iptables help please

Since upgrading my VPS from CentOS 5.1 to 5.2 I am getting some errors in messages that look like they are iptables related.

If anybody could help by commenting on my iptables rules and letting me know if I have them set up incorrectly, I would appreciate it.

This is on an OpenVZ VPS at a remote data center, not a box on my LAN.

The xx.xx.xx.xx is my static IP for my home office.

The chain "banished" holds the IPs of crackers who were repeatedly trying to get into my system; their source IPs are set to deny.

Run chain banished Always
Accept If input interface is lo
Accept If protocol is TCP and TCP flags ACK (of ACK) are set
Accept If state of connection is ESTABLISHED
Accept If state of connection is RELATED
Accept If protocol is TCP and source port is 53
Accept If protocol is UDP and source port is 53
Accept If protocol is ICMP and ICMP type is echo-reply
Accept If protocol is ICMP and ICMP type is destination-unreachable
Accept If protocol is ICMP and ICMP type is source-quench
Accept If protocol is ICMP and ICMP type is time-exceeded
Accept If protocol is ICMP and ICMP type is parameter-problem
Accept If protocol is ICMP and ICMP type is echo-request
Drop If protocol is TCP and destination port is ftp
Accept If protocol is TCP and source is xx.xx.xx.xx and destination port is ssh
Drop If protocol is TCP and destination port is ssh
Accept If protocol is TCP and destination port is 25
Accept If protocol is TCP and destination port is 80
Accept If protocol is TCP and source is xx.xx.xx.xx and destination port is 110
Drop If protocol is TCP and destination port is 110
Accept If protocol is TCP and destination port is 113
Accept If protocol is TCP and source is xx.xx.xx.xx and destination port is 143
Drop If protocol is TCP and destination port is 143
Accept If protocol is TCP and destination port is 443
Drop If protocol is TCP and destination port is 465
Accept If protocol is TCP and source is xx.xx.xx.xx and destination port is 10000:10010
Drop If protocol is TCP and destination port is 10000:10010
Accept If protocol is TCP and source is xx.xx.xx.xx and destination port is 20000
Drop If protocol is TCP and destination port is 20000
Accept If source is 127.0.0.1
Accept If input interface is venet0

The type of error I am seeing is:
Jul 10 16:42:12 vps kernel: IN= OUT=venet0 SRC=IP.IP.IP.IP DST=xx.xx.xx.xx LEN=1452 TOS=0x08 PREC=0x00 TTL=64 ID=4361 DF PROTO=TCP SPT=22 DPT=63628 WINDOW=644 RES=0x00 ACK URGP=0

xx.xx.xx.xx = any IP accessing the server
IP.IP.IP.IP = IP of the server

I don't understand the drop rules.
If only your IP can log in on a specific port, then you don't need the drop rules, because the firewall won't allow connections anyway if they are not from your IP.
If you don't use FTP, then the drop rule for it can go, can't it?

Also, on OpenVZ I don't think your iptables matter much, or at least they are very limited; the firewall of the main system is used, whilst on Xen you could do a bit more.

I'm no expert at all, but it is what I've read (I have an OpenVZ too, as a 2nd nameserver).

If only you connect on SSH, then why not switch to another port like 50000 or something? That would get rid of 90% of the bots/scripts.

The errors were just logged packets. I had always had the log rule, but after upgrading it started working!

Regarding the drop rules, this is one of the reasons I need people with more experience than me to let me know why I need them, as the rule set isn't doing what I expect it to.

Default for incoming is drop.

As you can see I set some of my ports/protocols to accept only from my IP.

OK, that seems pretty straightforward.

So in theory all incoming traffic to SSH should be dropped unless it is coming from my IP. Well, that doesn't seem to be the case, which is why I have put the extra drop rules after each accept as a temporary patch.

When I remove the extra drop for SSH and then change the IP allowed to access SSH to something other than my IP, I CAN STILL ACCESS SSH! That means anybody can access SSH. If I add the drop back in, then I can't access SSH. If I then change the IP back to mine, then I can access it again.

So it seems there is something other than my allow rule allowing access.

Any ideas?

Also I have these three rules:

Accept If input interface is lo
Accept If source is 127.0.0.1
Accept If input interface is venet0

Are they all needed and are they all in the right place in the stack?
Is the accept venet0 what is causing my problem above?

I also found that the:
Accept If protocol is TCP and TCP flags ACK (of ACK) are set

is the same as the state rules, so I have removed it.
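The following is an added example, not code from the thread: a small first-match model of the INPUT chain listed above, reduced to the rules the posts are arguing about (the lo accept, the stateless ACK-flag accept, the ESTABLISHED/RELATED accept, the SSH accept from the home IP, the per-port drop "patch", two public ports, and the final "Accept if input interface is venet0"). The addresses 198.51.100.7 (standing in for the poster's xx.xx.xx.xx) and 203.0.113.9 (any other host) and the four probe packets are constructed for the example. It evaluates the chain the way netfilter does, top to bottom with the first matching terminating target winning, and shows which rule produces each verdict: with the explicit drop removed, a stranger's SSH SYN walks past every port rule and is accepted by the trailing venet0 catch-all, which also accepts connections to ports that have no rule at all. It additionally shows what the stateless ACK-flag rule accepts on its own.

```python
# Added example: first-match model of the posted INPUT chain (not from the thread).
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

HOME = "198.51.100.7"       # assumption: stands in for the poster's xx.xx.xx.xx
STRANGER = "203.0.113.9"    # constructed: any other host on the internet


@dataclass(frozen=True)
class Packet:
    iface: str                           # input interface: "lo" or "venet0"
    src: str
    proto: str                           # "tcp", "udp" or "icmp"
    dport: int = 0
    state: str = "NEW"                   # conntrack state: NEW/ESTABLISHED/RELATED/INVALID
    flags: FrozenSet[str] = frozenset()  # TCP flags set on the segment


@dataclass(frozen=True)
class Rule:
    name: str
    target: str                          # "ACCEPT" or "DROP"
    match: Callable[[Packet], bool]


def tcp_dport(port: int, src: Optional[str] = None) -> Callable[[Packet], bool]:
    """Match '-p tcp --dport PORT', optionally restricted with '-s SRC'."""
    return lambda p: p.proto == "tcp" and p.dport == port and (src is None or p.src == src)


def build_input_chain(explicit_drops: bool = True,
                      ack_rule: bool = True,
                      venet0_catchall: bool = True) -> List[Rule]:
    """Subset of the posted chain, in the posted order. The three flags toggle
    the rules under discussion so their effect can be isolated."""
    rules = [Rule("accept lo", "ACCEPT", lambda p: p.iface == "lo")]
    if ack_rule:        # 'Accept if TCP flags ACK (of ACK) are set': stateless, any port
        rules.append(Rule("accept tcp ACK", "ACCEPT",
                          lambda p: p.proto == "tcp" and "ACK" in p.flags))
    rules.append(Rule("accept ESTABLISHED,RELATED", "ACCEPT",
                      lambda p: p.state in ("ESTABLISHED", "RELATED")))
    rules.append(Rule("accept ssh from home", "ACCEPT", tcp_dport(22, HOME)))
    if explicit_drops:  # the 'temporary patch' added after the per-source accept
        rules.append(Rule("drop ssh", "DROP", tcp_dport(22)))
    rules += [Rule("accept smtp", "ACCEPT", tcp_dport(25)),
              Rule("accept http", "ACCEPT", tcp_dport(80))]
    if venet0_catchall:  # last rule of the listing: 'Accept if input interface is venet0'
        rules.append(Rule("accept all on venet0", "ACCEPT", lambda p: p.iface == "venet0"))
    return rules


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, str]:
    """netfilter semantics: first matching terminating target decides;
    if nothing matches, the chain policy applies."""
    for rule in rules:
        if rule.match(pkt):
            return rule.target, rule.name
    return policy, "chain policy"


# Constructed probe packets arriving on the public interface.
SSH_SYN_HOME = Packet("venet0", HOME, "tcp", 22, "NEW", frozenset({"SYN"}))
SSH_SYN_STRANGER = Packet("venet0", STRANGER, "tcp", 22, "NEW", frozenset({"SYN"}))
MYSQL_SYN_STRANGER = Packet("venet0", STRANGER, "tcp", 3306, "NEW", frozenset({"SYN"}))
SSH_ACK_STRANGER = Packet("venet0", STRANGER, "tcp", 22, "INVALID", frozenset({"ACK"}))


def verdicts(**chain_opts) -> dict:
    """Verdict and deciding rule for each probe under one chain variant."""
    chain = build_input_chain(**chain_opts)
    probes = {"ssh_home": SSH_SYN_HOME, "ssh_stranger": SSH_SYN_STRANGER,
              "mysql_stranger": MYSQL_SYN_STRANGER, "ack_probe": SSH_ACK_STRANGER}
    return {name: evaluate(chain, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    variants = [("as posted", {}),
                ("drop rules removed", {"explicit_drops": False}),
                ("catch-all and ACK rule removed, no drop rules",
                 {"explicit_drops": False, "ack_rule": False, "venet0_catchall": False})]
    for label, opts in variants:
        print(f"--- {label}")
        for probe, (target, why) in verdicts(**opts).items():
            print(f"{probe:15} {target:6} via {why}")
```

Run as-is it prints the three variants. In the posted order the per-source SSH accept only ever fires for the home IP; every other SYN to port 22 keeps walking and, unless an explicit drop is in the way, reaches the venet0 catch-all, which is why the drop rules appeared to be necessary. Once that catch-all is gone, unmatched traffic falls through to the chain policy and the extra drops are redundant.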

Hmm, well, I don't see what the "policy" is set to; is that set somewhere else by chance?

That is, for any given ruleset, it's either ACCEPT by default or DENY by default, and whichever it is, it's defined by a policy somewhere.

If you log in over SSH, and run this:

iptables -L -n

You'll see a list of all your iptables chains and rules, and next to each chain is the "policy".

On my box, the Input chain begins with:

Chain INPUT (policy DROP)

If yours says “policy ACCEPT”, that could cause what you’re seeing. You just need to modify that policy.

As Ronald mentioned, if not many people are using SSH but you're reluctant to limit access to just one IP (if that IP ever goes down, you may not be able to get in!), you could always run SSH on an alternate port. That should cut down on the number of bots trying to break into your SSH service.
-Eric

Input default has always been drop.

That’s why I am curious as to why the rules are working the way they are.