From: Andrew Savchenko
To: gentoo-user@lists.gentoo.org
Date: Thu, 24 Dec 2015 15:11:55 +0300
Subject: Re: [gentoo-user] IPTABLES
Message-Id: <20151224151155.3d0987588f1f8cac49897ed6@gentoo.org>
In-Reply-To: <20151222224512.b877f56012f7f7e014a2a02a@web.de>

Hi,

On Tue, 22 Dec 2015 22:45:12 +0100 siefke_listen@web.de wrote:
> I try to run iptables, block bad IPs and close the system.
>
> I want to run a firewall which blocks all INPUT and only ALLOWs the services I defined.
> I want to use ipset to block spam IPs; that is surely much nicer than setting rules
> manually.
>
> I'm not sure it is okay; I have tried and read, but in the end I often lock myself out
> of the root server. So better to ask what the Gentoo pros say.
>
> The firewall script:
> http://pastebin.com/b3305i41

I recommend you to read a good tutorial first, e.g. this one:
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

It is a bit old and isn't an ultimate description of all iptables features (you have the manuals for that), but it will give you a good understanding of how packet flow works and how packets should be processed.

I see three main problems with your current rules:

1. ESTABLISHED,RELATED packets are not accepted in INPUT. You will have legitimate traffic blocked because of that.

2. The rules are vulnerable to a SYN/ACK attack (see the tutorial above on how to fix this). FORWARDed traffic is not protected at all (are the tun+ interfaces completely trusted?).

3. The rules are far from optimal, e.g. instead of having many entries for each accepted port, you can write just two rules using the multiport target: one for tcp and another one for udp. This way your rules will be much faster. Also you should consider proper ordering of rules: those with a higher hit rate should go first if this doesn't impact the security scheme.

There are minor issues of course, like the blacklist check being late in the rules (it should be one of the first, otherwise blacklisted hosts will be allowed to connect to your open services).

For remote debugging I recommend a small script like:

./iptables-current; sleep 1m; iptables-good

where iptables-current is the script with the current rules you want to test and iptables-good is the tested ruleset which works for you.
This way, if you screw up the current rules and remote control is lost, the good old rules will be applied in a minute. Of course, you should terminate this command with ^C if the new rules are good, so that the old ones will not be fired in a minute.

Best regards,
Andrew Savchenko
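The advice in the reply above, written out as an added example (this is neither the original poster's pastebin script nor Andrew's own rules): a POSIX shell script that emits an iptables-restore ruleset in the order he recommends (ESTABLISHED,RELATED first, ipset blacklist before any service is opened, INVALID and non-SYN NEW packets dropped, a rate limit on new SYNs, one multiport rule per protocol, default DROP on INPUT and FORWARD), plus an apply function that generalises his `./iptables-current; sleep 1m; iptables-good` trick by snapshotting the live rules with iptables-save and rolling back unless a confirmation file appears. The ipset name, port lists, limits and confirm-file path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not the original poster's script: build an INPUT-drop
# ruleset in iptables-restore format, in the order the reply recommends.
# Names, ports and limits below are assumptions for illustration only.

BLACKLIST_SET="${BLACKLIST_SET:-blacklist}"   # assumed ipset (hash:net) of spam IPs
TCP_PORTS="${TCP_PORTS:-22,80,443}"           # assumed services to expose
UDP_PORTS="${UDP_PORTS:-}"                    # none by default
CONFIRM="${CONFIRM:-/run/iptables.confirm}"   # assumed path used to cancel rollback

# Print a complete *filter table. Lines starting with # are accepted by iptables-restore.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYNFLOOD - [0:0]
-A INPUT -i lo -j ACCEPT
# highest hit rate: replies to our own connections, so this goes first
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# blacklist before any service is opened; a hash:net lookup is O(1)
-A INPUT -m set --match-set ${BLACKLIST_SET} src -j DROP
# packets conntrack cannot classify, and NEW TCP that does not start with a bare SYN
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# rate-limit new SYNs; SYNFLOOD returns to INPUT for the ones within the limit
-A INPUT -p tcp --syn -j SYNFLOOD
-A SYNFLOOD -m limit --limit 25/s --limit-burst 100 -j RETURN
-A SYNFLOOD -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# one rule per protocol instead of one rule per port
-A INPUT -p tcp -m multiport --dports ${TCP_PORTS} -j ACCEPT
EOF
    [ -n "$UDP_PORTS" ] && echo "-A INPUT -p udp -m multiport --dports ${UDP_PORTS} -j ACCEPT"
    echo "COMMIT"
}

# 1-based line number of the first generated line matching $1 (empty if none)
line_of() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Verify the ordering the reply asks for: ESTABLISHED,RELATED first,
# blacklist before the services, services last. Returns 0 when correct.
check_order() {
    est=$(line_of 'ESTABLISHED,RELATED')
    bl=$(line_of 'match-set')
    svc=$(line_of 'multiport')
    [ -n "$est" ] && [ -n "$bl" ] && [ -n "$svc" ] &&
        [ "$est" -lt "$bl" ] && [ "$bl" -lt "$svc" ]
}

# Load the generated rules with automatic rollback to whatever was live
# before, generalising "./iptables-current; sleep 1m; iptables-good": the
# known-good set is captured with iptables-save, and the rollback is
# cancelled by creating $CONFIRM rather than by pressing ^C in a session
# that may already be dead. Needs root and the iptables/ipset tools.
apply_with_rollback() {
    saved=$(mktemp) || return 1
    iptables-save > "$saved" || return 1
    ipset create "$BLACKLIST_SET" hash:net -exist || return 1
    rm -f "$CONFIRM"
    if ! gen_rules | iptables-restore; then
        iptables-restore < "$saved"
        return 1
    fi
    ( sleep 60; [ -e "$CONFIRM" ] || iptables-restore < "$saved" ) &
    echo "new rules loaded; run 'touch $CONFIRM' within 60 s to keep them"
}

case "${1:-}" in
    print) gen_rules ;;
    check) check_order && echo "rule order OK" ;;
    apply) apply_with_rollback ;;
esac
```

`print` and `check` need no privileges and are what to run before touching a remote box; `apply` is the only part that needs root. Populating the set (`ipset add blacklist 192.0.2.0/24`) is independent of the ruleset, which is the point of checking it early: the rule stays the same however long the list grows.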