iptables sanity check

August 21, 2018
Firewall Ubuntu 16.04

I have a small Ubuntu 16.04 server set up on DigitalOcean, and I’m working on securing it as much as I can. As there’s no reason anyone from outside the country should be accessing it, I’ve been slowly gathering unwanted IPs from various sources (IPdeny, Spamhaus, and so on), putting them in an ipset block set, and adding that set to iptables with a DROP action. So far, so good, right?

Well, I’m also running psad for a bit of extra security, and here’s where I notice potential issues. Despite my ipset lists that are supposedly set up properly, psad still regularly gets hits from IP addresses that should be blocked. I am not sure if it’s picking up something that’s already been blocked by ipset, or if it’s something that made it through my blocklists somehow.

Would someone mind doing a sanity check on my iptables settings and tell me if I’ve got everything in the right place? The relevant parts are below - thanks!

root@m:~# iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-N MYBLOCKS
-N PSADBLOCKFORWARD
-N PSADBLOCKINPUT
-N PSADBLOCKOUTPUT

<<default ufw -N rules>>

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j MYBLOCKS
-A INPUT -j PSADBLOCKINPUT

<<default ufw -A rules>>

-A INPUT -j LOG --log-prefix "[IPTABLES] " --log-tcp-options
-A FORWARD -j PSADBLOCKFORWARD

<<default ufw forward rules>>

-A FORWARD -j LOG --log-prefix "[IPTABLES] " --log-tcp-options

<<default ufw output rules>>

-A MYBLOCKS -p tcp -m set --match-set myblockset1 src -j DROP
-A MYBLOCKS -p tcp -m set --match-set myblockset2 src -j DROP
-A MYBLOCKS -p tcp -m set --match-set myblockset3 src -j DROP
-A MYBLOCKS -p tcp -m set --match-set myblockset4 src -j DROP

<<PSAD autoblocked IPs>>

<<remaining default UFW rules>>
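One detail in the listing above is worth checking mechanically: every rule in MYBLOCKS carries -p tcp, so a UDP or ICMP packet from a listed address passes through MYBLOCKS unmatched, continues down INPUT and ends up in the final LOG rule, which is exactly what psad reads. The script below is an added example, not code from the poster; it parses `iptables -S` text (the embedded sample is constructed from the question's listing, with the ufw chains left out), reports ipset DROP rules that are limited to one protocol, prints the `iptables -R` command that would replace each with a protocol-agnostic rule, and lists any ACCEPT that is evaluated in INPUT before the jump into the blocklist chain.

```python
"""Lint `iptables -S` output for blocklist rules that do not cover every protocol.

Added example, not code from the original post. Run against a live box with
`iptables -S | python3 lint_blocklist.py -`; without an argument it lints the
constructed sample below.
"""
import shlex
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the question's listing (ufw chains omitted).
SAMPLE_IPTABLES_S = """\
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-N MYBLOCKS
-N PSADBLOCKINPUT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j MYBLOCKS
-A INPUT -j PSADBLOCKINPUT
-A INPUT -j LOG --log-prefix "[IPTABLES] " --log-tcp-options
-A MYBLOCKS -p tcp -m set --match-set myblockset1 src -j DROP
-A MYBLOCKS -p tcp -m set --match-set myblockset2 src -j DROP
-A MYBLOCKS -m set --match-set myblockset3 src -j DROP
"""


@dataclass
class Rule:
    chain: str
    index: int                 # 1-based position in its chain, as `iptables -R` numbers them
    proto: Optional[str]       # value of -p, or None when the rule matches all protocols
    match_set: Optional[str]   # ipset name from `-m set --match-set NAME flags`
    target: Optional[str]      # value of -j
    tokens: List[str]          # the shell-split rule, kept for rewriting


def parse_rules(text: str) -> List[Rule]:
    """Parse the `-A` lines of `iptables -S` output; -P and -N lines are skipped."""
    rules: List[Rule] = []
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        chain = tokens[1]
        counts[chain] = counts.get(chain, 0) + 1
        proto = match_set = target = None
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok in ("-p", "--protocol") and i + 1 < len(tokens):
                proto = tokens[i + 1]
                i += 2
            elif tok == "--match-set" and i + 2 < len(tokens):
                match_set = tokens[i + 1]   # tokens[i + 2] is the src/dst flag list
                i += 3
            elif tok in ("-j", "--jump") and i + 1 < len(tokens):
                target = tokens[i + 1]
                i += 2
            else:
                i += 1
        rules.append(Rule(chain, counts[chain], proto, match_set, target, tokens))
    return rules


def protocol_scoped_set_drops(rules: List[Rule]) -> List[Rule]:
    """ipset DROP rules that fire for one protocol only: any other protocol from a
    listed address falls through to whatever follows the jump (here the LOG rule)."""
    return [r for r in rules if r.match_set and r.target == "DROP" and r.proto]


def accepts_before_blocklist(rules: List[Rule], chain: str = "INPUT") -> List[Rule]:
    """ACCEPT rules in `chain` evaluated before the first jump into a chain that
    holds ipset DROPs; packets they accept are never checked against the sets."""
    block_chains = {r.chain for r in rules if r.match_set and r.target == "DROP"}
    found: List[Rule] = []
    for r in rules:
        if r.chain != chain:
            continue
        if r.target in block_chains:
            break
        if r.target == "ACCEPT":
            found.append(r)
    return found


def fix_command(rule: Rule) -> str:
    """`iptables -R` command that replaces the rule in place with the same set
    match minus the -p restriction, so every protocol from the set is dropped."""
    keep: List[str] = []
    i = 2
    while i < len(rule.tokens):
        if rule.tokens[i] in ("-p", "--protocol"):
            i += 2
            continue
        keep.append(rule.tokens[i])
        i += 1
    return "iptables -R %s %d %s" % (rule.chain, rule.index, shlex.join(keep))


def lint(text: str) -> List[str]:
    rules = parse_rules(text)
    report: List[str] = []
    for r in protocol_scoped_set_drops(rules):
        report.append("%s rule %d drops %s for %s only; other protocols fall through. Fix: %s"
                      % (r.chain, r.index, r.match_set, r.proto, fix_command(r)))
    for r in accepts_before_blocklist(rules):
        report.append("INPUT rule %d ACCEPTs before the blocklist jump: %s"
                      % (r.index, shlex.join(r.tokens)))
    return report


if __name__ == "__main__":
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_IPTABLES_S
    print("\n".join(lint(data)) or "no findings")
```

The conntrack ACCEPT it reports is expected on a server that only accepts inbound connections; anything else showing up ahead of the MYBLOCKS jump deserves a look. To confirm the diagnosis on the live box rather than from the rule text, `iptables -L MYBLOCKS -v -n` shows per-rule packet counters, and `ipset test myblockset1 <address>` tells you whether a specific address psad reported is actually in the set.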

1 Answer

Heya,

Is this the psad you are talking about: http://cipherdyne.org/psad/ ? This one seems like a monitoring system designed to gather info from iptables and display statistics and such, and I’m guessing that it will display the IPs from the blocklist as well, as it is getting the data from iptables.

Regards,
Alex

  • Yes, that’s the one. Wondering if I can somehow filter out the IPs that are already on the blocklist (blocked by psad or my ipset rules) and basically not log them if they’ve already been blocked.

    • If the logs are in a file and you are using something like cat, then you could add grep -v "keyword to exclude" and it will hide the unwanted IPs (| grep -v "1.1.1.1" | grep -v "2.2.2.2"). Or maybe something like sed can remove them from the file entirely. Not sure if there is a way to filter them at the app level, as I’ve never used psad.
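Rather than hiding listed addresses with grep -v, it is more informative to sort the logged packets by whether their source is in a block set, because DROP is a terminating target: a packet dropped in MYBLOCKS never reaches the LOG rule at the end of INPUT. So a "[IPTABLES]" line whose SRC is in one of the sets is evidence that the set rule did not match that packet (for example because the rule is limited to -p tcp), and the protocol of those lines tells you what is slipping through. The script below is an added example, not code from anyone in the thread; the set names, addresses and log lines embedded in it are constructed, while the `ipset save` layout and the kernel LOG field names are the real formats.

```python
"""Classify iptables LOG lines by whether their source is already in an ipset.

Added example, not code from the original thread. With no arguments it runs
on the constructed samples below; with two it reads an `ipset save` dump and
a kernel log file: `ipset save > sets.txt; python3 classify.py sets.txt /var/log/kern.log`.
"""
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed `ipset save` output: one hash:net set and one hash:ip set.
SAMPLE_IPSET_SAVE = """\
create myblockset1 hash:net family inet hashsize 1024 maxelem 65536
add myblockset1 203.0.113.0/24
add myblockset1 198.51.100.7
create myblockset2 hash:ip family inet hashsize 1024 maxelem 65536
add myblockset2 192.0.2.44
"""

# Constructed kernel log lines in the shape the INPUT LOG rule produces.
SAMPLE_KERN_LOG = """\
Aug 21 10:00:01 m kernel: [IPTABLES] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.5 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5353 DPT=5060 LEN=40
Aug 21 10:00:02 m kernel: [IPTABLES] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.44 DST=10.0.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Aug 21 10:00:03 m kernel: [IPTABLES] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.18.0.9 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

Entry = Tuple[str, str, Optional[str]]   # (source address, protocol, set name or None)


def load_ipsets(dump: str) -> Dict[str, list]:
    """Map set name -> networks, from the `add SET ENTRY` lines of `ipset save`.
    Single addresses become /32 (or /128) networks so one containment test serves both."""
    sets: Dict[str, list] = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "add":
            sets.setdefault(parts[1], []).append(ip_network(parts[2], strict=False))
    return sets


def set_containing(src: str, sets: Dict[str, list]) -> Optional[str]:
    """Name of the first set whose entries cover `src`, or None."""
    addr = ip_address(src)
    for name, nets in sets.items():
        if any(addr in net for net in nets):   # version mismatch simply tests False
            return name
    return None


FIELD = re.compile(r"\b(SRC|PROTO)=(\S*)")


def classify(log_text: str, sets: Dict[str, list]) -> Tuple[List[Entry], List[Entry]]:
    """Split LOG lines into (listed, unlisted) by source address.

    A logged packet whose SRC is in a set was not dropped by the set rule:
    DROP is terminating, so a dropped packet never reaches a later LOG rule."""
    listed: List[Entry] = []
    unlisted: List[Entry] = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "SRC" not in fields:
            continue   # not an iptables LOG line
        name = set_containing(fields["SRC"], sets)
        entry: Entry = (fields["SRC"], fields.get("PROTO", "?"), name)
        (listed if name else unlisted).append(entry)
    return listed, unlisted


def leaked_by_protocol(listed: List[Entry]) -> Counter:
    """How many logged packets from listed addresses there were, per protocol."""
    return Counter(proto for _, proto, _ in listed)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            sets = load_ipsets(f.read())
        with open(sys.argv[2]) as f:
            log = f.read()
    else:
        sets, log = load_ipsets(SAMPLE_IPSET_SAVE), SAMPLE_KERN_LOG
    listed, unlisted = classify(log, sets)
    for src, proto, name in listed:
        print("LEAK %-15s %-5s in %s but logged, so not dropped by the set rule" % (src, proto, name))
    for src, proto, _ in unlisted:
        print("NEW  %-15s %-5s not in any set" % (src, proto))
    print("leaked by protocol:", dict(leaked_by_protocol(listed)))
```

On the sample this reports the UDP and ICMP packets from listed addresses as leaks and the TCP probe from the unlisted address as genuinely new, which is the split the grep -v approach cannot give you. If the leaked-by-protocol summary on a real log is all non-TCP, the -p tcp restriction on the set rules is the explanation; if TCP shows up there too, the address was probably added to the set after that packet was logged, which `ipset test` on the current set will not tell you.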
