iptables syn contramedida de inundação

1

Estou tentando ajustar meu firewall do iptables para aumentar a segurança do meu servidor, e encontrei algo um pouco problemático aqui: Eu tenho que configurar a diretiva INPUT para ACCEPT e, além disso, ter uma regra dizendo iptables -I INPUT -i eth0 -j ACCEPT .

Aqui vem meu script (lançado manualmente para testes):

#!/bin/sh
IPT=/sbin/iptables

echo "Clearing firewall rules"
$IPT -F
$IPT -Z
$IPT -t nat -F
$IPT -t nat -Z
$IPT -t mangle -F
$IPT -t mangle -Z
$IPT -X

echo "Defining logging policy for dropped packets"
$IPT -N LOGDROP 
$IPT -A LOGDROP -j LOG -m limit --limit 5/min --log-level debug --log-prefix "iptables rejected: "
$IPT -A LOGDROP -j DROP 

echo "Setting firewall policy"
$IPT -P INPUT   DROP  # Deny  all incoming connections
$IPT -P OUTPUT  ACCEPT  # Allow all outgoing connections
$IPT -P FORWARD DROP  # Deny  all forwaring

echo "Allowing connections from/to lo and incoming connections from eth0"
$IPT -I INPUT -i lo    -j ACCEPT
$IPT -I OUTPUT -o lo   -j ACCEPT
#$IPT -I INPUT -i eth0  -j ACCEPT

echo "Setting SYN flood countermeasures"
$IPT -A INPUT -p tcp -i eth0 --syn -m limit --limit 100/second --limit-burst 200 -j LOGDROP

echo "Allowing outgoing traffic corresponding to already initiated connections"
$IPT -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Allowing incoming SSH"
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT

echo "Setting SSH bruteforce attacks countermeasures (deny more than 10 connections every 10 minutes)"
$IPT -A INPUT -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 10 --rttl --name SSH -j LOGDROP

echo "Allowing incoming traffic for HTTP, SMTP, NTP, PgSQL and SolR"
$IPT -A INPUT -p tcp --dport 25   -i eth0                -j ACCEPT
$IPT -A INPUT -p tcp --dport 80   -i eth0                -j ACCEPT
$IPT -A INPUT -p udp --dport 123  -i eth0                -j ACCEPT
$IPT -A INPUT -p tcp --dport 5433 -i eth0.2654 -s 172.16.0.2     -j ACCEPT
$IPT -A INPUT -p udp --dport 5433 -i eth0.2654 -s 172.16.0.2     -j ACCEPT
$IPT -A INPUT -p tcp --dport 8983 -i eth0.2654 -s 172.16.0.2     -j ACCEPT
$IPT -A INPUT -p udp --dport 8983 -i eth0.2654 -s 172.16.0.2     -j ACCEPT

echo "Allowing outgoing traffic for ICMP, SSH, whois, SMTP, DNS, HTTP, PgSQL and SolR"
$IPT -A OUTPUT -p tcp --dport 22                         -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 25   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 43   -o eth0                       -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p udp --dport 80   -o eth0               -j ACCEPT
#$IPT -A OUTPUT -p tcp --dport 5433 -o eth0 -d 176.31.236.101    -j ACCEPT
#$IPT -A OUTPUT -p udp --dport 5433 -o eth0 -d 176.31.236.101    -j ACCEPT
#$IPT -A OUTPUT -p tcp --dport 8983 -o eth0 -d 176.31.236.101    -j ACCEPT
#$IPT -A OUTPUT -p udp --dport 8983 -o eth0 -d 176.31.236.101    -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 5433 -o eth0.2654          -j ACCEPT
$IPT -A OUTPUT -p udp --sport 5433 -o eth0.2654          -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 8983 -o eth0.2654          -j ACCEPT
$IPT -A OUTPUT -p udp --sport 8983 -o eth0.2654          -j ACCEPT
$IPT -A OUTPUT -p icmp                       -j ACCEPT

echo "Allowing outgoing FTP backup"
$IPT -A OUTPUT -p tcp --dport 20:21 -o eth0 -d 91.121.190.78     -j ACCEPT

echo "Dropping and logging everything else"
$IPT -A INPUT -s 0/0 -j LOGDROP 
$IPT -A OUTPUT -j LOGDROP
$IPT -A FORWARD -j LOGDROP

echo "Firewall loaded."
echo "Maintaining new rules for 3 minutes for tests"
sleep 180
$IPT -nvL

echo "Clearing firewall rules"
$IPT -F
$IPT -Z
$IPT -t nat -F
$IPT -t nat -Z
$IPT -t mangle -F
$IPT -t mangle -Z
$IPT -X
$IPT -P INPUT   ACCEPT
$IPT -P OUTPUT  ACCEPT
$IPT -P FORWARD ACCEPT

Quando eu inicio este script (eu só tenho um acesso SSH), o shell exibe todas as mensagens até Maintaining new rules for 3 minutes for tests , o servidor não responde durante o atraso de 3 minutos e então retoma as operações normais.

