Нуждаюсь в помощи с iptables

Question 1

Я использую этот сценарий удара, чтобы настроить iptables, попытаться соединиться с веб-сервером, которые слушают 80 портов, но все просьбы, отклоненные $IPT -A OUTPUT -j LOG_DROP7. Если я не использую это правило, то все порты открыты!

#!/bin/bash      
DEF_SSHPORT=9811;
ETH_INTERFACE=ens3;
echo "The network interface is $ETH_INTERFACE.";
echo "The SSH port is $DEF_SSHPORT.";

IPT=/sbin/iptables;

#remove all the previous
$IPT -X;
$IPT -F;
$IPT -t nat -F;
$IPT -t nat -X;
$IPT -t mangle -F;
$IPT -t mangle -X;

######################
# Default Policy DROP#
###################v##
$IPT -P INPUT   -j DROP;
$IPT -P FORWARD -j DROP;
$IPT -P OUTPUT  -j DROP;

#rules for log and drop
$IPT -N LOG_DROP;
$IPT -A LOG_DROP -j LOG --log-prefix "INPUT:DROP: " --log-level 6;
$IPT -A LOG_DROP -j DROP;

$IPT -N LOG_DROP1;
$IPT -A LOG_DROP1 -j LOG --log-prefix "INPUT:DROP1: " --log-level 6;
$IPT -A LOG_DROP1 -j DROP;

$IPT -N LOG_DROP2;
$IPT -A LOG_DROP2 -j LOG --log-prefix "INPUT:DROP2: " --log-level 6;
$IPT -A LOG_DROP2 -j DROP;

$IPT -N LOG_DROP3;
$IPT -A LOG_DROP3 -j LOG --log-prefix "INPUT:DROP3: " --log-level 6;
$IPT -A LOG_DROP3 -j DROP;

$IPT -N LOG_DROP4;
$IPT -A LOG_DROP4 -j LOG --log-prefix "INPUT:DROP4: " --log-level 6;
$IPT -A LOG_DROP4 -j DROP;

$IPT -N LOG_DROP5;
$IPT -A LOG_DROP5 -j LOG --log-prefix "INPUT:DROP5: " --log-level 6;
$IPT -A LOG_DROP5 -j DROP;

$IPT -N LOG_DROP6;
$IPT -A LOG_DROP6 -j LOG --log-prefix "INPUT:DROP6: " --log-level 6;
$IPT -A LOG_DROP6 -j DROP;

$IPT -N LOG_DROP7;
$IPT -A LOG_DROP7 -j LOG --log-prefix "INPUT:DROP7: " --log-level 6;
$IPT -A LOG_DROP7 -j DROP;

$IPT -N LOG_ALLOW7;
$IPT -A LOG_ALLOW7 -j LOG --log-prefix "INPUT:ALLOW8080: " --log-level 6;
$IPT -A LOG_ALLOW7 -j ACCEPT;

$IPT -N LOG_REJECT;
$IPT -A LOG_REJECT -j LOG --log-prefix "INPUT:REJECT: " --log-level 5;
$IPT -A LOG_REJECT -j DROP;

# We don't break the established connections
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
# echo "Established connections allowed";

# Authorizes the incoming and outgoing traffic on the loopback network interface (IP : 127.0.0.1)
$IPT -t filter -A INPUT  -i lo -j ACCEPT;
$IPT -t filter -A OUTPUT -o lo -j ACCEPT;
echo "Loopback traffic allowed";

#
# Allow outgoing pings
#
$IPT -t filter -A OUTPUT -o $ETH_INTERFACE -p icmp -j ACCEPT;

#
# Allow TCP connections on tcp port 80, 8080, 443, $DEF_SSHPORT
#
$IPT -A INPUT -i $ETH_INTERFACE -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
$IPT -A OUTPUT -o $ETH_INTERFACE -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
$IPT -A INPUT -i $ETH_INTERFACE -p tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
$IPT -A OUTPUT -o $ETH_INTERFACE -p tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
$IPT -A INPUT -i $ETH_INTERFACE -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
$IPT -A OUTPUT -o $ETH_INTERFACE -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;

#ssh
$IPT -A INPUT -i $ETH_INTERFACE -p tcp --dport $DEF_SSHPORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
$IPT -A OUTPUT -o $ETH_INTERFACE -p tcp --sport $DEF_SSHPORT -m conntrack --ctstate ESTABLISHED -j ACCEPT;

 #REROUTE from 80 to 8080 and 443 to 8443 
$IPT -t nat -A PREROUTING -i $ETH_INTERFACE -p tcp --dport 80 -j DNAT --to :8080;
$IPT -t nat -A PREROUTING -i $ETH_INTERFACE -p tcp --dport 443 -j DNAT --to :8443;

