server - Need help with iptables - Ask Ubuntu


i use bash script configure iptables, try connect webserver listen 80 port, requests denyed $ipt -a output -j log_drop7. if not use rule, ports opened!

#!/bin/bash       def_sshport=9811; eth_interface=ens3; echo "the network interface $eth_interface."; echo "the ssh port $def_sshport.";  ipt=/sbin/iptables;  #remove previous $ipt -x; $ipt -f; $ipt -t nat -f; $ipt -t nat -x; $ipt -t mangle -f; $ipt -t mangle -x;  ###################### # default policy drop# ###################v## $ipt -p input   -j drop; $ipt -p forward -j drop; $ipt -p output  -j drop;  #rules log , drop $ipt -n log_drop; $ipt -a log_drop -j log --log-prefix "input:drop: " --log-level 6; $ipt -a log_drop -j drop;  $ipt -n log_drop1; $ipt -a log_drop1 -j log --log-prefix "input:drop1: " --log-level 6; $ipt -a log_drop1 -j drop;  $ipt -n log_drop2; $ipt -a log_drop2 -j log --log-prefix "input:drop2: " --log-level 6; $ipt -a log_drop2 -j drop;  $ipt -n log_drop3; $ipt -a log_drop3 -j log --log-prefix "input:drop3: " --log-level 6; $ipt -a log_drop3 -j drop;  $ipt -n log_drop4; $ipt -a log_drop4 -j log --log-prefix "input:drop4: " --log-level 6; $ipt -a log_drop4 -j drop;  $ipt -n log_drop5; $ipt -a log_drop5 -j log --log-prefix "input:drop5: " --log-level 6; $ipt -a log_drop5 -j drop;  $ipt -n log_drop6; $ipt -a log_drop6 -j log --log-prefix "input:drop6: " --log-level 6; $ipt -a log_drop6 -j drop;  $ipt -n log_drop7; $ipt -a log_drop7 -j log --log-prefix "input:drop7: " --log-level 6; $ipt -a log_drop7 -j drop;  $ipt -n log_allow7; $ipt -a log_allow7 -j log --log-prefix "input:allow8080: " --log-level 6; $ipt -a log_allow7 -j accept;  $ipt -n log_reject; $ipt -a log_reject -j log --log-prefix "input:reject: " --log-level 5; $ipt -a log_reject -j drop;  # don't break established connections # iptables -a input -m state --state related,established -j accept; # iptables -a output -m state --state related,established -j accept; # echo "established connections allowed";  # authorizes incoming , outgoing traffic on loopback network interface (ip : 127.0.0.1) $ipt -t filter -a input  -i lo -j accept; $ipt -t filter -a output -o lo -j accept; echo "loopback traffic allowed";  # # allow outgoing pings # $ipt -t filter -a output -o $eth_interface -p icmp -j accept;  # # allow tcp connections on tcp port 80, 8080, 443, $def_sshport # $ipt -a input -i $eth_interface -p tcp --dport 80 -m conntrack --ctstate new,established -j accept; $ipt -a output -o $eth_interface -p tcp --dport 80 -m conntrack --ctstate new,established -j accept; $ipt -a input -i $eth_interface -p tcp --dport 8080 -m conntrack --ctstate new,established -j accept; $ipt -a output -o $eth_interface -p tcp --dport 8080 -m conntrack --ctstate new,established -j accept; $ipt -a input -i $eth_interface -p tcp --dport 443 -m conntrack --ctstate new,established -j accept; $ipt -a output -o $eth_interface -p tcp --dport 443 -m conntrack --ctstate new,established -j accept;  #ssh $ipt -a input -i $eth_interface -p tcp --dport $def_sshport -m conntrack --ctstate new,established -j accept; $ipt -a output -o $eth_interface -p tcp --sport $def_sshport -m conntrack --ctstate established -j accept;   #reroute 80 8080 , 443 8443  $ipt -t nat -a prerouting -i $eth_interface -p tcp --dport 80 -j dnat --to :8080; $ipt -t nat -a prerouting -i $eth_interface -p tcp --dport 443 -j dnat --to :8443;  ######################## ########anti ddos######## ########################  #reject traffic localhost not originate lo0 #$ipt -t filter -a input ! -i lo -s 127.0.0.0/8 -j log --log-prefix -j log_drop1;  echo "rule 1"; ### 1: drop invalid packets ### $ipt -t mangle -a prerouting -m conntrack --ctstate invalid -j log_drop1;  echo "rule 2"; ### 2: drop tcp packets new , not syn ### $ipt -t mangle -a prerouting -p tcp ! --syn -m conntrack --ctstate new -j log_drop1;  echo "rule 3"; ### 3: drop syn packets suspicious mss value ### $ipt -t mangle -a prerouting -p tcp -m conntrack --ctstate new -m tcpmss ! --mss 536:65535 -j log_drop2;  echo "rule 4"; ### 4: block packets bogus tcp flags ### $ipt -t mangle -a prerouting -p tcp --tcp-flags fin,syn,rst,psh,ack,urg none -j log_drop2; $ipt -t mangle -a prerouting -p tcp --tcp-flags fin,syn fin,syn -j log_drop2; $ipt -t mangle -a prerouting -p tcp --tcp-flags syn,rst syn,rst -j log_drop2; $ipt -t mangle -a prerouting -p tcp --tcp-flags syn,fin syn,fin -j log_drop2; $ipt -t mangle -a prerouting -p tcp --tcp-flags fin,rst fin,rst -j log_drop2; $ipt -t mangle -a prerouting -p tcp --tcp-flags fin,ack fin -j log_drop2; $ipt -t mangle -a prerouting -p tcp --tcp-flags ack,urg urg -j log_drop2; $ipt -t mangle -a prerouting -p tcp --tcp-flags ack,fin fin -j log_drop2; $ipt -t mangle -a prerouting -p tcp --tcp-flags ack,psh psh -j log_drop2; $ipt -t mangle -a prerouting -p tcp --tcp-flags all -j log_drop2; $ipt -t mangle -a prerouting -p tcp --tcp-flags none -j log_drop2; $ipt -t mangle -a prerouting -p tcp --tcp-flags fin,psh,urg -j log_drop2; $ipt -t mangle -a prerouting -p tcp --tcp-flags syn,fin,psh,urg -j log_drop2; $ipt -t mangle -a prerouting -p tcp --tcp-flags syn,rst,ack,fin,urg -j log_drop2;  echo "rule 5"; ### 5: block spoofed packets ### $ipt -t mangle -a prerouting -s 224.0.0.0/3 -j log_drop3; $ipt -t mangle -a prerouting -s 169.254.0.0/16 -j log_drop3; $ipt -t mangle -a prerouting -s 172.16.0.0/12 -j log_drop3; $ipt -t mangle -a prerouting -s 192.0.2.0/24 -j log_drop3; $ipt -t mangle -a prerouting -s 192.168.0.0/16 -j log_drop3; $ipt -t mangle -a prerouting -s 10.0.0.0/8 -j log_drop3; $ipt -t mangle -a prerouting -s 0.0.0.0/8 -j log_drop3; $ipt -t mangle -a prerouting -s 240.0.0.0/5 -j log_drop3; $ipt -t mangle -a prerouting -s 127.0.0.0/8 ! -i lo -j log_drop3;  echo "rule 6"; ### 6: drop icmp (you don't need protocol) ### $ipt -t mangle -a prerouting -p icmp -j log_drop4;  echo "rule 7"; ### 7: drop fragments in chains ### $ipt -t mangle -a prerouting -f -j log_drop4;  echo "rule 8"; ### 8: limit connections per source ip ### $ipt -a input -p tcp -m connlimit --connlimit-above 111 -j reject --reject-with tcp-reset;  echo "rule 9"; ### 9: limit rst packets ### $ipt -a input -p tcp --tcp-flags rst rst -m limit --limit 2/s --limit-burst 2 -j accept; $ipt -a input -p tcp --tcp-flags rst rst -j drop;  echo "rule 10"; ### 10: limit new tcp connections per second per source ip ### $ipt -a input -p tcp -m conntrack --ctstate new -m limit --limit 60/s --limit-burst 20 -j accept; $ipt -a input -p tcp -m conntrack --ctstate new -j log_drop4;  echo "rule 11"; ### 11: use synproxy on ports (disables connection limiting rule) ### #$ipt -t raw -a prerouting -p tcp -m tcp --syn -j ct --notrack; #$ipt -a input -p tcp -m tcp -m conntrack --ctstate invalid,untracked -j synproxy --sack-perm --timestamp --wscale 7 --mss 1460; #$ipt -a input -m conntrack --ctstate invalid -j drop;  echo "rule ssh brute-force protection"; ### ssh brute-force protection ### $ipt -a input -p tcp --dport $def_sshport -m conntrack --ctstate new -m recent --set; $ipt -a input -p tcp --dport $def_sshport -m conntrack --ctstate new -m recent --update --seconds 60 --hitcount 10 -j log_drop4;  echo "rule ssh protection against port scanning"; ### protection against port scanning ### $ipt -n port-scanning; $ipt -a port-scanning -p tcp --tcp-flags syn,ack,fin,rst rst -m limit --limit 1/s --limit-burst 2 -j return; $ipt -a port-scanning -j log_drop4;  #echo "reject traffic localhost not originate lo"; #reject traffic localhost not originate lo #$ipt -t filter -a input ! -i lo -s 127.0.0.0/8 -j log_drop4;  ###################### # default policy drop# ###################v## $ipt -a input -i $eth_interface   -j log_drop5; $ipt -a forward -i $eth_interface -j log_drop6; $ipt -a output  -j log_drop7;  rm /etc/iptables/rules.v4; iptables-save > /etc/iptables/rules.v4;  apt-get install -y iptables-persistent;

can me edit rules allow tcp connections on 80?

this ifconfig output:

ens3      link encap:ethernet  hwaddr fa:16:3e:4c:4c:65           inet addr:... bcast:...  mask:255.255.255.255           broadcast running multicast  mtu:1500  metric:1           rx packets:3598 errors:0 dropped:0 overruns:0 frame:0           tx packets:3118 errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:1000           rx bytes:268852 (268.8 kb)  tx bytes:4216143 (4.2 mb)  lo        link encap:local loopback           inet addr:127.0.0.1  mask:255.0.0.0           loopback running  mtu:65536  metric:1           rx packets:18186 errors:0 dropped:0 overruns:0 frame:0           tx packets:18186 errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:1           rx bytes:1262093 (1.2 mb)  tx bytes:1262093 (1.2 mb)

open iptables config file , add rule 

iptables -a input -p tcp -m tcp --dport 80 -j accept

Comments

Post a Comment

Popular posts from this blog

download - Firefox cannot save files (most of the time), how to solve? - Super User

this not full duplicate of this question or this question , though base question same. however, questions have no answers. for on half year have problems downloading files firefox. when click on download link, download dialog opened asking me do, save or open it. immediately, there error/warning pop-up (twice, can see 1 @ first) ok button. looks this message : "c:\users\%user%\appdata\local\temp\wbbdv9k8.zip.part not saved because source file not read. try again later or contact server administrator." replace '%user%' name of user trying download. after closing pop-up, download dialog disappears , have minimize firefox , open again, see other pop-up. downloading exact same file internet explorer work, not desired. i tried solutions here . tried solutions here . tried disabling extensions. tried fixing permissions on temp folder. tried making files , folder in profile directory non-readonly. tried running firefox administrator. tried
Read more

windows - "-2146893807 NTE_NOT_FOUND" when repair certificate store - Super User

i try repair certificate store in windows 10 doing c:\windows\system32>certutil -store -user ‎330000019dba8d5dddb98062a900000000019d "personal" certutil: -store command failed: 0x80090011 (-2146893807 nte_not_found) certutil: object not found. i have double check mmc, certificate details serial number of certificate. still fail repair certificate store. can please help? i getting same error when trying export pfx. turns out had export c:\cert.pfx instead of cert.pfx (it trying export file cert store ( cert:\localmachine\my ).
Read more

sql server - "Configuration file does not exist", Event ID 274 - Super User

sql server 2014 standard in server 2012 r2 i installed sql server 2014 in drive d: i following error: microsoft ssis service: registry setting specifying configuration file not exist. attempting load default config file. simply add c:\program files\microsoft sql server\1?0\dts\binn\msdtssrvr.ini.xml to default reg_sz value in: hkey_local_machine\software\microsoft\microsoft sql server\1?0\ssis\serviceconfigfile where ? replaced matching sql server version
Read more