iptables allow traceroute / axip / rip protocol

#!/bin/bash
ipt="/sbin/iptables"
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
# Ampr.org
# Port 520 RIP, routing protocol
$ipt -A INPUT -p udp --dport 520 -j ACCEPT
# Allow traceroute. Do not DROP UDP ports 33434 to 33523; a REJECT is fine.
# If you drop them, traceroute stops working (the probes get no answer).
$ipt -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$ipt -A INPUT -p udp --dport 33434:33523 -j REJECT
# Proto 4 = IPv4 encapsulation / Proto 93 = ax.25 / Proto 94 = IPIP
# Here everything from and to the 44 network is allowed.
# If you only want to allow 44net to 44net:
# $ipt -I INPUT -j ACCEPT -s 44.0.0.0/8 -d 44.0.0.0/8
#
# -I inserts at the top of the chain, so these rules are checked before the ones above.
$ipt -I INPUT -j ACCEPT -s 44.0.0.0/8 -d 0.0.0.0/0
$ipt -I INPUT -j ACCEPT -s 0.0.0.0/0 -d 44.0.0.0/8
$ipt -I FORWARD -j ACCEPT -s 44.0.0.0/8 -d 0.0.0.0/0
$ipt -I FORWARD -j ACCEPT -s 0.0.0.0/0 -d 44.0.0.0/8
$ipt -I INPUT -j ACCEPT --proto 4
$ipt -I INPUT -j ACCEPT --proto 93
$ipt -I INPUT -j ACCEPT --proto 94
$ipt -I FORWARD -j ACCEPT --proto 4
$ipt -I FORWARD -j ACCEPT --proto 94
$ipt -I FORWARD -j ACCEPT --proto 93

 

Allowing traceroutes to succeed with iptables

Traceroute from Windows machines typically uses ICMP Type 8 packets. Traceroute from Unix-like machines typically uses UDP packets with sequentially increasing destination ports, from 33434 to 33534. So your server (the traceroute destination) must not drop incoming ICMP Type 8 or UDP 33434:33534.

Here's where it gets tricky: it really doesn't need to accept those packets either, which is what the vast majority of sites addressing this issue recommend. It just needs to be able to reject them, which won't happen if they're being dropped. If you implement the typical advice (accepting those packets), traceroute basically ends up working by accident: those ports shouldn't be in use by any running application, and since nothing is listening on them, the server will issue an ICMP Type 3 response (destination unreachable). However, if you're accepting packets to these ports, then a rogue application listening on those ports also becomes reachable, which is the sort of thing your firewall should be preventing in the first place.

The good news is, DROP and ACCEPT aren’t your only options – you can REJECT these packets instead, which will do exactly what we want here: allow traceroutes to work properly without also potentially enabling some rogue application to listen on those UDP ports.

So all you really need on your server to allow incoming traceroutes to work properly is:

# allow ICMP Type 8 (ping, ICMP traceroute)
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
# enable UDP traceroute rejections to get sent out
-A INPUT -p udp --dport 33434:33523 -j REJECT
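To check that a host really has the two rules from the script at the top and from the section above (ICMP type 8 accepted, the UDP probe range rejected rather than dropped or accepted), here is an added audit script. It is not part of the original page; it reads an iptables-save dump on stdin, and audit_traceroute_rules and the sample dump are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit an iptables-save dump for the
# two traceroute rules. Reads the dump on stdin, prints one verdict line per rule
# and returns 0 only when ICMP type 8 is ACCEPTed and the UDP probe range
# 33434:33523 hits a REJECT (not DROP, not ACCEPT).
audit_traceroute_rules() {
    dump=$(cat)
    rc=0

    # Rule 1: echo-request must be accepted, otherwise Windows tracert gets nothing back.
    if printf '%s\n' "$dump" | grep -Eq -e '^-A INPUT .*-p icmp .*--icmp-type 8 .*-j ACCEPT'; then
        echo "ok: ICMP type 8 accepted in INPUT"
    else
        echo "missing: no ACCEPT for ICMP type 8 in INPUT"
        rc=1
    fi

    # Rule 2: UDP probes must be rejected so an ICMP port-unreachable goes back.
    # The target is whatever follows -j on the first INPUT rule for the probe range.
    udp_target=$(printf '%s\n' "$dump" \
        | grep -E -e '^-A INPUT .*-p udp .*--dport 33434:335(23|34) ' \
        | sed -E 's/.* -j ([A-Z]+).*/\1/' | head -n 1)
    case "$udp_target" in
        REJECT) echo "ok: UDP traceroute probes are rejected" ;;
        DROP)   echo "wrong: UDP probes are dropped, traceroute will show * * * at this host"; rc=1 ;;
        ACCEPT) echo "wrong: UDP probes are accepted, a listener on those ports would be reachable"; rc=1 ;;
        "")     echo "missing: no INPUT rule for UDP 33434:33523"; rc=1 ;;
        *)      echo "wrong: unexpected target $udp_target for UDP probes"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample dump in iptables-save format, matching the rules discussed above.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Run the audit on the sample; on a live host use:  iptables-save | audit_traceroute_rules
printf '%s\n' "$SAMPLE_DUMP" | audit_traceroute_rules
```

The audit only looks at the rule text, not at rule order: a blanket DROP for UDP placed earlier in INPUT would still shadow the REJECT, so read the full dump once the two rules are confirmed.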

 

ip6tables firewall

If your network is being prepared for IPv6, it is necessary to set up an IPv6 firewall as well, since iptables only handles IPv4. For that we need ip6tables. Below is a small example of a simple ip6tables firewall.

#!/bin/bash

# ip6tables single-host firewall script

# Define your command variables
ipt6="/sbin/ip6tables"

# Flush all rules and delete all chains
$ipt6 -F
$ipt6 -X

# Zero out all counters
$ipt6 -Z

# deny all incoming / Unrestricted outgoing

$ipt6 -P INPUT DROP
$ipt6 -P FORWARD DROP
$ipt6 -P OUTPUT ACCEPT

# Must allow loopback interface
$ipt6 -A INPUT -i lo -j ACCEPT

# Allow return connections
$ipt6 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept all ICMPv6 packets. Unlike IPv4, ICMPv6 carries neighbour discovery
# and router advertisements, so blocking it wholesale breaks basic connectivity.
$ipt6 -A INPUT -p ipv6-icmp -j ACCEPT

# Allow DHCPv6 from link-local addresses only (the client listens on UDP 546)
$ipt6 -A INPUT -m state --state NEW -m udp -p udp \
    -s fe80::/10 --dport 546 -j ACCEPT

# Allow connections from SSH clients
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Allow HTTP and HTTPS traffic
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Small but effective.

Linux iptables: block an entire country.

Below is an iptables script that makes it possible to block whole countries.
The country files you can use are at http://www.ipdeny.com/ipblocks/data/countries.

#!/bin/bash
# Purpose: Block all traffic from AFGHANISTAN (af) and CHINA (cn). Use ISO codes.
# See url for more info - http://www.cyberciti.biz/faq/?p=3402
# Author: nixCraft <www.cyberciti.biz> under GPL v.2.0+
# -------------------------------------------------------------------------------
ISO="af cn"

### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep

### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

# Flush every table and open the default policies; the firewall proper is
# expected to be loaded again by the script called at the bottom.
cleanOldRules(){
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
}

# create a dir
[ ! -d "$ZONEROOT" ] && /bin/mkdir -p "$ZONEROOT"

# clean old rules
cleanOldRules

# create a new iptables chain
$IPT -N "$SPAMLIST"

for c in $ISO
do
	# local zone file
	tDB="$ZONEROOT/$c.zone"

	# get fresh zone file; skip the country if the download fails,
	# otherwise an empty or stale file would silently block nothing
	if ! $WGET -O "$tDB" "$DLROOT/$c.zone"; then
		echo "download of $c.zone failed, skipping $c" >&2
		continue
	fi

	# country specific log message
	SPAMDROPMSG="$c Country Drop"

	# get the prefixes, skipping comments and empty lines
	BADIPS=$($EGREP -v "^#|^$" "$tDB")
	for ipblock in $BADIPS
	do
	   $IPT -A "$SPAMLIST" -s "$ipblock" -j LOG --log-prefix "$SPAMDROPMSG"
	   $IPT -A "$SPAMLIST" -s "$ipblock" -j DROP
	done
done

# Send all traffic through the country chain first. The chain matches on source
# address only, and locally generated packets carry this host's own address, so
# the OUTPUT hook never matches; it is kept here as in the original.
$IPT -I INPUT -j "$SPAMLIST"
$IPT -I OUTPUT -j "$SPAMLIST"
$IPT -I FORWARD -j "$SPAMLIST"

# call your other iptable script
# /path/to/other/iptables.sh

exit 0
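The country script above passes every non-comment line of the downloaded zone file straight to "$IPT -A ... -s", and the file is fetched over plain http. A corrupt or tampered download could therefore inject extra iptables arguments or a catch-all prefix. Here is an added validation step, not part of the original page or of the nixCraft script: valid_cidr4 and filter_zone_file are assumed names, and the sample zone file is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): validate an ipdeny-style zone file
# before any of its lines reach iptables.

# valid_cidr4 A.B.C.D/N  -> returns 0 for a well-formed IPv4 prefix with 1 <= N <= 32.
# /0 is refused on purpose: a country list must never contain "everything".
valid_cidr4() {
    case "$1" in
        */*) ;;
        *)   return 1 ;;
    esac
    addr=${1%/*}
    plen=${1#*/}
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -ge 1 ] && [ "$plen" -le 32 ] || return 1
    # Split the address on dots without letting the shell glob-expand anything.
    set -f
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    set +f
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# filter_zone_file < zone.file  -> prints only valid prefixes, one per line,
# reports rejected lines on stderr and returns 1 if any line was rejected.
filter_zone_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;
        esac
        if valid_cidr4 "$line"; then
            printf '%s\n' "$line"
        else
            printf 'rejected: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample: two good prefixes, a comment, and three lines that must not
# reach iptables (argument injection, a /0 catch-all, an octet out of range).
SAMPLE_ZONE='# constructed zone file
203.0.113.0/24
198.51.100.0/25
203.0.113.0/24 -j ACCEPT
0.0.0.0/0
256.1.1.0/24'

# In the country script this would replace the egrep step, e.g.
#   BADIPS=$(filter_zone_file < "$tDB") || { echo "bad zone file for $c" >&2; continue; }
printf '%s\n' "$SAMPLE_ZONE" | filter_zone_file || echo "zone file contained invalid lines, refusing to load" >&2
```

Refusing the whole file on the first bad line is deliberate: a partially loaded country list gives a false sense of coverage, and the LOG lines in the chain make it easy to see which list was loaded.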

SSH brute force.

Since I am going completely mad from those "script kiddies" hammering away at all kinds of ports, I have added something to the firewall. (This is an example.)

# Every new connection to port 22 is recorded in the "recent" list named SSH, keyed on source address.
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
# Four or more hits from the same source within 30 seconds: reject.
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --hitcount 4 --rttl --name SSH --rsource -j REJECT
# From the third hit within 30 seconds: log it ...
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j LOG
# ... and reject it. --update also refreshes the timestamp, so a source that keeps trying stays blocked.
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j REJECT
# (The reject type and log prefix were cut off in the original listing, so the defaults are used here;
#  an ACCEPT for port 22 is assumed to follow elsewhere in the firewall.)
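The LOG rule above writes a netfilter line to the kernel log for every third-or-later attempt, which is what makes the repeat offenders visible. Here is an added example, not from the original page, of summarising those lines per source; ssh_log_offenders is an assumed name and the sample log lines are constructed in the netfilter LOG format with the timestamp and MAC fields trimmed.

```shell
#!/bin/sh
# Added example (not from the original page): summarise kernel LOG lines for port 22
# by source address. Reads syslog/journal text on stdin and prints "hits source" for
# every SRC seen at least $1 times on DPT=22 (default 3), busiest first.
ssh_log_offenders() {
    min=${1:-3}
    awk -v min="$min" '
        # only lines for port 22; DPT=2222 and the like must not match
        / DPT=22 / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) hits[substr($i, 5)]++
        }
        END {
            for (s in hits)
                if (hits[s] >= min) printf "%d %s\n", hits[s], s
        }
    ' | sort -rn
}

# Constructed sample: 203.0.113.5 hits port 22 four times, 203.0.113.9 twice,
# 198.51.100.7 once on 22 and once on 2222 (which must be ignored).
SAMPLE_LOG='Jan 10 12:00:01 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 10 12:00:02 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22 SYN
Jan 10 12:00:03 host kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 10 12:00:04 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=22 SYN
Jan 10 12:00:05 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=2222 SYN
Jan 10 12:00:06 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=6001 DPT=22 SYN
Jan 10 12:00:07 host kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 10 12:00:08 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=22 SYN'

# On a live host:  grep 'DPT=22 ' /var/log/kern.log | ssh_log_offenders 3
printf '%s\n' "$SAMPLE_LOG" | ssh_log_offenders 3
```

Because the recent rules only log from the third hit onwards, a source that appears here at all has already crossed the threshold; the count tells you how persistent it was within the log window.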