A única solução que encontrei até agora foi definir $IPT -P INPUT ACCEPT e $IPT -I INPUT -i eth0 -j ACCEPT , mas essa configuração não me protege de nenhum ataque, o que é uma grande vergonha para um firewall.

Eu suspeito que o erro vem do meu script e não do iptables, mas eu não entendo o que há de errado com o meu script. Poderia algum bem fazer-me explicar o meu erro, por favor?

EDIT: aqui vem o resultado de iptables -nvL com a solução "accept all input" ( $IPT -P INPUT ACCEPT e $IPT -I INPUT -i eth0 -j ACCEPT ):

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    52 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0               
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOGDROP    tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 100/sec burst 200 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW recent: SET name: SSH side: source 
    0     0 LOGDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 recent: UPDATE seconds: 600 hit_count: 10 TTL-Match name: SSH side: source 
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:123 
    0     0 ACCEPT     tcp  --  eth0.2654 *       172.16.0.2           0.0.0.0/0           tcp dpt:5433 
    0     0 ACCEPT     udp  --  eth0.2654 *       172.16.0.2           0.0.0.0/0           udp dpt:5433 
    0     0 ACCEPT     tcp  --  eth0.2654 *       172.16.0.2           0.0.0.0/0           tcp dpt:8983 
    0     0 ACCEPT     udp  --  eth0.2654 *       172.16.0.2           0.0.0.0/0           udp dpt:8983 
    0     0 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    2   728 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:43 
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp dpt:53 
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp dpt:80 
    0     0 ACCEPT     tcp  --  *      eth0.2654  0.0.0.0/0            0.0.0.0/0           tcp spt:5433 
    0     0 ACCEPT     udp  --  *      eth0.2654  0.0.0.0/0            0.0.0.0/0           udp     spt:5433 
    0     0 ACCEPT     tcp  --  *      eth0.2654  0.0.0.0/0            0.0.0.0/0           tcp spt:8983 
    0     0 ACCEPT     udp  --  *      eth0.2654  0.0.0.0/0            0.0.0.0/0           udp spt:8983 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            91.121.190.78       tcp dpts:20:21 
    0     0 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOGDROP (5 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix 'iptables rejected: ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

EDIT # 2: Eu modifiquei meu script (política ACCEPT , definindo pacotes de entrada autorizados, registrando e descartando todo o resto) para gravar iptables -nvL resultados em um arquivo e permitir somente 10 solicitações ICMP por segundo, registrando e soltando todo o resto. O resultado provou ser inesperado: enquanto o servidor não estava disponível para conexões SSH, mesmo já estabelecido, pinguei-o de outro servidor, e a taxa de ping ficou restrita a 10 solicitações por segundo. Durante esse teste, também tentei abrir novas conexões SSH, que ficaram sem resposta até que o script liberou as regras. Aí vem as estatísticas do iptables escritas após estes testes:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  600 35520 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    6   360 LOGDROP    tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 100/sec burst 200 
    0     0 LOGDROP    tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 STRING match "w00tw00t.at.ISC.SANS." ALGO name bm TO 65535 
    0     0 LOGDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 STRING match "Host: anoticiapb.com.br" ALGO name bm TO 65535 
    0     0 LOGDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 STRING match "Host: www.anoticiapb.com.br" ALGO name bm TO 65535 
  105  8820 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5 
  830 69720 LOGDROP    icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW recent: SET name: SSH side: source 
    0     0 LOGDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 recent: UPDATE seconds: 600 hit_count: 10 TTL-Match name: SSH side: source 
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:80 
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:123 
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
    0     0 ACCEPT     tcp  --  eth0.2654 *       172.16.0.1           0.0.0.0/0           tcp spt:5433 
    0     0 ACCEPT     udp  --  eth0.2654 *       172.16.0.1           0.0.0.0/0           udp spt:5433 
    0     0 ACCEPT     tcp  --  eth0.2654 *       172.16.0.1           0.0.0.0/0           tcp spt:8983 
    0     0 ACCEPT     udp  --  eth0.2654 *       172.16.0.1           0.0.0.0/0           udp spt:8983 
   16  1684 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  600 35520 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 LOGDROP    tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:80 owner UID match 33 
    0     0 LOGDROP    udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp dpt:80 owner UID match 33 
  116 11136 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp dpt:53 
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp dpt:80 
    0     0 ACCEPT     tcp  --  *      eth0.2654  0.0.0.0/0            0.0.0.0/0           tcp dpt:5433 
    0     0 ACCEPT     udp  --  *      eth0.2654  0.0.0.0/0            0.0.0.0/0           udp dpt:5433 
    0     0 ACCEPT     tcp  --  *      eth0.2654  0.0.0.0/0            0.0.0.0/0           tcp dpt:8983 
    0     0 ACCEPT     udp  --  *      eth0.2654  0.0.0.0/0            0.0.0.0/0           udp dpt:8983 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:43 
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            91.121.190.18       tcp dpts:20:21 
    7  1249 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOGDROP (11 references)
 pkts bytes target     prot opt in     out     source               destination         
   35  3156 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 0 level 7 prefix 'iptables rejected: ' 
  859 73013 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0 

