Hi,

On Tue, 22 Dec 2015 22:45:12 +0100 siefke_listen@×××.de wrote:
> I try to run iptables, block bad IPs and close the system.
>
> I want to run a firewall which blocks all INPUT and only ALLOWs the services
> I defined. I want to use ipset to block spam IPs; that is surely more awesome
> than ever setting rules manually.
>
> I'm not so sure it is okay. I have tried and read, but in the end I often kick
> myself out of the root server. So better to ask what the Gentoo pros say.
>
> The Firewall Script > http://pastebin.com/b3305i41

I recommend that you read a good tutorial first, e.g. this one:
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

It is a bit old and isn't an ultimate description of all
iptables features (you have manuals for that), but it will give you a
good understanding of how packet flow works and how packets should be
processed.

I see three main problems with your current rules:

1. ESTABLISHED,RELATED packets are not accepted in INPUT. You
will have legitimate traffic blocked because of that.

2. The rules are vulnerable to the SYN/ACK attack (see the manual above on how
to fix this). FORWARDed traffic is not protected at all (are tun+
interfaces completely trusted?).

3. The rules are far from optimal, e.g. instead of having many
entries, one for each accepted port, you can write just two rules
using the multiport target: one for tcp and another one for udp. This
way your rules will be much faster. Also you should consider proper
ordering of rules: those with a higher hit rate should go first if
this doesn't impact the security scheme.

There are minor issues of course, like the blacklist check being late in the
rules (it should be one of the first, otherwise blacklisted hosts
will be allowed to connect to your open services).

For remote debugging I recommend a small script like:
./iptables-current; sleep 1m; ./iptables-good

where iptables-current is the script with the current rules you
want to test and iptables-good contains tested rules which work for you.
This way, if you screw up the current rules and remote control
is lost, in a minute the good old rules will be applied. Of
course, you should terminate this command with ^C if the new rules are
good, so that the old ones will not be fired in a minute.

Best regards,
Andrew Savchenko