
#1
18th March 2009, 18:05
giganet
Senior Member
Join Date: Aug 2007
Location: California
Posts: 243
Thanks: 116
Thanked 1 Time in 1 Post
IPTables-Blocklist (Questions)

Hello HTF Group...

Today I finally got around to working with the HowTo: http://howtoforge.com/blocking-ip-ad...-with-iptables

My first question pertains to after the blocklist script runs.
The first thing the script does after using 'wget' to download the current Country IP Blocks is to run 'iptables -F' which purges IPTables of any current rules.

The issue I have is I also utilize the following IPTables rules to try and provide some security to SSH access and then additional rules to also close unused ports.

SSH Protection
Code:
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 54000 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force"
iptables -A INPUT -p tcp --dport 54000 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
THE WHITELIST
Code:
iptables -A SSH_WHITELIST -s 65.197.209.0/25 -m recent --remove --name SSH -j ACCEPT
BLOCKING RULES
Code:
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
CLOSE UNUSED PORTS
Code:
iptables -A INPUT -p tcp --dport 444:53999 -j DROP
iptables -A INPUT -p tcp --dport 54001:60000 -j DROP
After the script has finished running, I have to re-enter the SSH protection and close-unused-ports rules manually.

Can I add these lines at the bottom of the script to automate this, as follows?
BLOCKLIST BASH SCRIPT
Code:
#GAMA.ORG###
###PUT HERE COMA SEPARATED LIST OF COUNTRY CODE###
COUNTRIES="A1,A2,AD,AE,AF,AG,AI,AL,AM,AN,AO,AP,AQ,AR,AS,AT,AU,AW,AX,AZ,BA,BB,BD,BE,BF,BG,BH,BI,BJ,BM,BN,BO,BR,BS,BT,BV,,BW,BY,BZ,CA,CC,CD,CF,CG,CH,CI,CK,CL,CM,CN,CO,CR,CU,CV,CX,CY,CZ,DE,DJ,DK,DM,DO,DZ,EC,EE,EG,EH,ER,ES,ET,EU,FI,FJ,FK,FM,FO,FR,GA,GB,GD,GE,GF,GG,GH,GI,GL,GM,GN,GP,GQ,GR,GS,GT,GU,GW,GY,HK,HM,HN,HR,HT,HU,ID,IE,IL,IM,IN,IO,IQ,IR,IS,IT,JE,JM,JO,JP,KE,KG,KH,KI,KM,KN,KP,KR,KW,KY,KZ,LA,LB,LC,LI,LK,LB,LC,LI,LK,LR,LS,LT,LU,LV,LY,MA,MC,MD,ME,MG,MH,MK,ML,MM,MO,MP,MQ,MR,MS,MT,MU,MV,MW,MX,MY,MZ,NA,NC,NE,NF,NF,NI,NL,NO,NP,NR,NU,NZ,OM,PA,PE,PF,PG,PH,PK,PL,PM,PN,PR,PS,PT,PW,PY,QA,RE,RO,RS,RU,RW,SA,SB,SC,SD,SE,SG,SH,SI,SJ,SK,SL,SM,SN,SO,SR,ST,SV,SY,SZ,TC,TD,TF,TG,TH,TJ,TK,TL,TM,TN,TO,TR,TT,TV,TW,TZ,UA,UG,UM,UY,UZ,VA,VC,VE,VG,VI,VN,VU,WF,WS,YE,YT,ZA,ZM,ZW"
WORKDIR="/root"
#######################################
cd $WORKDIR
wget -c --output-document=iptables-blocklist.txt http://blogama.org/country_query.php?country=$COUNTRIES
if [ -f iptables-blocklist.txt ]; then
  # flushes every rule in the built-in chains (and empties user chains)
  iptables -F
  BLOCKDB="iptables-blocklist.txt"
  IPS=$(grep -Ev "^#" $BLOCKDB)
  for i in $IPS
  do
    iptables -A INPUT -s $i -j DROP
    iptables -A OUTPUT -d $i -j DROP
  done
fi
rm $WORKDIR/iptables-blocklist.txt
# Re-add the SSH protection and close-unused-ports rules after the flush above.
# These are plain commands, not a loop body, so no do/done around them.
# The SSH_WHITELIST chain must already exist (iptables -N SSH_WHITELIST);
# 'iptables -F' only empties user chains, it does not delete them.
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 54000 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force"
iptables -A INPUT -p tcp --dport 54000 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A SSH_WHITELIST -s 65.197.209.0/25 -m recent --remove --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 444:53999 -j DROP
iptables -A INPUT -p tcp --dport 54001:60000 -j DROP
Would this be correct and acceptable?

One last thing I have an issue with after the script runs: all services seem to function on the server afterwards; however, from the CLI I am unable to ping the world.
The server returns:
Code:
root@giganetwireless:/home/bender# ping yahoo.com
ping: unknown host yahoo.com
I do notice though now that after sending E-Mails from the server I receive: Delayed Mail (still being retried)
I am however able to receive in-bound E-Mail to this server...

The results of 'hostname -f && hostname' are as follows:
Code:
root@giganetwireless:/home/bender# hostname -f
localhost.localdomain
root@giganetwireless:/home/bender# hostname
giganetwireless.net
netstat -tap Lines Of Interest
Code:
tcp6       0      0 [UNKNOWN]:953           *:*                     LISTEN     6261/named
tcp6       0      0 *:smtp                  *:*                     LISTEN     6211/master
getnameinfo failed
getnameinfo failed
tcp6       0      0 [UNKNOWN]:pop3          [UNKNOWN]:54015         TIME_WAIT  -
tail -f /var/log/mail.log Output
Code:
Mar 15 21:18:47 giganetwireless postfix/smtp[25481]: 4B7EB1C882BA: to=<web_admin@giganetwireless.com>, relay=none, delay=1122, delays=1122/0.01/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=giganetwireless.com type=MX: Host not found, try again)
Mar 15 21:18:47 giganetwireless postfix/smtp[25482]: DCA081C882B7: to=<web_admin@giganetwireless.com>, relay=none, delay=4721, delays=4721/0.01/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=giganetwireless.com type=MX: Host not found, try again)
Mar 15 21:18:47 giganetwireless postfix/smtp[25484]: 76CBB1C882AD: to=<web_admin@giganetwireless.com>, relay=none, delay=8322, delays=8322/0.02/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=giganetwireless.com type=MX: Host not found, try again)
Thanking you in advance for your time and help.

Best Regards
#2
19th March 2009, 17:00
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,740 Times in 2,575 Posts

Quote:
Originally Posted by giganet View Post
Would this be correct and acceptable?
I think this should work.

Regarding the connection problem: I guess this is related to your firewall problem. Please modify the script and try again.
__________________
Falko
#3
19th March 2009, 17:29
giganet
Senior Member
Join Date: Aug 2007
Location: California
Posts: 243
Thanks: 116
Thanked 1 Time in 1 Post

Hi Falko, thank you for the reply...

I did find that the DNS numbers used in 'resolv.conf' were in the same network as some of the blocked country numbers; after changing the DNS numbers I can ping the world now.

The issue I am trying to resolve with this presently is that when I attempt to run 'apt-get update' apt snags on the following:
Code:
0% [Connecting to us.archive.ubuntu.com (91.189.88.45)] [Connecting to security.ubuntu.com (91.189.88.37)]
The above IPs originate from the U.K. (Canonical).

Presently in 'apt' my 'sources.list' is as follows:
Code:
# deb http://us.archive.ubuntu.com/ubuntu/ gutsy main restricted
# deb http://us.archive.ubuntu.com/ubuntu/ gutsy-updates main restricted
# deb http://us.archive.ubuntu.com/ubuntu gutsy-security main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://us.archive.ubuntu.com/ubuntu/ gutsy main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://us.archive.ubuntu.com/ubuntu/ gutsy-updates main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://us.archive.ubuntu.com/ubuntu/ gutsy universe
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy universe
deb http://us.archive.ubuntu.com/ubuntu/ gutsy-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://us.archive.ubuntu.com/ubuntu/ gutsy multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy multiverse
deb http://us.archive.ubuntu.com/ubuntu/ gutsy-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy-updates multiverse
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://us.archive.ubuntu.com/ubuntu/ gutsy-backports main restricted universe multiverse
# deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository. This software is not part of Ubuntu, but is
## offered by Canonical and the respective vendors as a service to Ubuntu
## users.
# deb http://archive.canonical.com/ubuntu gutsy partner
# deb-src http://archive.canonical.com/ubuntu gutsy partner
deb http://security.ubuntu.com/ubuntu gutsy-security main restricted
deb-src http://security.ubuntu.com/ubuntu gutsy-security main restricted
deb http://security.ubuntu.com/ubuntu gutsy-security universe
deb-src http://security.ubuntu.com/ubuntu gutsy-security universe
deb http://security.ubuntu.com/ubuntu gutsy-security multiverse
deb-src http://security.ubuntu.com/ubuntu gutsy-security multiverse
What would the U.S. sources URL be for the security?

BTW: the OS is UBUNTU 7.10

Thank you

Best Regards
#4
20th March 2009, 05:41
giganet
Senior Member
Join Date: Aug 2007
Location: California
Posts: 243
Thanks: 116
Thanked 1 Time in 1 Post
Issue solved

ISSUE SOLVED

I had to open a few ports which I had closed down and also set new DNS numbers in resolv.conf, and VOILA!

Thank you Falko

Best Regards
#5
25th March 2009, 16:50
adam0x54
Junior Member
Join Date: Jun 2008
Posts: 13
Thanks: 0
Thanked 1 Time in 1 Post

A suggestion here...

Instead of blacklisting ports, why don't you whitelist ports and set a default DROP policy?


-Adam
#6
25th March 2009, 22:14
giganet
Senior Member
Join Date: Aug 2007
Location: California
Posts: 243
Thanks: 116
Thanked 1 Time in 1 Post

Hi Adam...

Thank you for the reply.

Excuse my ignorance, but in short detail what measures would I take to implement a port whitelist including DROP policy?

Once again, thank you for sharing your knowledge too!

Best Regards
#7
25th March 2009, 23:39
adam0x54
Junior Member
Join Date: Jun 2008
Posts: 13
Thanks: 0
Thanked 1 Time in 1 Post

The default policy should drop everything except what is allowed in iptables,
e.g. ssh, http, https and dns. Everything else should be dropped. Do a netstat and see what ports you are using.

Default drop policy:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Here is a great place to start:

http://www.redhat.com/docs/en-US/Red...-iptables.html
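Adam's default-DROP whitelist, combined with the SSH rate limiting and the country blocklist that the first post wanted to keep across a flush, as an added example script; it is not from the thread, the HowTo or the blogama script. Everything beyond port 54000 and the SSH recent-module rules is an assumption: the service port lists, the 192.0.2.0/24 admin network and the blocklist file format (one address or CIDR per line) are placeholders to adapt.

```shell
#!/bin/sh
# Default-DROP whitelist firewall (Adam's suggestion) plus the SSH rate limit and
# country blocklist from the first post. Port lists, the admin CIDR and the
# blocklist file format are assumptions, not from the thread: adapt them.
# Apply as root: sh whitelist-fw.sh apply [blocklist.txt]   Preview: IPT=echo sh whitelist-fw.sh apply
IPT="${IPT:-iptables}"
SSH_PORT=54000                       # non-standard SSH port used in the thread
ALLOW_IN_TCP="80 443 25 110"         # http https smtp pop3: compare with 'netstat -tap'
ALLOW_OUT_TCP="53 80 443 25"         # dns, http (apt mirrors), https, outgoing mail
ALLOW_OUT_UDP="53"                   # dns: blocking the resolver is why ping said "unknown host"
SSH_WHITELIST_CIDR="192.0.2.0/24"    # placeholder admin network (TEST-NET-1), replace it

apply_firewall() {
    # start clean, then deny by default on all three built-in chains
    $IPT -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
    # loopback and replies to connections that were already allowed
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH: create the whitelist chain before referencing it; whitelisted sources skip the limit, others get 4 NEW/60 s then LOG+DROP
    $IPT -N SSH_WHITELIST
    $IPT -A SSH_WHITELIST -s "$SSH_WHITELIST_CIDR" -m recent --remove --name SSH -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -m recent --set --name SSH
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j SSH_WHITELIST
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # inbound services: only listed ports are reachable, so nothing needs "closing"
    for p in $ALLOW_IN_TCP; do $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT; done
    # outbound: only what the box itself needs (resolver, apt, mail delivery, ping)
    for p in $ALLOW_OUT_TCP; do $IPT -A OUTPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT; done
    for p in $ALLOW_OUT_UDP; do $IPT -A OUTPUT -p udp --dport "$p" -j ACCEPT; done
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# Blocklist file: one address or CIDR per line, '#' comments. Insert with -I at
# the top so blocked sources are dropped before any ACCEPT rule can admit them.
apply_blocklist() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r net; do
        $IPT -I INPUT 1 -s "$net" -j DROP
        $IPT -I OUTPUT 1 -d "$net" -j DROP
    done
}

case "${1:-}" in
    apply) apply_firewall; if [ -n "${2:-}" ]; then apply_blocklist "$2"; fi ;;
esac
```

Run it with IPT=echo first to review the generated rules; with OUTPUT defaulting to DROP, the resolver (udp/tcp 53) and apt-mirror (tcp 80) rules are what keep ping, mail delivery and apt-get working.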
#8
27th October 2009, 02:23
glennbb
Junior Member
Join Date: Oct 2009
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
What ports?

Quote:
Originally Posted by giganet View Post
ISSUE SOLVED

I had to open a few ports which I had closed down and also set new DNS numbers in resolv.conf, and VOILA!

I'm having the same issue on one of my machines here. Would you mind elaborating on what ports you had to open to get this to work? (I already have 80 open)

Thanks

Glenn
#9
28th October 2009, 00:15
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,740 Times in 2,575 Posts

To what service (web server, FTP server, mail server, etc.) are you referring?
__________________
Falko
#10
28th October 2009, 02:03
glennbb
Junior Member
Join Date: Oct 2009
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Aptitude...

Aptitude; I've been having similar problems with updates and was wondering what ports poster giganet opened to solve his problem.

Glenn