I am trying to block external networks from initiating a connection to my internal networks for both TCP and UDP. My thought is to use --state. I am uncertain about what man page for different states mean.
"NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions" man page
Does NEW tracks the handshake? As in
client1 -SYN-> client2 NEW
client1 <-SYN,ACK- client2 NEW
client1 -ACK-> client2 ESTABLISHED
-or-
client1 -SYN-> client2 NEW
client1 <-SYN,ACK- client2 NEW
client1 -ACK-> client2 NEW
client1 <-DATA- client2 ESTABLISHED
for UDP
client1 -MSG1-> client2 NEW
client1 <-MSG2- client2 NEW
client1 -MSG3-> client2 ESTABLISHED
-or-
client1 -MSG1-> client2 NEW
client1 <-MSG2- client2 ESTABLISHED
Would this block incoming new connection but let new outgoing connection through?
-A FORWARD -p tcp -m state --state NEW ! -s 192.168.1.0/24 -j DROP
-A FORWARD -p tcp -m state --state ESTABLISHED ! -s 192.168.1.0/24 -j DROP
-A FORWARD -p tcp -m state --state NEW,ESTABLISHED -s 192.168.1.0/24 -j ACCEPT
I haven't tested UDP but for TCP as soon as the SYN packet was sent the connection become ESTABLISHED so
client1 -SYN-> client2 NEW
client1 <-SYN-ACK- client2 ESTABLISHED
client1 -SYN-> client2 NEW
client1 <-SYN,ACK- client2 ESTABLISH
client1 -ACK-> client2 ESTABLISHED
Be careful when SYN,ACK, it's should be ESTABLISHED status, if it's SYN,ACK and it's a new connection, it's normally an attack.
and you should add RELATED state too.
well, if you current machine has the ip of 192.168.1.0/24, it will be blocked when creating outgoing connections
My suggest is like this:
$IPTABLES -A INPUT -p tcp -s 192.168.1.0/24 --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp -s 192.168.1.0/24 ! --syn -m state --state NEW -j DROP
$IPTABLES -A allowed -p TCP -s 192.168.1.0/24 --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -s 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -s 192.168.1.0/24 -j DROP
Related
I want to do something like
sudo iptables -A INPUT -i eth0 -m state --state NEW -p tcp -m limit --limit 12/minute --dport 12871 -j ACCEPT
sudo iptables -A INPUT -i eth0 -m state --state NEW -p tcp --dport 12871 -j DROP
https://askubuntu.com/questions/1095491/how-to-limit-connections-to-1-connect-on-5-seconds-iptables
but via cilium/natively on kubernetes
to protect my ingresses from falling over if many clients reconnect at the same time
I suppose you can, yes. This is done via the api-rate-limit configuration option that you will have to configure for your cilium-agent running on the node.
Your limit above will translate to:
--api-rate-limit endpoint-create=rate-limit:12/m
You can read more about this option here.
I have three boxes: a Linux client, a OpenWRT router, and a Squid server. I'm trying to get the client (which is connected to the router) web traffic to go through the proxy server without any client configuration.
Using this iptables rule on the router seems to make the client traffic go to the proxy just fine (I can see the request in the access.log):
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to $PROXY_IP:3128
But the traffic doesn't seem to make it back to the client. I get this error on the client's web browser:
The requested URL could not be retrieved. Invalid URL
It almost looks like the hostname is missing by the time it get's back to the client. Am I missing an iptables rule? On the router or on the proxy server? Or do I need set a route?
My end goal is to have dansguardian running on the proxy server. The router is not powerful enough to run the filter and that is why I have a separate server for that.
Got it to work!
The only iptables rule I needed on the router was:
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to $PROXY_IP:8080
And the rules I needed on the squid/dansguardian server was:
iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
After creating those rules, I was able to see the client's traffic in the /var/log/squid3/access.log and /var/log/dansguardian/access.log logs and all of the client's traffic was coming back through just fine (with the web content filtering working perfectly).
I installed the Gitlab-Omnibus bundle and opened iptables for port 80, 443, 9418 and temp. even for 22. Why doesn't pushing via https work? When I put iptables in default open for everything it works.
Here are my rules for 80, 443, 22 and 9418
# 1. Allow incoming HTTP
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 80 -j ACCEPT
# 2. Allow outgoing HTTP
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT
# Allow incoming HTTPS
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 443 -j ACCEPT
# 10. Allow outgoing HTTPS
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT
# allow git
$IPTABLES -A OUTPUT -p tcp --dport 9418 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 9418 -j ACCEPT
#SSH: Client --> Server
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT
The Result is:
Pushing to https://TLD/USER/REPO.git
POST git-receive-pack (448 bytes)
And then it just freezes. What do I need to open else?
I tried logging dropped packages but there is nothing with my ip?
I hope someone can help me..
