[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

iptables config resets after restarting system

Good afternoon!

I've problem with resetting iptables after restarting system. Here's my
/usr/local/bin/fwall-rules file:

#!/bin/bash

IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables

echo -e "\n ** clean rules ** \n"

echo " * flushing old rules"
${IPTABLES} --flush
${IPTABLES} --delete-chain
${IPTABLES} --table nat --flush
${IPTABLES} --table nat --delete-chain

${IP6TABLES} --flush
${IP6TABLES} --delete-chain
${IP6TABLES} --table nat --flush
${IP6TABLES} --table nat --delete-chain

echo " * setting default policies"
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

${IP6TABLES} -P INPUT DROP
${IP6TABLES} -P FORWARD DROP
${IP6TABLES} -P OUTPUT ACCEPT

echo -e "\n ** input chain rules ** \n"

echo " * allowing loopback devices"
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

${IP6TABLES} -A INPUT -i lo -j ACCEPT
${IP6TABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
${IP6TABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## BLOCK ABUSING IPs HERE ##
#echo " * BLACKLIST"
#${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
#${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

echo " * allowing ssh on port 16960"
${IPTABLES} -A INPUT -p tcp --dport 16960  -m state --state NEW -j ACCEPT

${IP6TABLES} -A INPUT -p tcp --dport 16960  -m state --state NEW -j ACCEPT

#echo " * allowing ftp on port 21"
#${IPTABLES} -A INPUT -p tcp --dport 21  -m state --state NEW -j ACCEPT

echo " * allowing dns on port 53 udp"
${IPTABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT

${IP6TABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT

echo " * allowing dns on port 53 tcp"
${IPTABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

${IP6TABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

echo " * allowing http on port 80"
${IPTABLES} -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

${IP6TABLES} -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

echo " * allowing https on port 443"
${IPTABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

${IP6TABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

echo " * allowing smtp on port 25"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

${IP6TABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j
ACCEPT

echo " * allowing smtps on port 465"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j
ACCEPT

${IP6TABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j
ACCEPT

echo " * allowing submission on port 587"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j
ACCEPT

${IP6TABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j
ACCEPT

echo " * allowing imaps on port 993"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j
ACCEPT

${IP6TABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j
ACCEPT

echo " * allowing pop3s on port 995"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j
ACCEPT

${IP6TABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j
ACCEPT

echo " * allowing imap on port 143"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j
ACCEPT

${IP6TABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j
ACCEPT

echo " * allowing pop3 on port 110"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j
ACCEPT

${IP6TABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j
ACCEPT

echo " * allowing ping responses"
${IPTABLES} -A INPUT -p ICMP -j ACCEPT

${IP6TABLES} -A INPUT -p ICMPv6 -j ACCEPT

# DROP everything else and Log it
${IPTABLES} -A INPUT -j LOG --log-prefix "iptables-reject "
${IPTABLES} -A INPUT -j REJECT --reject-with icmp-host-prohibited

${IP6TABLES} -A INPUT -j LOG --log-prefix "ip6tables-reject "
${IP6TABLES} -A INPUT -j REJECT --reject-with icmp6-adm-prohibited

#
# Save settings
#
echo -e " * SAVING RULES\n"

iptables-save > /etc/iptables/rules.v4
iptables-apply /etc/iptables/rules.v4

ip6tables-save > /etc/iptables/rules.v6
ip6tables-apply /etc/iptables/rules.v6

echo -e "\n * DONE!\n"

Here's my iptables config before restarting system:

# iptables-save
# Generated by iptables-save v1.6.0 on Fri Aug 10 22:24:06 2018
*nat
:PREROUTING ACCEPT [893:55496]
:INPUT ACCEPT [31:1408]
:OUTPUT ACCEPT [118:7908]
:POSTROUTING ACCEPT [118:7908]
COMMIT
# Completed on Fri Aug 10 22:24:06 2018
# Generated by iptables-save v1.6.0 on Fri Aug 10 22:24:06 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7920:1029798]
:f2b-nginx-botsearch - [0:0]
:f2b-nginx-http-auth - [0:0]
:f2b-nginx-limit-req - [0:0]
:f2b-php-url-fopen - [0:0]
:f2b-sshd - [0:0]
:f2b-sshd-ddos - [0:0]
-A INPUT -p tcp -j f2b-php-url-fopen
-A INPUT -p tcp -j f2b-nginx-botsearch
-A INPUT -p tcp -j f2b-nginx-limit-req
-A INPUT -p tcp -j f2b-nginx-http-auth
-A INPUT -p tcp -j f2b-sshd-ddos
-A INPUT -p tcp -j f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state
--state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16960 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-reject "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A f2b-nginx-botsearch -j RETURN
-A f2b-nginx-http-auth -j RETURN
-A f2b-nginx-limit-req -j RETURN
-A f2b-php-url-fopen -s 212.237.44.247/32 -j REJECT --reject-with
icmp-port-unreachable
-A f2b-php-url-fopen -j RETURN
-A f2b-sshd -j RETURN
-A f2b-sshd-ddos -j RETURN
COMMIT
# Completed on Fri Aug 10 22:24:06 2018

And after restarting system:

$ sudo iptables-save
# Generated by iptables-save v1.6.0 on Fri Aug 10 22:26:45 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [496:168660]
:f2b-nginx-botsearch - [0:0]
:f2b-nginx-http-auth - [0:0]
:f2b-nginx-limit-req - [0:0]
:f2b-php-url-fopen - [0:0]
:f2b-sshd - [0:0]
:f2b-sshd-ddos - [0:0]
-A INPUT -p tcp -j f2b-php-url-fopen
-A INPUT -p tcp -j f2b-nginx-botsearch
-A INPUT -p tcp -j f2b-nginx-limit-req
-A INPUT -p tcp -j f2b-nginx-http-auth
-A INPUT -p tcp -j f2b-sshd-ddos
-A INPUT -p tcp -j f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state
--state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16960 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A f2b-nginx-botsearch -j RETURN
-A f2b-nginx-http-auth -j RETURN
-A f2b-nginx-limit-req -j RETURN
-A f2b-php-url-fopen -s 212.237.44.247/32 -j REJECT --reject-with
icmp-port-unreachable
-A f2b-php-url-fopen -j RETURN
-A f2b-sshd -j RETURN
-A f2b-sshd-ddos -j RETURN
COMMIT
# Completed on Fri Aug 10 22:26:45 2018
# Generated by iptables-save v1.6.0 on Fri Aug 10 22:26:45 2018
*nat
:PREROUTING ACCEPT [41:2652]
:INPUT ACCEPT [4:240]
:OUTPUT ACCEPT [37:2897]
:POSTROUTING ACCEPT [37:2897]
COMMIT
# Completed on Fri Aug 10 22:26:45 2018

Running command fwall-rules after restarting system works. What am I
doing wrong?

--
Best regards,
Hubert Hauser.

Attachment: 0x63D031274518F606.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: