[olug] smart iptables strategies (was Shell accounts? [OT?])

Lou Duchez lou at paprikash.com
Wed Sep 27 14:13:18 CDT 2017


That's pretty cool, thanks!

Speaking of, I keep meaning to talk about efficient iptables 
strategies.  My thought, as applies to the "filter" table and the 
"INPUT" chain:


1) The first rule in iptables should deal with established connections, 
so that every packet except the first should be lightning fast.  So the 
first rule is:

/sbin/iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


2) Next thing should be loopback, so that even the first packet is 
lightning fast (or almost) on internal operations:

/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT


3) Beyond that, efficiency ceases to be much of a thing, and it's more 
about implementing the appropriate security.  Just put the rules in the 
right order to accept / deny traffic as appropriate; the initial packet 
might take a millisecond or two to go through the rules, but any 
subsequent packets are handled via "RELATED,ESTABLISHED" above.


Does that sound about right?  Anything I'm missing?
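The three steps above, put together as an added example; this is not Lou's own rule set or anything else posted in the thread. It folds in the ipset blocklist and the hashlimit SSH rule that come up further down. Assumptions of mine: the blocklist is loaded into an ipset named "foreign" from a file in the N-comment format Lou posted, "email and Web" means TCP 25, 80 and 443, and IPT/IPSET default to a dry run that prints the commands (set them to the real binaries to load the rules).

```shell
#!/bin/sh
# Added example, not from any post in the thread: an INPUT chain laid out
# in the order Lou describes, with an ipset blocklist and the hashlimit
# SSH rule folded in. Assumptions: the blocklist lives in an ipset named
# "foreign", mail and web mean TCP 25, 80 and 443, and everything else
# arrives via SSH. IPT/IPSET default to a dry run that prints the commands.
IPT="${IPT:-echo iptables}"
IPSET="${IPSET:-echo ipset}"
BLOCKSET="${BLOCKSET:-foreign}"

# Print the networks in a blocklist file in the format Lou posted:
# lines starting with N are comments, blank lines are skipped.
blocklist_nets() {
  grep -Ev '^(N|[[:space:]]*$)' "$1"
}

# Create the set (idempotent) and load every network into it.
load_blockset() {
  $IPSET create "$BLOCKSET" hash:net -exist
  blocklist_nets "$1" | while read -r net; do
    $IPSET add "$BLOCKSET" "$net" -exist
  done
}

# The INPUT chain, one rule per line, in the order it is evaluated.
fw_rules() {
  # 1) Every packet after the first of a flow matches here and is done.
  echo "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  #    Packets conntrack cannot place in any flow (stray TCP segments, etc.)
  #    are dropped here rather than being judged by the service rules.
  echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
  # 2) Loopback: even the first packet of local traffic is cheap.
  echo "-A INPUT -i lo -j ACCEPT"
  # 3) From here on only NEW flows are seen, so rule count is not a
  #    performance concern; order the rules by policy.
  #    Mail and web stay reachable from everywhere, blocklist included.
  echo "-A INPUT -p tcp -m multiport --dports 25,80,443 -m conntrack --ctstate NEW -j ACCEPT"
  #    One set lookup stands in for a rule per blocklisted network.
  echo "-A INPUT -m set --match-set $BLOCKSET src -j DROP"
  #    Rate-limited SSH, as in Christopher's rule. A source over the limit
  #    simply fails to match; it is the DROP policy below that refuses it,
  #    so this rule only throttles when the chain ends in DROP.
  echo "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min --hashlimit-burst 4 --hashlimit-name ssh -j ACCEPT"
  #    Everything else is refused.
  echo "-P INPUT DROP"
}

# Flush INPUT and load the rules above in order.
apply_rules() {
  $IPT -t filter -F INPUT
  fw_rules | while read -r rule; do
    # $rule is intentionally unquoted: it is a list of arguments.
    $IPT -t filter $rule
  done
}

# Usage: sh fw.sh apply /path/to/iptables.rules
if [ "${1:-}" = "apply" ]; then
  load_blockset "$2"
  apply_rules
fi
```

The INVALID drop and the explicit DROP policy are the two things the posts leave implicit: without a DROP at the end of the chain, a source that exceeds the hashlimit just falls through to whatever rule comes next. Load it from a console session the first time, since a DROP policy with a mistake above it locks out remote access.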



> You could also make the list shorter but much less readable and
> maintainable by taking advantage of CIDR VLSM:
> 58.0.0.0/7
> 60.0.0.0/7
> 62.0.0.0/8
> 77.0.0.0/8
> 78.0.0.0/7
> 80.0.0.0/6
> 84.0.0.0/5
> 88.0.0.0/6
> 90.0.0.0/7
> 116.0.0.0/6
> 120.0.0.0/6
> 124.0.0.0/7
> 126.0.0.0/8
> 190.0.0.0/8
> 193.0.0.0/8
> 194.0.0.0/7
> 200.0.0.0/6
> 210.0.0.0/7
> 212.0.0.0/7
> 217.0.0.0/8
> 218.0.0.0/7
> 220.0.0.0/7
> 222.0.0.0/8
>
>
> On Wed, Sep 27, 2017 at 11:26 AM, Lou Duchez <lou at paprikash.com> wrote:
>
>> In case anyone's interested, I came across this list of international IP
>> addresses some time ago; I can't confirm its accuracy or completeness, but
>> thus far it hasn't caused me any problems (that I know of).  In my
>> firewalls I typically block all IPs in these ranges except for email and
>> Web access; I spend so little time hiking through the Balkans, I feel
>> pretty safe blocking all SSH connections from Sarajevo.
>>
>>
>> N Filename iptables.rules
>> N Russia .ru
>> 89.0.0.0/8
>>
>> N RIPE.NET (Europe, the Middle East and parts of Central Asia)
>> 62.0.0.0/8
>> 77.0.0.0/8
>> 78.0.0.0/8
>> 79.0.0.0/8
>> 80.0.0.0/8
>> 81.0.0.0/8
>> 82.0.0.0/8
>> 83.0.0.0/8
>> 84.0.0.0/8
>> 85.0.0.0/8
>> 86.0.0.0/8
>> 87.0.0.0/8
>> 88.0.0.0/8
>> 89.0.0.0/8
>> 90.0.0.0/8
>> 91.0.0.0/8
>> 193.0.0.0/8
>> 194.0.0.0/8
>> 195.0.0.0/8
>> 212.0.0.0/8
>> 213.0.0.0/8
>> 217.0.0.0/8
>>
>> N APNIC (Asian Pacific Network Information Center)
>> 58.0.0.0/8
>> 59.0.0.0/8
>> 60.0.0.0/8
>> 61.0.0.0/8
>> 202.0.0.0/8
>> 203.0.0.0/8
>> 210.0.0.0/8
>> 211.0.0.0/8
>> 218.0.0.0/8
>> 219.0.0.0/8
>> 220.0.0.0/8
>> 221.0.0.0/8
>> 222.0.0.0/8
>> 116.0.0.0/8
>> 117.0.0.0/8
>> 118.0.0.0/8
>> 119.0.0.0/8
>> 120.0.0.0/8
>> 121.0.0.0/8
>> 122.0.0.0/8
>> 123.0.0.0/8
>> 124.0.0.0/8
>> 125.0.0.0/8
>> 126.0.0.0/8
>>
>> N End APNIC Addresses
>>
>> N LACNIC (Latin American and Caribbean Network Information Center)
>> 189.0.0.0/8
>> 190.0.0.0/8
>> 200.0.0.0/8
>> 201.0.0.0/8
>> N End LACNIC
>>
>> N Add .EU here?
>> N duesentrieb.kunst.uni-frankfurt.de
>> 141.0.0.0/8
>> N end .EU
>>
>> 88.0.0.0/8
>> 85.0.0.0/8
>>
>>
>>
>>> ipset to efficiently and easily whitelist / blacklist large sets of IP
>>> addresses such as from an entire country.
>>>
>>>
>>> On Tue, Sep 26, 2017 at 11:26 PM, aric at omahax.com <aric at omahax.com>
>>> wrote:
>>>
>>>> Thanks, that is a cool feature of iptables that I didn't know about.  When
>>>> I first read the port knocking suggestion on this thread I thought about
>>>> the Dr. Strangelove doomsday machine.  You could trigger events from a
>>>> port knock.  ....and then this Rick and Morty scene
>>>> https://youtu.be/a69kN7gyE70
>>>> There are several ways to block SSH attempts.  I use pfSense to forward a non
>>>> standard port, ban the IP after 5 failed attempts and ban IPs that port
>>>> scan.  The iptables way you suggested looks to be the simplest.
>>>>
>>>> ------ Original message------
>>>> From: Christopher Cashell
>>>> Date: Tue, Sep 26, 2017 10:53 PM
>>>> To: Omaha Linux User Group;
>>>> Cc:
>>>> Subject: Re: [olug] Shell accounts? [OT?]
>>>>
>>>> On Thu, Sep 14, 2017 at 9:40 AM, Ben Hollingsworth  wrote:
>>>>
>>>>> The biggest bummer, nostalgia aside, is SSH access.  In order to keep the
>>>>> log file noise to a minimum, my home firewall restricts which IP blocks are
>>>>> allowed to SSH into my home computer.  On the rare occasion when I need to
>>>>> SSH in from an unapproved network, I was always able to SSH into falcon
>>>>> first, then jump from there to my home machine.  That route is no longer an
>>>>> option, so I'll probably have to open up the firewall again.  Or maybe I
>>>>> can just paint with a bigger brush & block foreign IP's using that list
>>>>> that somebody posted recently.
>>>>>
>>>> Someone mentioned port-knocking, which can be a handy solution for this.
>>>> Another option that can significantly reduce the log noise is to use
>>>> iptables to minimize or prevent brute-force SSH attacks.
>>>>
>>>> Replace the iptables rule on your box that is allowing TCP port 22 with the
>>>> following:
>>>>
>>>> iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
>>>>   -m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min \
>>>>   --hashlimit-burst 4 --hashlimit-name ssh -j ACCEPT
>>>>
>>>> That will limit new TCP connection attempts to a rate of 1 per minute, with
>>>> a burst of 4 allowed per source IP.  Basically, anyone who makes repeated
>>>> ssh attempts too quickly will automatically have their connection attempts
>>>> dropped.  The more attempts they make, the longer they get blocked.  The
>>>> best thing about it is that it requires no maintenance or external
>>>> applications (like fail2ban), and is very "fire and forget" for low
>>>> connection rate protocols like SSH.
>>>>
>>>> One other handy option, you can keep SSH blocked from the outside, and use
>>>> something like OpenVPN to connect remotely.  Then, after establishing a VPN
>>>> session to your computer externally, you can SSH across the VPN to not
>>>> expose SSH publicly.  This can also give you some additional access
>>>> benefits to your system.
>>>>
>>>> For the ultimate in remote shell flexibility, I'll echo another suggestion
>>>> that was thrown out, too: Linode.  I've been using Linode.com for 10 years
>>>> now, and I can't recommend them enough.  They're Virtual Private Server
>>>> (VPS) hosting by geeks/engineers for geeks/engineers.
>>>>
>>>> --
>>>>
>>>>> *Ben "Obi-Wan" Hollingsworth* obiwan at jedi.com
>>>>> www.Jedi.com
>>>>>
>>>>
>>>> --
>>>> Christopher
>>>> _______________________________________________
>>>> OLUG mailing list
>>>> OLUG at olug.org
>>>> https://www.olug.org/mailman/listinfo/olug
>>>>
>>>> _______________________________________________
>>> OLUG mailing list
>>> OLUG at olug.org
>>> https://www.olug.org/mailman/listinfo/olug
>>>
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://www.olug.org/mailman/listinfo/olug
>>
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://www.olug.org/mailman/listinfo/olug
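Before swapping the aggregated list quoted above in for the long one, a practitioner would want to confirm the two cover the same address space. The check below is an added example, not code from anyone in the thread. It assumes every prefix is /8 or shorter (true of both lists here, which are copied in verbatim, the long one with several networks per line), expands each network to the first octets it covers, and diffs the two sets in both directions.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a CIDR-aggregated block
# list still covers exactly the /8 networks of the long list it replaces.
# Assumption: every prefix is /8 or shorter, which holds for both lists in
# this thread; anything longer is rejected rather than silently miscounted.

# Expand one "A.0.0.0/P" (P <= 8) into the first octets it covers.
expand_octets() {
  first=${1%%.*}
  prefix=${1##*/}
  [ "$prefix" -le 8 ] || { echo "expand_octets: $1 is longer than /8" >&2; return 1; }
  n=$(( 1 << (8 - prefix) ))
  i=0
  while [ "$i" -lt "$n" ]; do
    echo $(( first + i ))
    i=$(( i + 1 ))
  done
}

# All first octets covered by the CIDRs in file $1, sorted and de-duplicated.
# Lines beginning with N are comments (the format Lou posted); blanks are skipped.
octet_set() {
  for cidr in $(grep -Ev '^(N|[[:space:]]*$)' "$1"); do
    expand_octets "$cidr"
  done | sort -n | uniq
}

# First octets covered by file $1 but not by file $2, as one space-separated line.
missing_octets() {
  a=$(mktemp); b=$(mktemp)
  octet_set "$1" > "$a"
  octet_set "$2" > "$b"
  grep -vxF -f "$b" "$a" | tr '\n' ' ' | sed 's/ $//'
  rm -f "$a" "$b"
}

# Lou's long list (all /8s), several networks per line, and Christopher's
# aggregated list, both copied from the thread.
long_list() {
  cat <<'EOF'
N Russia .ru
89.0.0.0/8
N RIPE.NET
62.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 80.0.0.0/8 81.0.0.0/8 82.0.0.0/8 83.0.0.0/8
84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8
193.0.0.0/8 194.0.0.0/8 195.0.0.0/8 212.0.0.0/8 213.0.0.0/8 217.0.0.0/8
N APNIC
58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 61.0.0.0/8 202.0.0.0/8 203.0.0.0/8 210.0.0.0/8 211.0.0.0/8
218.0.0.0/8 219.0.0.0/8 220.0.0.0/8 221.0.0.0/8 222.0.0.0/8
116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8
123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 126.0.0.0/8
N LACNIC
189.0.0.0/8 190.0.0.0/8 200.0.0.0/8 201.0.0.0/8
N .EU
141.0.0.0/8
88.0.0.0/8 85.0.0.0/8
EOF
}

short_list() {
  cat <<'EOF'
58.0.0.0/7 60.0.0.0/7 62.0.0.0/8 77.0.0.0/8 78.0.0.0/7 80.0.0.0/6 84.0.0.0/5 88.0.0.0/6
90.0.0.0/7 116.0.0.0/6 120.0.0.0/6 124.0.0.0/7 126.0.0.0/8 190.0.0.0/8 193.0.0.0/8
194.0.0.0/7 200.0.0.0/6 210.0.0.0/7 212.0.0.0/7 217.0.0.0/8 218.0.0.0/7 220.0.0.0/7 222.0.0.0/8
EOF
}

# Report both directions: what the short list drops and what it adds.
compare_lists() {
  l=$(mktemp); s=$(mktemp)
  long_list > "$l"; short_list > "$s"
  echo "dropped by short list: $(missing_octets "$l" "$s")"
  echo "added by short list:   $(missing_octets "$s" "$l")"
  rm -f "$l" "$s"
}

compare_lists
```

Run as is, it prints the first octets that appear in one list and not the other; an empty result in both directions means the short list is a drop-in replacement. Hand aggregation is exactly where a /8 quietly goes missing, and a blocklist that silently shrinks fails open.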


More information about the OLUG mailing list