IPTables
#1
Hi,

I'm trying to make my Linux box hosting a couple of SRCDS servers more secure and a bit more resilient to malicious attacks.

Any iptables gurus here that can comment and make any suggestions?

Quote:
#!/bin/sh

# Wipe the tables clean
iptables -F

# INPUT SIDE
# Accept all loopback input
iptables -A INPUT -i lo -p all -j ACCEPT

# Allow the three way handshake
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop bad IP's
iptables -A INPUT -s 95.132.0.0/255.254.0.0 -j DROP
iptables -A INPUT -s 95.135.0.0/255.255.0.0 -j DROP
iptables -A INPUT -s 94.178.0.0/255.254.0.0 -j DROP
iptables -A INPUT -s 92.112.0.0/255.254.0.0 -j DROP
iptables -A INPUT -s 91.124.0.0/255.255.0.0 -j DROP
iptables -A INPUT -s 178.94.192.0/255.255.240.0 -j DROP
iptables -A INPUT -s 178.94.0.0/255.255.128.0 -j DROP
iptables -A INPUT -s 178.92.0.0/255.255.0.0 -j DROP

# Reject spoofed packets
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP

iptables -A INPUT -s 224.0.0.0/4 -j DROP
# Accept mDNS before the multicast DROP that follows; a later mDNS ACCEPT can never match
iptables -A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

# Stop smurf attacks
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

# Drop all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Rate-limit RST packets and drop the excess (RSTs of tracked connections were already accepted above)
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP

# Drop bad SRCDS packets
iptables -A INPUT -p udp -m udp --dport 27015:27016 -m length --length 0:32 -j DROP

# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# Allow the following ports through from outside
# ssh & sftp
iptables -A INPUT -p tcp -m tcp --dport 33333 -j ACCEPT

# VNC
iptables -A INPUT -p tcp -m tcp --dport 5900:5904 -j ACCEPT

# SRCDS
iptables -A INPUT -p udp -m udp --dport 1200 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 27000:27050 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 27000:27050 -j ACCEPT

# MySQL (TCP only; MySQL does not listen on UDP, so no UDP rule is needed)
iptables -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

# MDNS (note: the -d 224.0.0.0/4 DROP above matches first, so this rule only takes effect if an mDNS ACCEPT is placed before that DROP)
iptables -A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT

# Pings are already accepted (rate-limited) by the ICMP rule above; an unconditional
# echo-request ACCEPT here would let pings bypass that limit, so none is added and
# echo requests above the limit fall through to the final REJECT.

# Kill all other input
iptables -A INPUT -j REJECT


# Output side
iptables -A OUTPUT -j ACCEPT


# FORWARD SIDE
iptables -A FORWARD -j REJECT

Do I require "-m state --state NEW" on all of my open ports or does iptables already assume this if you don't specify it?
#2
You'd get through easier by simply blocking everything inbound if it's not from your LAN. You can use Uncomplicated Firewall (supposedly only on Ubuntu but you can manually compile it) to make this much easier; UFW is set to deny inbound by default.

In practice:
1) add checks to INPUT for your LAN
2) set INPUT to deny everything else

The rules take effect from top to bottom.
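An added example, not from either poster, that reworks the posted INPUT policy as an iptables-restore file: every port-opening ACCEPT carries an explicit NEW-state match (a rule with no state match accepts packets in any state; the posted script only gets away with that because ESTABLISHED,RELATED and INVALID are handled first), the trailing REJECT becomes a DROP default policy, and, following reply #2, VNC and MySQL are reachable only from the LAN. The LAN range 192.168.1.0/24 and the function names are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not the original poster's script: the posted policy as an
# iptables-restore file (loads atomically), with a DROP default policy in
# place of the trailing REJECT and an explicit NEW-state match on every
# port-opening ACCEPT. Assumed, not from the thread: LAN is 192.168.1.0/24
# and VNC/MySQL are reachable only from it (reply #2); SSH stays on 33333.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-33333}"

build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Spoofed sources
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
# ICMP: echo-request only, rate-limited; the rest falls to the DROP policy
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
# Undersized SRCDS packets, as in the posted ruleset
-A INPUT -p udp --dport 27015:27016 -m length --length 0:32 -j DROP
# Port openings: NEW connections only; management reachable from the LAN only
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s ${LAN_NET} -p tcp --dport 5900:5904 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s ${LAN_NET} -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 27000:27050 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 27000:27050 -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited log of what the DROP policy is about to discard
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Check, usable on any restore-format ruleset on stdin: fails if a
# port-opening ACCEPT has no explicit NEW-state match.
check_new_state() {
    ! grep -e '--dport' | grep -e '-j ACCEPT' | grep -v -e '--ctstate NEW' | grep -q .
}

# Parse-check the ruleset without touching the kernel, then load it atomically (needs root).
apply_rules() {
    f=$(mktemp) || return 1
    build_rules > "$f" && iptables-restore --test "$f" && iptables-restore "$f"
    rc=$?; rm -f "$f"; return "$rc"
}
```

Run `build_rules | check_new_state` against the generated file, or feed an existing `iptables-save` dump to the same check before loading it with `apply_rules`.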