Hello, let me be clear: sometimes code is better than chat.
First of all, you must reduce all your rules; the worst thing to do with netfilter is to create one match rule for each IP or port. Below is a complete firewall with all your desires plus a small honey pot with a 10 minute dynamic block list. The log-drop chain set does the logging with a 1-log-per-second limit to avoid killing your syslog server; please
send all your logs to another host!
Adjust it to your world, but keep this in mind: after the rule set is loaded it will never be modified, only the lists are modified. Use default service ports to detect scanners, and systematically drop their packets. Hope that it solves your questions.

####################################### CREATING BLOCK IP LIST
ipset create BLOCKIPLIST hash:net family inet hashsize 1024 maxelem 65536
ipset add BLOCKIPLIST 10.0.0.0/8
ipset add BLOCKIPLIST 127.0.0.0/8
ipset add BLOCKIPLIST 192.168.0.0/16
ipset add BLOCKIPLIST 172.16.0.0/12
####################################### CREATING BLOCK PORT LIST
ipset create BLOCKPORTS bitmap:port range 0-65535
ipset add BLOCKPORTS 1
ipset add BLOCKPORTS 7
ipset add BLOCKPORTS 22
ipset add BLOCKPORTS 23
ipset add BLOCKPORTS 135
ipset add BLOCKPORTS 136
ipset add BLOCKPORTS 137
ipset add BLOCKPORTS 138
ipset add BLOCKPORTS 139
ipset add BLOCKPORTS 445
ipset add BLOCKPORTS 1433
ipset add BLOCKPORTS 1701
ipset add BLOCKPORTS 3128
ipset add BLOCKPORTS 8080
ipset add BLOCKPORTS 8081
ipset add BLOCKPORTS 3389
####################################### CREATING ALLOW IP LIST
ipset create ALLOWIPLIST hash:net family inet hashsize 1024 maxelem 65536
ipset add ALLOWIPLIST 8.8.8.8/32
ipset add ALLOWIPLIST 39.48.55.1/32
####################################### CREATING ALLOWED PORT LIST
ipset create ALLOWPORTS bitmap:port range 0-65535
ipset add ALLOWPORTS 80
ipset add ALLOWPORTS 443
ipset add ALLOWPORTS 47122
#SSH FAKE
####################################### CREATING TAR PIT
# entries expire 600 seconds after a scanner is added
ipset create TARPIT hash:ip family inet hashsize 1024 maxelem 65536 timeout 600
####################################### CREATING LOG-DROP-RULESET
iptables -N LOGDROP_100
iptables -A LOGDROP_100 -m limit --limit 1/sec -j LOG --log-prefix " ::LOGDROP_100:: "
iptables -A LOGDROP_100 -j DROP
####################################### CREATING LOG-TARPIT-RULESET
iptables -N LOGTARPIT_100
iptables -A LOGTARPIT_100 -m limit --limit 1/sec -j LOG --log-prefix " ::LOGTARPIT_100:: "
iptables -A LOGTARPIT_100 -j SET --add-set TARPIT src
iptables -A LOGTARPIT_100 -j DROP
####################################### CREATING LOG-ALLOW-RULESET
iptables -N LOGALLOW_100
iptables -A LOGALLOW_100 -m limit --limit 1/sec -j LOG --log-prefix " ::LOGALLOW_100:: "
iptables -A LOGALLOW_100 -m state --state NEW -j ACCEPT
####################################### CREATING IN FLOW RULESET
iptables -N INFLOW_100
iptables -A INFLOW_100 -m state --state RELATED,ESTABLISHED -j ACCEPT
# sources already in the tar pit stay dropped until their 600 second entry expires
iptables -A INFLOW_100 -m set --match-set TARPIT src -j DROP
#
iptables -A INFLOW_100 -m set --match-set ALLOWIPLIST src -j LOGALLOW_100
iptables -A INFLOW_100 -m set --match-set ALLOWPORTS dst -j LOGALLOW_100
#
iptables -A INFLOW_100 -m set --match-set BLOCKIPLIST src -j LOGDROP_100
iptables -A INFLOW_100 -m set --match-set BLOCKPORTS dst -j LOGTARPIT_100
#
iptables -A INFLOW_100 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOGDROP_100
#
iptables -A INFLOW_100 -m state --state INVALID -j DROP
####################################### RESTRICTING FLOW
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -A INPUT -i eth0 -j INFLOW_100
iptables -A FORWARD -i eth0 -j INFLOW_100
# THIS AVOIDS SENDING UNREACHABLE MESSAGES TO OTHERS, IT IS USEFUL
iptables -A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 3 -j DROP

From: linux_forum1 <linux_forum1@protonmail.com>
Sent: Friday, 7 January 2022 06:22
To: Willian Pires <willian_pires@hotmail.com>
Cc: Dan Ritter <dsr@randomstring.org>; debian-firewall@lists.debian.org <debian-firewall@lists.debian.org>
Subject: RE: Is this even POSSIBLE?

Hello William, thanks for the reply!
ipset would be nice, but it doesn't solve the logging issue.
I have about 30 rules like the ones below that need to be logged and dropped if matched with iptables. (Both in INPUT and FORWARD)
-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-s 169.254.0.0/16 -j DROP
-s 172.16.0.0/12 -j DROP
-s 192.0.2.0/24 -j DROP
As I understand it there are two ways to log and drop packets that matched a specific rule in iptables.
1.) Separate LOG and DROP rules, for each IP, but this is inefficient.
-A INPUT -j Block
-A FORWARD -j Block
-A Block -s 169.254.0.0/16 -j LOG
-A Block -s 169.254.0.0/16 -j DROP
-A Block -s 172.16.0.0/12 -j LOG
-A Block -s 172.16.0.0/12 -j DROP
2.) The only other way is to create separate chains for bad IPs and LOG/DROP, then jump in between. But Dan Ritter says this is problematic, because bad IPs are not dropped in the Block chain, but only after jumping to the Logger chain.
-N Block
-N Logger
-A INPUT -j Block
-A FORWARD -j Block
-A Block -s 169.254.0.0/16 -j Logger
-A Block -s 172.16.0.0/12 -j Logger
-A Block -s 192.0.2.0/24 -j Logger
-A Logger -j LOG
-A Logger -j DROP
I have been searching for 48h, but there is no other way to log and drop packets.
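An added example, not code from either message in this thread, that applies the reply's approach to the three rules quoted in the question: the CIDRs go into one ipset and are logged and dropped by a single rule through a rate-limited LOGDROP chain, rendered in ipset-restore / iptables-restore form so it loads atomically. The chain and set names, eth0 and the 1/sec limit come from the reply; the restore-file rendering and the helper function names are my assumptions.

```shell
#!/bin/sh
# Added example, not code from either message in the thread. It renders the
# "one set, one rule" design from the reply as ipset-restore and
# iptables-restore text, so the rules load atomically and only the set
# changes afterwards. Set and chain names follow the thread; the CIDRs are
# the three quoted from the question.

# `ipset restore` fragment: one create line, then one add line per member.
render_sets() {
    printf 'create BLOCKIPLIST hash:net family inet hashsize 1024 maxelem 65536\n'
    for cidr in "$@"; do printf 'add BLOCKIPLIST %s\n' "$cidr"; done
}

# `iptables-restore` fragment for the filter table. The rule count is fixed
# however many entries BLOCKIPLIST holds, and LOG is limited to 1/sec so a
# flood cannot drown the remote syslog host.
render_filter_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP_100 - [0:0]
:INFLOW_100 - [0:0]
-A LOGDROP_100 -m limit --limit 1/sec -j LOG --log-prefix " ::LOGDROP_100:: "
-A LOGDROP_100 -j DROP
-A INFLOW_100 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INFLOW_100 -m set --match-set BLOCKIPLIST src -j LOGDROP_100
-A INFLOW_100 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOGDROP_100
-A INFLOW_100 -m state --state INVALID -j DROP
-A INPUT -i eth0 -j INFLOW_100
-A FORWARD -i eth0 -j INFLOW_100
COMMIT
EOF
}

# Number of rules that consult a set: stays 1 no matter how big the set is.
count_rules_for_set() {
    render_filter_rules | grep -c -- "--match-set $1 src"
}

# Load for real (needs root and the tools); the default action below only prints.
apply_rules() {
    render_sets "$@" | ipset -exist restore
    render_filter_rules | iptables-restore
}

render_sets 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24
render_filter_rules
```

Run `apply_rules 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24` as root to load it; adding a fourth network later is one `ipset add BLOCKIPLIST ...` with no iptables change.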
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, January 7th, 2022 at 6:20 AM, Willian Pires <willian_pires@hotmail.com> wrote: