How to use iptables?

I am getting a lot of unwanted access to my virtualmin web server:
Operating system Debian Linux 9, Webmin version 1.881, Virtualmin version 6.02.gpl, Kernel and CPU Linux 4.9.0-6-686-pae on i686

Here is a cleaned-up list of some of the accesses using ‘pktstat -i eth0 -nt’

152.6k 6% udp :22473 <-> :53
146.5k 5% udp :18575 <-> :53
122.1k 4% udp :52275 <-> :53

13.5k 0% arp

4.6k 0% udp 0.0.0.0:68 <-> 255.255.255.255:67

569.6 0% llc 802.1d -> 802.1d
417.7 0% udp :5353 <-> 224.0.0.251:5353
291.1 0% udp :137 <-> 209.160.27.255:137
224.7 0% udp :5678 <-> 255.255.255.255:5678
148.7 0% udp :1985 <-> 224.0.0.102:1985

My IP is not any of those above.

1- I would need something to prevent port 53 from getting so many queries.

2- Not sure what to do about ‘arp’ and 802.1d?

3- I did not enable 5353, 137, 5678 or 1985 but they seem to pass through. By default all should be dropped, no? See bottom of my post for more complete iptables.

Set default chain policies

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

4- I thought I already blocked port 0.0.0.0 and 255.255.255.255 using these?

Reject spoofed packets

-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -s 192.168.0.0/24 -j DROP

RFC 3330

-A INPUT -s 192.0.2.0/24 -j DROP

TEST-NET rfc3330

#-A INPUT -s 198.18.0/25 -j DROP

testnet2 from rfc2544

#-A INPUT -s 198.51.100/24 -j DROP

testnet3 RFC 5736, RFC 5737

#-A INPUT -s 203.0.113/24 -j DROP

protocol assignment(192.0.0.0/24)

-A INPUT -s 192.0.0.0/24 -j DROP

carrier grade nat from rfc6598

#-A INPUT -s 100.64/10 -j DROP

5- I tried blocking port 1985 and also IP 224.0.0.102 using this but it does not seem to work either:

Reject HSRP

-A INPUT -p udp --dport 1985 -j DROP
-A OUTPUT -p udp --dport 1985 -j DROP
-A OUTPUT -s 224.0.0.102 -j DROP

Drop multicast

-A INPUT -m pkttype --pkt-type multicast -j DROP

Here is a stripped-down version of my iptables.up.rules:

Each of the ‘allow’ below is like this but with a different port:

-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Allow previously accepted

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow incoming SSH

Allow Virtualmin

Allow incoming HTTP

Allow incoming HTTPS

MultiPorts (Allow incoming SSH, HTTP, and HTTPS)

Allow outgoing HTTP

Allow outgoing HTTPS

Ping from inside to outside

-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Ping from outside to inside

-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow all loopback (lo0) traffic

-A INPUT -i lo -j ACCEPT

Drop all traffic to 127/8 that doesn’t use lo0

-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT

Allow inbound DNS

Allow outbound DNS

Allow SMTP

Allow SMTP SSL

Allow POP3S

Allow FTP

to investigate?

-A INPUT -p tcp -m tcp -m limit --tcp-flags FIN,SYN,RST,ACK SYN --limit 5/sec -j ACCEPT

Prevent http DoS attack

-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

Drop null packets

-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Block fragmented Packet

-A INPUT -f -j DROP

Force SYN Packet Check

-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Drop XMAS Packet

-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Reject spoofed packets

see ‘4-’ above

Log dropped packets

-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 6/min -j LOG --log-prefix "iptables packet dropped: " --log-level 7
-A LOGGING -j DROP

-A FORWARD -j DROP
COMMIT
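To sort pktstat output like the listing above into the classes discussed in this thread (DNS, ARP and 802.1d chatter, multicast/broadcast) and flag the heavy DNS flows, here is an added Python example; it is not from the original post, and its sample lines are constructed to mirror the ones quoted, assuming the numeric (-n) output format. Since pktstat captures at the interface, it reports multicast and broadcast frames whether or not the iptables INPUT chain later drops them.

```python
import re
import ipaddress
from collections import defaultdict
# Constructed sample in `pktstat -i eth0 -nt` format, mirroring the post's lines.
SAMPLE = """\
152.6k 6% udp :22473 <-> :53
146.5k 5% udp :18575 <-> :53
13.5k 0% arp
4.6k 0% udp 0.0.0.0:68 <-> 255.255.255.255:67
569.6 0% llc 802.1d -> 802.1d
417.7 0% udp :5353 <-> 224.0.0.251:5353
"""
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?)([kM]?)\s+\d+%\s+(\S+)(?:\s+(.*))?$")
UNIT = {"": 1.0, "k": 1e3, "M": 1e6}  # rate suffixes as pktstat prints them
BCAST = ipaddress.ip_address("255.255.255.255")

def parse_line(line):
    """Parse one pktstat line into a flow dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rate, unit, proto, rest = m.groups()
    src = dst = ("", "")  # (host, port) as strings; host is empty for ':53'
    if proto in ("udp", "tcp") and rest and "->" in rest:
        left, right = re.split(r"\s+<?->\s+", rest, maxsplit=1)
        src, dst = left.rpartition(":")[::2], right.rpartition(":")[::2]
    return {"rate": float(rate) * UNIT[unit], "proto": proto, "src": src, "dst": dst}

def classify(flow):
    """Map a flow onto the traffic classes discussed in the thread."""
    if flow["proto"] in ("arp", "llc"):
        return flow["proto"]  # link-local chatter: ARP, 802.1d spanning tree
    if "53" in (flow["src"][1], flow["dst"][1]):
        return "dns"
    if flow["dst"][0]:
        addr = ipaddress.ip_address(flow["dst"][0])
        if addr.is_multicast or addr == BCAST:
            return "multicast/broadcast"  # group traffic, not unicast to this host
    return "other"

def summarize(text, dns_threshold=100e3):
    """Return (rate per class, DNS flows at or above dns_threshold)."""
    totals, noisy_dns = defaultdict(float), []
    for flow in filter(None, map(parse_line, text.splitlines())):
        cls = classify(flow)
        totals[cls] += flow["rate"]
        if cls == "dns" and flow["rate"] >= dns_threshold:
            noisy_dns.append((flow["src"], flow["dst"], flow["rate"]))
    return dict(totals), noisy_dns
```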

1- I would need something to prevent port 53 from getting so many queries.

If your Virtualmin server is one of the name servers that external hosts query to find your services (mail/web/etc), then you should expect to get regular traffic on port 53 UDP (this is DNS traffic).

2 - ARP is completely normal - it is used to resolve your IP address to your hardware MAC address on the local link (between the NIC, switch, router, other machines on the LAN). 802.1d is just some chatter from your switch.

3 - iptables rules are assessed in order. It’s hard to make any kind of call about your rules as you have posted them piecemeal.

1- If your Virtualmin server is one of the name servers that external hosts query to find your services (mail/web/etc), then you should expect to get regular traffic on port 53 UDP (this is DNS traffic).

I agree, but not >100kbs from one IP or more IPs continuously.

2 - ARP is completely normal - it is used to resolve your IP address to your hardware MAC address on the local link (between the NIC, switch, router, other machines on the LAN). 802.1d is just some chatter from your switch.

I am no expert but I sometimes get 70% of my bandwidth in arp so it looks abnormal to me.
The machine is a dedicated server connected to the internet in a data center.
So 802.1d is normal in that setup?

3 - iptables rules are assessed in order. It’s hard to make any kind of call about your rules as you have posted them piecemeal.
Thanks, I will try to move them up to see if it helps.

Re: 1. It’s possible that those IPs are using your server as a recursive DNS server. Generally this is undesirable. I don’t think the default Virtualmin BIND config prevents this. You can change the behavior as follows:

In Webmin -> Servers -> BIND DNS Server -> Edit Config File -> /etc/bind/named.conf.options

You will see

options { directory "/var/cache/bind";

at the top.

Change it to look like

options {
        directory "/var/cache/bind";
        allow-query { any; };
        allow-recursion { a.b.c.d; v.w.x.y; localhost; };

The a.b.c.d and v.w.x.y are optional. Replace them with IPs you would like to be able to use your DNS for recursive lookups, or just remove them if you only want your server to be able to do that. Don’t forget to save the file and restart BIND afterwards.
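A way to confirm from a host outside the allow-recursion list that the change took effect, as an added Python example that is not from this thread: it builds a recursive DNS query and reads the RA (recursion available) flag and RCODE from the reply, which is the same test an online open-resolver checker performs against your server. The probe() function, the server address it takes, and the two constructed replies are assumptions for illustration.

```python
import socket
import struct

def build_query(name, qid, rd=True, qtype=1):
    """Build a minimal DNS query (A record by default); rd sets Recursion Desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def response_flags(packet):
    """Decode the DNS header flag bits that an open-resolver check relies on."""
    qid, flags = struct.unpack("!HH", packet[:4])
    return {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F}

def is_open_recursive(packet, expected_id):
    """True if the server answered our recursive query and offered recursion (RA)."""
    f = response_flags(packet)
    return f["id"] == expected_id and f["qr"] and f["ra"] and f["rcode"] == 0

def probe(server, name="example.com", qid=0x2A2A, timeout=2.0):
    """Send a recursive query to your own server (hypothetical helper; needs network).
    Returns None on timeout, otherwise whether it behaved as an open resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return is_open_recursive(data, qid)

def constructed_response(query, ra, rcode):
    """Constructed sample reply: echo the query ID and question, set response flags."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8100 | (0x0080 if ra else 0) | (rcode & 0xF)  # QR + RD, plus RA/RCODE
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:]

QUERY = build_query("example.com", 0x1234)
OPEN_RESOLVER = constructed_response(QUERY, ra=True, rcode=0)  # recursion offered
RESTRICTED = constructed_response(QUERY, ra=False, rcode=5)    # REFUSED, RA clear
```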

Thanks for the info.

I had checked with this free web site tool and it turned out ok:
http://www.openresolver.com