| Linode Forum https://forum.linode.com/ |
|
| Someone to check my iptables File (Ubuntu 10.4) https://forum.linode.com/viewtopic.php?f=19&t=7440 |
| Author: | Genjin [ Wed Jul 20, 2011 10:17 am ] |
| Post subject: | Someone to check my iptables File (Ubuntu 10.4) |
Hi there. I moved to linode.com yesterday after migrating from slicehost.com and I have reason to believe that my iptables file may be wrongly configured and open to malicious traffic. The reason I believe that is that I had on my old host a sudden traffic spike of malicious attacks after setting this up. I also could not SSH on Linode when the "SSH" portion was under the "CloudFlare" portion. In short: I want to be sure I got it right this time. If someone would be kind enough to take a look at them and correct any errors, I'd really appreciate it. I use Ubuntu 10.4.
Quote:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 6969 -j ACCEPT
# Whitelist CloudFlare Service IP Ranges
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.240.0-204.93.240.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.177.0-204.93.177.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 199.27.128.0-199.27.135.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 173.245.48.0-173.245.63.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 103.22.200.0-103.22.203.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 141.101.64.0-141.101.127.255 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT |
|
| Author: | otherbbs [ Thu Jul 21, 2011 7:02 pm ] |
| Post subject: | Re: Someone to check my iptables File (Ubuntu 10.4) |
Quote:
*filter
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Whitelist CloudFlare Service IP Ranges
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.240.0-204.93.240.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.177.0-204.93.177.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 199.27.128.0-199.27.135.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 173.245.48.0-173.245.63.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 103.22.200.0-103.22.203.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 141.101.64.0-141.101.127.255 -j ACCEPT
I don't see anything wrong per se, but if you check the counters for the rules, you'll find out the first rule will match before the CloudFlare rules. -- Travis |
|
| Author: | Genjin [ Fri Jul 22, 2011 10:47 am ] |
| Post subject: | |
Thank you Travis for taking a look at my iptables. Unfortunately I am not sure what you are trying to tell me as I am very much a newbie with these things (else I wouldn't ask). Can you please explain to me what the counters are that you mean? Did you mean that I should move the CloudFlare acceptances before the port 80 and port 443? Or did you mean that they should be moved before this line:
Quote:
# cloudflare here
# the other rules
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
Sorry for being such a newbie |
|
| Author: | Guspaz [ Fri Jul 22, 2011 11:20 am ] |
| Post subject: | |
Yes, there's that too, but the port 80 rule makes all the cloudflare rules redundant. There's no need to whitelist port 80 for those IP ranges when you already explicitly allow port 80 from *any* IP address... I'm no IPTABLES whiz, but I believe it's a first-match-wins type system. The first rule that matches for a given packet is used and halts evaluation of any further rules. |
|
| Author: | otherbbs [ Fri Jul 22, 2011 12:10 pm ] |
| Post subject: | |
Genjin wrote: Can you please explain to me what the counters are that you mean?
If you execute 'iptables -vnL' you will see the counters for each iptables rule. You'll be able to see how many packets/bytes are being matched by your rules.
Genjin wrote: Sorry for being such a newbie :)
Don't be, that is how we all learn, by asking questions. Each packet is evaluated from top to bottom by your iptables rules. Thus the order of the rules is important. As Guspaz noted, the first rule matched wins.
Code:
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
It is unnecessary to have the firewall evaluate all traffic hitting your linode against your cloudflare rules when the above rule will allow all http port 80 traffic to be accepted (first rule matched wins). Thus you should remove the cloudflare rules as they will not have any matches. If you want to reject/drop all http port 80 traffic except for traffic from cloudflare, then what you have won't accomplish that. -- Travis |
|
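The first-match behaviour Travis and Guspaz describe, as an added example that is not part of the thread: a small Python simulator for the subset of rule syntax quoted above (-p, --dport, --src-range, -j), keeping a hit counter per rule the way `iptables -vnL` would. It uses two of the CloudFlare ranges and the final REJECT from the posted file; the sample packets and the 198.51.100.7 source address are constructed. With the rules as posted the CloudFlare rules never match; with the broad port-80 rule removed, only the CloudFlare ranges reach port 80, which is the "reject everything except cloudflare" case Travis mentions.

```python
import ipaddress
import shlex

def parse_rule(line):
    """Parse the -p/--dport/--src-range/-j subset used in the thread; other options are ignored."""
    toks = shlex.split(line)
    opt = {toks[i]: toks[i + 1] for i in range(len(toks) - 1) if toks[i].startswith("-")}
    src = None
    if "--src-range" in opt:
        lo, hi = opt["--src-range"].split("-")
        src = (int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)))
    return {"proto": opt.get("-p"), "dport": int(opt["--dport"]) if "--dport" in opt else None,
            "src": src, "target": opt["-j"]}

def matches(rule, proto, dport, src):
    ip = int(ipaddress.ip_address(src))
    return ((rule["proto"] is None or rule["proto"] == proto)
            and (rule["dport"] is None or rule["dport"] == dport)
            and (rule["src"] is None or rule["src"][0] <= ip <= rule["src"][1]))

def evaluate(rules, packets):
    """Walk the chain top to bottom; the first matching rule wins. Returns (verdicts, hits per rule)."""
    counters = [0] * len(rules)
    verdicts = []
    for proto, dport, src in packets:
        verdict = "ACCEPT"  # chain policy, ':INPUT ACCEPT' in the posted file
        for i, rule in enumerate(rules):
            if matches(rule, proto, dport, src):
                counters[i] += 1
                verdict = rule["target"]
                break
        verdicts.append(verdict)
    return verdicts, counters

# Rules quoted from the thread (two of the CloudFlare ranges) plus its final REJECT.
BROAD_80 = "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT"
REST = [
    "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT",
    "-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.240.0-204.93.240.255 -j ACCEPT",
    "-A INPUT -p tcp --dport 80 -m iprange --src-range 199.27.128.0-199.27.135.255 -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-port-unreachable",
]
ORIGINAL = [parse_rule(r) for r in [BROAD_80] + REST]  # order as posted
CLOUDFLARE_ONLY = [parse_rule(r) for r in REST]        # broad port-80 rule removed
# Constructed sample packets: (proto, dport, source); 198.51.100.7 is a documentation address.
PACKETS = [("tcp", 80, "204.93.240.10"), ("tcp", 80, "198.51.100.7"), ("tcp", 443, "198.51.100.7")]

if __name__ == "__main__":
    for name, chain in (("as posted", ORIGINAL), ("cloudflare-only", CLOUDFLARE_ONLY)):
        print(name, evaluate(chain, PACKETS))
```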
| Author: | Genjin [ Fri Jul 22, 2011 1:20 pm ] |
| Post subject: | |
Now I understand! Thanks for being so patient, I really appreciate that. I took the CloudFlare rules out. I hope it really is more or less secure. When I googled around on that topic I saw iptables files that were at least 2-3 pages long - it's scary. That makes me respect trained security experts even more. So thank you two again for taking a look and helping me out, I am glad that the Linode Community is so friendly and helpful. |
|
| Page 1 of 1 | All times are UTC-04:00 |
|