iptables

Discussion in 'Server & Community Management' started by Pyr0x3n, Aug 29, 2013.

  1. What do you think of my iptables settings?

    I intend to add TOR and proxy filtering as well, and cut off a big part of the world (China, Eastern Europe, Africa) from my server.

    Improvement?

    Code (Text):
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [50:6487]
    # INPUT SIDE
    # Accept all loopback input
    -A INPUT -i lo -p all -j ACCEPT
    -A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
     
    # Allow the three way handshake
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     
    # Reject spoofed packets
    -A INPUT -s 10.0.0.0/8 -j DROP
    -A INPUT -s 169.254.0.0/16 -j DROP
    -A INPUT -s 172.16.0.0/12 -j DROP
    -A INPUT -s 127.0.0.0/8 -j DROP
     
    -A INPUT -s 224.0.0.0/4 -j DROP
    -A INPUT -d 224.0.0.0/4 -j DROP
    -A INPUT -s 240.0.0.0/5 -j DROP
    -A INPUT -d 240.0.0.0/5 -j DROP
    -A INPUT -s 0.0.0.0/8 -j DROP
    -A INPUT -d 0.0.0.0/8 -j DROP
    -A INPUT -d 239.255.255.0/24 -j DROP
    -A INPUT -d 255.255.255.255 -j DROP
     
    # Stop smurf attacks
    -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
    -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
    -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
     
    # Drop all invalid packets
    -A INPUT -m state --state INVALID -j DROP
    -A FORWARD -m state --state INVALID -j DROP
    -A OUTPUT -m state --state INVALID -j DROP
     
    # Drop excessive RST packets to avoid smurf attacks
    -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
     
    # Attempt to block portscans
    # Anyone who tried to portscan us is locked out for an entire day.
    -A INPUT  -m recent --name portscan --rcheck --seconds 86400 -j DROP
    -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
     
    # Once the day has passed, remove them from the portscan list
    -A INPUT  -m recent --name portscan --remove
    -A FORWARD -m recent --name portscan --remove
     
    # These rules add scanners to the portscan list, and log the attempt.
    -A INPUT  -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
    -A INPUT  -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
     
    -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
    -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
     
    # Allow the following ports through from outside
     
     
    # Allow pings through
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
     
    # Kill all other input
    -A INPUT -j REJECT
     
     
    # Output side
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     
    # Allow the following ports through from outside
    # 22000 is my SSH port
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22000 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 25565 -j ACCEPT
     
    # Allow pings out
    -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
     
    # Kill all other output
    -A OUTPUT -j REJECT
     
     
    # FORWARD SIDE
    -A FORWARD -j DROP --reject-with icmp-host-prohibited
    -A FORWARD -j DROP --reject-with icmp-port-unreachable
    -A FORWARD -j DROP
    COMMIT
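Added example, not code from the original post: a small Python lint that reads an iptables-restore dump in the format above and reports rules that can never match because an unconditional terminating rule precedes them in the same chain (in the posted ruleset, the `-A INPUT -j REJECT` that sits before the port 22000 and port 25565 ACCEPTs), and also flags `--reject-with` used on a target other than REJECT, which iptables-restore refuses to load. POSTED_RULES is an abbreviated copy of the ruleset above, in the same order.

```python
"""Lint an iptables-restore dump for rules that can never match (added example
for this thread, not the poster's code). A catch-all like `-A INPUT -j REJECT`
makes every later rule in its chain dead, so the ACCEPTs after it never fire.
POSTED_RULES is an abbreviated copy of the thread's ruleset, same order."""
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

POSTED_RULES = """\
*filter
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25565 -j ACCEPT
-A OUTPUT -j REJECT
-A FORWARD -j DROP --reject-with icmp-host-prohibited
-A FORWARD -j DROP
COMMIT
"""

def parse_rules(dump):
    """Return [(chain, tokens)] for every '-A <chain> ...' line in the dump."""
    rules = []
    for line in dump.splitlines():
        toks = shlex.split(line.strip())
        if len(toks) >= 2 and toks[0] == "-A":
            rules.append((toks[1], toks[2:]))
    return rules

def target_of(toks):
    return toks[toks.index("-j") + 1] if "-j" in toks else None

def is_catch_all(toks):
    # A terminating target with no match options at all.
    return target_of(toks) in TERMINATING and len(toks) == 2

def find_shadowed(dump):
    """Rules that follow a catch-all in the same chain and can never be hit."""
    blocked, dead = set(), []
    for chain, toks in parse_rules(dump):
        if chain in blocked:
            dead.append((chain, " ".join(toks)))
        elif is_catch_all(toks):
            blocked.add(chain)
    return dead

def find_bad_reject_with(dump):
    """--reject-with is only valid with -j REJECT; anything else fails to load."""
    return [(chain, " ".join(toks)) for chain, toks in parse_rules(dump)
            if "--reject-with" in toks and target_of(toks) != "REJECT"]
```

Run it against the output of `iptables-save` before loading a ruleset; the fix for the posted config is to move the port ACCEPT rules above the final `-A INPUT -j REJECT`.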
     
  2. Affixes


    Why would you even block that?
     
  3. TOR and proxy filtering, to stop banned players trying to get in again. Then, my servers are mainly built for Scandinavians; I have no players from Asia/Africa/Eastern Europe, and the only "guests" I do have in my logs from those parts of the world are hackers...
     
  4. joehot200


    Blocking TOR:

     
  5. Linode wiki copy, gj. There's a rogue rule in there too which will fuck you over something chronic.
    Try and find it. :D

    Also, a lot of those rules won't work unless the kernel modules are loaded.

    Also, what joehot said.
    Just change your ports and secure your server a little...?
     
  6. Rule #2 is wrong and placed in the wrong place in the hierarchy, isn't it?
    -A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
    I am learning by trial and error... Linux is still a new world for me. All sources giving some insight on how to do it the best (or evil.....?!) way are welcome.

    I never use a setup I don't understand 100% in production; this setup will never reach my boxes until I fully understand what I am doing. Advice is always welcome! I am playing a lot in VMware Fusion to see how things react.
     
  7. Well, why do you need all those rules?

    What do you want to accomplish?
     
  8. I'd say: paranoia !?! o_O I may be overshooting... But in any case, it's fun to learn and try.

    Corin, in your opinion, what basic iptables rules does a bungee/spigot box need? I know there is always a balance between security (paranoia) and flexibility. I've seen some in your post on best practice (a good wiki IMO!) but I'm sure more rules are needed. Can we summarize in a new wiki?
     
  9. Well, that's a tad overparanoid. CookieSlap has an average of 260 players and we rarely get attacks, either SSHd side or website side, and even if they did try to attack the website, PHP is locked down as hell.
    Mostly, securing your box relies on you making your configs up to scratch; simply blocking a country won't cut it.

    You can combine flexibility and security very easily.

    But as for this wiki page, as a collaborative effort on this question; what would you guys like to see in it?
    What rule examples? Anything you want described?