5.45-static.reverse.softlayer.com anywhere
DROP all -- 169.50.5.37-static.reverse.softlayer.com anywhere
DROP all -- 169.50.5.36-static.reverse.softlayer.com anywhere
DROP all -- 169.50.5.38-static.reverse.softlayer.com anywhere
DROP all -- 169.50.5.39-static.reverse.softlayer.com anywhere
DROP all -- 169.50.5.45-static.reverse.softlayer.com anywhere
DROP all -- 169.50.5.42-static.reverse.softlayer.com anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-dovecot-pop3imap (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-pureftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 43.229.53.60 anywhere
RETURN all -- anywhere anywhere
Is there something that i missed?
I can answer myself. Apparently it needs some time to apply all changes internally. After one minute or so the rules are working.
Related
I am running Ubuntu 16.04 on a remote server. I wish to setup apache.
I just did a fresh install. I set up ufw and allowed all relevant ports, I believe. Apache is running, I checked that it is listening to port 80 and 443, I believe. I can ssh into the server just fine. When I type the ip address in my browser the connection is refused.
Please help.
Relevant info I believe will help:
IP tables:
jpp#server:~$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:7822
ACCEPT udp -- anywhere anywhere udp dpt:7822
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:http /* 'dapp_Apache' */
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:https /* 'dapp_Apache%20Secure' */
ACCEPT tcp -- anywhere anywhere multiport dports 5000:5003
ACCEPT udp -- anywhere anywhere multiport dports 5000:5003
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
Apache status:
jpp#server:~$ sudo systemctl status apache2
● apache2.service - LSB: Apache2 web server
Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: active (exited) since Tue 2020-06-30 19:48:29 EDT; 1h 40min ago
Docs: man:systemd-sysv-generator(8)
Jun 30 19:48:29 server systemd[1]: Starting LSB: Apache2 web server...
Jun 30 19:48:29 server systemd[1]: Started LSB: Apache2 web server.
Jun 30 21:18:35 server systemd[1]: Started LSB: Apache2 web server.
Jun 30 21:18:46 server systemd[1]: Started LSB: Apache2 web server.
ufw status:
jpp#server:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
22/tcp ALLOW Anywhere
7822 ALLOW Anywhere
80 ALLOW Anywhere
80/tcp ALLOW Anywhere
Apache ALLOW Anywhere
443 ALLOW Anywhere
443/tcp ALLOW Anywhere
Apache Secure ALLOW Anywhere
5000:5003/tcp ALLOW Anywhere
5000:5003/udp ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
7822 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
Apache (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
Apache Secure (v6) ALLOW Anywhere (v6)
5000:5003/tcp (v6) ALLOW Anywhere (v6)
5000:5003/udp (v6) ALLOW Anywhere (v6)
I am trying to use this tutorial to connect to the internet from the BeagleBone Black: https://elementztechblog.wordpress.com/2014/12/22/sharing-internet-using-network-over-usb-in-beaglebone-black/
The IpTables steps do not seem to yield the correct configuration. For example:
iptables --table nat -A POSTROUTING -o wlp2s0 -j MASQUERADE
creates the following configuration:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- localhost/16 anywhere
MASQUERADE all -- anywhere anywhere
Why do I have anywhere as destination when I clearly specify wlp2s0 ? Can anyone please help ?
iptables -t nat -L doesn't seem to show additional information like interfaces.
While it's meant to be for save/restore and machine-readable, I much prefer the output of iptables-save due to its completeness.
In your case this should show you the complete configuration for the "nat" table:
iptables-save -t nat
I'm trying to put a new rule into iptables. What I would like is to put the rule into the penultimate line number (ie just before the DENY ALL statement). eg.
[vagrant#controller ~]$ sudo iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
5 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
then,
sudo iptables -I INPUT 5 -t filter -d 192.168.33.10 -m state --state NEW -j ACCEPT
would be:
[vagrant#controller ~]$ sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
5 ACCEPT all -- anywhere 192.168.33.10 state NEW
6 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
the issue is that I can not figure out how I can automate this with salt without explicitly knowing what the last line number is? Is there a way of running a command in salt stack and use the result of that command as a variable for the jinja template?
sudo iptables -L INPUT --line-numbers | tail -n1 | awk '{print $1}'
I'm not aware of any simple way to do this the way its described above. Some of the work-arounds that come to mind:
Define the last rule such that it depends on (i.e. requires) the one you need to insert. Salt would then make sure that they are in the right order.
Create an additional iptables chain. Insert a jump to the new chain somewhere into the original config, then alter the rules in the chain as needed. This gives you a lot of flexibility.
Write a shell-script which does what you want and call it with cmd.run. Quite inelegant but requires fewer changes to other parts of the config.
Neither of those options is perfect and may not suit your use-case. However, combining the first to methods will get you pretty far and also result in an over all cleaner setup.
I am using Red Hat 4.4.7-4 . I have installed Apache Server using
yum install httpd
/etc/init.d/httpd start
/etc/init.d/httpd status
httpd (pid 1371) is running...
This machine can be accesses through a VPN client using ssh terminal. When I hit
http://ip address:80
in a browser, the page doesnt load. I get the following error:
This Page Cannot Be Displayed
The system cannot communicate with the external server ( 173.39.232.226 ). The Internet server may be busy, may be permanently down, or may be unreachable because of network problems.
Please check the spelling of the Internet address entered. If it is correct, try this request later.
If you have questions, or feel this is an error, please contact your corporate network administrator and provide the codes shown below.
Notification codes: (1, GATEWAY_TIMEOUT, 173.39.232.226)
Also, below is the output of iptables
[root#blended-services-demo html]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
You probalby need to enable access to your server on port 80 as it is currently being blocked by iptables.
sudo /sbin/iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
This will insert the rule into your iptables configuration at the start. Once you have done this and tested that it works then you should save the configuration so that it it is used next time the service starts,
sudo /sbin/service iptables save
this will write the current configuration to /etc/sysconfig/iptables.
if this dont solve your problem, i suggest you take a look here:
apache not accepting incoming connections from outside of localhost
I installed OpenStack on RHEL6 using DevStack and had it running nicely. One day one of our "system administrators" noticed that iptables was running on the system and decided to turn it off (chkconfig iptables off). He then restarted the server and didn't tell me for a couple days. After he told me I quickly checked to see if I could access my instances. While Horizon was accessible, since nothing is being blocked, and I could access my instances from the Console, these instances could not access the network. After this I tried to access the instances from the server via SSH. The private IP was not accessible.
I then tried to restart iptables, which came up... and blocked the horizon dashboard. So I then attempted to restart all the open stack services... still no access to Horizon or any of the instances, but at least now my IPTables was populated with nova rules
Chain INPUT (policy ACCEPT)
target prot opt source destination
nova-api-INPUT all -- anywhere anywhere
nova-network-INPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere multiport dports https
ACCEPT tcp -- anywhere anywhere multiport dports http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-api-FORWARD all -- anywhere anywhere
nova-network-FORWARD all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-api-OUTPUT all -- anywhere anywhere
nova-network-OUTPUT all -- anywhere anywhere
Chain nova-api-FORWARD (1 references)
target prot opt source destination
Chain nova-api-INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere devcloud.camb.comdev.ca tcp dpt:8775
Chain nova-api-OUTPUT (1 references)
target prot opt source destination
Chain nova-api-local (1 references)
target prot opt source destination
Chain nova-filter-top (2 references)
target prot opt source destination
nova-api-local all -- anywhere anywhere
nova-network-local all -- anywhere anywhere
Chain nova-network-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain nova-network-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
Chain nova-network-OUTPUT (1 references)
target prot opt source destination
Chain nova-network-local (1 references)
target prot opt source destination
None of these rules allows allow remote access to Horizon, and they don't even allow local access to the instances that should be running. On top of that, before iptables was turned off I was able to allow Apache HTTPD to listen on any port, but that functionality seems to be stopped now as well.
Right now, the only thing I can think of is starting fresh because I don't have a clue where to look. I've been reading up on iptables and OpenStack and how they work together but haven't been able to find any solution. Can anyone point me in a direction that might help?
I had considered adding rules to the IPtables rules directly, but these would be overridden by nova anytime a change is made or it is restarted which would make this impossible to maintain.
I had same issue. I logged in the console and found that INPUT and FORWARD policies were set to drop. To fix this issue:
$ sudo iptables -A INPUT ACCEPT
$ sudo iptables -A FORWARD ACCEPT
then I could ssh and open the dashboard.