| 1 |
Hi, |
| 2 |
|
| 3 |
On Tue, 22 Dec 2015 22:45:12 +0100 siefke_listen@×××.de wrote: |
| 4 |
> i try to run iptables, block bad ips and close the system. |
| 5 |
> |
| 6 |
> I want run firewall which block all INPUT, only ALLOW services i defined. |
| 7 |
> Ipset want to use to block spam ips, make it sure awesome as ever set rules |
| 8 |
> manuell. |
| 9 |
> |
| 10 |
> Im not so sure is okay, i has try and read but at end often i kick me out |
| 11 |
> from rootserver. So better ask what say profis of Gentoo. |
| 12 |
> |
| 13 |
> The Firewall Script > http://pastebin.com/b3305i41 |
| 14 |
|
| 15 |
I recommend you to read a good tutorial first, e.g. this one: |
| 16 |
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html |
| 17 |
|
| 18 |
It is a bit old and isn't an ultimate description of all |
| 19 |
iptables features (you have manuals for that), but will give you a |
| 20 |
good understanding of how packet flow works and how they should be |
| 21 |
processed. |
| 22 |
|
| 23 |
I see three main problems with your current rules: |
| 24 |
|
| 25 |
1. ESTABLISHED,RELATED packets are not accepted in the INPUT. You |
| 26 |
will have legitimate traffic blocked because of that. |
| 27 |
|
| 28 |
2. Rules are vulnerable to SYN/ACK attack (see manual above on how |
| 29 |
to fix this). FORWARDed traffic is not protected at all (are tun+ |
| 30 |
interfaces completely trusted?). |
| 31 |
|
| 32 |
3. Rules are far from being optimal, e.g. instead of having many |
| 33 |
enrtries for each accepted port, you can write just two rules |
| 34 |
using multiport target: one for tcp and another one for udp. These |
| 35 |
way your rules will be much faster. Also you should consider proper |
| 36 |
ordering of rules: those with higher hit rate should go first if |
| 37 |
this doesn't impact security scheme. |
| 38 |
|
| 39 |
There are minor issues of course, like blacklist check late on the |
| 40 |
rules (it should come one of the first, otherwise blacklisted hosts |
| 41 |
will be allowed to connect your open services). |
| 42 |
|
| 43 |
For remote debugging I recommend a small script like: |
| 44 |
./iptables-current; sleep 1m; iptables-good |
| 45 |
|
| 46 |
where iptables-current is the script with your current rules you |
| 47 |
want to test and iptables-good are tested rules which work for you. |
| 48 |
This way if you'll screw up with current rules and remote control |
| 49 |
well be lost, in a minute good old rules will be applied. Of |
| 50 |
course, you should terminate this command with ^C if new rules are |
| 51 |
good, so that old ones will not be fired in a minute. |
| 52 |
|
| 53 |
Best regards, |
| 54 |
Andrew Savchenko |
Archives