Linode Forum
Linode Community Forums
PostPosted: Wed Jul 20, 2011 10:17 am 
Newbie

Joined: Wed Jul 20, 2011 10:11 am
Posts: 3
Hi there. I moved to linode.com yesterday after migrating from slicehost.com and I have reason to believe that my iptables file may be wrongly configured and open to malicious traffic. The reason I believe that is that I had on my old host a sudden traffic spike of malicious attacks after setting this up. I also could not SSH on Linode when the "SSH" portion was under the "CloudFlare" portion.

In short: I want to be sure I got it right this time. If someone would be kind enough to take a look at them and correct any errors, I'd really appreciate it.

I use Ubuntu 10.4

Quote:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 6969 -j ACCEPT

# Whitelist CloudFlare Service IP Ranges
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.240.0-204.93.240.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.177.0-204.93.177.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 199.27.128.0-199.27.135.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 173.245.48.0-173.245.63.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 103.22.200.0-103.22.203.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 141.101.64.0-141.101.127.255 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable

COMMIT


PostPosted: Thu Jul 21, 2011 7:02 pm 
Senior Member

Joined: Sun Oct 30, 2005 7:52 pm
Posts: 97
Quote:
*filter
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# Whitelist CloudFlare Service IP Ranges
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.240.0-204.93.240.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.177.0-204.93.177.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 199.27.128.0-199.27.135.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 173.245.48.0-173.245.63.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 103.22.200.0-103.22.203.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 141.101.64.0-141.101.127.255 -j ACCEPT

I don't see anything wrong per se, but if you check the counters for the rules, you'll find out the first rule will match before the CloudFlare rules.

--
Travis


PostPosted: Fri Jul 22, 2011 10:47 am 
Newbie

Joined: Wed Jul 20, 2011 10:11 am
Posts: 3
Thank you, Travis, for taking a look at my iptables. Unfortunately I am not sure what you are trying to tell me, as I am very much a newbie with these things (else I wouldn't ask :))

Can you please explain to me what the counters are that you mean?

Did you mean that I should move the CloudFlare acceptances before the port 80 and port 443 rules? Or did you mean that they should be moved before this line:
Quote:
# cloudflare here

# the other rules
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT


Sorry for being such a newbie :)


PostPosted: Fri Jul 22, 2011 11:20 am 
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
Yes, there's that too, but the port 80 rule makes all the cloudflare rules redundant. There's no need to whitelist port 80 for those IP ranges when you already explicitly allow port 80 from *any* IP address...

I'm no IPTABLES whiz, but I believe it's a first-match-wins type system. The first rule that matches for a given packet is used and halts evaluation of any further rules.


PostPosted: Fri Jul 22, 2011 12:10 pm 
Senior Member

Joined: Sun Oct 30, 2005 7:52 pm
Posts: 97
Genjin wrote:
Can you please explain to me what the counters are that you mean?

If you execute 'iptables -vnL' you will see the counters for each iptables rule. You'll be able to see how many packets/bytes are being matched by your rules.

Genjin wrote:
Sorry for being such a newbie :)

Don't be, that is how we all learn, by asking questions.


Each packet is evaluated from top to bottom by your iptables rules. Thus the order of the rules is important. As Guspaz noted, the first rule that matches wins.

Code:
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 

It is unnecessary to have the firewall evaluate all traffic hitting your linode against your cloudflare rules when the above rule will allow all http port 80 traffic to be accepted (first rule matched wins). Thus you should remove the cloudflare rules as they will not have any matches. If you want to reject/drop all http port 80 traffic except for traffic from cloudflare, then what you have won't accomplish that.

--
Travis
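As an added illustration of the first-match-wins point (not code from the thread or from either poster): a small Python model of the INPUT chain, fed a constructed subset of the poster's rules and three constructed packets, that reports per-rule counters the way 'iptables -vnL' would, so the CloudFlare rules can be seen never matching while the blanket port-80 rule exists, and matching once that rule is removed.

```python
import ipaddress
import re
# Constructed subset of the thread's INPUT chain (two CloudFlare ranges), in the original order.
ORIGINAL_RULES = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 6969 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.240.0-204.93.240.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 199.27.128.0-199.27.135.255 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""
# Same chain minus the blanket port-80 ACCEPT, which is what "only CloudFlare may reach HTTP" needs.
CLOUDFLARE_ONLY = "\n".join(l for l in ORIGINAL_RULES.splitlines() if "-m tcp --dport 80" not in l)
# Constructed packets: new HTTP from a CloudFlare address, then new HTTP and SSH from elsewhere.
PACKETS = [
    {"src": "204.93.240.10", "proto": "tcp", "dport": 80, "state": "NEW"},
    {"src": "203.0.113.7", "proto": "tcp", "dport": 80, "state": "NEW"},
    {"src": "203.0.113.7", "proto": "tcp", "dport": 22, "state": "NEW"},
]

def parse(text):  # keep only the match fields this toy model understands; 'pkts' is the counter
    rules = []
    for line in text.strip().splitlines():
        r = {"raw": line, "pkts": 0, "target": re.search(r"-j (\w+)", line).group(1)}
        m = re.search(r"--dport (\d+)", line)
        r["dport"] = int(m.group(1)) if m else None
        m = re.search(r"\s-p (\w+)", line)
        r["proto"] = m.group(1) if m else None
        m = re.search(r"--state (\S+)", line)
        r["state"] = set(m.group(1).split(",")) if m else None
        m = re.search(r"--src-range (\S+)-(\S+)", line)
        r["range"] = tuple(ipaddress.ip_address(a) for a in m.groups()) if m else None
        rules.append(r)
    return rules
def matches(r, pkt):
    src = ipaddress.ip_address(pkt["src"])
    return ((r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["dport"] is None or r["dport"] == pkt["dport"])
            and (r["state"] is None or pkt["state"] in r["state"])
            and (r["range"] is None or r["range"][0] <= src <= r["range"][1]))
def evaluate(rules, pkt):  # first matching rule wins: bump its counter, its target is the verdict
    for r in rules:
        if matches(r, pkt):
            r["pkts"] += 1
            return r["target"]
    return "ACCEPT"  # chain policy ':INPUT ACCEPT' applies when no rule matched
def run(text, packets):  # returns (verdict per packet, per-rule counters as 'iptables -vnL' shows)
    rules = parse(text)
    return [evaluate(rules, p) for p in packets], [r["pkts"] for r in rules]
```

With the original order the two iprange rules end the run with zero hits and the non-CloudFlare HTTP packet is accepted; with the blanket rule removed, the CloudFlare packet is accepted by its range rule and the other HTTP packet falls through to the final REJECT.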


PostPosted: Fri Jul 22, 2011 1:20 pm 
Newbie

Joined: Wed Jul 20, 2011 10:11 am
Posts: 3
Now I understand! Thanks for being so patient, I really appreciate that. I took the CloudFlare rules out.

I hope it really is more or less secure. When I googled around on that topic I saw iptables that were at least 2-3 pages long - it's scary. That makes me respect trained security experts even more ;)

So thank you two again for taking a look and helping me out, I am glad that the Linode Community is so friendly and helpful :)