Ok here are the rules for my logging:
#Logging
$IPTABLES -N LOGGING
$IPTABLES -A INPUT -j LOGGING
$IPTABLES -A OUTPUT -j LOGGING
$IPTABLES -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A LOGGING -j DROP
And here is the output:
# Generated by iptables-save v1.4.21 on Thu Nov 13 18:43:13 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 37655 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 9418 -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 10.20.0.0/16 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 37655 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9418 -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
COMMIT
#Devices
DEV0=eth0
#internal network
INT_NET=xxx.xxx.0.0/16
INT_NET_SECURE=xxx.xxx.xxx.0/24
#external network
EXT_NET=xxx.xxx.xxx.0/24
#path iptables
IPTABLES=/sbin/iptables
#path modprobe
MODPROBE=/sbin/modprobe
case $1 in
start)
$0 stop
echo "start ip-package-filter"
# iptables-Modul
$MODPROBE ip_tables
# Connection-Tracking-Module
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE iptable_nat
#Standard-Policy - Deny everything except what we want
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#slows down icmp for too much packages
echo "5" >/proc/sys/net/ipv4/icmp_ratelimit
#Kills packages with source route option
echo "0">/proc/sys/net/ipv4/conf/$DEV0/accept_source_route
#Kills icmp forwarding
echo "0">/proc/sys/net/ipv4/conf/$DEV0/accept_redirects
#Kills spoofed packages
echo "1" > /proc/sys/net/ipv4/conf/$DEV0/rp_filter
#Kills packages from 0.X.X.X
echo "0" > /proc/sys/net/ipv4/conf/eth0/bootp_relay
# TCP-FIN-Timeout (DoS-Attack)
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
#TCP-SYN max 3 answers
echo 3 > /proc/sys/net/ipv4/tcp_retries1
#TCP-Package max 15x repetitions
echo 15 > /proc/sys/net/ipv4/tcp_retries2
#Loopback-Communication
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#ICMP: Client <--> Server
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
#DNS: Server --> DNS-Server
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# Allow incoming HTTP
$IPTABLES -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Allow incoming HTTPS
$IPTABLES -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
#SSH: Client --> Server (internal)
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
#SSH: Client --> Server
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Update (apt)
$IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
#TeamDrive
$IPTABLES -A INPUT -p tcp --dport 37655 -m state --state NEW -j ACCEPT
#Git
$IPTABLES -A INPUT -p tcp --dport 9418 -m state --state NEW -j ACCEPT
#Connection-Tracking for INPUT and OUTPUT CHAIN
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Logging
$IPTABLES -N LOGGING
$IPTABLES -A INPUT -j LOGGING
$IPTABLES -A OUTPUT -j LOGGING
$IPTABLES -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A LOGGING -j DROP
echo "Firewall activated"
;;
stop)
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
;;
restart)
$0 start
;;
*)
echo "Usage: $0 {startwd|stop|restart}"
;;
esac
I want to list all the domains that my composer.json will use to download dependencies of my project in order to list them in my iptable config. Is there a way to do this ?
This is the part of my iptable config I want to complete with that list :
HTTPS_SERVERS=(packagist.org api.github.com github.com getcomposer.org us3.api.mailchimp.com mandrillapp.com)
for i in `seq 0 $((${#HTTPS_SERVERS[*]} -1))`
do
server=${HTTPS_SERVERS[i]}
$IPT -A me_bad -p tcp -d $server --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A bad_me -p tcp -s $server --sport 443 -m state --state ESTABLISHED -j ACCEPT
done
Many thanks.
I have installed FreeSWITCH 1.0.6 on CentOS 5.5. I believe CentOS is blocking the ports FreeSWITCH needs in order to contact with my remote phones, but I have no idea how to use ipTables in Linux or what ports need to be open. Can anyone help?
With Asterisk the ports were 5060 - 5090 for sip and a few others but I don't remember them.
Thank you!
The accepted answer is a bad answer... FreeSWITCH does not use all these ports, and not all port are defined there. For those needing a guideline (using default configs):
3478 - STUN Discovery (UDP)
3479 - STUN Discovery (UDP)
5060 - Sofia Internal Profile (TCP & UDP)
5080 - Sofia External Profile (TCP & UDP)
8021 - Event Socket (TCP)
16384-32768 - RTP Ports (UDP)
Port usage is subject to change with module usage. You can find the entry on http://confluence.freeswitch.org, and more (up to date) information about port usage can be found at https://freeswitch.org/confluence/display/FREESWITCH/Firewall
Best reference seems to be :
http://wiki.freeswitch.org/wiki/Firewall
All of the ports are dependent on your module usage (ie. 8080 if you are using the web api). Keep in mind that all of the ports mentioned are defaults and are configurable.
I could not match FreeSWITCH wiki to ports to my setup, in the end I went with what actual open ports were reported by my machine, run the following to find out what FreeSWITCH is using on your rig:
root#tardis:~# netstat -lntp | grep freeswitch
tcp 0 0 192.0.1.2:2856 0.0.0.0:* LISTEN 7220/freeswitch
tcp 0 0 192.0.1.2:5066 0.0.0.0:* LISTEN 7220/freeswitch
tcp 0 0 192.0.1.2:8081 0.0.0.0:* LISTEN 7220/freeswitch
tcp 0 0 192.0.1.2:8082 0.0.0.0:* LISTEN 7220/freeswitch
tcp 0 0 192.0.1.2:7443 0.0.0.0:* LISTEN 7220/freeswitch
tcp 0 0 192.0.1.2:5080 0.0.0.0:* LISTEN 7220/freeswitch
tcp 0 0 192.0.1.2:5060 0.0.0.0:* LISTEN 7220/freeswitch
tcp 0 0 192.0.1.2:2855 0.0.0.0:* LISTEN 7220/freeswitch
tcp6 0 0 ::1:8081 :::* LISTEN 7220/freeswitch
tcp6 0 0 ::1:8082 :::* LISTEN 7220/freeswitch
tcp6 0 0 :::8021 :::* LISTEN 7220/freeswitch
tcp6 0 0 ::1:5080 :::* LISTEN 7220/freeswitch
tcp6 0 0 ::1:5060 :::* LISTEN 7220/freeswitch
Nevermind chumps, I figured it out myself:
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 37 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 37 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8021 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 8021 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5532 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5564 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited