Hello, let me be clear: sometimes code is better than chat. First of all, you must reduce all your rules; the worst thing to do with netfilter is to create 1 match rule for each IP or port.
Below is a complete firewall with all your desires, plus a small honeypot with a 10-minute dynamic block list. The log-drop chain set does the logging, keeping a 1-log-per-second limit to avoid killing your syslog server; please send all your logs to another host! Adjust to your world, but keep this in mind: after the rule set is loaded it will never be modified, only the lists are modified. Use default service ports to detect scanners, and systematically drop their packets. Hope that solves your questions.

####################################### CREATING BLOCK IP LIST
ipset create BLOCKIPLIST hash:net family inet hashsize 1024 maxelem 65536
ipset add BLOCKIPLIST 10.0.0.0/8
ipset add BLOCKIPLIST 127.0.0.0/8
ipset add BLOCKIPLIST 192.168.0.0/16
ipset add BLOCKIPLIST 172.16.0.0/12

####################################### CREATING BLOCK PORT LIST
ipset create BLOCKPORTS bitmap:port range 0-65535
ipset add BLOCKPORTS 1
ipset add BLOCKPORTS 7
ipset add BLOCKPORTS 22
ipset add BLOCKPORTS 23
ipset add BLOCKPORTS 135
ipset add BLOCKPORTS 136
ipset add BLOCKPORTS 137
ipset add BLOCKPORTS 138
ipset add BLOCKPORTS 139
ipset add BLOCKPORTS 445
ipset add BLOCKPORTS 1433
ipset add BLOCKPORTS 1701
ipset add BLOCKPORTS 3128
ipset add BLOCKPORTS 8080
ipset add BLOCKPORTS 8081
ipset add BLOCKPORTS 3389

####################################### CREATING ALLOW IP LIST
ipset create ALLOWIPLIST hash:net family inet hashsize 1024 maxelem 65536
ipset add ALLOWIPLIST 8.8.8.8/32
ipset add ALLOWIPLIST 39.48.55.1/32

####################################### CREATING ALLOWED PORT LIST
ipset create ALLOWPORTS bitmap:port range 0-65535
ipset add ALLOWPORTS 80
ipset add ALLOWPORTS 443
ipset add ALLOWPORTS 47122 # SSH FAKE (the real SSH port; 22 stays in BLOCKPORTS as the honeypot)

####################################### CREATING TAR PIT (entries expire after 600 s = 10 minutes)
ipset create TARPIT hash:ip family inet hashsize 1024 maxelem 65536 timeout 600

####################################### CREATING LOG-DROP-RULESET
iptables -N LOGDROP_100
iptables -A LOGDROP_100 -m limit --limit 1/sec -j LOG --log-prefix " ::LOGDROP_100:: "
iptables -A LOGDROP_100 -j DROP

####################################### CREATING LOG-TARPIT-RULESET
iptables -N LOGTARPIT_100
iptables -A LOGTARPIT_100 -m limit --limit 1/sec -j LOG --log-prefix " ::LOGTARPIT_100:: "
iptables -A LOGTARPIT_100 -j SET --add-set TARPIT src
iptables -A LOGTARPIT_100 -j DROP

####################################### CREATING LOG-ALLOW-RULESET
iptables -N LOGALLOW_100
iptables -A LOGALLOW_100 -m limit --limit 1/sec -j LOG --log-prefix " ::LOGALLOW_100:: "
iptables -A LOGALLOW_100 -m state --state NEW -j ACCEPT

####################################### CREATING IN FLOW RULESET
iptables -N INFLOW_100
iptables -A INFLOW_100 -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop sources already in TARPIT until their 600 s entry expires (this match was missing from the posted script)
iptables -A INFLOW_100 -m set --match-set TARPIT src -j DROP
#
iptables -A INFLOW_100 -m set --match-set ALLOWIPLIST src -j LOGALLOW_100
iptables -A INFLOW_100 -m set --match-set ALLOWPORTS dst -j LOGALLOW_100
#
iptables -A INFLOW_100 -m set --match-set BLOCKIPLIST src -j LOGDROP_100
iptables -A INFLOW_100 -m set --match-set BLOCKPORTS dst -j LOGTARPIT_100
#
iptables -A INFLOW_100 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOGDROP_100
#
iptables -A INFLOW_100 -m state --state INVALID -j DROP

###################################### RESTRICTING FLOW
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -A INPUT -i eth0 -j INFLOW_100
iptables -A FORWARD -i eth0 -j INFLOW_100
# THIS AVOIDS SENDING UNREACHABLE MESSAGES TO OTHERS; IT IS USEFUL
iptables -A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 3 -j DROP

________________________________
From: linux_forum1 <[email protected]>
Sent: Friday, 7 January 2022 06:22
To: Willian Pires <[email protected]>
Cc: Dan Ritter <[email protected]>; [email protected] <[email protected]>
Subject: RE: Is this even POSSIBLE?

Hello William, thanks for the reply! ipset would be nice, but it doesn't solve the logging issue. I have about 30 rules like the ones below that need to be logged and dropped if matched with iptables.
(Both in INPUT and FORWARD)

-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-s 169.254.0.0/16 -j DROP
-s 172.16.0.0/12 -j DROP
-s 192.0.2.0/24 -j DROP

As I understand it there are two ways to log and drop packets that matched a specific rule in iptables.

1.) Separate LOG and DROP rules for each IP, but this is inefficient.

-A INPUT -j Block
-A FORWARD -j Block
-A Block -s 169.254.0.0/16 -j LOG
-A Block -s 169.254.0.0/16 -j DROP
-A Block -s 172.16.0.0/12 -j LOG
-A Block -s 172.16.0.0/12 -j DROP

2.) The only other way: create separate chains for bad IPs and LOG/DROP, then jump in between. But Dan Ritter says this is problematic, because bad IPs are not dropped in the Block chain, but only after jumping to the Logger chain.

-N Block
-N Logger
-A INPUT -j Block
-A FORWARD -j Block
-A Block -s 169.254.0.0/16 -j Logger
-A Block -s 172.16.0.0/12 -j Logger
-A Block -s 192.0.2.0/24 -j Logger
-A Logger -j LOG
-A Logger -j DROP

I have been searching for 48h, but there is no other way to log and drop packets.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, January 7th, 2022 at 6:20 AM, Willian Pires <[email protected]> wrote:

Sorry, try ipset to create a list and combine it with the appropriate netfilter rule to block networks in one rule, instead of using 1 rule per class.

Sent from my Galaxy

-------- Original message --------
From: linux_forum1 <[email protected]>
Date: 1/6/22 17:11 (GMT-03:00)
To: Dan Ritter <[email protected]>
Cc: [email protected]
Subject: Re: Is this even POSSIBLE?

Hello Dan! Thank you so much for the reply! Yes, that helps a lot, but I have 2 follow-up questions if you don't mind haha.

1.) When you say "-A INPUT -j Block puts the chain in order", you mean that at this point iptables will look for any rules appended to the Block chain, no matter where they are? This would make sense because then the order wouldn't matter and you could jump to a chain at the beginning whose rules are defined at the bottom, for example.

2.) I want to log when one of these rules gets matched.
(It's 30 - 40 rules in total)

-A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A Block -s 169.254.0.0/16 -j DROP
-A Block -s 172.16.0.0/12 -j DROP
-A Block -s 192.0.2.0/24 -j DROP
.
.

This is my solution:

-A INPUT -j Block
-A FORWARD -j Block
-A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j Logger
-A Block -s 169.254.0.0/16 -j Logger
-A Block -s 172.16.0.0/12 -j Logger
-A Block -s 192.0.2.0/24 -j Logger

Then in Logger it gets logged and dropped.

I considered this, but was told the above is better.

-A INPUT -j Block
-A FORWARD -j Block
-A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG
-A Block -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A Block -s 169.254.0.0/16 -j LOG
-A Block -s 169.254.0.0/16 -j DROP
-A Block -s 172.16.0.0/12 -j LOG
-A Block -s 172.16.0.0/12 -j DROP
.
.

Is there a better way? Thanks again.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, January 6th, 2022 at 7:26 PM, Dan Ritter <[email protected]> wrote:

> linux_forum1 wrote:
> > Hello, I have 2 questions if that's OK.
> >
> > INPUT DROP
> > FORWARD DROP
> > OUTPUT DROP
> > -N Block
> > -N Logger
> > -A INPUT -j Block
> > -A Block -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j Logger
> > -A Logger -j LOG --log-level 4
> > -A Logger -j DROP
> > -A INPUT -i lo -j ACCEPT
> > -A OUTPUT -o lo -j ACCEPT
> >
> > There will be more rules in Block, but I just want to understand the logic.
> >
> > 1.) How is -A INPUT -j Block possible before there are any rules appended
> > to Block, does that mean iptables first searches and assembles all rules
> > that belong to custom chains regardless of order? Same for Logger.
>
> Everything has an order. You can turn on line numbers and see
> the order.
>
> Creating a chain (Block, Logger) does not put it into order.
>
> The jump (-j) to Block, from INPUT, places the chain in order.
>
> I note that you don't have a rule in Block to actually drop
> packets, and you do have a rule in Logger that drops packets.
> That seems... problematic to me.
>
> > 2.)
> >
> > Would this be OK to log and drop all rules in Block?
> >
> > I am worried because there are four jumps, INPUT -> Block -> Logger -> LOG
> > -> Logger -> DROP
>
> In general, you can jump as many times as you like as long as
> you don't go in a circle. Note that -j LOG continues processing
> on the next rule in order, unlike ACCEPT, DROP and REJECT. If a chain
> ends without ACCEPT, DROP or REJECT happening, then when it ends
> execution picks up at the next statement in order following the
> jump to that chain.
>
> Does that help?
>
> -dsr-
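Willian's set-based ruleset at the top of the thread and linux_forum1's 30-odd log-and-drop rules come down to the same technique: load the addresses and ports into ipsets, then jump from a single match rule into a rate-limited LOG-then-DROP chain, relying on LOG being non-terminating (as Dan notes). The script below is an added example, not code from any poster; it collapses overlapping prefixes and emits the sets in `ipset restore` format and the chain in `iptables-restore` format, with set and chain names following the thread's BLOCKIPLIST / LOGDROP_100 convention and a constructed sample list.

```python
"""Hypothetical generator, not code from this thread: one match rule per ipset,
feeding a rate-limited LOG-then-DROP chain, instead of one LOG+DROP pair per IP."""
import ipaddress

# Constructed sample input: the networks from the thread plus two overlapping
# entries (192.168.0.0/16 and 192.168.1.0/24) to show the collapse step.
BLOCK_NETS = ["169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24",
              "192.168.0.0/16", "192.168.1.0/24", "10.0.0.0/8"]
BLOCK_PORTS = [23, 135, 139, 445, 3389]


def collapse_nets(cidrs):
    """Merge overlapping/adjacent prefixes so the set holds the minimum entries."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def ipset_restore(nets, ports):
    """Input for `ipset -exist restore`: create both sets, one add line per entry."""
    lines = ["create BLOCKIPLIST hash:net family inet hashsize 1024 maxelem 65536",
             "create BLOCKPORTS bitmap:port range 0-65535"]
    lines += [f"add BLOCKIPLIST {n}" for n in collapse_nets(nets)]
    lines += [f"add BLOCKPORTS {p}" for p in ports]
    return "\n".join(lines) + "\n"


def iptables_restore(iface="eth0", chain="LOGDROP_100"):
    """Input for `iptables-restore -n`: a log+drop chain and ONE jump per set.
    LOG is non-terminating, so the rate-limited LOG rule falls through to DROP;
    the limit keeps a scan flood from saturating the syslog host, and the rule
    count stays constant however many entries the sets hold."""
    rules = [
        "*filter",
        f":{chain} - [0:0]",
        f'-A {chain} -m limit --limit 1/sec -j LOG --log-prefix " ::{chain}:: "',
        f"-A {chain} -j DROP",
    ]
    for hook in ("INPUT", "FORWARD"):
        rules.append(f"-A {hook} -i {iface} -m set --match-set BLOCKIPLIST src -j {chain}")
        rules.append(f"-A {hook} -i {iface} -p tcp -m set --match-set BLOCKPORTS dst -j {chain}")
    rules.append("COMMIT")
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    print(ipset_restore(BLOCK_NETS, BLOCK_PORTS), end="")
    print(iptables_restore(), end="")
```

Feed the first output to `ipset -exist restore` and the second to `iptables-restore -n` so existing chains are not flushed; growing the lists later only changes the ipset input, never the iptables rules.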

