Block IP address which matches a rule - iptables

The following will drop packets which contain the string specified:
iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string "therichsheickc#yahoo.com"
The string is one which a botnet spammer uses (from 1000's upon 1000's of ip addresses) to hammer my email servers constantly. This rule is somewhat effective, but doesn't stop the connections. I'd like it to -j DROP the IP as well after a match. Can I do this in iptables without going to userspace?

This particular scanner always greet with EHLO 192.168.2.33. Use these rules to stop them:
iptables -t raw -A PREROUTING -i eth+ -p tcp --dport 25 -m string --string "192.168.2.33" --algo bm -m recent --set --name SBOT
iptables -I INPUT -i eth+ -p tcp --dport 25 -m recent --rcheck --name SBOT -j REJECT --reject-with tcp-reset
or maybe this will help :
iptables -A FORWARD -m string --algo bm --string "therichsheickc#yahoo.com" -j DROP

Related

ssh blocked by iptables even if port 22 is open [closed]

Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed last month.
Improve this question
I have this bash script configuring iptables with rules allowing input and output on port 22 and i cant connect on ssh (ssh is configured on port 22 on the server).
I first flush rules, then set default policy to drop, then drop icmp request, then drop xmas and null scan, drop broadcast, allow open connection to receive packets, accept local loop, accept incoming traffic on specified ports, then allow outgoing traffic with specified rules...
#/bin/bash
set -ex
# Flush all existing rules, chains, and tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# create table
# Not necessary in iptables
# set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
# Drop all incoming ipv6 traffic
#iptables -A INPUT -p ipv6 -j DROP
# Drop all outgoing ipv6 traffic
#iptables -A OUTPUT -p ipv6 -j DROP
# Drop all forwarded ipv6 traffic
#iptables -A FORWARD -p ipv6 -j DROP
############### INPUT chain
## On drop les requêtes ICMP (votre machine ne répondra plus aux requêtes ping sur votre réseau local).
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
## On accepte le Multicast.
#iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
## On drop les scans XMAS et NULL.
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## Dropper silencieusement tous les paquets broadcastés.
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
## Permettre à une connexion ouverte de recevoir du trafic en entrée.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
## On accepte la boucle locale en entrée.
iptables -I INPUT -i lo -j ACCEPT
#Server rules
iptables -A INPUT -p tcp -m tcp --sport 22 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 80 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 8080 -i enp53s0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 443 -i enp53s0 -j ACCEPT
# Drop invalid packets
iptables -A INPUT -m state --state INVALID -i enp53s0 -j DROP
## On log les paquets en entrée.
iptables -A INPUT -j LOG
############### OUTPUT chain
# Allow outgoing traffic on the loopback interface
iptables -A OUTPUT -o lo -j ACCEPT
## Permettre à une connexion ouverte de recevoir du trafic en sortie.
iptables -A OUTPUT -m conntrack ! --ctstate INVALID -j ACCEPT
# allow outgoing connection for dns requests, time synchro on enp53s0 interface
iptables -A OUTPUT -p udp -m udp --dport 53 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 123 -o enp53s0 -j ACCEPT
# allow connections on source and destination specific ports on enp53s0 interface
iptables -A OUTPUT -p tcp -m tcp --dport 53 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 8080 -o enp53s0 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -o enp53s0 -j ACCEPT
# allow ping in output chain
iptables -A OUTPUT -p icmp --icmp-type echo-request -o enp53s0 -j ACCEPT
What am i missing?
Thank you
In the input chain, under #Server rules, you probably need to change --sport 22 to --dport 22. Similarly for the others.

iptables and password protection

I am trying to find the way to block all web-pages that I browse that use plaintext password for their logins with iptables.
Here is the command I tried, something it wrong with it. How do I enter this command? This is for educational purpose only. Say, if I use "password" for all my logins.
Thanks.
nata#nata-VirtualBox:~$ iptables -A OUTPUT -s match --string "password" --dport 80 -p tcp -j DROP
iptables v1.4.12: unknown option "--string"
Try `iptables -h' or 'iptables --help' for more information.
nata#nata-VirtualBox:~$ iptables -A OUTPUT -m string --string "password" --dport 80 -p tcp -j DROP
string: Could not determine whether revision 1 is supported, assuming it is.
iptables v1.4.12: unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
Try with this:
iptables -A OUTPUT -p tcp --dport 80 -m string --string password --algo bm -j DROP
To get help on a specific match, you can do:
iptables -m Match-Name --help

iptable rule on OpenWRT for all remaining ports

Ok, I'm working with an OpenWRT router. I have the following iptable rules:
iptables -t nat -I prerouting_rule -m mac --mac-source $2 -p tcp --dport 80 -j DNAT --to-destination $3:80;
iptables -t nat -I prerouting_rule -m mac --mac-source $2 -p tcp --dport 443 -j DNAT --to-destination $3:80;
These rules effectively redirect traffic on ports 80 and 443 to a specific destination ip address for a specific requesting MAC address.
I'd like to add another rule (or set of rules if necessary) that will drop traffic on all other ports for this specific MAC without breaking these 2 rules.
My version of iptables is: v1.4.10
Any pointers would be greatly appreciated!
EV
iptables -t nat -A prerouting_rule -m mac --mac-source $2 -j DROP
generally: use -A instead -I, append is more "human"
edit:
you should filter out pacakages in the filter tables ;)
iptables -A FORWARD -m mac --mac-source $2 --dport 80 -j ACCEPT
iptables -A FORWARD -m mac --mac-source $2 --dport 443 -j ACCEPT
iptables -A FORWARD -m mac --mac-source $2 -j DROP
i forgot that not all tables can do anything...

