# additions to iptables rules?

## gohmdoree

These are some rules that I'm looking to implement.  Any additions or changes?  Will be a machine with mail, www, and ssh.  Don't want to allow any other kinds of connections, from the outside.  

Any other thoughts?

```
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --update --seconds 60 --hitcount 1 --name ssh_attempt --rsource -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name ssh_attempt --rsource
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name smtp_attempt --rsource -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name smtp_attempt --rsource
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 143 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name imap4_attempt --rsource -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 143 -m state --state NEW -m recent --set --name imap4_attempt --rsource
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name pop3d_attempt --rsource -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name pop3d_attempt --rsource
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name ftp_attempt --rsource -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW -m recent --set --name ftp_attempt --rsource
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 15 --name http_attempt --rsource -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name http_attempt --rsource
iptables -A INPUT -i eth0 -m state --state INVALID -j DROP
```

----------

## Hu

What is the default policy for INPUT?  You do not show one, so left as-is any non-INVALID non-TCP traffic will hit the default accept rule.

----------

## gohmdoree

That is what I have.  My understanding of that line is that it will only accept established connections from the machine, and then have all the relevant open ports.  Is that incorrect?  This is based off of a tutorial I found somewhere.  Well, a collection of a few.

Are you suggesting I am lacking a default drop-all rule?  I have that at the very end.

----------

## d2_racing

This is a script that I use on my laptop:

```
#!/bin/bash

# Constants
IPT=/sbin/iptables
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface that is on your network
LOCAL_IFACE="eth0"

# Loopback interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# The tables are flushed.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# The default behaviour is to block traffic.
$IPT -P INPUT   DROP
$IPT -P OUTPUT  DROP
$IPT -P FORWARD DROP

# If a packet is invalid, drop it so it does not cause errors
$IPT -A INPUT -i $LOCAL_IFACE -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A INPUT -i $LOCAL_IFACE -m state --state INVALID -j DROP

# All traffic coming from the loopback interface is accepted.
$IPT -A INPUT  -p ALL -i $LO_IFACE -j ACCEPT

# Inbound traffic is accepted if and only if it was initiated by our computer.
$IPT -A INPUT -i $LOCAL_IFACE -p ALL  -m state --state ESTABLISHED,RELATED -j ACCEPT

# Only this type of ICMP packet is accepted on the LAN
$IPT -A INPUT -i $LOCAL_IFACE -p ICMP --icmp-type time-exceeded -j ACCEPT

# Drop broadcast packets
$IPT -A INPUT -i $LOCAL_IFACE -m pkttype --pkt-type broadcast -j DROP

# If the packet comes from the internet and its flags are malformed, drop it.
$IPT -A INPUT -i $LOCAL_IFACE -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -i $LOCAL_IFACE -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -i $LOCAL_IFACE -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i $LOCAL_IFACE -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -i $LOCAL_IFACE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $LOCAL_IFACE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

$IPT -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A OUTPUT -m state --state INVALID -j DROP

# Allow outbound traffic
$IPT -A OUTPUT -p ALL -s $LO_IP    -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
```

My default policies are DROP:

```
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
```

----------

## d2_racing

When I want to block something, I use these 2 lines:

```
$IPT -I INPUT -i $LOCAL_IFACE -p tcp -s 0/0 --destination-port 22 -m state --state NEW -m recent --set
$IPT -I INPUT -i $LOCAL_IFACE -p tcp -s 0/0 --destination-port 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP
```

The first one double-checks who tries to attack you, and the second bans the IP for 10 minutes after 3 attempts.
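To make the `--seconds`/`--hitcount` behaviour concrete, here is an added example (not d2_racing's code, and not from the wikis linked later in the thread): a small Python model of the `recent` match following the man page semantics. `--set` records a hit for the source address; `--update --seconds S --hitcount N` matches only when the address is already listed and has at least N recorded hits within the last S seconds, and a matching `--update` refreshes the entry with the current time. Because both lines above are inserted with `-I`, the `--update ... -j DROP` rule ends up above the `--set` rule, which is the order `walk_chain` follows. The connection attempts fed to it are constructed sample data.

```python
"""Model of the iptables 'recent' match (added example, not from the thread)."""
from collections import defaultdict

MAX_STAMPS = 20  # xt_recent keeps this many hits per address by default (ip_pkt_list_tot)


class RecentList:
    """One named list: for each source address, the times of its recorded hits."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def _record(self, src, now):
        # The per-address list behaves as a ring buffer: only the newest hits are kept
        self.stamps[src].append(now)
        del self.stamps[src][:-MAX_STAMPS]

    def set(self, src, now):
        """--set: record this packet for the source address."""
        self._record(src, now)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds --hitcount: True when the source is listed and already
        has at least `hitcount` hits inside the window.  The current packet is not
        counted until it is recorded."""
        if src not in self.stamps:
            return False  # --update never matches an address that is not listed
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self._record(src, now)  # a matching --update refreshes the entry
            return True
        return False


def walk_chain(attempts, seconds, hitcount):
    """Run (time, source) NEW connection attempts through the two-rule pattern:
    the --update ... -j DROP rule first, then --set.  Returns one verdict per
    attempt; ACCEPT means the packet fell through to whatever rules follow."""
    recent = RecentList()
    verdicts = []
    for now, src in attempts:
        if recent.update(src, now, seconds, hitcount):
            verdicts.append("DROP")
        else:
            recent.set(src, now)
            verdicts.append("ACCEPT")
    return verdicts


if __name__ == "__main__":
    # Constructed sample: one host knocks five times in 40 s, then again after 700 s
    burst = [(0, "198.51.100.7"), (10, "198.51.100.7"), (20, "198.51.100.7"),
             (30, "198.51.100.7"), (40, "198.51.100.7"), (700, "198.51.100.7")]
    print(walk_chain(burst, seconds=600, hitcount=3))
    # With --hitcount 1 and --seconds 60, as in the port 2222 rule at the top of the
    # thread, any NEW connection within 60 s of the previous one from the same
    # address is dropped, and each drop extends the window.
    print(walk_chain([(0, "a"), (5, "a"), (50, "a"), (130, "a")], seconds=60, hitcount=1))
```

Walking the first sample through the model shows the fourth and fifth attempts dropped (three hits are already on record) and the sixth accepted again once every recorded hit is older than 600 s. The hits are counted per source address, so a second host is unaffected by the first one's ban.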

----------

## d2_racing

How many computers will be attached to this one, because I don't see any OUTPUT or FORWARD sentence.

----------

## Hu

*gohmdoree wrote:*

> Are you suggesting I am lacking a default drop-all rule?  I have that at the very end.

Yes, that is what I am saying.  Your final rule only drops INVALID traffic.  It does nothing about NEW traffic, which is much more common.  Unsolicited inbound connection attempts are NEW, not INVALID.

----------

## d2_racing

@gohmdoree, when you rewrite your iptables, you should post your new version so that we can take a look.

----------

## gohmdoree

Thanks for the input so far.  Will post my update.

This will be a stand alone box/server.  Will not act as a router.

----------

## gohmdoree

I should include

```
iptables -A INPUT -i eth0 -m state --state NEW -j DROP
```

or just do a default drop at the start?

```
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
```

For some reason I thought I did an initial DROP, while testing it just blocked everything.  Maybe had incorrect subsequent rules.

----------

## gohmdoree

To be thorough, will look at some references tonight and post an updated version.

----------

## Hu

*gohmdoree wrote:*

> For some reason I thought I did an initial DROP, while testing it just blocked everything.  Maybe had incorrect subsequent rules.

Since you have only posted sample iptables commands, but never your full ruleset, it is possible we are critiquing an issue that you have already fixed.  Please post the output of iptables-save when you are ready for the next review.

----------

## gohmdoree

This is what I currently have:

```
*filter
:INPUT ACCEPT [3769936:533652590]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [225683706:56013984899]
[442523466:81897776106] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
[3773:221340] -A INPUT -i eth0 -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --update --seconds 60 --hitcount 1 --name ssh_attempt --rsource -j DROP 
[2752:165964] -A INPUT -i eth0 -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name ssh_attempt --rsource 
[1235778:61419686] -A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name smtp_attempt --rsource -j DROP 
[3479958:180804528] -A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name smtp_attempt --rsource 
[7025:408303] -A INPUT -i eth0 -p tcp -m tcp --dport 143 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name imap4_attempt --rsource -j DROP 
[135823:8146744] -A INPUT -i eth0 -p tcp -m tcp --dport 143 -m state --state NEW -m recent --set --name imap4_attempt --rsource 
[7025:408303] -A INPUT -i eth0 -p tcp -m tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name pop3d_attempt --rsource -j DROP 
[135823:8146744] -A INPUT -i eth0 -p tcp -m tcp --dport 110 -m state --state NEW -m recent --set --name pop3d_attempt --rsource 
[4567:256788] -A INPUT -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name ftp_attempt --rsource -j DROP 
[64097:3833752] -A INPUT -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW -m recent --set --name ftp_attempt --rsource 
[23457:1313008] -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 15 --name http_attempt --rsource -j DROP 
[567226:31476063] -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name http_attempt --rsource 
[225591:10279167] -A INPUT -i eth0 -m state --state INVALID -j DROP 
COMMIT
# Completed on Sun Dec 27 22:49:05 2009
```

*** edit *** Removed the security, raw and mangle sections since I haven't done anything with those yet.  Also removed the drop rules for the international IP blocks.

I notice that the beginning of my set is the following:

```
:INPUT ACCEPT [3769936:533652590]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [225683706:56013984899]
```

Last edited by gohmdoree on Tue Jan 05, 2010 9:54 pm; edited 3 times in total

----------

## gohmdoree

I suppose I can remove the first three sections since I am not doing anything with that right now.  The last part was a script I found to block international IP blocks.

Any other thoughts?

----------

## elissoncosta

You added drop rules after the accept rules.

The networks on the internet that should be blocked continue to access your host.

The drop rules should go first.

--

Elisson Costa
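The two problems raised in the replies so far, an INPUT chain whose policy is ACCEPT with nothing that drops NEW traffic, and DROP rules that sit behind ACCEPT rules already matching some of the same new connections, can both be checked mechanically from `iptables-save` output. Below is an added example (my code, not Hu's, elissoncosta's or the thread's ruleset script) that parses the dump format shown above and reports those findings. `POSTED_RULESET` is a subset of the ruleset gohmdoree posted; `MISORDERED_RULESET` and `REORDERED_RULESET` are constructed rulesets whose `203.0.113.0/24` network block is a placeholder. The parser only understands the selectors the audit reasons about (`-i`, `-p`, `--dport`, `-s`, `--state`); everything else on a rule line is ignored.

```python
"""Audit an iptables-save dump for policy fall-through and ACCEPT-before-DROP
ordering (added example, not from the thread)."""
import re
import shlex

ANY_SRC = {None, "0/0", "0.0.0.0/0"}

# Subset of the ruleset gohmdoree posted; counters kept as iptables-save prints them.
POSTED_RULESET = """\
*filter
:INPUT ACCEPT [3769936:533652590]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [225683706:56013984899]
[442523466:81897776106] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[3773:221340] -A INPUT -i eth0 -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --update --seconds 60 --hitcount 1 --name ssh_attempt --rsource -j DROP
[2752:165964] -A INPUT -i eth0 -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name ssh_attempt --rsource
[1235778:61419686] -A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name smtp_attempt --rsource -j DROP
[3479958:180804528] -A INPUT -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name smtp_attempt --rsource
[225591:10279167] -A INPUT -i eth0 -m state --state INVALID -j DROP
COMMIT
"""

# Constructed: default DROP, but a network block placed after a port ACCEPT.
MISORDERED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -s 203.0.113.0/24 -j DROP
COMMIT
"""

# Constructed: the same rules with the network block moved ahead of the port ACCEPT.
REORDERED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -s 203.0.113.0/24 -j DROP
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
"""

KEYS = {"-A": "chain", "-j": "target", "-i": "iface", "-p": "proto",
        "--dport": "dport", "--destination-port": "dport", "-s": "src", "--state": "states"}


def parse_rule(line):
    """Reduce one '-A CHAIN ...' line (optional '[pkts:bytes]' prefix) to the
    selectors this audit reasons about; unknown options such as -m recent are skipped."""
    line = re.sub(r"^\[\d+:\d+\]\s*", "", line.strip())
    rule = {name: None for name in KEYS.values()}
    rule["raw"] = line
    toks = shlex.split(line)
    for i, tok in enumerate(toks[:-1]):
        if tok in KEYS:
            rule[KEYS[tok]] = toks[i + 1]
    if rule["states"]:
        rule["states"] = frozenset(rule["states"].upper().split(","))
    if rule["src"] in ANY_SRC:
        rule["src"] = None          # 'any source' is the same as no -s at all
    if rule["proto"]:
        rule["proto"] = rule["proto"].lower()
    return rule


def parse_ruleset(text):
    """Return ({chain: policy}, [rules]) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif re.match(r"^(\[\d+:\d+\]\s*)?-A ", line):
            rules.append(parse_rule(line))
        # '*filter', 'COMMIT', comments and blank lines carry no rules
    return policies, rules


def _can_match_new(rule):
    return rule["states"] is None or "NEW" in rule["states"]


def _overlaps(a, b):
    """True if some NEW packet could match both rules: every selector is either
    unspecified on one side or equal on both."""
    for key in ("iface", "proto", "dport", "src"):
        if a[key] is not None and b[key] is not None and a[key] != b[key]:
            return False
    return _can_match_new(a) and _can_match_new(b)


def audit(text):
    policies, rules = parse_ruleset(text)
    chain = [r for r in rules if r["chain"] == "INPUT"]
    findings = []
    # 1. With policy ACCEPT, only an explicit catch-all stops unsolicited NEW connections
    if policies.get("INPUT") == "ACCEPT":
        catch_all = any(r["target"] in ("DROP", "REJECT") and _can_match_new(r)
                        and r["proto"] is None and r["dport"] is None and r["src"] is None
                        for r in chain)
        if not catch_all:
            findings.append("INPUT policy is ACCEPT and no rule drops NEW traffic: "
                            "unsolicited connections to any port fall through to ACCEPT")
    # 2. A DROP placed after an overlapping ACCEPT never sees the overlapping packets
    for idx, drop in enumerate(chain):
        if drop["target"] not in ("DROP", "REJECT"):
            continue
        for acc in chain[:idx]:
            if acc["target"] == "ACCEPT" and _overlaps(acc, drop):
                findings.append(f"DROP rule '{drop['raw']}' comes after ACCEPT rule "
                                f"'{acc['raw']}', which already accepts some of the same new connections")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULESET), ("misordered", MISORDERED_RULESET),
                       ("reordered", REORDERED_RULESET)):
        print(name, audit(text) or ["no findings"])
```

On the posted ruleset the only finding is the policy fall-through: the `RELATED,ESTABLISHED` accept does not overlap any of the `NEW` drops, so ordering is not the issue there. The constructed pair shows the ordering check in isolation: the same network block is reported when it sits behind the port 80 accept and is silent once moved ahead of it. Running `iptables-save | python3 audit.py` style checks is left as a usage sketch; as written the script audits only the embedded samples.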

----------

## gohmdoree

So, all of my drop rules should go first?  Especially the ones to exclude international blocks?

I've made the adjustment and put all of my drop rules first.

----------

## elissoncosta

Alter the default policy on the filter table to drop all connections not explicitly allowed.

Type:

```
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
```

then save the rules.

--

Elisson Costa

----------

## d2_racing

Also, I suggest that you write all your rules inside a .sh file, and then later you can run your iptables rules and they will be automatically written.

I use that trick, so all my laptops have the same rules.

----------

## gohmdoree

d2_racing, thanks for the suggestion.  I think I need to do some more education and then add the suggestions here.

----------

## d2_racing

For the record, you can read these 3 wikis:

http://gentoo-quebec.org/wiki/index.php/Utilisation_de_Iptables_pour_d%C3%A9butant

http://gentoo-quebec.org/wiki/index.php/Utilisation_de_Iptables_pour_un_seul_ordinateur

http://gentoo-quebec.org/wiki/index.php/Utilisation_de_Iptables_comme_Firewall/Gateway

It's in French, but you can understand the rules, and Google Translate is your friend too.

----------

## gohmdoree

Thanks d2_racing for the links.

----------

## d2_racing

No problem.

----------

