Nefaria.com

Tag: iptables

How to make your GNU/Linux servers just a bit more secure (using iptables)

by musashi on Feb.26, 2010, under I.T.

First, the code:

#!/bin/bash
shopt -s -o nounset
shopt -s extglob

declare APNIC="ftp://ftp.apnic.net/public/stats/apnic/delegated-apnic-latest"
declare AFRINIC="ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest"
declare LACNIC="ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest"
declare RIPENCC="ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest"
declare IP=unset
# Cached list of networks. /tmp is world-writable, so on a multi-user host keep this
# file in a directory only root can write: every line of it ends up in an iptables rule.
declare CACHE_FILE="/tmp/cached_IP_addresses"
declare CACHE_MAX_AGE=30 # Number of days to rely on the cached list of networks
declare USE_CACHE=false  # Do not use cache by default

# Wipe out any existing iptables rules (filter table) before proceeding
iptables -F

checkcache() {
        # Discard the cache once it is older than CACHE_MAX_AGE days, otherwise reuse it
        if [ -n "$(find "$CACHE_FILE" -maxdepth 0 -mtime +"$CACHE_MAX_AGE" 2>/dev/null)" ]; then
                rm -f "$CACHE_FILE"
        elif [ -f "$CACHE_FILE" ]; then
                USE_CACHE=true
        fi
}

ipfeeder() {
        if [ "$USE_CACHE" = "true" ]; then
                cat "$CACHE_FILE"
                return
        fi
        # Fetch the four RIR delegation files, keep the start-address column (field 4),
        # and treat every delegation that starts at x.0.0.0 as the whole x.0.0.0/8 network.
        # Download into a temporary file first: writing straight into the cache would leave
        # an empty cache behind (and block nothing for CACHE_MAX_AGE days) if curl fails.
        curl -s "$APNIC" "$AFRINIC" "$LACNIC" "$RIPENCC" |
                awk -F'|' '{print $4}' |
                fgrep ".0.0.0" |
                sed -e 's:$:/8:g' > "$CACHE_FILE.tmp"
        if [ -s "$CACHE_FILE.tmp" ]; then
                mv -f "$CACHE_FILE.tmp" "$CACHE_FILE"
                cat "$CACHE_FILE"
        else
                rm -f "$CACHE_FILE.tmp"
                echo "ipfeeder: could not download the network lists, no networks blocked" >&2
        fi
}

checkcache

# Quote $IP so that a malformed line in the list cannot be split into extra iptables arguments
ipfeeder | while read -r IP; do
        # Drop inbound packets from $IP
        iptables -A INPUT -s "$IP" -j DROP
        # Drop outbound packets to $IP
        iptables -A OUTPUT -d "$IP" -j DROP
done

# Rate limit some protocols

# Record every new ssh connection per source address, then drop a source address's new
# connection attempts once it has hit 10 of them within 1800 seconds (30 minutes)
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 1800 --hitcount 10 -j DROP

This is fairly self-explanatory. Basically, you’re telling iptables to drop any inbound packets from, and any outbound packets to, the networks produced by the ipfeeder() function, and just for good measure, we rate limit new incoming ssh connections to 10 every 30 minutes per source address. (If you have port 22 open to the outside world, have a look in /var/log/secure or /var/log/auth: there’s probably a shitload of break-in attempts that have been logged; grep for sshd and you’ll see what I mean.)

Remember, iptables rules don’t survive reboots! So make sure that this script runs on system startup (e.g., insert a call to the script in /etc/rc.local.)

For detailed lists of all networks in the apnic, afrinic, lacnic, and ripe-ncc registries, visit the following URLs:

ftp://ftp.apnic.net/public/stats/apnic/delegated-apnic-latest
ftp://ftp.apnic.net/public/stats/afrinic/delegated-afrinic-latest
ftp://ftp.apnic.net/public/stats/lacnic/delegated-lacnic-latest
ftp://ftp.apnic.net/public/stats/ripe-ncc/delegated-ripencc-latest
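The ipfeeder() pipeline above turns every delegation whose start address ends in .0.0.0 into a full /8, which blocks more than the registry actually lists. As an added example that is not part of the original post, the script below converts records from the delegated-*-latest files into exact CIDR prefixes instead, splitting counts that are not a power of two into several blocks; the sample records are constructed, and the record layout registry|cc|type|start|count|date|status is assumed from those files.

```shell
#!/bin/bash
# Convert RIR "delegated-*" records into exact CIDR prefixes instead of guessing a /8.
# Assumed record layout: registry|cc|type|start|count|date|status

# Constructed sample input, mimicking delegated-apnic-latest lines (not real allocations)
SAMPLE_RECORDS='apnic|AU|ipv4|1.0.0.0|256|20110811|assigned
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|JP|ipv4|14.0.0.0|16777216|20100218|allocated
apnic|KR|ipv4|27.0.0.0|768|20100130|allocated
apnic|JP|ipv6|2001:200::|35|19990813|allocated
apnic|*|ipv4|*|1000|summary'

# Dotted quad -> 32-bit integer and back
ip2int() { local IFS=.; set -- $1; echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }
int2ip() { echo "$(( ($1>>24)&255 )).$(( ($1>>16)&255 )).$(( ($1>>8)&255 )).$(( $1&255 ))"; }

# Emit the CIDR blocks covering [start, start+count); a count that is not a power of
# two, or a start that is not aligned to it, is split into several aligned blocks
range_to_cidrs() {
    local addr=$(ip2int "$1") count=$2 size prefix
    while [ "$count" -gt 0 ]; do
        # largest block aligned at addr that still fits in the remaining count
        size=1; prefix=32
        while [ $((size*2)) -le "$count" ] && [ $(( addr % (size*2) )) -eq 0 ]; do
            size=$((size*2)); prefix=$((prefix-1))
        done
        echo "$(int2ip "$addr")/$prefix"
        addr=$((addr+size)); count=$((count-size))
    done
}

# Read a delegated file on stdin, skip ipv6/asn/summary/header lines, print exact prefixes.
# The output feeds the same "iptables -A INPUT -s PREFIX -j DROP" loop as the script above.
rir_ipv4_cidrs() {
    local registry cc type start count rest
    while IFS='|' read -r registry cc type start count rest; do
        [ "$type" = "ipv4" ] && [ "$start" != "*" ] || continue
        range_to_cidrs "$start" "$count"
    done
}

printf '%s\n' "$SAMPLE_RECORDS" | rir_ipv4_cidrs
```

The 768-address record comes out as 27.0.0.0/23 plus 27.0.2.0/24, and the 16777216-address record as 14.0.0.0/8.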


Alternate SMTP port with iptables

by musashi on Sep.29, 2009, under I.T.

Nowadays, more and more ISPs are blocking outbound port 25 (SMTP) for spam prevention or reduction purposes. This should be of concern to sysadmins who have users scattered across multiple ISPs (such as webhosting services) or corporate sysadmins who maintain e-mail for mobile users, for example. The workaround is to use the mail submission agent (MSA) port, 587. Most ISPs do not block outbound traffic for this port. On GNU/Linux, we can use iptables for this task. With a single command, we can redirect any inbound traffic destined for port 587 to port 25:

# Rewrite the destination port in the nat table before routing, so the MTA listening on
# port 25 also gets the connections that arrived on 587. PREROUTING only sees packets from
# other hosts, and by the time they reach the filter INPUT chain their destination port is
# already 25, so that is the port the INPUT rules have to accept.
iptables -t nat -I PREROUTING -p tcp --dport 587 -j REDIRECT --to-port 25
