#11 Lazydog (Linux Guru, joined Jun 2004, The Keystone State, 2,677 posts)

    Quote: Originally Posted by Mouglou
    Thanks Lazydog!

    For the first, I saw that in a script made with professional knowledge.
    It says that we will never be contacted by these networks, which are reserved.
    OK, but there are better ways of doing this, and you have to understand that that person is trying to give you information about how you could do it. There is no reason to list every network in your firewall rules. This is just stupid, and anyone telling you this doesn't have a good understanding of IPTABLES and how it works.

    What site was this professional knowledge given on?

    Quote: Originally Posted by Mouglou
    But in the results of the iptables-save command we see that some of these rules blocked traffic (according to the counters):

    Code:
    [27:1080] -A INPUT -s 72.0.0.0/255.0.0.0 -i eth0 -j DROP
    And your point is? This would also have dropped the same packet:
    Code:
     -A INPUT -i eth0 -j DROP
    And you would not have to write a rule for each address.

    Quote: Originally Posted by Mouglou
    For the ESTABLISHED,RELATED, I must have these settings at the end of my rules to allow the server to answer the accepted request of my client.
    Or can I do otherwise?
    As I have already stated, you only need one ESTABLISHED,RELATED rule in each chain.
    The following will catch all ESTABLISHED,RELATED connections:
    Code:
     -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    Quote: Originally Posted by Mouglou
    I understand what you changed here:

    Code:
    -A INPUT -s 192.168.2.240 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
    -A INPUT -s 192.168.3.12 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
    -A INPUT -s 192.168.3.11 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
    -A INPUT -s 192.168.3.10 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
    I find this better too!
    But can I remove the ESTABLISHED,RELATED setting from all of my rules, even in the FORWARD chain? (for TCP requests only)
    For all of them you should remove them. What difference does it make if it is a TCP or a UDP connection? If it was already allowed then you should not have an issue with the return traffic.

    Quote: Originally Posted by Mouglou
    I don't know the difference... The objective of the firewall is to allow only what we need. And that's what I do. I think!
    I can't make rules which look like this: (not safe, I find!)
    Code:
    iptables -I FORWARD -p tcp -s $LAN_CLT -d $LAN_SRV -j ACCEPT
    iptables -I FORWARD -p tcp -s $LAN_SRV -d $LAN_CLT -j ACCEPT
    iptables -I FORWARD -p udp -s $LAN_CLT -d $LAN_SRV -j ACCEPT
    iptables -I FORWARD -p udp -s $LAN_SRV -d $LAN_CLT -j ACCEPT
    Maybe you think that I need to make fewer rules?
    But how? I can't open every port on my servers. So I have to make rules by service...
    You start by blocking/dropping all connections and then only place rules for the packets you require.
    Code:
    -P INPUT DROP
    -P OUTPUT DROP
    -P FORWARD DROP
    
    -A INPUT -j DROP
    -A OUTPUT -j DROP
    -A FORWARD -j DROP
    Next you allow ESTABLISHED and RELATED connections:

    Code:
    -P INPUT DROP
    -P OUTPUT DROP
    -P FORWARD DROP
    
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -j DROP
    -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A OUTPUT -j DROP
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -j DROP
    You have to allow the loopback interface to keep the system running, so you add the following:

    Code:
    -P INPUT DROP
    -P OUTPUT DROP
    -P FORWARD DROP
    
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -j DROP
    -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -j DROP
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -j DROP
    Now do we want to allow a host on the LAN to be able to connect to the firewall for admin duties? If yes then we could do this:
    <LAN> is the interface that the LAN is connected to
    <Host Address> is the host on that LAN which is allowed to admin the firewall

    Code:
    -P INPUT DROP
    -P OUTPUT DROP
    -P FORWARD DROP
    
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i <LAN> -s <Host Address> -p tcp --dport 22 -m state --state NEW -j ACCEPT
    -A INPUT -j DROP
    -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -j DROP
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -j DROP
    Now when that host tries to connect to the firewall, the ESTABLISHED,RELATED rule is looked at first. Because this is the first packet it will not be in the connection tracking DB, so it doesn't match. The next rule is for port 22; it will match and the packet will be accepted. Iptables will place this information into its tracking DB. Now the return packet needs to be sent back and filtered through the OUTPUT chain. The first rule is ESTABLISHED,RELATED, so OUTPUT checks the DB, finds that the connection is an ESTABLISHED connection and allows the traffic to pass. As the next packet arrives the first rule is applied, and it will be found that port 22 from the host is an established connection, thus the packet will be allowed without having to read any more rules. This is how the firewall works in a nutshell.

    Now we want to allow connections to our web server, so we would do the following:
    <WAN> is the internet facing interface
    <SERV> is the interface the server is connected to

    *NOTE: There is no reason to place this rule on 2 lines. I just did this to make things simple.
    If you want to know how to place both rules into one then please read this TUTORIAL.

    Code:
    -P INPUT DROP
    -P OUTPUT DROP
    -P FORWARD DROP
    
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i <LAN> -s <Host Address> -p tcp --dport 22 -m state --state NEW -j ACCEPT
    -A INPUT -j DROP
    -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -j DROP
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -i <WAN> -o <SERV> -p tcp --dport 80 -m state --state NEW -j ACCEPT
    -A FORWARD -i <WAN> -o <SERV> -p tcp --dport 443 -m state --state NEW -j ACCEPT
    -A FORWARD -j DROP
    Here the packets will only follow the FORWARD chain, as they do not stop at the firewall and only pass through; thus the ESTABLISHED,RELATED rule for the FORWARD chain is used and the same process is applied as above for the port 22 connection.

    Quote: Originally Posted by Mouglou
    I'm not a specialist in firewalls! If you have some better way to show me how to configure the iptables script, I'm OK with it!
    Above is the proper way of creating your firewall. There are no scripts that will fit everyone's needs. If you pull a script from the internet then you have to modify it to fit your needs. They are more of a guide than a 'will fit your needs' type.

    Another thing to think about: all those IP address ranges you were/are blocking are really being used. With the growth of the internet, address space is not unlimited, so all available space will be used. The only address space you should never receive traffic from on the internet is the private address space. You can look HERE for information on those spaces.

    I do not write scripts as it is too easy to type something wrong. I maintain my firewall rules by hand and edit the file directly.

    Quote: Originally Posted by Mouglou
    Thanks for your help.
    You are welcome. I hope the above has cleared things up for you.

    Quote: Originally Posted by Mouglou
    Do you have an idea why my router goes down with a SYN flood attack from the LAN?

    Thanks again!
    No, I do not. I would check the logs and see what device is causing your issues.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

#12 Lazydog
    I see a mistake in my above post; it should read as follows:

    Code:
    -P INPUT DROP
    -P OUTPUT DROP
    -P FORWARD DROP
    
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i <LAN> -s <Host Address> -p tcp --dport 22 -m state --state NEW -j ACCEPT
    -A INPUT -j DROP
    -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -j DROP
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -i <WAN> -o <SERV> -p tcp --dport 80 -m state --state NEW -j ACCEPT
    -A FORWARD -i <WAN> -o <SERV> -p tcp --dport 443 -m state --state NEW -j ACCEPT
    -A FORWARD -j DROP

    Not '-A INPUT -i lo -j ACCEPT' as posted in the above post, or anywhere else it might be wrong.

    Regards
    Robert

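As an added example (not Lazydog's or Mouglou's own text or script), the ruleset built up step by step in post #11 and corrected in #12, written out as one iptables-restore file with the -p tcp match that --dport requires and the loopback rule on OUTPUT matched with -o, plus an awk check that every chain defaults to DROP and carries exactly one ESTABLISHED,RELATED rule placed before any accept of NEW traffic, which is the ordering the post's walkthrough depends on. Interface names and the admin host address are placeholders; the trailing -j DROP rules are left out because the chain policies already drop.

```shell
#!/bin/sh
# Added example, not from the thread: the ruleset Lazydog builds up, assembled
# into one iptables-restore file, with the -p tcp that --dport requires.
LAN="${LAN:-eth1}"                # LAN-side interface (placeholder)
ADMIN="${ADMIN:-192.168.2.240}"   # admin host allowed to ssh in (constructed)
WAN="${WAN:-eth0}"                # internet-facing interface (placeholder)
SERV="${SERV:-eth2}"              # interface the web server sits on (placeholder)

# Print the complete ruleset in iptables-restore format.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -s $ADMIN -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN -o $SERV -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN -o $SERV -p tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Check a ruleset on stdin: every chain defaults to DROP, has exactly one
# ESTABLISHED,RELATED rule, and that rule precedes any ACCEPT for NEW traffic.
# Prints "ok" or the problems found; exit status is non-zero on any problem.
check_rules() {
    awk '
    /^:/ { if ($2 != "DROP") { print "policy for " substr($1, 2) " is " $2 ", not DROP"; bad = 1 } }
    /^-A/ {
        chain = $2
        if ($0 ~ /ESTABLISHED,RELATED/) {
            est[chain]++
            if (new[chain]) { print chain ": ESTABLISHED,RELATED rule comes after a NEW accept"; bad = 1 }
        } else if ($0 ~ /--state NEW/ && $NF == "ACCEPT") new[chain]++
    }
    END {
        split("INPUT OUTPUT FORWARD", c, " ")
        for (i = 1; i <= 3; i++) if (est[c[i]] != 1) { print c[i] ": expected one ESTABLISHED,RELATED rule, found " (est[c[i]] + 0); bad = 1 }
        if (!bad) print "ok"
        exit bad
    }'
}

gen_rules | check_rules
```

Feed gen_rules to iptables-restore on the firewall once check_rules reports ok; the check is also useful against an existing iptables-save dump.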

#13 (Just Joined!, joined Aug 2010, 22 posts)
    Wow!

    Thanks again for your help!

    I understand better how it works.
    I find this very interesting. I'm reading your howto!

    I'm trying to understand how the script works, because it doesn't work at all in the same way as my script!!
    It uses different tables which have been created before; I have more than two networks...
    So I have work to do!

    For your mistake with OUTPUT, I've seen it.

    For my router log, it's not a high-level router! It will be replaced during September by a more professional one.
    I've only this information about that:

    2010-08-19 15:52:46 - SYN Flood - Source:192.168.1.1,1691,LAN - Destination:66.249.92.104,80,WAN

    The destination IP address changes every time...
    This is the fourth time that I've lost internet because of that, and the last time was the 19th of August.

#14 Lazydog
    OK, could host 192.168.1.1 be compromised? Have some kind of rootkit installed?
    Check this box and see what is running on port 1691.

    Regards
    Robert


#15 (Just Joined!)
    I don't have a rootkit on my firewall...
    I searched and found rootkit hunter and chkrootkit.

    I will install one of these and run a scan...

    The port which is indicated by the log changes every time...
    It's never the same :s

#16 Lazydog
    Is 192.168.1.1 your firewall? Where is this log you are seeing these entries in?

    Regards
    Robert


#17 (Just Joined!)
    Yes, 192.168.1.1 is one of the interfaces on my firewall.
    It is only connected to my VPN router.

    I've seen this log in the email that my router sends me.

#18 Lazydog
    OK, look at what is being passed over the VPN, as that might give you a clue as to why you are seeing SYN traffic.

    Regards
    Robert