Aí vem o conteúdo do log adicionado durante este teste:

Mar 28 09:52:51 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=55666 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
Mar 28 09:52:51 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=55667 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
Mar 28 09:52:51 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=55668 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
Mar 28 09:52:51 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=55669 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
Mar 28 09:52:52 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=55670 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
Mar 28 09:52:54 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=55671 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
Mar 28 09:52:58 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=55672 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
Mar 28 09:52:59 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=176.31.236.101 DST=176.31.238.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7430 SEQ=6 
Mar 28 09:52:59 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=176.31.236.101 DST=176.31.238.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7430 SEQ=7 
Mar 28 09:52:59 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=176.31.236.101 DST=176.31.238.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7430 SEQ=8 
Mar 28 09:52:59 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=176.31.236.101 DST=176.31.238.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7430 SEQ=9 
Mar 28 09:52:59 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=176.31.236.101 DST=176.31.238.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7430 SEQ=59 
Mar 28 09:53:00 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=176.31.236.101 DST=176.31.238.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7430 SEQ=152 
Mar 28 09:53:01 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=176.31.236.101 DST=176.31.238.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7430 SEQ=246 
Mar 28 09:53:02 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=176.31.236.101 DST=176.31.238.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7430 SEQ=339 
Mar 28 09:53:03 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=176.31.236.101 DST=176.31.238.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7430 SEQ=432 
Mar 28 09:53:04 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=176.31.236.101 DST=176.31.238.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7430 SEQ=524 
Mar 28 09:53:05 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=176.31.236.101 DST=176.31.238.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7430 SEQ=617 
Mar 28 09:53:06 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=176.31.236.101 DST=176.31.238.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7430 SEQ=711 
Mar 28 09:53:07 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=176.31.236.101 DST=176.31.238.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7430 SEQ=804 
Mar 28 09:53:08 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=176.31.236.101 DST=176.31.238.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7430 SEQ=897 
Mar 28 09:53:16 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:c0:62:6b:e3:5c:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=61402 DF PROTO=TCP SPT=57637 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 
Mar 28 09:53:19 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:c0:62:6b:e3:5c:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=61403 DF PROTO=TCP SPT=57637 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 
Mar 28 09:53:21 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=55674 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
Mar 28 09:53:25 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:c0:62:6b:e3:5c:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=61404 DF PROTO=TCP SPT=57637 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 
Mar 28 09:53:37 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=116 TOS=0x00 PREC=0x00 TTL=51 ID=55675 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK PSH URGP=0 
Mar 28 09:53:37 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=116 TOS=0x00 PREC=0x00 TTL=51 ID=55676 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK PSH URGP=0 
Mar 28 09:53:37 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=180 TOS=0x00 PREC=0x00 TTL=51 ID=55677 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK PSH URGP=0 
Mar 28 09:53:38 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=180 TOS=0x00 PREC=0x00 TTL=51 ID=55678 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK PSH URGP=0 
Mar 28 09:53:39 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=180 TOS=0x00 PREC=0x00 TTL=51 ID=55679 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK PSH URGP=0 
Mar 28 09:53:39 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:c0:62:6b:e3:5c:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=5055 DF PROTO=TCP SPT=57638 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 
Mar 28 09:53:41 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=180 TOS=0x00 PREC=0x00 TTL=51 ID=55680 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK PSH URGP=0 
Mar 28 09:53:42 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:c0:62:6b:e3:5c:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=5056 DF PROTO=TCP SPT=57638 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 
Mar 28 09:53:45 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:10:8c:cf:28:39:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=180 TOS=0x00 PREC=0x00 TTL=51 ID=55681 DF PROTO=TCP SPT=57504 DPT=22 WINDOW=501 RES=0x00 ACK PSH URGP=0 
Mar 28 09:53:48 localhost kernel: iptables rejected: IN=eth0 OUT= MAC=00:25:90:54:d7:88:c0:62:6b:e3:5c:80:08:00 SRC=194.51.74.245 DST=176.31.238.3 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=5057 DF PROTO=TCP SPT=57638 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 

Se eu interpretei corretamente esses resultados, eles dizem que as regras do ICMP foram corretamente interpretadas pelo iptables, mas as regras do SSH não foram. Isso não faz sentido ... Alguém entende de onde vem meu erro?

