Securing the box using iptables and the 'recent' module
This guide aims to protect your box against the newbie hacker. It's an updated version of
the MythBox SD guide, with additions which utilise the iptables 'recent' module in order to:
- blacklist IP addresses which send martian packets, and
- limit the number of SSH connections that can be made within a given timeframe to prevent brute-force attacks
Given that the task of network routing has been delegated to the ubiquitous broadband router, the rule list is much shorter.
The list includes rules to filter out portscanners and flood attacks, logging any such activity.
The following rules should be typed as root. Once complete you can save your configuration by typing:
/etc/init.d/iptables save
(the save action belongs to the Red Hat/Fedora style init script; on systems without it, write the rules out with iptables-save and restore them at boot with iptables-restore).
# Flush the firewall rules.
iptables -F
# Allow good icmp traffic, filter the bad.
iptables -N ICMPFILTER
iptables -A ICMPFILTER -m state --state NEW -p icmp --icmp-type time-exceeded -j RETURN
iptables -A ICMPFILTER -m state --state NEW -p icmp --icmp-type destination-unreachable -j RETURN
iptables -A ICMPFILTER -p icmp -j DROP
# Prevent portscanners (including SYN flooding by limiting bursting).
iptables -N FILTERSCANNERS
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FILTERSCANNERS -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j RETURN
# SYNs over the limit fall through to here. Without an explicit DROP they would simply
# reach the end of the chain and RETURN as well, so the limit above would have no effect.
iptables -A FILTERSCANNERS -p tcp --syn -j DROP
# We aren't carrying out routing so set the forwarding chain's policy to drop.
iptables -P FORWARD DROP
# Set the default policy on the input chain to DROP. Accept ESTABLISHED,RELATED packets
# straight away so that traffic on existing connections never reaches the recent-module rules
# and cannot be used to get a legitimate peer blacklisted (a DoS via the recent module).
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# If a blacklisted IP comes back, drop the packet. --update also refreshes the entry's
# timestamp, so the block lasts 60 seconds from the last packet seen, not from the first.
iptables -A INPUT -m recent --update --seconds 60 -j DROP
# If we have an invalid packet, or a martian packet, drop it and add the source IP to the
# blacklist.
iptables -A INPUT -m state --state INVALID -m recent --set -j DROP
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -m recent --set -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -m recent --set -j DROP
# Allow downloads from Vuze or similar. (-p tcp/udp must precede -m multiport, which
# needs to know the protocol to resolve the port list.)
iptables -A INPUT -p tcp -m multiport --dports <download_port_1>,<download_port_2> -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports <download_port_1>,<download_port_2> -j ACCEPT
# Apply our filters.
iptables -A INPUT -j ICMPFILTER
iptables -A INPUT -j FILTERSCANNERS
# Accept traffic from the loopback device.
iptables -A INPUT -i lo -j ACCEPT
# Every new request to port 22 is recorded in the recent list named SSH. If it's the 5th
# time this IP has connected in 3 minutes, the packet is dropped; otherwise it carries on
# to the whitelist rules below, which decide whether it is accepted.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 5 --name SSH -j DROP
# Accept traffic from our whitelist.
iptables -A INPUT -p tcp -m multiport --dports http,https,ssh -m state --state NEW -s <allowed_http_ip_1> -j ACCEPT
iptables -A INPUT -m mac --mac-source <good_mac_1> -m state --state NEW -s <good_ip_1> -j ACCEPT
iptables -A INPUT -m mac --mac-source <good_mac_2> -m state --state NEW -s <good_ip_2> -j ACCEPT
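The FILTERSCANNERS rules all rely on the same --tcp-flags test: the first argument is the mask of flags to examine, the second is the set that must be on, and the packet matches when (flags AND mask) == set. The following script is an added example, not part of the original guide, that reproduces that test in POSIX sh so you can see which log prefix a given flag combination would earn and confirm that a normal SYN or SYN,ACK passes untouched. The bit values assigned to the flags are an assumption of the example; only set membership matters for the comparison.

```shell
#!/bin/sh
# Added example, not part of the original guide: evaluate the --tcp-flags
# mask/compare pairs used by FILTERSCANNERS against a packet's flag set.
# Bit values are arbitrary but consistent (assumption of this example).
FIN=1; SYN=2; RST=4; PSH=8; ACK=16; URG=32
ALL=$((FIN|SYN|RST|PSH|ACK|URG))

# flags_to_bits "SYN,ACK" -> integer bitmask. ALL and NONE are accepted
# with the same meaning iptables gives them.
flags_to_bits() {
    bits=0
    case "$1" in
        ALL)  echo "$ALL"; return ;;
        NONE) echo 0; return ;;
    esac
    oldifs=$IFS; IFS=,
    for f in $1; do
        case "$f" in
            FIN) bits=$((bits|FIN)) ;;
            SYN) bits=$((bits|SYN)) ;;
            RST) bits=$((bits|RST)) ;;
            PSH) bits=$((bits|PSH)) ;;
            ACK) bits=$((bits|ACK)) ;;
            URG) bits=$((bits|URG)) ;;
            *) IFS=$oldifs; echo "unknown flag: $f" >&2; return 1 ;;
        esac
    done
    IFS=$oldifs
    echo "$bits"
}

# tcp_flags_match MASK COMP PACKETFLAGS
# Mirrors the kernel's test: (packet_flags & mask) == comp.
tcp_flags_match() {
    m=$(flags_to_bits "$1") || return 2
    c=$(flags_to_bits "$2") || return 2
    p=$(flags_to_bits "$3") || return 2
    [ $(( p & m )) -eq "$c" ]
}

# classify_flags PACKETFLAGS
# Walks the FILTERSCANNERS flag rules in the guide's order and prints the
# log prefix of the first one that matches, or "pass" when the packet would
# reach the end of the chain unharmed.
classify_flags() {
    pkt=$1
    for rule in "ALL FIN,URG,PSH NMAP-XMAS" \
                "ALL ALL XMAS" \
                "ALL SYN,RST,ACK,FIN,URG XMAS-PSH" \
                "ALL NONE NULL_SCAN" \
                "SYN,RST SYN,RST SYN/RST" \
                "SYN,FIN SYN,FIN SYN/FIN"; do
        set -- $rule          # split into mask, compare set, label
        if tcp_flags_match "$1" "$2" "$pkt"; then
            echo "$3"
            return 0
        fi
    done
    echo pass
}

# Sample run: a normal handshake SYN passes, an Xmas probe is labelled.
for flags in SYN SYN,ACK FIN,URG,PSH ALL NONE SYN,FIN SYN,RST FIN,ACK; do
    printf '%-12s -> %s\n' "$flags" "$(classify_flags "$flags")"
done
```

Note that the chain checks the rules in order, so a packet with every flag set is reported as XMAS rather than NMAP-XMAS: the first rule's compare set (FIN,URG,PSH) does not equal ALL once the mask is applied.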
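The recent module keeps its lists in /proc/net/xt_recent/<name> (on older 2.6 kernels the directory was /proc/net/ipt_recent), one line per source address with the jiffies timestamps of the packets it has recorded. The script below is an added example, not part of the original guide, that reads a dump in that format and works out which sources the "--update --seconds 180 --hitcount 5" rule for SSH would currently drop. The dump is constructed for the example, HZ=250 is assumed (it must be set to the running kernel's CONFIG_HZ), and "now" is approximated by the newest stamp in the dump because the kernel's jiffies counter is not available offline.

```shell
#!/bin/sh
# Added example, not part of the original guide. Reads a dump in the format
# the kernel's xt_recent module exposes under /proc/net/xt_recent/<list> and
# reports, per source, how many recorded packets fall inside the rule's
# window, i.e. whether "--update --seconds S --hitcount N" would fire.

# Constructed sample of /proc/net/xt_recent/SSH. Timestamps are jiffies; the
# values after "oldest_pkt:" are the ring of recorded packet times.
sample_recent_dump() {
cat <<'EOF'
src=203.0.113.7 ttl: 52 last_seen: 4295001200 oldest_pkt: 1 4295001000, 4295001050, 4295001100, 4295001150, 4295001200
src=198.51.100.23 ttl: 60 last_seen: 4295001190 oldest_pkt: 1 4294900000, 4295001190
src=192.0.2.44 ttl: 64 last_seen: 4295000900 oldest_pkt: 1 4295000300, 4295000500, 4295000700, 4295000900
EOF
}

# recent_report SECONDS HITCOUNT HZ < dump
# HZ is the kernel's CONFIG_HZ (jiffies per second). "Now" is taken as the
# newest stamp in the dump, since the live jiffies counter is not available.
recent_report() {
    awk -v secs="$1" -v hits="$2" -v hz="$3" '
    BEGIN { newest = 0 }
    /^src=/ {
        src = substr($1, 5)                      # strip the "src=" label
        first = 0
        for (i = 1; i <= NF; i++) if ($i == "oldest_pkt:") { first = i + 2; break }
        if (first == 0) next
        n = 0
        for (i = first; i <= NF; i++) {
            s = $i; sub(/,$/, "", s); s += 0     # drop the trailing comma
            stamps[src, ++n] = s
            if (s > newest) newest = s
        }
        count[src] = n
    }
    END {
        window = secs * hz                       # window length in jiffies
        for (src in count) {
            inwin = 0
            for (i = 1; i <= count[src]; i++)
                if (newest - stamps[src, i] <= window) inwin++
            printf "%s %d %s\n", src, inwin, (inwin >= hits ? "BLOCK" : "ok")
        }
    }' | sort
}

# Sample run: the guide's SSH rule, 180 s window and 5 hits, with HZ=250.
sample_recent_dump | recent_report 180 5 250
```

On a live box the same function can be pointed at the real list with "recent_report 180 5 <HZ> < /proc/net/xt_recent/SSH". The list can also be edited by hand: "echo +addr > /proc/net/xt_recent/SSH" adds an address, "echo -addr > ..." removes it, and "echo / > ..." flushes the list, which is the quickest way to unblock yourself after a burst of failed logins.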
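The LOG targets in FILTERSCANNERS write into the kernel log, which syslog usually lands in /var/log/messages or /var/log/kern.log. The script below is an added example, not part of the original guide, that tallies those entries by log prefix and source address so you can see at a glance who has been probing the box. The log lines are constructed for the example (host, MAC and addresses are placeholders). One detail worth knowing: the guide's prefixes carry no trailing space, so they run straight into the IN= field ("NMAP-XMAS:IN=eth0"); the parser below handles that form as well as a prefix written with a trailing space.

```shell
#!/bin/sh
# Added example, not part of the original guide: summarise what the LOG rules
# in FILTERSCANNERS have recorded. Log lines are constructed in the kernel's
# netfilter LOG format; host, MAC and IP values are placeholders.
sample_kernel_log() {
cat <<'EOF'
Mar  3 10:15:02 mythbox kernel: NMAP-XMAS:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54321 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  3 10:15:02 mythbox kernel: NMAP-XMAS:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54322 PROTO=TCP SPT=44322 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  3 10:15:03 mythbox kernel: NULL_SCAN:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54323 PROTO=TCP SPT=44323 DPT=443 WINDOW=1024 RES=0x00 URGP=0
Mar  3 10:16:40 mythbox kernel: [ 9876.543] SYN/FIN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=TCP SPT=5050 DPT=22 WINDOW=512 RES=0x00 SYN FIN URGP=0
Mar  3 10:17:01 mythbox kernel: eth0: link becomes ready
EOF
}

# scan_summary < logfile
# Prints "<log-prefix> <source> <count>" for every netfilter LOG line that
# carries a prefix, most frequent first. Lines without a prefix (or that are
# not LOG output at all) are ignored.
scan_summary() {
    awk '
    /kernel: / && /IN=/ {
        line = $0
        sub(/^.*kernel: /, "", line)          # drop syslog timestamp and host
        sub(/^\[ *[0-9.]+\] /, "", line)      # drop optional [uptime] stamp
        n = index(line, "IN=")
        prefix = substr(line, 1, n - 1)       # prefix is whatever precedes IN=
        sub(/ +$/, "", prefix)                # tolerate a trailing space
        if (prefix == "") next                # LOG line without a prefix
        src = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
        if (src == "") next
        hits[prefix " " src]++
    }
    END { for (k in hits) print k, hits[k] }' | sort -k3,3nr -k1,1
}

# Sample run over the constructed log.
sample_kernel_log | scan_summary
```

Because the -m limit on each LOG rule caps logging at 5 lines a minute, the counts are a lower bound on the number of probe packets actually dropped; they tell you who is scanning, not how hard.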