iptables help please

#1 Thu, 07/10/2008 - 15:08
velvetpixel

Since upgrading my VPS from CentOS 5.1 to 5.2 I am getting some errors in messages that look like they are iptables related.

If anybody could help comment on my iptables rules to let me know if I have them set up incorrectly I would appreciate it :)

This is on an OpenVZ VPS at a remote data center and not a box on my LAN.

The xx.xx.xx.xx is my static IP for my home office.

The chain banished is IPs of crackers that were repeatedly trying to get in my system and their source IPs are set to deny.

Run chain banished Always
Accept If input interface is lo
Accept If protocol is TCP and TCP flags ACK (of ACK) are set
Accept If state of connection is ESTABLISHED
Accept If state of connection is RELATED
Accept If protocol is TCP and source port is 53
Accept If protocol is UDP and source port is 53
Accept If protocol is ICMP and ICMP type is echo-reply
Accept If protocol is ICMP and ICMP type is destination-unreachable
Accept If protocol is ICMP and ICMP type is source-quench
Accept If protocol is ICMP and ICMP type is time-exceeded
Accept If protocol is ICMP and ICMP type is parameter-problem
Accept If protocol is ICMP and ICMP type is echo-request
Drop If protocol is TCP and destination port is ftp
Accept If protocol is TCP and source is xx.xx.xx.xx and destination port is ssh
Drop If protocol is TCP and destination port is ssh
Accept If protocol is TCP and destination port is 25
Accept If protocol is TCP and destination port is 80
Accept If protocol is TCP and source is xx.xx.xx.xx and destination port is 110
Drop If protocol is TCP and destination port is 110
Accept If protocol is TCP and destination port is 113
Accept If protocol is TCP and source is xx.xx.xx.xx and destination port is 143
Drop If protocol is TCP and destination port is 143
Accept If protocol is TCP and destination port is 443
Drop If protocol is TCP and destination port is 465
Accept If protocol is TCP and source is xx.xx.xx.xx and destination port is 10000:10010
Drop If protocol is TCP and destination port is 10000:10010
Accept If protocol is TCP and source is xx.xx.xx.xx and destination port is 20000
Drop If protocol is TCP and destination port is 20000
Accept If source is 127.0.0.1
Accept If input interface is venet0

The type of error I am seeing is:

Jul 10 16:42:12 vps kernel: IN= OUT=venet0 SRC=IP.IP.IP.IP DST=xx.xx.xx.xx LEN=1452 TOS=0x08 PREC=0x00 TTL=64 ID=4361 DF PROTO=TCP SPT=22 DPT=63628 WINDOW=644 RES=0x00 ACK URGP=0

xx.xx.xx.xx = any IP accessing the server
IP.IP.IP.IP = IP of the server

Thu, 07/10/2008 - 17:09
ronald

I don't understand the drop rules.
If only your IP can log in on a specific port then you don't need the drop rules, because the firewall won't allow connections anyway if not from your IP.
If you don't use FTP then the drop rule for it can go, or?

Also, on OpenVZ I don't think your iptables matter much, or at least are very limited; the firewall of the main system is used, whilst on Xen you could do a bit more.

I'm no expert at all, but it is what I've read (I have an OpenVZ too as a 2nd nameserver).

If only you connect on ssh then why not switch to another port like 50000 or something? That would get rid of 90% of the bots/scripts.

Wed, 07/16/2008 - 11:27 (Reply to #2)
velvetpixel

The errors were just logged packets. I had always had the log rule, but in upgrading they started working! :)

Regarding the drop rules, this is one of the reasons I need people with more experience than me to let me know why I need them, as the rule set isn't doing what I expect it to.

Default for incoming is drop.

As you can see I set some of my ports/protocols to accept only from my IP.

OK that seems pretty straight forward.

So in theory all incoming to ssh should be dropped unless coming from my IP. Well that doesn't seem to be the case which is why I have put the extra drop rules after each accept as a temporary patch.

When I remove the extra drop for ssh and then change the IP for allowed to access ssh to something other than my IP I CAN STILL ACCESS SSH! That means anybody can access ssh. If I add the drop back in then I can't access ssh. If I then change the IP back to mine then I can access.

So it seems there is something other than my allow rule allowing access.

Any ideas?

Also I have these three rules:

Accept If input interface is lo
Accept If source is 127.0.0.1
Accept If input interface is venet0

Are they all needed and are they all in the right place in the stack?
Is the accept venet0 what is causing my problem above?

I also found that the:
Accept If protocol is TCP and TCP flags ACK (of ACK) are set

is the same as the state rules so i have removed it.
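The following is an added example, not code from the thread or from any of its posters. It reconstructs the chain above as plain iptables rule text (the rules are real iptables syntax and could be fed to "iptables -A INPUT ...", but nothing here touches the kernel) and walks it with a small first-match simulator, the way the kernel does: the first rule whose every condition matches decides the packet, and only if no rule matches does the chain policy apply. Assumptions: the poster's xx.xx.xx.xx is stood in for by 203.0.113.10 and a second, untrusted client by 198.51.100.7 (both documentation ranges); the ICMP, DNS and per-port DROP rules from the original chain, and the ports 113, 143, 465 and 20000, are left out because they do not affect the ssh question. The second chain is the same list with the trailing "Accept If input interface is venet0" removed.

```shell
#!/bin/sh
# Added example: first-match simulation of an iptables INPUT chain.
# verdict() prints ACCEPT or DROP for one packet under one rule list.
# Assumed addresses: 203.0.113.10 stands in for the poster's trusted IP,
# 198.51.100.7 for any other client.

POLICY=DROP                 # the poster says INPUT defaults to drop
TRUSTED=203.0.113.10        # assumed stand-in for xx.xx.xx.xx

# Abridged reconstruction of the chain as posted, ending in the catch-all.
ORIGINAL_RULES="
-i lo -j ACCEPT
-m state --state ESTABLISHED,RELATED -j ACCEPT
-p tcp --dport 21 -j DROP
-p tcp -s $TRUSTED --dport 22 -j ACCEPT
-p tcp --dport 25 -j ACCEPT
-p tcp --dport 80 -j ACCEPT
-p tcp -s $TRUSTED --dport 110 -j ACCEPT
-p tcp --dport 443 -j ACCEPT
-p tcp -s $TRUSTED --dport 10000:10010 -j ACCEPT
-s 127.0.0.1 -j ACCEPT
-i venet0 -j ACCEPT
"

# Same chain without the catch-all: anything not explicitly accepted now
# falls through to the DROP policy, so no per-port DROP rules are needed.
FIXED_RULES="
-i lo -j ACCEPT
-m state --state ESTABLISHED,RELATED -j ACCEPT
-p tcp -s $TRUSTED --dport 22 -j ACCEPT
-p tcp --dport 25 -j ACCEPT
-p tcp --dport 80 -j ACCEPT
-p tcp -s $TRUSTED --dport 110 -j ACCEPT
-p tcp --dport 443 -j ACCEPT
-p tcp -s $TRUSTED --dport 10000:10010 -j ACCEPT
"

# verdict IIF PROTO SRC DPORT STATE RULES  -> prints the target of the first
# rule whose conditions all match, or the chain policy if none does.
verdict() {
    iif=$1; proto=$2; src=$3; dport=$4; state=$5; rules=$6
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $line                    # split one rule into its tokens
        match=1; target=
        while [ $# -gt 0 ]; do
            case $1 in
                -i)      [ "$2" = "$iif" ]   || match=0; shift 2 ;;
                -p)      [ "$2" = "$proto" ] || match=0; shift 2 ;;
                -s)      [ "$2" = "$src" ]   || match=0; shift 2 ;;
                -m)      shift 2 ;;         # extension name; no condition itself
                --state) case ",$2," in *",$state,"*) ;; *) match=0 ;; esac; shift 2 ;;
                --dport) case $2 in
                             *:*) low=${2%:*}; high=${2#*:}
                                  [ "$dport" -ge "$low" ] && [ "$dport" -le "$high" ] || match=0 ;;
                             *)   [ "$2" = "$dport" ] || match=0 ;;
                         esac; shift 2 ;;
                -j)      target=$2; shift 2 ;;
                *)       echo "unsupported token: $1" >&2; return 2 ;;
            esac
        done
        if [ "$match" -eq 1 ]; then echo "$target"; return 0; fi
    done <<EOF
$rules
EOF
    echo "$POLICY"                      # no rule matched: chain policy decides
}

# Stand-alone run: a NEW ssh connection from the untrusted host under both chains.
echo "untrusted -> ssh, original chain: $(verdict venet0 tcp 198.51.100.7 22 NEW "$ORIGINAL_RULES")"
echo "untrusted -> ssh, fixed chain:    $(verdict venet0 tcp 198.51.100.7 22 NEW "$FIXED_RULES")"
echo "trusted   -> ssh, fixed chain:    $(verdict venet0 tcp $TRUSTED 22 NEW "$FIXED_RULES")"
echo "anyone    -> http, fixed chain:   $(verdict venet0 tcp 198.51.100.7 80 NEW "$FIXED_RULES")"
```

Under the original list the untrusted ssh packet fails the "-s 203.0.113.10 --dport 22" rule, keeps walking, and is accepted by the last rule because it arrived on venet0, which is why the explicit DROP after each ACCEPT "fixed" it: that DROP matched before the catch-all could. With the catch-all gone the same packet reaches the end of the chain and the DROP policy applies, while the trusted host and the public ports are still accepted by their own rules. On a real box the equivalent change is deleting that one rule, e.g. "iptables -D INPUT -i venet0 -j ACCEPT", after which the per-port DROP rules can go as well.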

Wed, 07/16/2008 - 12:03 (Reply to #3)
andreychek

Hmm, well, I don't see what the "policy" is set to, is that set somewhere else by chance?

That is, for any given ruleset, it's either ACCEPT by default, or DENY by default, and whichever that is -- it's defined by a policy somewhere.

If you log in over SSH, and run this:

iptables -L -n

You'll see a list of all your iptables chains and rules -- and next to each chain is the "policy".

On my box, the Input chain begins with:

Chain INPUT (policy DROP)

If yours says "policy ACCEPT", that could cause what you're seeing. You just need to modify that policy.

As Ronald mentioned, if not many people are using SSH, but you're reluctant to limit access to just one IP (if that IP ever goes down, you may not be able to get in!), you could always run SSH on an alternate port. That should cut down on the number of bots trying to break into your SSH service.
-Eric

Wed, 07/16/2008 - 12:15 (Reply to #4)
velvetpixel

Input default has always been drop.

That's why I am curious as to why the rules are working the way they are.