EDIT # 3: Depois de mais alguns testes, descobri que comentar a contramedida de inundação do SYN elimina o problema. Eu continuo pesquisando desta maneira mas, enquanto isso, se alguém vir meu erro de regra de inundação anti SYN ...

    
por Penegal 27.03.2012 / 16:59

1 resposta

1

Encontrou! O problema veio tanto da contramedida de inundação SYN, que descartou os fluxos autorizados em vez de aceitá-los, como da contramedida de força bruta SSH, que estava após a contramedida de inundação SYN, portanto não descartou nenhuma conexão de entrada supranumerária como essas conexões já foram aceitas pela contramedida de inundação SYN.

Aí vem a boa versão deste script:

#!/bin/sh
IPT=/sbin/iptables

echo "Clearing firewall rules"
$IPT -F
$IPT -Z
$IPT -t nat -F
$IPT -t nat -Z
$IPT -t mangle -F
$IPT -t mangle -Z
$IPT -X

echo "Defining logging policy for dropped packets"
$IPT -N LOGDROP 
$IPT -A LOGDROP -j LOG -m limit --limit 60/min --log-level debug --log-prefix "iptables rejected: "
$IPT -A LOGDROP -j DROP 

echo "Setting firewall policy"
$IPT -P INPUT   ACCEPT
$IPT -P OUTPUT  ACCEPT
$IPT -P FORWARD ACCEPT

echo "Allowing connections from/to lo"
$IPT -I INPUT -i lo    -j ACCEPT
$IPT -I OUTPUT -o lo   -j ACCEPT

echo "Denying web server user outgoing HTTP connections on eth0"
$IPT -A OUTPUT -p tcp --dport 80 -o eth0 -m owner --uid-owner www-data -j LOGDROP
$IPT -A OUTPUT -p udp --dport 80 -o eth0 -m owner --uid-owner www-data -j LOGDROP

echo "Denying more than 3 SSH connection attempts per minute and per IP"
$IPT -A INPUT -p tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOGDROP

echo "Setting SYN flood countermeasures"
$IPT -A INPUT -p tcp -i eth0 --syn -m limit --limit 30/s --limit-burst 200 -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 --syn -j LOGDROP

echo "Denying 'w00tw00t' vulnerability scans"
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m string --algo bm --string 'w00tw00t.at.ISC.SANS.' -j LOGDROP

echo "Denying HTTP requests concerning misconfigured anoticiapb.com.br external domain"
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m string --algo bm --string "Host: anoticiapb.com.br" -j LOGDROP
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m string --algo bm --string "Host: www.anoticiapb.com.br" -j LOGDROP

echo "Allowing outgoing traffic corresponding to already initiated connections"
$IPT -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Allowing up to 10 ICMP requests per second, dropping any supernumerary ICMP request"
$IPT -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
$IPT -A INPUT -p icmp -j LOGDROP

echo "Allowing incoming HTTP(S), SMTP, NTP, PgSQL, SolR"
$IPT -A INPUT -p tcp --dport 25   -i eth0                -j ACCEPT
$IPT -A INPUT -p tcp --dport 80   -i eth0                -j ACCEPT
$IPT -A INPUT -p udp --dport 123  -i eth0                -j ACCEPT
$IPT -A INPUT -p tcp --dport 443  -i eth0                -j ACCEPT
$IPT -A INPUT -p tcp --sport 5433 -i eth0.2654 -s 172.16.0.1 -j ACCEPT
$IPT -A INPUT -p tcp --sport 8983 -i eth0.2654 -s 172.16.0.1 -j ACCEPT

echo "Allowing outgoing SSH, SMTP, whois, DNS, HTTP, SolR, PgSQL, ICMP"
$IPT -A OUTPUT -p tcp --dport 22                         -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 25   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 43   -o eth0           -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443  -o eth0               -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 5433 -o eth0.2654      -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 8983 -o eth0.2654      -j ACCEPT
$IPT -A OUTPUT -p icmp                   -j ACCEPT

echo "Allowing outgoing FTP backup"
$IPT -A OUTPUT -p tcp --dport 20:21 -o eth0 -d 91.121.190.18 -j ACCEPT

echo "Dropping and logging everything else"
$IPT -A INPUT -j LOGDROP 
$IPT -A OUTPUT -j LOGDROP
$IPT -A FORWARD -j LOGDROP

echo "Firewall loaded."
    
por 29.03.2012 / 14:01