# IPtables, problems, rules not working, help ! [solved]

## Keiko

Hia,

I've been playing with iptables, and at one point seemed to have a working configuration; however, today has been a real nightmare. I've been working with it all day, but I've hit some problems and I'm getting really frustrated. I really need some advice if someone can help me.

1. Firstly, my script seems to block some ports when it's running, but when I run "iptables -L" I get the following, which suggests no rules are set; yet my default rules specify that everything is dropped for the INPUT chain. I don't understand why this is:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

2. I have also added the following rule (which I found online today). This should refuse an SSH connection if an SSH connection has already been established within 120 seconds, to help stop/slow brute-force attacks. For a period this seemed to work, but it doesn't do anything now: I can connect, and then connect again immediately afterwards... not what I want. Can someone please check that the following will actually work?

```sh
# Allow SSH connections through to this machine.
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

# But only allow one ssh connection per every 120 seconds, to slow down brute force attacks.
# (the chain to append to, "-A INPUT", was missing from this line, so iptables rejected it)
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 120 -j DROP

# (the flag mask was "SYN,ACK,RST, SYN" with a stray comma and space; the form is "<mask> <set flags>")
iptables -A INPUT -p tcp --dport 22 --tcp-flags SYN,ACK,RST SYN -m state --state NEW -m recent --set -j ACCEPT
```

3. This is where my problems really began. I wanted to improve on what I had with securing SSH; specifically, I wanted to ban an IP address that had 5 failed logon attempts with SSH within a period of ten minutes. I'm not bothered whether the ban is temporary or permanent for now (as long as it's reversible somehow). To achieve this I installed net-analyzer/fail2ban from Portage and configured it as best I could with resources I found online, but although it placed an entry in the log saying my 'test-machine's IP' was banned, I could still connect. And to further upset me, my earlier rule didn't work either, so I could simply sit there trying many, many combinations of usernames/passwords with little recourse, completely the opposite of what I wanted.

So, my basic request is that I would like someone to point to where I've gone wrong with the above, if that's okay?

And now for the biggie... I'm not too keen on relying on program after program. What I would really like is for my firewall script itself to handle the 'banning' of IP addresses, but I'm totally lost on achieving this. I've downloaded the fail2ban source code but couldn't decipher it, and I've spent hours and hours researching and come up with nothing. Now I'm worse off than where I started, and my head's about to explode with frustration...

I'd really love it if someone could help me get my iptables to only allow a single SSH connection every 120 seconds (perhaps per IP address), but if anyone can help me work towards a banning method that's part of my firewall script, then that would be wonderful.

That's about it. If you require any more information, let me know and I'll post whatever you need.

Thank you! Keiko.

Last edited by Keiko on Wed Mar 22, 2006 8:36 am; edited 1 time in total
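The per-address limit and the in-firewall ban that the post asks for can both be done with the iptables `recent` match alone. The script below is an added example, not Keiko's code and not from the linked guide; it assumes the external interface is `eth0`, sshd listens on tcp/22, and the kernel has the recent match (`ipt_recent` on 2.6 kernels of that era, `xt_recent` later). With `DRY_RUN=1` (the default) it prints the commands instead of running them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not part of the original thread): per-source-address SSH
# rate limit with an automatic, self-expiring ban, using only "-m recent".
# Assumptions: interface eth0, sshd on tcp/22, recent match available.

IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-120}"   # seconds the burst is measured over
MAX_NEW="${MAX_NEW:-5}"   # new connections one address may open per WINDOW
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands, 0 = run them (needs root)

# Emit the rule set, one iptables command per line.
# --set records a timestamp for every new connection from the source address;
# --update --seconds W --hitcount N+1 matches once that address has more than
# N timestamps within the last W seconds, and because --update refreshes the
# entry, a client that keeps hammering stays dropped until it goes quiet for W
# seconds. The final ACCEPT is for a stand-alone demo; inside a chain-based
# script like Keiko's use RETURN here and keep the existing THRU accept rule.
ssh_guard_rules() {
	cat <<EOF
iptables -N SSH_GUARD
iptables -A INPUT -i $IFACE -p tcp --dport $SSH_PORT -m state --state NEW -j SSH_GUARD
iptables -A SSH_GUARD -m recent --name SSH --set
iptables -A SSH_GUARD -m recent --name SSH --update --seconds $WINDOW --hitcount $((MAX_NEW + 1)) -m limit --limit 1/min -j LOG --log-prefix "ssh_ratelimit " --log-level 7
iptables -A SSH_GUARD -m recent --name SSH --update --seconds $WINDOW --hitcount $((MAX_NEW + 1)) -j DROP
iptables -A SSH_GUARD -j ACCEPT
EOF
}

# Number of commands the rule set contains (sanity check before running as root).
ssh_guard_rule_count() {
	ssh_guard_rules | wc -l | tr -d ' '
}

# Print (DRY_RUN=1) or execute (DRY_RUN=0) every command; stop at the first failure.
ssh_guard_apply() {
	ssh_guard_rules | while IFS= read -r cmd; do
		if [ "$DRY_RUN" = 1 ]; then
			printf '%s\n' "$cmd"
		else
			eval "$cmd" || exit 1   # leaves the pipeline subshell with status 1
		fi
	done
}

# Where the kernel exposes the list of tracked addresses; the directory name
# changed between the ipt_recent and xt_recent module generations.
ssh_guard_table() {
	for d in /proc/net/xt_recent /proc/net/ipt_recent; do
		if [ -d "$d" ]; then
			echo "$d/SSH"
			return 0
		fi
	done
	return 1
}

# Lift a ban early: writing "-ADDRESS" to the table removes that address.
# (Inspect the current list with: cat "$(ssh_guard_table)")
ssh_guard_unban() {
	table=$(ssh_guard_table) || { echo "recent table not found; is the module loaded?" >&2; return 1; }
	if [ "$DRY_RUN" = 1 ]; then
		printf 'would write "-%s" to %s\n' "$1" "$table"
	else
		echo "-$1" > "$table"
	fi
}

if [ "${1:-}" = "apply" ]; then
	ssh_guard_apply
fi
```

Two caveats matter in practice. First, iptables sees connections, not logins: this counts new TCP connections from one address, so it also throttles a legitimate user who opens six sessions in two minutes, and it cannot tell a failed password from a successful one; banning on failed logons specifically needs something that reads the sshd log, which is what fail2ban does. Second, the rules must sit before any unconditional `--dport 22 -j ACCEPT` in INPUT, or they are never reached.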

----------

## Jfr0

I am new to iptables also, but I'll give it a shot.

1) After you run your script, do a /etc/init.d/iptables save to save the rules.

2) If `iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT` is the first rule then it's going to accept all port 22 traffic before you have a chance to do the second part. I think you should remove this rule.

3) Not sure about this program. Could have something to do with 2?

I think you will need a program to do the banning.

----------

## Keiko

Hia Jfr0,

Thanks for your reply. I'm having trouble understanding how to get iptables to listen to my rules at all; the stuff I've read just confuses the hell out of me, or is totally unusable and doesn't work.

I've tried so much in the last couple of days, I think I've totally ruined the whole thing and need to start again, the right way.

If you don't mind, could you give me bullet points of what I have to do? I have support in my kernel, but other than that, assume nothing, as I've obviously missed something: it worked earlier on and now doesn't do anything. I think I've overwritten a needed config file or something by mistake... so I just need to start all over again with just iptables. My rules are very basic, but to get it working I don't mind stripping it to just setting the default policies to DROP, so if it's okay can you give me a list of the steps, please.

Thank you, Keiko.

----------

## magic919

I'll post the link to the site that helped me with IPtables and blocking (sshblack) bruteforce attempts.

http://www.pettingers.org/code/firewall.html

----------

## Keiko

Hia magic919,

Thanks, i'll work through it.

The biggest problem I'm having is not understanding the material enough to interpret properly what I need and what I don't. I see so many how-tos which go through things, but they end up with something I don't want, so I try to follow their instructions but end up with a configuration I don't want. In this case it's cost me, as I've ended up lost.

Just going to grab a break from the PC, then I'll try and go through everything again, from emerge iptables to hopefully a working firewall. I think I'll follow this to the letter, and try and tune it to my needs afterwards.

Thanks guys i'll keep you posted.

Keiko.

----------

## Keiko

Hia,

Excellent news to report, its working !

I followed the instructions on that site, and when that worked, I used the 'code' parts of my first attempted script to turn it into a script and run it via /etc/conf.d/local.start, and it's working.

I now have a base where I can start from. I'll refresh on what I've read on iptables now and improve my file further, thanks.

Keiko

----------

## Keiko

- DAMN IT -

The excitement has waned... I've just rewritten all of my earlier commands into a new script, basically to make it more legible and to record notes, but iptables doesn't seem to like it. I don't understand why; all the commands are the same, it's virtually identical to the commands I used to create my other one. The only difference is that this time I just created the script, instead of inputting the commands and then using iptables-save.

Can someone help me get my iptables to work with my new script please.

I'll attach my new script here. I've tried to get it to work, but I don't understand why it fails: when I try iptables-restore with it, it says such and such a line has failed, but on checking, that line corresponds to something like iptables -P INPUT, and other seemingly perfect commands.

So, can someone help me again please? Thanks, Keiko.

My new script is below:

```sh
#!/sbin/runscript

depend() {
	need net
}

start() {
	ebegin "Starting firewall"

#----------------------------------- This Script -----------------------------------------------------#
#
# This is my iptables firewall script, it contains the rules that will correctly configure iptables.
#
# This script was created from a very good guide on "http://www.pettingers.org/code/firewall.html" and with
# support and help from various people.
#
# Created on 06/03/2006 by Keiko.
#
#
# If you want this script to automatically setup iptables when you boot your computer (Gentoo), ensure it is
# named firewall-rules and place it into your /etc/init.d/ directory.
# Now using your preferred editor open /etc/conf.d/local.start and add the following line (without quotes)
# "/etc/init.d/firewall-rules start" these rules will then be passed to iptables upon boot.
# To test that the rules have been passed to iptables correctly as super user (root) type the following in a
# terminal (without quotes) "iptables -L" this will list the rules and chains that iptables is using.
#
#------------------------------------------------------------------------------------------------------#

# The default policy of the INPUT chain is now changed, to allow all packets to enter, this is only temporary
# however and will be changed later.
	iptables -P INPUT ACCEPT

# We will now flush (delete) any rules for the chains, which could affect the new rules we are going to implement.
	iptables -F INPUT
	iptables -F OUTPUT
	iptables -F FORWARD

# We are going to create five custom chains. We will use these as targets for our new rules.
# (-N fails if the chain already exists, e.g. when "start" is run a second time; the custom chains
# are also not flushed above, so a second run appends duplicate rules to them.)
	iptables -N SPAM
	iptables -N WEB
	iptables -N BLACKLIST
	iptables -N THRU
	iptables -N LOGDROP

#---------------------------------------- The Rules-----------------------------------------------------#

# The following rule will allow in any packets which are part of a related or established connection, this
# avoids having to explicitly open all ports (which could be many) for programs such as bittorrent clients
# which usually open more ports when a connection has been established, this is generally safe, as the
# connection has had to pass through all of our other rules to become established.
	iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# This rule allows in all packets from the localhost interface.
# (the interface name "lo" was missing after -i)
	iptables -A INPUT -i lo -j ACCEPT

# The next rule will send any packets coming in on port 25 to our SPAM custom chain, to be checked, if
# the originating ip address is one known to the system as a spammer's address.
# (was "-i -eth0"; the interface name takes no leading dash)
	iptables -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j SPAM

# The following rule does the same thing but checks for web hackers instead of spammers via the WEB custom chain,
# the "tcp-flags" are optional, in this case, they are set to look for new connections with "SYN,RST,ACK SYN".
# (was "- eth0" and had --tcp-flags placed between -j and its target; the target must follow -j directly)
	iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j WEB

# The next rule, ensures that any packets that have gotten through the above rules will be jumped to our
# "general blacklist" the BLACKLIST custom chain.
	iptables -A INPUT -j BLACKLIST

# Similarly this rule will jump any packets that have gotten through the BLACKLIST chain to our THRU custom chain.
# The THRU custom chain, is used to allow packets in if they are explicitly allowed, such as from trusted hosts.
	iptables -A INPUT -j THRU

# Next we will create a log entry for the logging daemon each time we drop a packet, however to reduce the risk of
# denial-of-service attacks this logging will be restricted to one entry per second. The log level 7, means that,
# the priority will be set to debug, so these log entries can be exported to a file with syslog / syslog-ng by
# matching "facility(kernel) and level(debug)".
	iptables -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "drop_packet" --log-level 7

# We are now going to setup some rules, that will explicitly allow packets into particular ports to ensure
# the services we run (i.e webserver, mail server, ssh server) will continue to function.
# - NOTE - By default only port 22 will be open for ssh, other popular service ports are included below for
# 	   completeness and will need to be un-commented (remove the preceding #) if you require them open.

# We will allow pings (ICMP type 8) but limit their use to one every 30 seconds (2 per minute).
# (the chain name was missing and "-P" was used instead of "-p"; THRU is the chain the other accept rules use)
	iptables -A THRU -i eth0 -p icmp -m limit --limit 2/min -m icmp --icmp-type 8 -j ACCEPT

# FTP (tcp port 21)
#
#	iptables -A THRU -i eth0 -p tcp --dport 21 -j ACCEPT

# SSH (tcp port 22)
	iptables -A THRU -i eth0 -p tcp --dport 22 -j ACCEPT

# SMTP (tcp port 25)
#
#	iptables -A THRU -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT

# HTTP (tcp port 80)
#
#	iptables -A THRU -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

# POP3 (tcp port 110)
#
#	iptables -A THRU -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT

# If you need to find out what port number your particular service uses, a complete listing of ports and services
# can be found here:  http://www.iana.org/assignments/port-numbers

# We will now add our final rule to the INPUT chain, which will drop all packets, that haven't been accepted
# via any of the previous rules, we will also now change the default policy for INPUT to DROP.
	iptables -A INPUT -j DROP
	iptables -P INPUT DROP

# We will also set the default policy for the FORWARD chain to DROP, as it should not be used, in this configuration.
	iptables -P FORWARD DROP

# The following rules are for our final custom chain LOGDROP. These will place descriptive annotations
# on the log entries, to aid with log analysis later on.
# (the port 80 entry was labelled "ssh_blacklist", a copy-paste slip; it now gets its own prefix)
	iptables -A LOGDROP -p tcp -m tcp --dport 22 -m limit --limit 1/sec -j LOG --log-prefix "ssh_blacklist" --log-level 7
	iptables -A LOGDROP -p tcp -m tcp --dport 25 -m limit --limit 1/sec -j LOG --log-prefix "spam_blacklist" --log-level 7
	iptables -A LOGDROP -p tcp -m tcp --dport 80 -m limit --limit 1/sec -j LOG --log-prefix "web_blacklist" --log-level 7

# The following line specifies how we will respond to packets that have gone through the LOGDROP custom chain.
	iptables -A LOGDROP -j REJECT --reject-with icmp-host-prohibited

#
#
# - NOTE -  To make use of our various blacklists, you can manually add rules to the respective chain, such
# as the following examples (the source address must be introduced with "-s"):
#
#	iptables -A BLACKLIST -s 192.168.254.5 -j LOGDROP
#	iptables -A BLACKLIST -s 192.168.220.9/24 -p tcp --dport 22 -j LOGDROP
#	iptables -A SPAM -s scum.spammers.org -j LOGDROP
#	iptables -A WEB -s script.kiddies.com -j LOGDROP
#
#
#--------------------------------------- End of Configuration----------------------------------------------#

	eend $?
}

# Note: "stop" only reports; it leaves the rules and the DROP policies in place.
stop() {
	ebegin "Stopping firewall"
	eend $?
}
```

----------

## magic919

A useful point to mention is you don't really need to set these up every time you boot.  Set them up, do the save, or just /etc/init.d/iptables stop if you've saved before.  Then you just need /etc/init.d/iptables start and it will load the saved tables at boot.
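`/etc/init.d/iptables save` writes the table in the `iptables-save` format, and `iptables-restore` (which `start` uses) reads only that format: a `*filter` header, one `:CHAIN POLICY [pkts:bytes]` line per chain, rules without the leading `iptables`, then `COMMIT`. A shell script like the one above is not that format, which is why feeding it to `iptables-restore` produces errors on lines such as `iptables -P INPUT`. The converter below is an added example, not part of the thread or of Gentoo's init script; it turns a file of `iptables ...` commands into the restore format for the filter table (the sample input is constructed here and is only a cut-down version of the script's rules).

```shell
#!/bin/sh
# Added example (not from the thread): convert "iptables -P/-N/-A ..." command
# lines into the iptables-save/iptables-restore format for the filter table.
# Only the filter table is handled; any other table or command is rejected.

# Read command lines on stdin, write the restore-format dump on stdout.
rules_to_restore() {
	awk '
	BEGIN {
		nuser = 0; nrule = 0; bad = 0
		# built-in chains default to ACCEPT unless a -P line says otherwise;
		# the last -P for a chain wins, exactly as it would when run live
		policy["INPUT"] = "ACCEPT"; policy["FORWARD"] = "ACCEPT"; policy["OUTPUT"] = "ACCEPT"
	}
	/^[[:space:]]*iptables[[:space:]]/ {
		sub(/^[[:space:]]*iptables[[:space:]]+/, "")     # drop the command name
		sub(/^-t[[:space:]]+filter[[:space:]]+/, "")       # an explicit filter table is fine
		if ($1 == "-P") { policy[$2] = $3; next }
		if ($1 == "-N") { user[nuser++] = $2; next }
		if ($1 == "-A" || $1 == "-I") { rule[nrule++] = $0; next }
		if ($1 == "-F" || $1 == "-X" || $1 == "-Z") next   # a restore starts from empty tables anyway
		print "unsupported line: iptables " $0 > "/dev/stderr"
		bad = 1; exit 1
	}
	END {
		if (bad) exit 1
		print "*filter"
		print ":INPUT " policy["INPUT"] " [0:0]"
		print ":FORWARD " policy["FORWARD"] " [0:0]"
		print ":OUTPUT " policy["OUTPUT"] " [0:0]"
		for (i = 0; i < nuser; i++) print ":" user[i] " - [0:0]"
		for (i = 0; i < nrule; i++) print rule[i]
		print "COMMIT"
	}'
}

# Constructed sample input: a shortened version of the rule set discussed in
# the thread. Comment lines and blank lines are ignored by the converter.
sample_rules() {
	cat <<'EOF'
# temporary policy while the chains are rebuilt
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -N THRU
iptables -N LOGDROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j THRU
iptables -A THRU -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "drop_packet" --log-level 7
iptables -A INPUT -j DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
EOF
}

# Number of lines the converted sample produces (header, 3 built-in chains,
# 2 user chains, 6 rules, COMMIT).
sample_line_count() {
	sample_rules | rules_to_restore | wc -l | tr -d ' '
}

if [ "${1:-}" = "demo" ]; then
	sample_rules | rules_to_restore
fi
```

Usage: `sh convert.sh demo` prints the dump; `rules_to_restore < firewall-rules > /var/lib/iptables/rules-save` (the path Gentoo's init script saves to is the one configured in /etc/conf.d/iptables, so check it there) produces a file that `iptables-restore` accepts. Because the restore format applies the policies and all chains in one atomic step, it also avoids the window during a script run where INPUT is ACCEPT and the chains are half built.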

----------

## Keiko

Hia,

Thanks, that's a good tip; I was even going to create an init script... lol. I'm having problems with iptables accepting my new script, dealing with it in another thread now. I think, well hope, it will be sorted soon, then I can play with the script more and improve it.

My local.start failed last time actually, so it's nice to know I don't have to bother with it, thanks.

Keiko.

----------

