# Are these IPTABLES OK???

## lo-jay

I do suffer from dropouts & super bad bandwidth lately.

My ISP claims the prob is not on his side.

I am behind a Tomato router, didn't alter anything there.

Here are the iptables:

```
#!/bin/bash

# vars
IPT=/sbin/iptables

# Flush old rules, old custom tables
echo " * flushing old rules"
$IPT --flush
$IPT --delete-chain

# Set default policies for all three default chains
echo " * setting default policies"
$IPT -P INPUT DROP
#$IPT -A FORWARD -o tun0 -j ACCEPT
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open the following ports
echo " * allowing ssh on port 22"
$IPT -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT
echo " * allowing dns on port 53"
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT
echo " * allowing http on port 80"
$IPT -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT
echo " * allowing https on port 443"
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

#echo " * Possible YouTube speed help"
#$IPT -A INPUT -s 173.194.55.0/24 -j REJECT
#$IPT -A INPUT -s 206.111.0.0/16 -j REJECT

echo " * allowing udp on port 1194"
$IPT -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
echo " * allowing udp on port 10010"
$IPT -A INPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
echo " * allowing udp on port 10020"
$IPT -A INPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT

#echo " * allowing tun"
#$IPT -A INPUT -i tun+ -j ACCEPT
#$IPT -A OUTPUT -o tun+ -j ACCEPT
#$IPT -A FORWARD -i tun+ -j ACCEPT

echo " * allowing ping responses"
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

# DROP everything else and Log it
$IPT -A INPUT -j LOG
$IPT -A INPUT -j DROP

#
# Save settings
#
echo " * saving settings"
/etc/init.d/iptables save
```

Cheers!

----------

## PaulBredbury

Two of your rules should be in *this* order:

```
# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
```

You screwed up the copy-paste; some of the rules at the top of your script are duplicated :Wink:

----------

## litan

I think this could possibly result in very big log files, if something goes wrong:

```
$IPT -A INPUT -j LOG 
```

Maybe you want to limit a bit:

```
$IPT -A INPUT -m limit --limit 1/sec -j LOG 
```

----------

## lo-jay

ok, now it looks like this:

```
#!/bin/bash

# vars
IPT=/sbin/iptables

# Flush old rules, old custom tables
echo " * flushing old rules"
$IPT --flush
$IPT --delete-chain

# Set default policies for all three default chains
echo " * setting default policies"
$IPT -P INPUT DROP
#$IPT -A FORWARD -o tun0 -j ACCEPT
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
echo " * allowing loopback devices"
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow established and related packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Open the following ports
echo " * allowing ssh on port 22"
$IPT -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT
echo " * allowing dns on port 53"
$IPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT
echo " * allowing http on port 80"
$IPT -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT
echo " * allowing https on port 443"
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

#echo " * Possible YouTube speed help"
#$IPT -A INPUT -s 173.194.55.0/24 -j REJECT
#$IPT -A INPUT -s 206.111.0.0/16 -j REJECT

echo " * allowing udp on port 1194"
$IPT -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
echo " * allowing udp on port 10010"
$IPT -A INPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10010 -m state --state NEW -j ACCEPT
echo " * allowing udp on port 10020"
$IPT -A INPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 10020 -m state --state NEW -j ACCEPT

#echo " * allowing tun"
#$IPT -A INPUT -i tun+ -j ACCEPT
#$IPT -A OUTPUT -o tun+ -j ACCEPT
#$IPT -A FORWARD -i tun+ -j ACCEPT

echo " * allowing ping responses"
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

# DROP everything else and Log it
$IPT -A INPUT -m limit --limit 1/sec -j LOG
$IPT -A INPUT -j DROP

#
# Save settings
#
echo " * saving settings"
/etc/init.d/iptables save
```

any more stuff wrong - please bring it on, guys!

cheers!

----------

## lo-jay

but I'm getting an error now?

```
# /root/rules.sh
 * flushing old rules
 * setting default policies
 * allowing loopback devices
 * allowing ssh on port 22
 * allowing dns on port 53
 * allowing http on port 80
 * allowing https on port 443
 * allowing udp on port 1194
 * allowing udp on port 10010
 * allowing udp on port 10020
 * allowing ping responses
iptables: No chain/target/match by that name.
 * saving settings
 * Saving iptables state ...
```

```
#  iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:10010 state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:10020 state NEW
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:10010 state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:10020 state NEW
```

any insights?

cheers!!!

----------

## litan

The logging rule is failing, which means you don't have the limit match.

Check if you have support in the iptables command line tool with:

```
# iptables -m limit -h
[...]
limit match options:
--limit avg         max average match rate: default 3/hour
                                [Packets per second unless followed by
                                /sec /minute /hour /day postfixes]
--limit-burst number      number to match in a burst, default 5
```

and check if you have the kernel module:

```
# lsmod | grep xt_limit
xt_limit                1857  14
# grep CONFIG_NETFILTER_XT_MATCH_LIMIT /usr/src/linux/.config
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
```

By the way, you have to consider that while limiting the LOG target might prevent log file flooding, it might also miss some packets which might be interesting to you.

If you don't want to miss some specific packets, you should log them separately, e.g.:

```
$IPT -A INPUT -p tcp --dport 22 ! -s ${trusted_host} -m limit --limit 1/sec -j LOG --log-prefix "ssh: "
$IPT -A INPUT -p tcp --dport 22 ! -s ${trusted_host} -j DROP
$IPT -A INPUT -m limit --limit 1/sec -j LOG
$IPT -A INPUT -j DROP
```

edit: added --log-prefix

Last edited by litan on Sat Jan 18, 2014 8:26 pm; edited 1 time in total

----------

## PaulBredbury

More up-to-date is, instead of -m state:

```
$IPT -A INPUT -p tcp -m conntrack --ctstate INVALID -j DROP
```

Then, you don't need all those "-m state --state NEW" checks, since the state can only be NEW.

Don't block icmp unless you actually have a problem you're trying to solve  :Wink: 

----------

## lo-jay

hey,

is this essential???

```
# lsmod | grep xt_limit
xt_limit                1857  14
# grep CONFIG_NETFILTER_XT_MATCH_LIMIT /usr/src/linux/.config
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
```

I did just recompile my kernel, but it is still not showing up...

Where exactly would that option be hiding ;-)

cheers,

----------

## mv

*PaulBredbury wrote:*

> Don't block icmp

I guess this is the origin of the dropouts and bandwidth problems.

----------

## lo-jay

ok,

so how should I alter this line to not block it?

```
$IPT -A INPUT -p ICMP --icmp-type 8 -j ACCEPT 
```

thanks again!

----------

## mv

You should at least allow 'destination-unreachable', 'source-quench', 'time-exceeded', 'parameter-problem' (and perhaps hash-limited 'echo-reply' and 'echo-request').

As a side note, instead of DROP a (hash-limited) REJECT is a cleaner way: This will actually lower traffic since (at least reasonably written) programs will not repeat their request.

----------

## lo-jay

I did put

```
$IPT -A INPUT -p icmp -j ACCEPT
```

still the same dropouts...

cheers!

----------

## litan

*lo-jay wrote:*

> hey,
>
> is this essential???
>
> ```
> ...
> ```

If you can't find the kernel option, it is under

```
Networking support  --->
    Networking options  --->
        Network packet filtering framework (Netfilter)  --->
            Core Netfilter Configuration  --->
                < > "limit" match support
```

Is it essential? I guess it kind of depends on your network and your risk tolerance.

If I understand correctly, this is the configuration of a machine in your local network, right? One should hope that there are no DoS attacks from the local network, but that's not the only thing that could go wrong. I think it is enough to forget to allow some traffic or other hiccups and your log file can become very big in a very short time, slowing down your hard drive and possibly filling up your file system, if you log all dropped packets without limiting.

I would not recommend it.

----------

## lo-jay

ok, gladly followed your advice & compiled it as a module:

```
# find /lib/modules/$(uname -r)/kernel/net -iname '*.ko'
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/xt_limit.ko
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/ipvs/ip_vs.ko
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/xt_mark.ko
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/ipset/ip_set.ko
/lib/modules/3.6.11-gentoo/kernel/net/netfilter/xt_LOG.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/esp4.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/xfrm4_mode_transport.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/xfrm4_mode_beet.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/xfrm4_mode_tunnel.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/udp_diag.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/xfrm4_tunnel.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/ipcomp.ko
/lib/modules/3.6.11-gentoo/kernel/net/ipv4/ah4.ko
/lib/modules/3.6.11-gentoo/kernel/net/xfrm/xfrm_ipcomp.ko
```

still wondering if there is any way to strip down my iptables conf?

thanks again!

----------

## PaulBredbury

*lo-jay wrote:*

> still the same dropouts...

Show what you've got in the firewall rules. Easy way to show:

```
iptables-save
```

"Dropouts" could also be caused by something else, e.g. incorrect MTU setting on interface.

----------

## lo-jay

here we go

```
iptables-save
# Generated by iptables-save v1.4.20 on Sun Jan 19 14:27:38 2014
*nat
:PREROUTING ACCEPT [3:704]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [5077:278311]
:POSTROUTING ACCEPT [5077:278311]
COMMIT
# Completed on Sun Jan 19 14:27:38 2014
# Generated by iptables-save v1.4.20 on Sun Jan 19 14:27:38 2014
*mangle
:PREROUTING ACCEPT [49899:47444940]
:INPUT ACCEPT [49896:47444236]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52426:5384762]
:POSTROUTING ACCEPT [52426:5384762]
COMMIT
# Completed on Sun Jan 19 14:27:38 2014
# Generated by iptables-save v1.4.20 on Sun Jan 19 14:27:38 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2498:200012]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 10010 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 10020 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 1/sec -j LOG
-A INPUT -j DROP
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 10010 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 10020 -m state --state NEW -j ACCEPT
COMMIT
# Completed on Sun Jan 19 14:27:38 2014
```

cheers again!

----------

## PaulBredbury

Get rid of that --tcp-flags FIN,SYN,RST,ACK SYN line, especially with your unresolved dropout issue. As I mentioned earlier, check for INVALID instead, if anything. Here's an example I'm currently playing with, to see what gets caught:

```
$ipt -N invalid

# Reject google (youtube)
$ipt -A invalid -s 173.194.0.0/16 -j REJECT
$ipt -A invalid -s 74.125.0.0/16 -j REJECT

# Drop twitter
$ipt -A invalid -s 199.16.156.0/22 -j DROP

# Drop incapsula
$ipt -A invalid -s 199.83.128.0/21 -j DROP

# Log the remainder
$ipt -A invalid -m limit --limit 1/min --limit-burst 1 -j LOG --log-level warning --log-prefix "invalid: "
$ipt -A invalid -j DROP

$ipt -A INPUT -m conntrack --ctstate INVALID -j invalid
```

But I don't recommend you try anything like the above until you've resolved the dropouts - which may require analysis using e.g. wireshark.

All that --state NEW checking you've got is inelegant - I would put that in a chain called "new".

All of your OUTPUT rules at the bottom are useless, because they just ACCEPT, and that's your default policy anyway  :Wink: 

Edit: Changed from 2/sec to 1/min with limit-burst

Last edited by PaulBredbury on Sun Feb 02, 2014 11:48 am; edited 2 times in total

----------

## lo-jay

well,

commented some lines out. Here's the result:

```
# iptables-save
# Generated by iptables-save v1.4.20 on Sun Jan 19 17:02:42 2014
*nat
:PREROUTING ACCEPT [121:9118]
:INPUT ACCEPT [90:4700]
:OUTPUT ACCEPT [12220:709783]
:POSTROUTING ACCEPT [12220:709783]
COMMIT
# Completed on Sun Jan 19 17:02:42 2014
# Generated by iptables-save v1.4.20 on Sun Jan 19 17:02:42 2014
*mangle
:PREROUTING ACCEPT [284085:338108189]
:INPUT ACCEPT [284078:338106700]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [289099:26426757]
:POSTROUTING ACCEPT [289099:26426757]
COMMIT
# Completed on Sun Jan 19 17:02:42 2014
# Generated by iptables-save v1.4.20 on Sun Jan 19 17:02:42 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [49:8005]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 433 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 10010 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 10020 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 1/sec -j LOG
-A INPUT -j DROP
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Sun Jan 19 17:02:42 2014
```

should i also get rid of OUTPUT for the loopback line?

ps: thanks a lot  :Smile: 

----------

## PaulBredbury

*lo-jay wrote:*

> should i also get rid of OUTPUT for the loopback line?

You can.

With the rules you've got, INVALID traffic will mostly be dropped by your rules. Which is more liable than REJECT (which I think Linux would do with them) to cause "dropouts". So your enthusiastic firewalling may be making the situation worse  :Wink: 
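One way to fold the advice from this thread into a single ruleset (PaulBredbury's "new" and "invalid" chains with conntrack instead of the --tcp-flags rule, litan's separate ssh log prefix, mv's ICMP error types and REJECT), as an added example that is none of the posters' scripts. It emits iptables-restore input instead of calling iptables, so it can be checked without root; the trusted ssh source 192.0.2.10 is a constructed placeholder.

```sh
#!/bin/sh
# Added example, not any poster's script: the thread's advice folded into one
# ruleset in iptables-restore format. Nothing touches the kernel unless you
# run:  sh rules.sh | iptables-restore
# Assumption: the one trusted ssh source is 192.0.2.10 (constructed value).
TRUSTED_SSH=${TRUSTED_SSH:-192.0.2.10}

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:invalid - [0:0]
:new - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j invalid
-A INPUT -m conntrack --ctstate NEW -j new
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "input-drop: "
-A INPUT -j DROP
EOF
    # ICMP errors that path MTU discovery and error reporting depend on
    for t in destination-unreachable source-quench time-exceeded parameter-problem; do
        echo "-A new -p icmp --icmp-type $t -j ACCEPT"
    done
    echo "-A new -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT"
    # ssh: trusted host in, everyone else logged under its own prefix, then rejected
    echo "-A new -p tcp --dport 22 -s $TRUSTED_SSH -j ACCEPT"
    echo "-A new -p tcp --dport 22 -m limit --limit 1/sec -j LOG --log-prefix \"ssh: \""
    echo "-A new -p tcp --dport 22 -j REJECT --reject-with tcp-reset"
    for p in 80 443; do echo "-A new -p tcp --dport $p -j ACCEPT"; done
    for p in 53 1194 10010 10020; do echo "-A new -p udp --dport $p -j ACCEPT"; done
    cat <<EOF
-A invalid -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "invalid: "
-A invalid -j DROP
COMMIT
EOF
}

# Count the rules appended to one chain; usable without root or iptables.
count_rules() { gen_rules | grep -c "^-A $1 "; }

# Static check: every chain that is appended to or jumped to is declared.
check_chains() {
    rules=$(gen_rules)
    declared=$(printf '%s\n' "$rules" | sed -n 's/^:\([A-Za-z]*\) .*/\1/p')
    used=$( { printf '%s\n' "$rules" | sed -n 's/^-A \([A-Za-z]*\) .*/\1/p'
              printf '%s\n' "$rules" | sed -n 's/.* -j \([a-z][a-z]*\)$/\1/p'; } | sort -u)
    for c in $used; do
        printf '%s\n' "$declared" | grep -qx "$c" || return 1
    done
}
```

No OUTPUT rules are emitted at all, since the OUTPUT policy is ACCEPT and, as noted above, rules that only ACCEPT there do nothing.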

----------

