From: Andrew Savchenko <bircoph@gentoo.org>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPTABLES
Date: Thu, 24 Dec 2015 15:11:55 +0300 [thread overview]
Message-ID: <20151224151155.3d0987588f1f8cac49897ed6@gentoo.org> (raw)
In-Reply-To: <20151222224512.b877f56012f7f7e014a2a02a@web.de>
Hi,
On Tue, 22 Dec 2015 22:45:12 +0100 siefke_listen@web.de wrote:
> I try to run iptables, block bad IPs and close the system.
>
> I want to run a firewall which blocks all INPUT and only ALLOWs the services I defined.
> I want to use ipset to block spam IPs; it is surely more awesome than ever setting rules
> manually.
>
> I'm not so sure it is okay; I have tried and read, but at the end I often kick myself out
> of the root server. So better to ask what the pros of Gentoo say.
>
> The Firewall Script > http://pastebin.com/b3305i41
I recommend you read a good tutorial first, e.g. this one:
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
It is a bit old and isn't an ultimate description of all iptables
features (you have manuals for that), but it will give you a good
understanding of how packet flow works and how packets should be
processed.

I see three main problems with your current rules:

1. ESTABLISHED,RELATED packets are not accepted in the INPUT chain. You
will have legitimate traffic blocked because of that.

2. Rules are vulnerable to a SYN/ACK attack (see the manual above on how
to fix this). FORWARDed traffic is not protected at all (are tun+
interfaces completely trusted?).

3. Rules are far from being optimal, e.g. instead of having many
entries for each accepted port, you can write just two rules
using the multiport target: one for tcp and another one for udp. This
way your rules will be much faster. Also you should consider proper
ordering of rules: those with a higher hit rate should go first if
this doesn't impact the security scheme.

There are minor issues of course, like the blacklist check being late in
the rules (it should come as one of the first, otherwise blacklisted
hosts will be allowed to connect to your open services).

For remote debugging I recommend a small script like:

./iptables-current; sleep 1m; iptables-good

where iptables-current is the script with your current rules you
want to test and iptables-good is the tested rules which work for you.
This way if you screw up the current rules and remote control
is lost, in a minute the good old rules will be applied. Of
course, you should terminate this command with ^C if the new rules are
good, so that the old ones will not be fired in a minute.
Best regards,
Andrew Savchenko
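As an added example that is not part of this thread or of the pasted firewall script, the shell script below assembles an INPUT chain in the order the reply recommends (loopback and ESTABLISHED,RELATED first, the blacklist check before any service is opened, a NEW-without-SYN drop as the usual fix for the SYN/ACK problem, and two multiport rules instead of one rule per port) and wraps the apply-then-restore remote-debugging trick, using iptables-save/iptables-restore in place of a hand-written iptables-good. The ipset name "blacklist", the port lists, the DRY_RUN variable and the function names are assumptions; with DRY_RUN=1, the default, it only prints the iptables commands so the ordering can be reviewed on any machine.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Builds the INPUT chain
# in the order recommended in the reply and wraps the "apply, wait, restore"
# remote-debugging trick. DRY_RUN=1 (the default) only prints the iptables
# commands so the rule order can be reviewed on any machine.
# Assumed values: the ipset name "blacklist" and the service port lists.

: "${DRY_RUN:=1}"
BLACKLIST_SET="blacklist"   # assumed ipset of blocked source addresses
TCP_PORTS="22,80,443"       # constructed example list of allowed TCP services
UDP_PORTS="53,123"          # constructed example list of allowed UDP services

# Print or run an iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_input_rules() {
    ipt -P INPUT DROP
    ipt -F INPUT
    # Highest hit rate first: loopback and packets of already accepted
    # connections (the missing ESTABLISHED,RELATED rule from point 1).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Blacklist check before any service is opened, so listed hosts
    # never reach the ACCEPT rules below.
    ipt -A INPUT -m set --match-set "$BLACKLIST_SET" src -j DROP
    # A NEW TCP connection must start with a bare SYN; this is the
    # usual mitigation for the SYN/ACK problem mentioned in point 2.
    ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # Two multiport rules replace one rule per port (point 3).
    ipt -A INPUT -p tcp -m multiport --dports "$TCP_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p udp -m multiport --dports "$UDP_PORTS" -j ACCEPT
    # Rate-limited log of what the DROP policy is about to discard.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

# Succeeds when the blacklist DROP comes before the first service ACCEPT.
check_order() {
    rules=$(DRY_RUN=1 build_input_rules)
    bl=$(printf '%s\n' "$rules" | grep -n -- '--match-set' | head -n1 | cut -d: -f1)
    svc=$(printf '%s\n' "$rules" | grep -n -- '--dports' | head -n1 | cut -d: -f1)
    [ -n "$bl" ] && [ -n "$svc" ] && [ "$bl" -lt "$svc" ]
}

# Number of rules that accept service ports; should be two (tcp and udp).
count_service_rules() {
    DRY_RUN=1 build_input_rules | grep -c -- '--dports'
}

# The safety net from the reply, with iptables-save/restore instead of a
# hand-written "good" script: load the rules under test, wait, then put
# the snapshot back unless the operator interrupts with ^C first.
try_rules() {
    rules_script=$1
    delay=${2:-60}
    if [ "$DRY_RUN" = 1 ]; then
        echo "would: iptables-save > snapshot; sh $rules_script; sleep $delay; iptables-restore < snapshot"
        return 0
    fi
    snapshot=$(mktemp) || return 1
    iptables-save > "$snapshot" || return 1
    sh "$rules_script"
    sleep "$delay"
    iptables-restore < "$snapshot"
    rm -f "$snapshot"
}

build_input_rules
```

Run it as `sh build-input.sh` to review the generated rule order, and as `DRY_RUN=0 sh build-input.sh` on the server to apply it; `DRY_RUN=0 try_rules ./build-input.sh 60` gives the one-minute window from the reply before the saved rule set is put back.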