
Re: iptables and networking



On Thu, 2013-06-20 at 12:53 +0200, Pol Hallen wrote:
[...]
> 
> Hi Steven and thanks for your reply :-)

You're welcome.

> 
> This is my full iptables config:
[... snip iptables rules...]
> 
> This way my server actually runs perfectly. Are there other rules to
> block DDoS attacks, or other types of attacks?

A real DDoS cannot really be blocked by using iptables on the server, as
an attacker might just be flooding the connection. There are commercial
services for that if you really want them, but these are not cheap.

Some other things you might consider blocking on the firewall are
repeated attempts to log in to the server, such as a brute force attack
on your SSH service.
You can block repeated attempts to log in with iptables using the
'recent' module, an alternative is 'fail2ban', which monitors your
server logs (ssh, apache, and others) for failed login attempts and then
adds an iptables rule for the offending IP. It is available in the
repository, but I cannot comment on its working much as I don't use it
(yet?). I heard it's really good.

For my simple home server I use the 'recent' module:

iptables -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 -j DROP
iptables -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state NEW -j ACCEPT

This blocks new connections if a host attempts more than 3 connections
within 120 seconds, still enough if I type in the wrong password
(openssh will allow 3 attempts before disconnecting if I recall
correctly). This is sufficient for most attacks on ssh, of course you
already disabled direct root login.

In some cases the 'limit' module for iptables might be useful, for
example (not really a good one):

iptables -A INPUT -i $EXTIF -p tcp --dport 21 -m state --state NEW -m limit --limit 1/min --limit-burst 3 -j ACCEPT

This will only allow 1 connection attempt on an FTP server per minute,
with an initial burst of 3 before limiting.

Regards,
Steven

PS: no need to send the mail directly to me, I'm subscribed to the list.
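As an added example (not part of Steven's message, and not something he ran), the Python script below models how the three 'recent' rules and the 'limit' rule quoted above decide on a constructed sequence of new connections, so you can see exactly which attempt gets dropped. The source addresses and timings are constructed, and the 20-entry timestamp ring is an assumption matching the module's historical ip_pkt_list_tot default; the rule parameters (120 seconds, hitcount 3, 1/min with burst 3) are the ones from the rules above.

```python
"""Model of the iptables 'recent' and 'limit' matches on constructed traffic.

Added example for the mailing-list reply; not code from the original
message. RING_SIZE is an assumption (historical ip_pkt_list_tot default).
"""
from collections import deque

RING_SIZE = 20  # per-address timestamp ring length in xt_recent (assumed)


class RecentList:
    """A minimal model of one 'recent' table, keyed by source address."""

    def __init__(self, ring_size=RING_SIZE):
        self.ring_size = ring_size
        self.stamps = {}  # addr -> deque of timestamps in seconds

    def set(self, addr, now):
        """'-m recent --set': record that addr was seen at time now."""
        ring = self.stamps.setdefault(addr, deque(maxlen=self.ring_size))
        ring.append(now)

    def update(self, addr, now, seconds, hitcount):
        """'-m recent --update --seconds S --hitcount N'.

        Matches when addr has at least N stamps within the last S seconds.
        On a match the current time is recorded as a fresh stamp, which is
        what keeps a host that keeps retrying blocked.
        """
        ring = self.stamps.get(addr)
        if ring is None:
            return False
        hits = sum(1 for t in ring if now - t <= seconds)
        if hits >= hitcount:
            ring.append(now)
            return True
        return False


class LimitBucket:
    """Token-bucket model of '-m limit --limit R --limit-burst B'."""

    def __init__(self, rate_per_second, burst):
        self.rate = rate_per_second
        self.burst = burst
        self.tokens = float(burst)  # bucket starts full
        self.last = 0.0

    def match(self, now):
        """Consume a token if one is available; the rule matches only then."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def ssh_chain(events, seconds=120, hitcount=3):
    """Walk the three SSH rules for each (time, source) new connection.

    Returns one verdict per event in time order: 'ACCEPT' or 'DROP'.
    """
    table = RecentList()
    verdicts = []
    for now, addr in sorted(events):
        table.set(addr, now)                      # rule 1: --set, no target
        if table.update(addr, now, seconds, hitcount):
            verdicts.append("DROP")               # rule 2: --update -j DROP
            continue
        verdicts.append("ACCEPT")                 # rule 3: -j ACCEPT
    return verdicts


def ftp_chain(times, per_minute=1, burst=3):
    """Apply the '--limit 1/min --limit-burst 3 -j ACCEPT' rule.

    A connection the limit match rejects is not accepted by this rule and
    falls through to whatever follows ('FALLTHROUGH'; a default DROP
    policy would drop it).
    """
    bucket = LimitBucket(per_minute / 60.0, burst)
    return ["ACCEPT" if bucket.match(t) else "FALLTHROUGH" for t in sorted(times)]


# Constructed sample traffic: one host retrying every 10 seconds and an
# admin who reconnects at 0 s, 65 s and 300 s.
SAMPLE_SSH = [(t, "198.51.100.7") for t in range(0, 60, 10)] + \
             [(0, "192.0.2.10"), (65, "192.0.2.10"), (300, "192.0.2.10")]

if __name__ == "__main__":
    for (t, addr), verdict in zip(sorted(SAMPLE_SSH), ssh_chain(SAMPLE_SSH)):
        print(f"t={t:>4}s {addr:<14} {verdict}")
    print(ftp_chain([0, 1, 2, 3, 4, 90, 91, 200]))
```

Two things the model makes visible: because the --set rule records the current connection before --update counts, it is the third new connection within 120 seconds that is dropped, not the fourth; and because --update adds a stamp on every match, a host that keeps retrying refreshes its own block, while a host that stays quiet for the full window is accepted again.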