How to allow mail through iptables?

I'm securing my server (with iptables) so that only http and ssh ports are open and that is fine, although I use the mail command (server: CentOS 6.2) in some applications and it does not get through now thanks to iptables blocking everything.
What ports do I allow it access to?
Mail usage: echo "{{message}}" | mail -s "{{subject}}" me#mail.com
I've tried the standard mail port 25, but I have had no success with that.
Here is the current setup:
iptables --flush
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# incoming ssh
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# outgoing ssh
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# mail (does not work)
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
(EDIT) ANSWER: The working iptables rule:
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
The OUTPUT commands should also refer to --dport, not --sport. You'll also want to allow NEW outgoing packets in order to initiate the connection to the SMTP server.
In general, however, since OUTPUT controls only those packets that your own system generates, you can set the OUTPUT policy to ACCEPT unless you need to prevent the generation of outgoing packets.
Two more comments:
1. Jay D's suggestion to "allow everything and then start blocking specific traffic" is insecure. Never configure iptables this way because you'd have to know in advance which ports an attacker might use and block them all individually. Always use a whitelist instead of a blacklist if you can.
2. A hint from the trenches: when you're debugging iptables, it's often helpful to -Insert and -Append log messages at the beginning and end of each chain, then clear the counters, and run an experiment. (In your case, issue the mail command.) Then check the counters and logs to understand how the packet(s) migrated through the chains and where they may have been dropped.

Iptables setting multiple multiports in one rule

The multiport extension has a limit (15) for the ports that can be specified.
But I need to specify much more port numbers in a single rule, so I tried to use several multiport in one rule like:
iptables -A INPUT -p tcp -m multiport --destination-ports 59100 -m multiport --destination-ports 3000 -m state --state NEW -j REJECT --reject-with tcp-reset
The result of iptables -L INPUT -n is
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 59100 multiport dports 3000 state NEW reject-with tcp-reset
But it turns out that both of the ports are not rejected when I try to connect from a client.
The version is v1.4.2-rc1.
Is there a workaround, or what should I do when I need to specify more than 15 ports in one rule.
As a workaround to this limitation, I use two rules to cover all the cases.
For example, if I want to allow or deny these 18 ports:
465,110,995,587,143,11025,20,21,22,26,80,443,3000,10000,7080,8080,3000,5666
I use the below rules:
iptables -A INPUT -p tcp -i eth0 -m multiport --dports 465,110,995,587,143,11025,20,21,22,26,80,443 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -m multiport --dports 3000,10000,7080,8080,3000,5666 -j ACCEPT
The above rules should work for your scenario also. You can create another rule if you hit 15 ports limit on both first and second rule.
You need to use multiple rules to implement OR-like semantics, since matches are always AND-ed together within a rule. Alternatively, you can do matching against port-indexing ipsets (ipset create blah bitmap:port).
Only one rule:
sudo iptables -A INPUT -i enp1s0 -p tcp -m multiport --dports 0:8080 -j REJECT
(enp0 is my interface; change this with your interface name)
As far as i know, writing multiple matches is logical AND operation; so what your rule means is if the destination port is "59100" AND "3000" then reject connection with tcp-reset; Workaround is using -mport option. Look out for the man page.
enable_boxi_poorten
}
enable_boxi_poorten() {
SRV="boxi_poorten"
boxi_ports="427 5666 6001 6002 6003 6004 6005 6400 6410 8080 9321 15191 16447 17284 17723 17736 21306 25146 26632 27657 27683 28925 41583 45637 47648 49633 52551 53166 56392 56599 56911 59115 59898 60163 63512 6352 25834"
case "$1" in
"LOCAL")
for port in $boxi_ports; do $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport $port -j ACCEPT -m comment --comment "boxi specifieke poorten";done
# multiports gaat maar tot 15 maximaal :((
# daarom maar for loop maken
# $IPT -A tcp_inbound -p TCP -s $LOC_SUB -m state --state NEW -m multiport --dports $MULTIPORTS -j ACCEPT -m comment --comment "boxi specifieke poorten"
echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
;;
"WEB")
for port in $boxi_ports; do $IPT -A tcp_inbound -p TCP -s 0/0 --dport $port -j ACCEPT -m comment --comment "boxi specifieke poorten";done
echo "${RED}Allowing $SRV for all hosts.....${NORMAL}"
;;
*)
for port in $boxi_ports; do $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport $port -j ACCEPT -m comment --comment "boxi specifieke poorten";done
echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
;;
esac
}