firewall & pinguin: iptables where do thou go?
it is said that when using “ipsets”, iptables and nftables achieve almost the same performance (in terms of the number of IPs that can be blocked without the server becoming slow/unresponsive)
Red Hat on nftables and DDoS: “so the only thing to fall back to is establishing a blacklist for all the different source IP addresses” (src) (which is exactly what iptables + cron + autoban.sh, a simple bash script, does)
the third concept: bpfilter
and: will already existing iptables scripts keep working?
“We like iptables after all, this tool has been serving us (and will likely keep serving still for a while in many deployments) to filter out traffic on both per-packet and per-flow basis, log suspicious traffic activity, perform NAT and many other things.
It comes with more than a hundred extensions that have been contributed over the last 15 years!
Nevertheless, the iptables framework suffers from limitations that cannot be easily worked around:
- Avoid code duplication and inconsistencies:
  - Many of the iptables extensions are protocol specific
  - so there is no consolidated way to match packet fields
  - instead there is one extension for each protocol that it supports
  - this bloats the codebase with very similar code to perform a similar task: payload matching
- Faster packet classification through enhanced generic set and map infrastructure
- Simplified dual stack IPv4/IPv6 administration, through the new inet family that allows you to register base chains that see both IPv4 and IPv6 traffic
- Better dynamic ruleset updates support
- Provide a Netlink API for third party applications, just as other Linux Networking and Netfilter subsystem do
- Address syntax inconsistencies and provide nicer and more compact syntax (aha aha X-D)
These, among other things not listed here, triggered the nftables development which was originally presented to the Netfilter community in the 6th Netfilter Workshop in Paris (2008, France).” (src: wiki.nftables.org)
updated: 2020-05:
how do you do your firewalling?
let users know!
iptables:
used to be “the standard” under GNU Linux in terms of firewalling and it is still widely used.
what is a bit confusing: bpfilter is from the iptables developers and they wanted to be “backward compatible” to some extent.
so even when the iptables command “works” it does not mean that iptables is actually installed (could be bpfilter).
iptables manpage: iptables.man.txt
GNU Linux Versions and default-firewalls:
- Debian 11 default firewall is: bpfilter (but it might get removed from the kernel soon)
- Ubuntu 20 default firewall is: ufw (for managing netfilter)
- Fedora/RedHat/CentOS: firewalld (also for managing netfilter)
CentOS 7: uninstall nftables, install iptables – what to expect for Debian 11
hostnamectl; # tested on
  Icon name: computer-desktop
  Chassis: desktop
  Operating System: Debian GNU/Linux 10 (buster)
  Kernel: Linux 4.19.0-9-amd64
  Architecture: x86-64

iptables --version;
iptables v1.8.2 (nf_tables) # <- aha!

# install tools
# needed: installs a great text editor (also can use nano or emacs)
apt install vim
# optional: installs legacy ifconfig
apt install net-tools

# ===== view/list network interfaces (NICs, LAN Network Cards and other network devices) =====
ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:1e:06:45:0f:2d brd ff:ff:ff:ff:ff:ff
3: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1e:06:45:0f:2e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.223/24 brd 192.168.0.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:6ff:fe45:f2e/64 scope link
       valid_lft forever preferred_lft forever
# those are the two available network interfaces

# ===== view/list rules list =====
# will be processed from top to bottom, first rule that matches is applied, rest ignored
iptables -vnL --line-numbers
# num (--line-numbers), show rule number, can be used to modify/delete the rule
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
3      141  9680 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
5        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
6        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
7        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
8        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 87 packets, 10512 bytes)
num   pkts bytes target     prot opt in     out     source               destination

# maybe it is convenient to define an alias in /etc/bash.bashrc
alias iptablesll="iptables -vnL --line-numbers"

# different server, alternatively
# show all iptable rules
iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blacklist src
11573 1115K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
  755 60068 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
38863 2528K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
39100 2565K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    32 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   12   680 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  151  8295 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 ctstate NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 ctstate NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blacklist src
   69  3310 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 105 packets, 7373 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
45705  110M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 ctstate ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 ctstate ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 ctstate ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 ctstate ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:2222 ctstate ESTABLISHED

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
38863 2528K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

# same same but different
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m set --match-set blacklist src -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 2222 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A f2b-sshd -j RETURN

# -S, --list-rules [chain]
#     Print all rules in the selected chain. If no chain is selected, all chains are printed like iptables-save.
#     Like every other iptables command, it applies to the specified table (filter is the default).

iptables -t nat -n -L
# Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups.
# It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed.
# The exact output is affected by the other arguments given. The exact rules are suppressed until you use
#   -t, --table table
#       This option specifies the packet matching table which the command should operate on. If the kernel is configured
#       with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.
The tables are as follows:
filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the
box), and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT
(for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is
thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets
generated by local processes)
security:
This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux
Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before
MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).
warning: those scripts are probably far from perfect!
check the source, test, improve 🙂 and share
firewall init script:
one possible firewall is this init script:
https://dwaves.de/downloads/firewall/mrfirewall/firewall.init.sh.txt
this is straight from the official Debian wiki “Example: Basic gateway machine firewall”
and guess what iptables v1.8.2 has to say about “--log-level DEBUG”:
“log level “DEBUG” unkown” ha! nftables sucks!
so even the official Debian wiki now contains wrong or outdated documentation!
what a mess!
autoban bad ssh brute forcing IPs:
firewall scripts that search the logs and ban automatically:
when log files give
- a meaningful error message (that an auth / login failed, not because of a bad connection, but because of a bad password)
- the correct/full IP address of an attacker (bruteforce ssh, imap etc.) (even when inside a vm! X-D)
this script manages to block hundreds of IPs (more than 5000 gets slow, depending on one’s cpu and hardware)
the system works like this:
- crontab: every night at 1:00 run reset.sh
  - this will unblock all previously blocked ips and start the process of detecting and blocking misbehaving IPs all over
  - will reset the firewall (all existing connections will be dropped)
- crontab: every 30min run autoban.sh
  - this scans the log for misbehaving IPs and puts them on a list
let’s start:
su - root; # become root
mkdir -p /scripts/firewall
cd /scripts/firewall;
# this will reset the auto-banned ip list:
wget https://dwaves.de/downloads/firewall/reset.sh.txt -O rules.sh
# this is just a "tool script" used by autoban.sh
# to block a single ip. can also be called manually from terminal
wget https://dwaves.de/downloads/firewall/ban_ip.sh.txt -O ban_ip.sh
# this is just a "tool script" to unblock/unban a single ip
# can also be called manually from terminal
wget https://dwaves.de/downloads/firewall/unban_ip.sh.txt -O unban_ip.sh
# this will parse logs and extract evil IPs into lists to block until midnight
wget https://dwaves.de/downloads/firewall/autoban.sh.txt -O autoban.sh
# this will reset the firewall e.g. all temporarily banned ips will be allowed again
wget https://dwaves.de/downloads/firewall/reset.sh.txt -O reset.sh
# to make all of those scripts work don't forget to mark them as runnable:
chmod +x /scripts/firewall/*.sh
# there is also a blacklist feature
# (those are the ips and subnets that even after a reset, will get immediately re-banned X-D)
wget https://dwaves.de/downloads/firewall/blacklist.readme.txt
# it is basically just a list of ips and subnets to block
cat blacklist.txt
123.123.123.0/24
123.123.123.123
...
# after editing blacklist.txt
# manual run
/scripts/firewall/rules.sh
# which will automatically apply the rules and save the config
# to be loaded on next startup or on every firewall reset (every 3 days crontab)
# then run:
/scripts/firewall/autoban.sh
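The detection half of the autoban system described above, as an added example that is not autoban.sh or any other dwaves.de script: it counts failed sshd logins per source IP in a constructed log excerpt and, for every source over a threshold, emits the ipset and iptables commands that block it through one "match-set" rule, the ipset mechanism mentioned at the top of the post and visible in the rule listings above. The set name autoban, the threshold argument, and the log lines are assumptions of this example, not values from the original scripts.

```shell
#!/bin/sh
# Added example, not one of the dwaves.de firewall scripts.
# Set name "autoban", the threshold and the log lines are assumptions.

# Write a constructed sshd log excerpt to $1 (sample data, not a real capture).
make_sample_log() {
    cat > "$1" <<'EOF'
May  3 01:12:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
May  3 01:12:03 host sshd[2103]: Failed password for root from 203.0.113.5 port 40130 ssh2
May  3 01:12:05 host sshd[2105]: Invalid user admin from 203.0.113.5 port 40140
May  3 01:12:07 host sshd[2107]: Failed password for invalid user admin from 203.0.113.5 port 40140 ssh2
May  3 01:13:10 host sshd[2110]: Failed password for alice from 198.51.100.7 port 51002 ssh2
May  3 01:13:40 host sshd[2112]: Failed password for alice from 198.51.100.7 port 51003 ssh2
May  3 01:14:00 host sshd[2114]: Accepted publickey for alice from 198.51.100.7 port 51004 ssh2
May  3 01:15:00 host sshd[2116]: Connection closed by 192.0.2.9 port 33000 [preauth]
EOF
}

# Print every source IP with at least $2 failed logins in log file $1,
# one per line, sorted. Only real authentication failures count ("Failed
# password", "Invalid user"); plain disconnects such as "Connection closed"
# are ignored, which is the "meaningful error message" requirement above.
extract_offenders() {
    grep -E 'Failed password|Invalid user' "$1" \
      | grep -oE 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | awk '{ print $2 }' \
      | sort | uniq -c \
      | awk -v t="$2" '$1 >= t { print $2 }'
}

# Turn the offender list on stdin into the commands needed to block them:
# one ipset holding all IPs and a single iptables rule referencing it, so
# the rule count stays at 1 however many IPs are banned. The rule is only
# inserted if "iptables -C" says it is not there yet, so re-runs from cron
# do not stack duplicates. Commands are printed, not executed, so the output
# can be reviewed first and then piped into "sh" as root.
ban_commands() {
    bc_set="${1:-autoban}"
    echo "ipset create $bc_set hash:ip -exist"
    echo "iptables -C INPUT -m set --match-set $bc_set src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set $bc_set src -j DROP"
    while read -r ip; do
        echo "ipset add $bc_set $ip -exist"
    done
}

# Number of lines ban_commands produces for log $1 and threshold $2:
# 2 fixed lines plus one "ipset add" per offender.
count_ban_commands() {
    extract_offenders "$1" "$2" | ban_commands | wc -l | tr -d ' '
}

# Demo run on the constructed log: block sources with 3 or more failures.
demo_log=$(mktemp)
make_sample_log "$demo_log"
extract_offenders "$demo_log" 3 | ban_commands
rm -f "$demo_log"
```

Against the sample log, only 203.0.113.5 (four failures) passes a threshold of 3; 198.51.100.7 has two failures followed by a successful key login and is left alone, and the preauth disconnect from 192.0.2.9 never counts. Because the ban is one set rather than one rule per IP, the "more than 5000 gets slow" limit above moves from the rule chain into a hash lookup.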
how to ban / block a single ip:
iptables -L -n|less
# Howto block a malicious IP address/subnet?
# $1 = ip.to.block.123 or 123.123.123.0/24 subnet to block
cat /scripts/firewall_ban_ip.sh
echo "========== banning until reboot this host: ==========="
host "$1"
/sbin/iptables -I INPUT -s "$1" -j DROP

cat /scripts/firewall_unban_ip.sh
echo "========== UNbanning this host: ==========="
host "$1"
echo "unbanning ip: $1"
/sbin/iptables -D INPUT -s "$1" -j DROP
# in case autoban.sh is used
echo "remove ip from var log secure"
# double quotes so $1 is actually expanded inside the sed expression,
# and | as delimiter so a subnet like 123.123.123.0/24 does not break it
sed -i "\|$1|d" /var/log/secure
sed -i "\|$1|d" /var/log/secure_invalid_preauth.log

# in both cases save your results
service iptables save
links:
https://wiki.debian.org/DebianFirewall