Securing the box using iptables and the 'recent' module
This guide aims to protect your box against the newbie hacker. It's an updated version of
the MythBox SD guide, with additions which utilise the iptables 'recent' module in order to:
- blacklist IP addresses which send martian packets, and
- limit the number of SSH connections that can be made within a given timeframe to prevent brute-force attacks
Given that the task of network routing has been delegated to the ubiquitous broadband router, the rule list is much shorter.
The list also includes rules to filter out portscanners and flood attacks, logging any such activity.
The following rules should be typed as root. Once complete you can save your configuration by typing:
/etc/init.d/iptables save
# Flush the firewall rules.
iptables -F
# Allow good icmp traffic, filter the bad.
iptables -N ICMPFILTER
iptables -A ICMPFILTER -m conntrack --ctstate NEW -p icmp --icmp-type time-exceeded -j RETURN
iptables -A ICMPFILTER -m conntrack --ctstate NEW -p icmp --icmp-type destination-unreachable -j RETURN
iptables -A ICMPFILTER -p icmp -j DROP
# Prevent portscanners (including SYN flooding by limiting bursting).
iptables -N FILTERSCANNERS
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FILTERSCANNERS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
iptables -A FILTERSCANNERS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FILTERSCANNERS -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j RETURN
# SYNs over that rate fall through the RETURN above; without this final rule they would
# leave the chain untouched, so drop them here.
iptables -A FILTERSCANNERS -p tcp --syn -j DROP
# We aren't carrying out routing so set the forwarding chain's policy to drop.
iptables -P FORWARD DROP
# Make the default policy on the input chain DROP. Allow ESTABLISHED,RELATED connections through
# straight away to avoid any DoS caused by the recent module.
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# If we have a blacklisted IP, and they're back, reset the 60 second timer and drop
iptables -A INPUT -m recent --update --seconds 60 -j DROP
# If we have an invalid packet, or a martian packet, drop it and add the source IP to the
# blacklist.
iptables -A INPUT -m conntrack --ctstate INVALID -m recent --set -j DROP
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -m recent --set -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -m recent --set -j DROP
# Allow downloads from Vuze or similar.
# (-p must come before -m multiport, otherwise iptables complains that multiport needs -p tcp/udp.)
iptables -A INPUT -p tcp -m multiport --dports <download_port_1>,<download_port_2> -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports <download_port_1>,<download_port_2> -j ACCEPT
# Apply our filters.
iptables -A INPUT -j ICMPFILTER
iptables -A INPUT -j FILTERSCANNERS
# Accept traffic from the loopback device.
iptables -A INPUT -i lo -j ACCEPT
# A new request to port 22 is recorded in the recent list named SSH. If it's the 5th time that this IP has
# connected in 3 minutes, it gets dropped.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 180 --hitcount 5 --name SSH -j DROP
# Accept traffic from our whitelist.
iptables -A INPUT -p tcp -m multiport --dports http,https,ssh -m conntrack --ctstate NEW -s <allowed_http_ip_1> -j ACCEPT
iptables -A INPUT -m mac --mac-source <good_mac_1> -m conntrack --ctstate NEW -s <good_ip_1> -j ACCEPT
iptables -A INPUT -m mac --mac-source <good_mac_2> -m conntrack --ctstate NEW -s <good_ip_2> -j ACCEPT
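To see what the two SSH rules above actually do with the 'recent' list, here is an added example (not part of the original guide): a POSIX sh/awk helper that summarises a /proc/net/xt_recent/SSH dump per source IP, and a replay of a timeline of NEW connections from one source through the --set / --update --seconds 180 --hitcount 5 pair. The proc lines, the attempt times and the function names recent_hits and recent_simulate are all my own constructions; no root or iptables binary is needed to run it.

```shell
#!/bin/sh
# Added example, not part of the original guide: two helpers for the 'recent'
# lists behind the SSH rules (--set --name SSH, then --update --seconds 180
# --hitcount 5 --name SSH -j DROP). POSIX sh + awk, no root needed.
#
# recent_hits reads a /proc/net/xt_recent/<name> dump, whose lines look like
#   src=<ip> ttl: <n> last_seen: <jiffies> oldest_pkt: <idx> <stamp>, <stamp>, ...
# and reports, per source, the stored hit count and how many more NEW
# connections it can make before the --hitcount rule starts dropping.

# Constructed sample of /proc/net/xt_recent/SSH; the jiffies values are made up.
SAMPLE_XT_RECENT='src=203.0.113.7 ttl: 54 last_seen: 4305200 oldest_pkt: 4 4304900, 4305000, 4305100, 4305200
src=198.51.100.9 ttl: 64 last_seen: 4305250 oldest_pkt: 1 4305250'

# Usage: recent_hits <hitcount> < /proc/net/xt_recent/SSH
# Output: "<ip> <stored hits> <attempts left before drop>", busiest source first.
recent_hits() {
    awk -v hc="$1" '{
        sub(/^src=/, "", $1)
        hits = NF - 7                 # the timestamps follow seven fixed fields
        left = hc - 1 - hits          # the hit that reaches --hitcount is the dropped one
        if (left < 0) left = 0
        print $1, hits, left
    }' | sort -k2,2nr
}

# recent_simulate replays a timeline of NEW SYNs from one source through the
# rule pair. Arguments: <seconds window> <hitcount> <attempt times in seconds...>.
# Mirrors xt_recent: --set always records a stamp; --update counts the stamps
# inside the window and, on a match, records one more stamp of its own.
# (The real list keeps at most ip_pkt_list_tot stamps, 20 by default; this
# replay does not model that cap.)
recent_simulate() {
    window=$1; hitcount=$2; shift 2
    printf '%s\n' "$@" | awk -v w="$window" -v hc="$hitcount" '
    {
        t = $1 + 0
        stamps[n++] = t                          # --set --name SSH
        hits = 0
        for (i = 0; i < n; i++)
            if (stamps[i] >= t - w) hits++       # --update --seconds w
        if (hits >= hc) {                        # --hitcount reached: -j DROP
            stamps[n++] = t                      # --update itself stamps on a match
            verdict = "DROP"
        } else
            verdict = "ACCEPT"
        print "t=" t, verdict, "hits=" hits
    }'
}

# Demo run: the fifth attempt inside 180 s is dropped, an attempt 160 s after
# that is still dropped (the window has not emptied), and one at 300 s passes.
printf '%s\n' "$SAMPLE_XT_RECENT" | recent_hits 5
recent_simulate 180 5 0 10 20 30 40 200 300
```

The replay shows the property worth knowing when someone reports being locked out: the ban is not a fixed 180 seconds from the 5th attempt, it lasts as long as five stamps remain inside the window, and every dropped retry adds stamps, so a client that keeps hammering extends its own lockout. To release an address by hand, the list can be edited through the same proc file (writing "-<ip>" removes one entry and "clear" empties the list).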
Troubleshooting:
- I'm getting errors such as 'iptables: No chain/target/match by that name'!
Check through your kernel config. This error usually occurs because you are trying to use an
iptables match module which isn't supported by your kernel, e.g. the 'limit' or 'mac' modules. By
executing each of the above calls to iptables one at a time, you should be able to narrow down the problematic
match rule. Once found, add this module to your kernel and retry running the iptables calls one at a time until things work.
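As an added example (not part of the original guide), here is a POSIX sh/awk script that does the narrowing-down in two ways: missing_matches compares the match names the rules use against the kernel's list of registered matches in /proc/net/ip_tables_matches without running iptables at all, and run_until_failure is the one-at-a-time procedure from the text, stopping at the first call iptables rejects. The rules file, the matches list and both function names are my own constructions; the proc path is a parameter so the check can be tried on the constructed list.

```shell
#!/bin/sh
# Added example, not part of the original guide: two helpers for the
# "No chain/target/match by that name" problem. POSIX sh + awk.
#
# missing_matches pulls every match the rules use, both explicit (-m <name>)
# and the protocol match that options like --dport or --icmp-type load for
# -p tcp/udp/icmp, and reports those absent from the kernel's list of
# registered matches, /proc/net/ip_tables_matches (one name per line, present
# once ip_tables is loaded). The path is a parameter so a constructed list
# can be used instead of the real file.

# Constructed sample inputs standing in for the rules file and the proc file.
SAMPLE_RULES='iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m recent --update --seconds 60 -j DROP
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j RETURN'

SAMPLE_MATCHES='conntrack
recent
tcp
limit'

# Usage: missing_matches <rules file> [<matches file>]
# Prints "<match> <line>" for each match the kernel lacks, with the first rule
# line that needs it.
missing_matches() {
    rules=$1
    matches=${2:-/proc/net/ip_tables_matches}
    [ -r "$matches" ] || { echo "cannot read $matches (is ip_tables loaded?)" >&2; return 1; }
    awk -v mf="$matches" '
        FILENAME == mf { have[$1] = 1; next }       # names the kernel provides
        {
            for (i = 1; i < NF; i++) {
                if ($i != "-m" && $i != "-p") continue
                name = $(i + 1)
                if (name in have || name in seen) continue
                seen[name] = FNR
                print name, FNR
            }
        }
    ' "$matches" "$rules"
}

# Usage: run_until_failure <rules file>   (needs root: it really runs the rules)
# The manual procedure from the text: run the calls one at a time and stop at
# the first one iptables rejects, reporting its line number.
run_until_failure() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! sh -c "$line"; then
            echo "line $n failed: $line" >&2
            return 1
        fi
    done < "$1"
}

# Demo with the constructed samples: expect "multiport 3" and "mac 4".
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_RULES" > "$tmp/rules"
printf '%s\n' "$SAMPLE_MATCHES" > "$tmp/matches"
missing_matches "$tmp/rules" "$tmp/matches"
rm -rf "$tmp"
```

One caveat on reading the output: /proc/net/ip_tables_matches only lists matches already registered, and on a modular kernel iptables loads a match module on first use, so a name reported here may simply not have been loaded yet. Treat the list as candidates to confirm with lsmod or modprobe; a name that still will not load is the one to enable in the kernel config (the options are named CONFIG_NETFILTER_XT_MATCH_<NAME>, e.g. CONFIG_NETFILTER_XT_MATCH_RECENT).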