Related

Can not join Unturned game server (stuck on loading, "server lost your connection". Not allowing inbound connections? Question Question
enabled UFW locks me out, my web pages doesn´t work, SSH also not, rulles applied Question Question

Question

iptables sanity check

Posted August 21, 2018 1.2k views
FirewallUbuntu 16.04

I have a small Ubuntu 16.04 server set up on DigitalOcean, and I’m working on securing it as much as I can. As there’s no reason anyone from outside the country should be accessing it, I’ve been slowly gathering unwanted IP’s from various sources (IPdeny, Spamhaus, and so on), putting them in an ipset block set, and adding that set to iptables with a DROP action. So far, so good, right?

Well, I’m also running psad for a bit of extra security, and here’s where I notice potential issues. Despite my ipset lists that are supposedly set up properly, psad still regularly gets hits from IP addresses that should be blocked. I am not sure if it’s picking up something that’s already been blocked by ipset, or if it’s something that made it through my blocklists somehow.

Would someone mind doing a sanity check on my iptables settings and tell me if I’ve got everything in the right place? The relevant parts are below - thanks!

root@m:~# iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-N MYBLOCKS
-N PSADBLOCKFORWARD
-N PSADBLOCKINPUT
-N PSADBLOCKOUTPUT

<<default ufw -N rules>>

-A INPUT -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j MYBLOCKS
-A INPUT -j PSADBLOCKINPUT

<<default ufw -A rules>>

-A INPUT -j LOG –log-prefix “[IPTABLES] ” –log-tcp-options
-A FORWARD -j PSADBLOCKFORWARD

<<default ufw forward rules>>

-A FORWARD -j LOG –log-prefix “[IPTABLES] ” –log-tcp-options

<<default ufw output rules>>

-A MYBLOCKS -p tcp -m set –match-set myblockset1 src -j DROP
-A MYBLOCKS -p tcp -m set –match-set myblockset2 src -j DROP
-A MYBLOCKS -p tcp -m set –match-set myblockset3 src -j DROP
-A MYBLOCKS -p tcp -m set –match-set myblockset4 src -j DROP

<<PSAD autoblocked IPs>>

<<remaining default UFW rules>>

Add a comment
zachb
By:
zachb
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer
X40C August 21, 2018

Heya,

Is this the psad you are talking about: http://cipherdyne.org/psad/ ? This one seems like a monitoring system designed to gather info from iptables and display statistics and such and i’m guessing that it will display the ips from the blocklist as well as it is getting the data from iptables.

Regards,
Alex

Reply Report
  • zachb August 22, 2018

    Yes, that’s the one. Wondering if I can somehow filter out the IPs that are already on the blocklist (blocked by psad or my ipset rules) and basically not log them if they’ve already been blocked.

    Reply Report
    • X40C August 25, 2018

      If the logs are in a file and you are using something like cat then you could add grep -v "keyword to exclude" and it will hide the unwanted ips(|grep -v "1.1.1.1" |grep -v "2.2.2.2"). Or maybe something like sed can remove them from the file entirely. Not sure if there is a way to filter them at the app level as i’ve never used psad.

      Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help