# Custom iptables config

## kbzium

Hello,

What's wrong with this script?

```
#!/bin/sh

# Kernel network hardening via sysctl
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Flush the filter table and set default policies
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Loopback and packets belonging to already-tracked connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# New TCP connections that do not begin with SYN: log (rate-limited), then drop
iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync: "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# block fragmented packets
iptables -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets: "
iptables -A INPUT -f -j DROP

# block bogus TCP flag combinations (scans and malformed packets)
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# no flags at all (NULL scan)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets: "
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN together with RST
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN together with FIN (logged under the XMAS prefix)
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets: "
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# FIN without ACK (FIN scan)
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan: "
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# SSH: track new connections per source with -m recent, log and drop bursts
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 60 --hitcount 5 --name SSH -j LOG --log-prefix "SSH attack: "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# BitTorrent port
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 6881 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 6881 -j ACCEPT

# ICMP, rate-limited
iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
iptables -A INPUT -p icmp -j DROP

# Log and drop everything else
iptables -A INPUT -j LOG --log-prefix "INPUT:  "
iptables -A INPUT -j DROP

/etc/init.d/iptables save
```

It blocks everything, but I believe there's something tiny in it which I cannot see... otherwise it seems good. What's more, I would run scripts like

```
#!/bin/sh

# Fetch the iblocklist level1 list, extract each "start-end" IP range,
# and add a DROP rule per range in both directions
for i in `wget -O - "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz" | zcat | sed -e 's/.*:\(.*\)-\(.*\)/\1-\2/' | grep "^[0-9]"` ; do
        iptables -A INPUT -m iprange --src-range "${i}" -j DROP
        iptables -A OUTPUT -m iprange --dst-range "${i}" -j DROP
done
```

then. Please help me out!

Thank you!

----------

## PaulBredbury

You're trying to counter-productively do too much.

----------

## Hu

*kbzium wrote:*

> What's wrong with this script?

You are invoking iptables repeatedly instead of loading your rules atomically.
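As an added example (not code from the thread), this builds the blocklist from kbzium's second script as an iptables-restore ruleset, so the whole list is loaded in one atomic call instead of one iptables invocation per range; the list lines and the chain name BLOCKLIST are constructed here.

```shell
#!/bin/sh
# Added example: convert a p2p-format blocklist ("Name:first-last" per line)
# into an iptables-restore fragment that loads atomically.

# Constructed sample of the list format; a real list has far more lines.
SAMPLE_LIST='Bad range one:10.0.0.0-10.0.0.255
# a comment line
Another range:192.0.2.10-192.0.2.20
malformed line without a range'

# Read p2p lines on stdin, print an iptables-restore fragment on stdout.
# Only lines whose range is "a.b.c.d-a.b.c.d" after the last colon are kept.
p2p_to_restore() {
  echo '*filter'
  echo ':BLOCKLIST - [0:0]'          # user chain, created or reset on load
  sed -n 's/^[^#].*:\([0-9.]*\)-\([0-9.]*\)$/\1-\2/p' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}-([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | while IFS= read -r range; do
        echo "-A BLOCKLIST -m iprange --src-range $range -j DROP"
        echo "-A BLOCKLIST -m iprange --dst-range $range -j DROP"
      done
  echo 'COMMIT'
}

# Number of DROP rules produced for the sample (two per valid range).
count_rules() {
  printf '%s\n' "$SAMPLE_LIST" | p2p_to_restore | grep -c -- '-j DROP'
}

# Usage on a real box (assumes the chain is hooked once with
#   iptables -I INPUT -j BLOCKLIST; iptables -I OUTPUT -j BLOCKLIST):
#   zcat list.gz | p2p_to_restore | iptables-restore --noflush
```

`--noflush` replaces only the chain named in the fragment and leaves the rest of the filter table untouched.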

----------

## imaginasys

Isn't that list obtained from list.iblocklist.com a little bit long?

Unless you think the whole world is going to attack your machine, I'd say you'd be better off with "app-admin/denyhosts"; it would block only the bad guys that try to attack you, not the whole world.

But other than that, your script is very good. I use something similar, and I control access from the WAN with denyhosts on ssh.

Here is my script:

```
#!/bin/bash

# My local network
LAN="192.168.1.0/24"

# Reset every policy to ACCEPT before flushing so nothing is cut off mid-way
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT

# Clear tables (rules, then user-defined chains)
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X

# Default: block anything that wants to come in and allow everything out
/sbin/iptables -P INPUT   DROP
/sbin/iptables -P OUTPUT  ACCEPT
/sbin/iptables -P FORWARD DROP

# Allow loopback traffic
/sbin/iptables -A INPUT -p ALL -i lo -j ACCEPT

# Drop invalid packets to avoid errors
/sbin/iptables -A INPUT -m state --state INVALID -j DROP

# Permit traffic initiated by me
/sbin/iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

# Let anything go on the home network
/sbin/iptables -A INPUT -s "$LAN" -j ACCEPT

# Ping from the WAN limited to 1 per second
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT

# Little help for IRC: answer ident probes with a reset instead of a timeout
/sbin/iptables -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset

# Allow SSH in
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

exit
```

regards,

BT

----------

## Odward

I'm curious if you're asking for feedback about your rules in general, or are you having a specific problem with this set of rules?

Not terribly important at all, but a quick glance shows you have two entries of the same rule:

```
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```

Also you have:

```
echo 1 > /proc/sys/net/ipv4/ip_forward
```

That enables ip forwarding (which would be useful if this box was a router) but you have the firewall set to drop all FORWARD.

So 0 should be the appropriate value, not 1.

Again though, be more specific if you're actually having a problem or experiencing something unexpected.

----------

## kbzium

When I input your config, bad things happen, I suppose, and the internet connection is down (I need to flush the tables):

```
kboom kboom # #!/bin/bash
kboom kboom #
kboom kboom # # My local network
kboom kboom # LAN="192.168.1.0/24"
kboom kboom #
kboom kboom # /sbin/iptables -P INPUT ACCEPT
kboom kboom # /sbin/iptables -P FORWARD ACCEPT
kboom kboom # /sbin/iptables -P OUTPUT ACCEPT
kboom kboom # /sbin/iptables -t nat -P PREROUTING ACCEPT
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t nat -P POSTROUTING ACCEPT
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t nat -P OUTPUT ACCEPT
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t mangle -P PREROUTING ACCEPT
iptables v1.4.16.3: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t mangle -P OUTPUT ACCEPT
iptables v1.4.16.3: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom #
kboom kboom # # Clear tables
kboom kboom # /sbin/iptables -F
kboom kboom # /sbin/iptables -t nat -F
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t mangle -F
iptables v1.4.16.3: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -X
kboom kboom # /sbin/iptables -t nat -X
iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom # /sbin/iptables -t mangle -X
iptables v1.4.16.3: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
kboom kboom #
kboom kboom # # Default : block anything that want to come in and allow everyting out
kboom kboom # /sbin/iptables -P INPUT   DROP
kboom kboom # /sbin/iptables -P OUTPUT  ACCEPT
kboom kboom # /sbin/iptables -P FORWARD DROP
kboom kboom #
kboom kboom # # Allow loopback traffic
kboom kboom # /sbin/iptables -A INPUT  -p ALL -i lo -j ACCEPT
kboom kboom #
kboom kboom # # drop invalid packets to avoid error
kboom kboom # /sbin/iptables -A INPUT -m state --state INVALID -j DROP
WARNING: The state match is obsolete. Use conntrack instead.
iptables: Protocol wrong type for socket.
kboom kboom #
kboom kboom # # Permit traffic initiated by me
kboom kboom # /sbin/iptables -A INPUT -p ALL  -m state --state ESTABLISHED,RELATED -j ACCEPT
WARNING: The state match is obsolete. Use conntrack instead.
iptables: Protocol wrong type for socket.
kboom kboom #
kboom kboom # # Let anything goes on the home network
kboom kboom # /sbin/iptables -A INPUT -s $LAN -j ACCEPT
kboom kboom #
kboom kboom # #Ping from the wan limited to 1 by second
kboom kboom # /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
kboom kboom #
kboom kboom # # Little help for IRC
kboom kboom # /sbin/iptables -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name.
kboom kboom #
kboom kboom # # Allow SSH in
kboom kboom # /sbin/iptables -A INPUT -p tcp --dport 22  -m state --state NEW -j ACCEPT
WARNING: The state match is obsolete. Use conntrack instead.
iptables: Protocol wrong type for socket.
kboom kboom #
kboom kboom # exit
```

The whole thing about this huge list (3mln entries?) is that I wanted to have something similar to PeerBlock (formerly PeerGuardian) to protect my privacy somehow. Is it possible to have it on Gentoo too? Possibly through some native mechanisms like this one (iptables).

The config was actually written by my colleague, who's been kind of into Gentoo for many years. Though I don't know what's wrong with it. The other thing is that I'm behind a normal router.

----------

## PaulBredbury

*kbzium wrote:*

> iptables v1.4.16.3: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)

So take a look:

```
zgrep NF_NAT /proc/config.gz
```

You need to fix your kernel config. Then google for some iptables intro docs.
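As an added example (not from the thread), the check above can be widened to every netfilter option the two scripts in this thread rely on: each missing option is reported together with the rule that needs it. The option list and the sample config are assumptions constructed here; option names follow the 3.x kernels that shipped with iptables 1.4.16, and newer kernels rename some of them.

```shell
#!/bin/sh
# Added example: report which netfilter kernel options the thread's scripts
# need but the given kernel config lacks (built neither =y nor =m).

# Option, followed by what in the scripts needs it (assumed list).
NEEDED='CONFIG_NF_CONNTRACK connection tracking (ESTABLISHED,RELATED)
CONFIG_NETFILTER_XT_MATCH_STATE -m state
CONFIG_NETFILTER_XT_MATCH_CONNTRACK -m conntrack (replacement for state)
CONFIG_NETFILTER_XT_MATCH_RECENT -m recent (SSH rate limiting)
CONFIG_NETFILTER_XT_MATCH_IPRANGE -m iprange (blocklist ranges)
CONFIG_NETFILTER_XT_MATCH_LIMIT -m limit (log rate limiting)
CONFIG_NETFILTER_XT_TARGET_LOG -j LOG
CONFIG_IP_NF_TARGET_REJECT -j REJECT --reject-with tcp-reset
CONFIG_IP_NF_FILTER filter table
CONFIG_IP_NF_MANGLE mangle table
CONFIG_NF_NAT nat table
CONFIG_NF_NAT_IPV4 nat table (IPv4)'

# Constructed config that lacks NAT, the mangle-less set is fine, but the
# state/conntrack matches and REJECT are missing, mirroring the thread's errors.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_MANGLE=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_TARGET_LOG=y
# CONFIG_NF_NAT is not set'

# $1 = config text; prints one "MISSING <option> (<reason>)" line per absence.
missing_options() {
  printf '%s\n' "$NEEDED" | while IFS=' ' read -r opt why; do
    printf '%s\n' "$1" | grep -q "^$opt=[ym]$" || echo "MISSING $opt ($why)"
  done
}

# $1 = config text; prints how many required options are missing.
count_missing() {
  missing_options "$1" | grep -c '^MISSING'
}

# Usage on a real box: missing_options "$(zcat /proc/config.gz)"
```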

----------

## kbzium

Looks empty:

```
kboom@kboom ~ $ zgrep NF_NAT /proc/config.gz
kboom@kboom ~ $
```

Okay, I'll do it. Hope it helps.

Thanks for now!

----------

