Re: IPTables configuration.
Hi!
The machine is a standalone web server. I've been getting a bunch of
portscans and some weird entries in my webserver logs. I'd like to block
those IPs completely. However, I'm not quite sure where in this setup I'd
put them. I was thinking they'd go into PAROLE.
Here's the output of "iptables -L -n -v":
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8
74607   20M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1   208 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
 331K   39M PUB_IN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2 packets, 244 bytes)
 pkts bytes target     prot opt in     out     source               destination
77803   17M PUB_OUT    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain INT_IN (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INT_OUT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PAROLE (4 references)
 pkts bytes target     prot opt in     out     source               destination
  443 22260 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 0
    1    56 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 11
  384 19428 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    5   240 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
   51  2524 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    3   140 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    7   332 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:79 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    6   360 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:111 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:512 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:513 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:98 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    7   380 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1980 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:31337 state INVALID,NEW limit: avg 5/sec burst 8 LOG flags 0 level 4 prefix `audit'
  145 47167 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 331K   39M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PUB_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
77803   17M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
----- Original Message -----
From: "DEFFONTAINES Vincent" <Vincent.DEFFONTAINES@coe.int>
To: <debian-security@lists.debian.org>
Sent: Wednesday, December 04, 2002 2:45 PM
Subject: RE: IPTables configuration.
> To correctly audit your configuration, I need an output of
> "/sbin/iptables -L -n -v"
> The mere "/sbin/iptables -L [-n]" is not sufficient to me, cause it won't
> reveal the per interface filters.
>
> Vincent
>
>
>
>
> > -----Original Message-----
> > From: Tore Nilsson [mailto:iceydee@bredband.net]
> > Sent: Wednesday 4 December 2002 14:23
> > To: debian-security@lists.debian.org
> > Subject: IPTables configuration.
> >
> >
> > Hello!
> >
> > Can someone review my iptables configuration and give suggestions?
> > Btw. if I'd want to block someone completely using this configuration
> > should I put them in "Parole" by using this command:
> >
> > iptables -A PAROLE -s [ip-number] -j DROP
> >
> > //Tore Nilsson
> >
> > here's my configuration. btw, it was made with Bastille:
> >
> > Chain INPUT (policy DROP)
> > target     prot opt source               destination
> > DROP       tcp  --  anywhere             127.0.0.0/8
> > ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> > ACCEPT     all  --  anywhere             anywhere
> > DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
> > PUB_IN     all  --  anywhere             anywhere
> > DROP       all  --  anywhere             anywhere
> >
> > Chain FORWARD (policy DROP)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> > DROP       all  --  anywhere             anywhere
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > PUB_OUT    all  --  anywhere             anywhere
> >
> > Chain INT_IN (0 references)
> > target     prot opt source               destination
> > ACCEPT     icmp --  anywhere             anywhere
> > DROP       all  --  anywhere             anywhere
> >
> > Chain INT_OUT (0 references)
> > target     prot opt source               destination
> > ACCEPT     icmp --  anywhere             anywhere
> > ACCEPT     all  --  anywhere             anywhere
> >
> > Chain PAROLE (4 references)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere
> >
> > Chain PUB_IN (1 references)
> > target     prot opt source               destination
> > ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
> > ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
> > ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
> > PAROLE     tcp  --  anywhere             anywhere            tcp dpt:www
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:telnet state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:ftp state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:imap2 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:pop3 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:finger state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:sunrpc state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:exec state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:login state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:linuxconf state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:ssh state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        tcp  --  anywhere             anywhere            tcp dpt:1980 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > LOG        udp  --  anywhere             anywhere            udp dpt:31337 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
> > DROP       icmp --  anywhere             anywhere
> > DROP       all  --  anywhere             anywhere
> >
> > Chain PUB_OUT (1 references)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
> >
>
>
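An added example, not part of this thread: a small Python script that parses `iptables -L -n -v` output (the sample below is abridged from the listing Tore posted) and checks whether a rule appended to a given chain could ever be reached. In this ruleset the only rule in PAROLE is an unconditional ACCEPT, so `iptables -A PAROLE -s [ip] -j DROP` would be appended behind it and never match, and the only jump into PAROLE visible in the listing is from PUB_IN for TCP port 80. The script therefore emits commands that insert a dedicated blocklist chain at position 1 of INPUT instead; the chain name BLOCKLIST and the address 192.0.2.10 are my choices, not anything from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: abridged from the `iptables -L -n -v` listing above
# (INPUT, PAROLE and PUB_IN; the PUB_IN LOG rules are left out for brevity).
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            127.0.0.0/8
74607   20M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1   208 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
 331K   39M PUB_IN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PAROLE (4 references)
 pkts bytes target     prot opt in     out     source               destination
  443 22260 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PUB_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
  384 19428 PAROLE     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  145 47167 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 331K   39M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # targets that end traversal for a packet
CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")


@dataclass
class Rule:
    target: str
    prot: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str  # trailing match text, e.g. "state RELATED,ESTABLISHED"

    def matches_everything(self) -> bool:
        """True when nothing narrows the match, so the rule fires on every packet."""
        return (self.prot == "all" and self.in_if == "*" and self.out_if == "*"
                and self.source == "0.0.0.0/0" and self.dest == "0.0.0.0/0"
                and self.extra == "")


@dataclass
class Chain:
    name: str
    policy: Optional[str]          # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)


def parse_iptables_lnv(text: str) -> Dict[str, Chain]:
    """Parse `iptables -L -n -v` output into chains, in listing order."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, info = m.groups()
            pm = re.match(r"policy (\S+)", info)
            current = Chain(name, pm.group(1) if pm else None)
            chains[name] = current
            continue
        if current is None or line.startswith("pkts"):
            continue  # column header
        # Columns: pkts bytes target prot opt in out source destination [match text]
        cols = line.split(None, 9)
        if len(cols) < 9:
            continue
        extra = cols[9] if len(cols) > 9 else ""
        current.rules.append(Rule(cols[2], cols[3], cols[5], cols[6], cols[7], cols[8], extra))
    return chains


def catch_all_index(chain: Chain) -> Optional[int]:
    """1-based position of the first rule that terminates every packet, if any."""
    for i, rule in enumerate(chain.rules, start=1):
        if rule.target in TERMINATING and rule.matches_everything():
            return i
    return None


def append_is_reachable(chains: Dict[str, Chain], name: str) -> bool:
    """Would a rule added with `iptables -A <name>` ever be evaluated?"""
    return catch_all_index(chains[name]) is None


def block_commands(ips: List[str], chain: str = "INPUT") -> List[str]:
    """Commands that drop the listed sources before any other rule in `chain`.
    BLOCKLIST is an assumed chain name; a dedicated chain is easy to flush and refill."""
    cmds = ["iptables -N BLOCKLIST", f"iptables -I {chain} 1 -j BLOCKLIST"]
    cmds += [f"iptables -A BLOCKLIST -s {ip} -j DROP" for ip in ips]
    return cmds


if __name__ == "__main__":
    chains = parse_iptables_lnv(SAMPLE)
    for name in ("PAROLE", "INPUT"):
        pos = catch_all_index(chains[name])
        verdict = "reachable" if pos is None else f"shadowed by catch-all rule {pos}"
        print(f"-A {name}: {verdict}")
    print("\n".join(block_commands(["192.0.2.10"])))   # documentation address, constructed
```

Run against the sample, `-A PAROLE` is shadowed by rule 1 and `-A INPUT` by the final `DROP all` at rule 6, which is why the generated commands use `-I INPUT 1`. Inserting ahead of the `state RELATED,ESTABLISHED` rule also cuts connections the blocked source already has open, which is usually what is wanted when blocking a scanner.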