I have a small Ubuntu 16.04 server set up on DigitalOcean, and I’m working on securing it as much as I can. As there’s no reason anyone from outside the country should be accessing it, I’ve been slowly gathering unwanted IP’s from various sources (IPdeny, Spamhaus, and so on), putting them in an ipset block set, and adding that set to iptables with a DROP action. So far, so good, right?

Well, I’m also running psad for a bit of extra security, and here’s where I notice potential issues. Despite my ipset lists that are supposedly set up properly, psad still regularly gets hits from IP addresses that should be blocked. I am not sure if it’s picking up something that’s already been blocked by ipset, or if it’s something that made it through my blocklists somehow.

Would someone mind doing a sanity check on my iptables settings and tell me if I’ve got everything in the right place? The relevant parts are below - thanks!

root@m:~# iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-N MYBLOCKS
-N PSADBLOCKFORWARD
-N PSADBLOCKINPUT
-N PSADBLOCKOUTPUT
…
<<default ufw -N rules>>
…
-A INPUT -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j MYBLOCKS
-A INPUT -j PSADBLOCKINPUT
…
<<default ufw -A rules>>
…
-A INPUT -j LOG –log-prefix “[IPTABLES] ” –log-tcp-options
-A FORWARD -j PSADBLOCKFORWARD
…
<<default ufw forward rules>>
…
-A FORWARD -j LOG –log-prefix “[IPTABLES] ” –log-tcp-options
…
<<default ufw output rules>>
…
-A MYBLOCKS -p tcp -m set –match-set myblockset1 src -j DROP
-A MYBLOCKS -p tcp -m set –match-set myblockset2 src -j DROP
-A MYBLOCKS -p tcp -m set –match-set myblockset3 src -j DROP
-A MYBLOCKS -p tcp -m set –match-set myblockset4 src -j DROP
…
<<PSAD autoblocked IPs>>
…
<<remaining default UFW rules>>