########################
########ANTI DDOS########
########################

#reject traffic to localhost that does not originate from lo0
#$IPT -t filter -A INPUT ! -i lo -s 127.0.0.0/8 -j LOG --log-prefix -j LOG_DROP1;

echo "rule 1";
### 1: Drop invalid packets ###
$IPT -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j LOG_DROP1;

echo "rule 2";
### 2: Drop TCP packets that are new and are not SYN ###
$IPT -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j LOG_DROP1;

echo "rule 3";
### 3: Drop SYN packets with suspicious MSS value ###
$IPT -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j LOG_DROP2;

echo "rule 4";
### 4: Block packets with bogus TCP flags ###
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j LOG_DROP2;
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_DROP2;

echo "rule 5";
### 5: Block spoofed packets ###
$IPT -t mangle -A PREROUTING -s 224.0.0.0/3 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 169.254.0.0/16 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 172.16.0.0/12 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 192.0.2.0/24 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 192.168.0.0/16 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 10.0.0.0/8 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 0.0.0.0/8 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 240.0.0.0/5 -j LOG_DROP3;
$IPT -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j LOG_DROP3;

echo "rule 6";
### 6: Drop ICMP (you usually don't need this protocol) ###
$IPT -t mangle -A PREROUTING -p icmp -j LOG_DROP4;

echo "rule 7";
### 7: Drop fragments in all chains ###
$IPT -t mangle -A PREROUTING -f -j LOG_DROP4;

echo "rule 8";
### 8: Limit connections per source IP ###
$IPT -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset;

echo "rule 9";
### 9: Limit RST packets ###
$IPT -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT;
$IPT -A INPUT -p tcp --tcp-flags RST RST -j DROP;

echo "rule 10";
### 10: Limit new TCP connections per second per source IP ###
$IPT -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT;
$IPT -A INPUT -p tcp -m conntrack --ctstate NEW -j LOG_DROP4;

echo "rule 11";
### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
#$IPT -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack;
#$IPT -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460;
#$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP;

echo "rule ssh brute-force protection";
### SSH brute-force protection ###
$IPT -A INPUT -p tcp --dport $DEF_SSHPORT -m conntrack --ctstate NEW -m recent --set;
$IPT -A INPUT -p tcp --dport $DEF_SSHPORT -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j LOG_DROP4;

echo "rule ssh protection against port scanning";
### Protection against port scanning ###
$IPT -N port-scanning;
$IPT -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN;
$IPT -A port-scanning -j LOG_DROP4;

#echo "reject traffic to localhost that does not originate from lo";
#reject traffic to localhost that does not originate from lo
#$IPT -t filter -A INPUT ! -i lo -s 127.0.0.0/8 -j LOG_DROP4;

######################
# Default Policy DROP#
###################v##
$IPT -A INPUT -i $ETH_INTERFACE   -j LOG_DROP5;
$IPT -A FORWARD -i $ETH_INTERFACE -j LOG_DROP6;
$IPT -A OUTPUT  -j LOG_DROP7;

rm /etc/iptables/rules.v4;
iptables-save > /etc/iptables/rules.v4;

apt-get install -y iptables-persistent;

Можно ли помочь мне отредактировать правила позволить соединения TCP на 80?

Это ifconfig вывод:

ens3      Link encap:Ethernet  HWaddr fa:16:3e:4c:4c:65
          inet addr:... Bcast:...  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3598 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3118 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:268852 (268.8 KB)  TX bytes:4216143 (4.2 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:18186 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18186 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:1262093 (1.2 MB)  TX bytes:1262093 (1.2 MB)

Question 2

открытый файл конфигурации iptables и добавляют это правило

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Question 3

Question 4

Я нашел, что это помогло:

    $IPT -A INPUT -i $ETH_INTERFACE -p tcp --sport 1024:65535 --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
    $IPT -A OUTPUT -o $ETH_INTERFACE -p tcp --sport 8080 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT;

Благодарит Вас все!

Sukhjinder Singh · Answer 1 · 8 December 2019 в 07:50

открытый файл конфигурации iptables и добавляют это правило

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

0

ответ дан Sukhjinder Singh 8 December 2019 в 07:50

Paul Akulich · Answer 2 · 8 December 2019 в 07:50

Я нашел, что это помогло:

    $IPT -A INPUT -i $ETH_INTERFACE -p tcp --sport 1024:65535 --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT;
    $IPT -A OUTPUT -o $ETH_INTERFACE -p tcp --sport 8080 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT;

Благодарит Вас все!

Нуждаюсь в помощи с iptables

2 ответа

Другие вопросы по тегам:

Похожие вопросы: