firewall & pinguin: iptables where do thou go?
it is said that when using “ip-sets”, iptables and nftables achieve almost the same performance (amount of IPs that can be blocked without the server becoming slow/unresponsive)
Redhat and nftables on DDoS: “so the only thing to fall back to is establishing a blacklist for all the different source IP addresses” (src) (which is exactly what iptables + cron + autoban.sh, a simple bash script, does)
the third concept: bpfilter
and: will already established iptables scripts keep on working?
“We like iptables after all, this tool has been serving us (and will likely keep serving still for a while in many deployments) to filter out traffic on both a per-packet and per-flow basis, log suspicious traffic activity, perform NAT and many other things.
It comes with more than a hundred extensions that have been contributed over the last 15 years!
Nevertheless, the iptables framework suffers from limitations that cannot be easily worked around:
- Avoid code duplication and inconsistencies:
  - Many of the iptables extensions are protocol specific
  - so there is no consolidated way to match packet fields
  - instead there is one extension for each protocol that it supports
  - this bloats the codebase with very similar code to perform a similar task: payload matching
- Faster packet classification through enhanced generic set and map infrastructure
- Simplified dual stack IPv4/IPv6 administration, through the new inet family that allows you to register base chains that see both IPv4 and IPv6 traffic
- Better dynamic ruleset updates support
- Provide a Netlink API for third party applications, just as other Linux Networking and Netfilter subsystems do
- Address syntax inconsistencies and provide nicer and more compact syntax (aha aha X-D)
These, among other things not listed here, triggered the nftables development which was originally presented to the Netfilter community at the 6th Netfilter Workshop in Paris (2008, France).” (src: wiki.nftables.org)
firewalls and: Debian11
July 2019: “documentation is pretty poor” “does not work very well” (src)
“Back in July 2019, I (Arturo Borrero Gonzalez <arturo ÄT debian DOTTT org>) started an email thread in the debian-devel ÄT lists.debian.org mailing lists looking for consensus on lowering the archive priority of the iptables package in Debian 11 Bullseye.
My proposal is to drop iptables from Priority: important and promote nftables instead.
In general, having such a priority level means the package is installed by default in every single Debian installation.
Given that we aim to deprecate iptables and that starting with Debian 10 Buster iptables is not even using the x_tables kernel subsystem but nf_tables, having such priority level seems pointless and inconsistent.
There was agreement, and I already made the changes to both packages.
This is another step in deprecating iptables and welcoming nftables.
But it does not mean that iptables won’t be available in Debian 11 Bullseye.
If you need it, you will need to use aptitude install iptables to download and install it from the package repository.
The second part of my proposal was to promote firewalld as the default ‘wrapper’ for firewalling in Debian.
I think this is in line with the direction other distros are moving.
It turns out firewalld integrates pretty well with the system, includes a DBus interface and many system daemons (like libvirt) already have native integration with firewalld.
Also, I believe the days of creating custom-made scripts and hacks to handle the local firewall may be long gone, and firewalld should be very helpful here too.”
src: https://ral-arturo.org/2019/10/14/debian-netfilter.html
yeah well… what this means: please provide very very very good examples on how to set up firewalld + nftables in a typical:
- server setup
- ssh/sftp server
- webserver
- corporate LAN workstation client
people that just got used to iptables and made elaborate scripts over the years should now migrate to nftables (complicated) + firewalld (python = slooooow).
ok, but if the Debian developers and the netfilter team take this task seriously, please: GET A SERVER! and test “in-the-wild”
applying iptables “concepts” (writing scripts that in a batch-way tell firewalld what to do and not to do) won’t work, because a single firewalld command takes way more time than an iptables command, and blocking 1000 individual IPs one rule at a time can not be done in a reasonably short time (ok, have to look into ipsets anyway).
- get a test-server (hetzner has high quality vps at world record low prices, starting single core at 3 bucks per month! (this server is running in their datacenter))
- setup ssh + LAMP stack: apache2 + test.php running (does not need to have gui or eclipse pdt)
- run the selfmade DDoS autobench against this server (target ssh(22) port and http(80)/https(443) ports/services)
- is the server still usable/responding from clientB?
  - yes: good
    - document and share knowledge in public blogs “how to shield against DDoS with nftables” online as examples for others to implement/use and follow
  - no: bad
    - setup nftable rules to shield against those attacks
    - is the server still usable/responding from clientB?
      - yes: good
        - document and share knowledge in public blogs “how to shield against DDoS with nftables” online as examples for others to implement/use and follow
      - no: bad – nftables failed and users will be angry, uninstall it and install iptables AGAIN
- try to ssh bruteforce and see if ssh is still usable
  - yes: good – nftables shields against ssh brute force attacks (which are very very very very common)
  - no: bad – nftables failed and users will be angry, uninstall it and install iptables AGAIN
- write a nftables/blog/book: (if user needs a blog contact me)
  - hands on guide – how to use nftables “in the wild” to secure servers, routers and firewalls against DDoS and desktop clients against everyday threats
open letter:
Dear Mr Arturo,
thanks for your efforts and engagement in the Debian community.
https://ral-arturo.org/2018/06/16/nfws2018.html
imho there is still lack of good documentation for nftables / firewalld and thus users find it hard to migrate from iptables.
am not the only one that thinks so: July 2019: „documentation is pretty poor“ „does not work very well“
why was the workshop not recorded and shared with the world via mp4 (as the ccc does with almost every presentation) or “youtube”?
after all you have proficiency in video editing https://ral-arturo.org/2018/07/19/multimedia.html
this way only a handful of people might be positively affected by your workshops. (thanks nevertheless)
while when it would have been recorded this knowledge would have been shared with the public and people might be thinking more positively about nftables.
right now it’s simply just a pain in the a….
unless you plan on making money with it (can do both, take ticket workshop fees while youtube it)
PS: “in the wild” means:
- do you run your own test-server?
- that you tested with autobench, to see if your nftables rules fend off basic bruteforce and DDoS attacks? (which any good firewall should be capable of)
fed up with nftables?
https://dwaves.de/2019/03/06/centos7-uninstall-nftables-install-iptables/
watch your logs
with this command, you can watch all logs at the same time, which should work for small servers with 10-30x websites (with more it probably gets a little too much output)
links:
https://wiki.debian.org/Teams/pkg-netfilter
https://lists.debian.org/debian-devel/2019/07/msg00332.html
analyze the malicious traffic
you can use tcpdump or, better, tshark (comes with wireshark) to further analyze the traffic and find out from what IP it is caused.
https://kvz.io/blog/2010/05/15/analyze-http-requests-with-tshark/
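Before reaching for tcpdump/tshark, the kernel log already answers “from what IP is it caused”: the firewall script further down ends with a `LOG` rule, and every dropped packet lands in the kernel log with `SRC=` and `DPT=` fields. The following is an added example, not a command from this page; the log lines are constructed samples in the format the LOG target writes, and the default log path is an assumption (Debian; CentOS uses /var/log/messages).

```shell
#!/bin/bash
# Added example: who is hitting the firewall, from the LOG target's kernel log lines.
set -u

# $1 = log file (assumption: /var/log/kern.log on Debian), $2 = how many top sources to list
top_sources() {
    local log="${1:-/var/log/kern.log}" n="${2:-10}"
    grep -o 'SRC=[0-9.]*' "$log" | cut -d= -f2 | sort | uniq -c | sort -rn | head -n "$n" \
        | awk '{ printf "%s %s\n", $2, $1 }'      # prints "ip count", busiest source first
}

# which destination ports one source hits, and how often ($1 = log file, $2 = source ip)
# the trailing space in "SRC=$2 " keeps 203.0.113.9 from also matching 203.0.113.90
ports_hit_by() {
    grep "SRC=$2 " "$1" | grep -o 'DPT=[0-9]*' | cut -d= -f2 | sort | uniq -c | sort -rn \
        | awk '{ printf "%s %s\n", $2, $1 }'      # prints "port count"
}

# constructed sample log: three SYNs from 203.0.113.9 on ssh ports, one from 198.51.100.4 on 80
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jul 20 10:00:01 srv kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 20 10:00:02 srv kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 20 10:00:03 srv kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 20 10:00:04 srv kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
EOF

top_sources "$SAMPLE_LOG" 5
ports_hit_by "$SAMPLE_LOG" 203.0.113.9
```

Feed the top entries into the blacklist file the firewall script reads, or into an ipset, rather than adding one iptables rule per address.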
about netfilter-team, iptables -> nftables.
“downgrade” to iptables
if iptables is not working well, nftables might be the reason. there are good reasons for nftables, like performance when facing DDoS, but some tools are not compatible with it (yet).
if fail2ban fails to ban:
RedHat has developed nftables and it ships with the kernel since 3.13.
“funny” and confusing is, that there is still an iptables command for backward compatibility, but this RedHat backward compatibility “fake” iptables does not work well with fail2ban.
```shell
# stop, disable and prevent firewalld from starting
systemctl stop firewalld
systemctl disable firewalld
systemctl mask --now firewalld
# install, start iptables
yum install iptables-services
systemctl start iptables
# there does not seem to be such a thing as "iptables6" in CentOS7
# so this will fail (the IPv6 unit shipped by iptables-services is called ip6tables)
systemctl start iptables6
systemctl enable iptables
systemctl status iptables
# now you can run your first iptables command
iptables -nvL
# all rules you add now will be lost after reboot
# unless you save em now
service iptables save
```
example config script:
you can quickly scan your server for open ports / ports in use:
```shell
apt install nmap   # Debian/Ubuntu
yum install nmap   # CentOS/RHEL
nmap localhost
```
you might want to read through this script before using it:
1. remove the ports you are not using
2. add the ports you need
you might want to run THE script line
```shell
# this is a list of ips / subnets you want to block
cat /scripts/firewall_blacklist.txt
66.249.64.0/24

# this is THE script
cat /scripts/firewall_rules.sh
```

```bash
#!/bin/bash
#
# iptables firewall script
# https://www.rosehosting.com
#
IPTABLES=/sbin/iptables

echo "===== put all ips you want to blacklist in: /scripts/firewall_blacklist.txt =====";
BLACKLIST=/scripts/firewall_blacklist.txt
echo " currently blacklisted: "
cat /scripts/firewall_blacklist.txt

# echo "===== what ports are in use? ====="
# nmap localhost
# PORT     STATE SERVICE
# 22/tcp   open  ssh
# 25/tcp   open  smtp
# 80/tcp   open  http
# 143/tcp  open  imap
# 443/tcp  open  https
# 465/tcp  open  smtps
# 587/tcp  open  submission
# 993/tcp  open  imaps
# 2222/tcp open  EtherNet/IP-1
# 2525/tcp open  ms-v-worlds
# 9001/tcp open  tor-orport

echo "===== enabling ipv4 forwarding (makes server act as switch) ====="
echo 1 > /proc/sys/net/ipv4/ip_forward

echo " * flushing old rules"
${IPTABLES} --flush
${IPTABLES} --delete-chain
${IPTABLES} --table nat --flush
${IPTABLES} --table nat --delete-chain

echo " * setting default policies"
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

echo " * allowing loopback devices"
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT

# drop "new" TCP packets that are not SYNs, accept everything conntrack already knows
${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## BLOCK ABUSING IPs HERE ##
#echo " * BLACKLIST"
#${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
#${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

echo " * allowing ssh on port 22"
${IPTABLES} -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
echo " * allowing ssh on port 2222"
${IPTABLES} -A INPUT -p tcp --dport 2222 -m state --state NEW -j ACCEPT
echo " * allowing vestacp on port 9093"
${IPTABLES} -A INPUT -p tcp --dport 9093 -m state --state NEW -j ACCEPT
# echo " * allowing dns on port 53 udp"
# ${IPTABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT
# echo " * allowing dns on port 53 tcp"
# ${IPTABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

# will not use these rules, will use the anti-DDoS rules further down
# echo " * allowing http on port 80"
# ${IPTABLES} -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# echo " * allowing https on port 443"
# ${IPTABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

echo " * allowing smtp on port 25"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
echo " * allowing smtps 465"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
echo " * allowing submission on port 587"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
echo " * allowing imaps on port 993"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
echo " * allowing smtps on port 2525"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 2525 -j ACCEPT
echo " * allowing tor port 9001"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT
# echo " * allowing pop3s on port 995"
# ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
# echo " * allowing imap on port 143"
# ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
# echo " * allowing pop3 on port 110"
# ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

echo "===== basic DDoS protection of port 80/443 ====="
echo "===== loading module ipt_recent, Xtables: recently-seen host matching ====="
# ip_list_tot: number of IPs to remember per list (uint)
modprobe ipt_recent ip_list_tot=10000
echo "===== loading module xt_limit, Xtables: rate-limit match ====="
modprobe xt_limit

# alternative "recent"-based approach, currently disabled (ATTK_CHECK / ATTACKED chains would have to be created first)
# ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ${IPTABLES} -A INPUT -p tcp -m multiport --dports 80,443 -m recent --update --seconds 3600 --name BANNED --rsource -j DROP
# ${IPTABLES} -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ATTK_CHECK
# ${IPTABLES} -A ATTACKED -m limit --limit 5/min -j LOG --log-prefix "IPTABLES (Rule ATTACKED): " --log-level 7
# ${IPTABLES} -A ATTACKED -m recent --set --name BANNED --rsource -j DROP
# ${IPTABLES} -A ATTK_CHECK -m recent --set --name ATTK --rsource
# ${IPTABLES} -A ATTK_CHECK -m recent --update --seconds 600 --hitcount 150 --name ATTK --rsource -j ATTACKED
# ${IPTABLES} -A ATTK_CHECK -m recent --update --seconds 60 --hitcount 50 --name ATTK --rsource -j ATTACKED
# ${IPTABLES} -A ATTK_CHECK -j ACCEPT

# per-source-IP rate limit: up to 50 packets/min per source ip (burst 500) are accepted, the rest is dropped
${IPTABLES} -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport 80 -j DROP
${IPTABLES} -A INPUT -p tcp --dport 443 -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport 443 -j DROP

echo " * allowing ping responses"
${IPTABLES} -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
# echo " while Block ICMP attacks"
# ${IPTABLES} -A INPUT -p icmp -m u32 ! --u32 "4&0x3FFF=0" -j DROP
# ${IPTABLES} -A INPUT -p icmp -m length --length 1492:65535 -j DROP

# DROP everything else and Log it
${IPTABLES} -A INPUT -j LOG
${IPTABLES} -A INPUT -j DROP

# Block abusing IPs
# from ${BLACKLIST}
# (-I inserts at the top of INPUT, so the blacklist is checked before any ACCEPT rule above)
if [[ -f "${BLACKLIST}" ]] && [[ -s "${BLACKLIST}" ]]; then
    echo " * BLOCKING ABUSIVE IPs"
    while read -r IP; do
        ${IPTABLES} -I INPUT -s "${IP}" -j DROP
    done < <(cat "${BLACKLIST}")
fi

# iptables: Saving firewall rules to /etc/sysconfig/iptables
iptables-save > /root/iptables.txt; service iptables save
```
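The blacklist loop at the end of the script above adds one iptables rule per address, which is the “blocking 1000x individual IPs” problem mentioned earlier, and ipsets are the answer hinted at there. The following is an added example, not the page’s script and not a netfilter project tool: it reads the same blacklist file and loads it into a kernel set referenced by a single rule, either as an `ipset` (iptables side) or as a named set in an nft ruleset (nftables side), and the nft ruleset also carries the script’s per-source 80/443 rate limit as a meter. Set, table and meter names are assumptions; the file path is the one the script uses; both apply paths need root.

```shell
#!/bin/bash
# Added example (not the page's script): put the blacklist into a kernel set so that N
# addresses cost ONE rule. Set/table/meter names are assumptions; the file path is the page's.
set -u
BLACKLIST="${BLACKLIST:-/scripts/firewall_blacklist.txt}"
# IPv4 addresses / CIDRs from the file, one per line; '#' comment lines and blank lines are skipped
parse_blacklist() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eo '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?'
}
# iptables side: an "ipset restore" script; hash:net takes hosts and subnets, -exist allows re-runs
gen_ipset_restore() {                    # $1 = blacklist file, $2 = set name
    printf 'create %s hash:net family inet maxelem 65536 -exist\nflush %s\n' "$2" "$2"
    parse_blacklist "$1" | while read -r ip; do printf 'add %s %s -exist\n' "$2" "$ip"; done
}

# nftables side: same addresses in a named set, plus the script's 80/443 hashlimit
# (50/min per source ip, burst 500) expressed as a meter
gen_nft_ruleset() {                      # $1 = blacklist file
    local elems elem_line=""
    elems=$(parse_blacklist "$1" | paste -sd, -)
    if [ -n "$elems" ]; then elem_line="elements = { ${elems} }"; fi   # nft rejects "{ }"
    cat <<EOF
table inet filter {
    set blacklist {
        type ipv4_addr
        flags interval
        ${elem_line}
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip saddr @blacklist drop
        tcp dport { 22, 2222 } ct state new accept
        tcp dport { 80, 443 } ct state new meter http_per_ip { ip saddr limit rate 50/minute burst 500 packets } accept
        icmp type echo-request accept
        log prefix "nft INPUT drop: " drop
    }
}
EOF
}
# apply (needs root): ./blacklist.sh ipset   or   ./blacklist.sh nft
case "${1:-}" in
    ipset) gen_ipset_restore "$BLACKLIST" blacklist | ipset restore
           iptables -C INPUT -m set --match-set blacklist src -j DROP 2>/dev/null \
               || iptables -I INPUT 1 -m set --match-set blacklist src -j DROP ;;
    nft)   gen_nft_ruleset "$BLACKLIST" | nft -f - ;;
esac
```

Re-running the script after the blacklist file changed only rewrites the set; the single `-m set` rule (or `ip saddr @blacklist`) stays in place, so the rule count no longer grows with the number of blocked addresses.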
Links and Books:
https://opensource.com/article/18/9/linux-iptables-firewalld
https://nerdpol.ch/tags/iptables
https://lwn.net/Articles/564095/
https://lwn.net/Articles/324989/
https://www.amazon.de/Linux-Firewalls-Sicherheit-Linux-Server-Netzwerke-Library/