iptables blocking a port despite a rule allowing it

1

I have an IPtables.sh file that lets me modify my iptables quickly and use variables.

Everything was going well until I noticed that I have a lot of connections to my Ubuntu server from my private home network (a mix of Nix and Win boxes, plus Android devices).

In my iptables I have the following variables defined.

THIS_HOST="192.168.1.116"
WORK="XX.XX.XX.XX"
HOME_NETWORK="192.168.1.0/24"

Then I have an entry to allow my Home_Network to connect to port 1900

#Accept some UPnP (SSDP) discovery connections
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1900 -j ACCEPT

This entry does not work, as I get the following in my syslog:

Apr 4 15:54:39 zues kernel: [331454.549383] Firewalled packet:IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:cc:52:af:41:64:68:08:00 SRC=192.168.1.248 DST=239.255.255.250 LEN=188 TOS=0x00 PREC=0x00 TTL=2 ID=22168 PROTO=UDP SPT=1823 DPT=1900 LEN=168

I know the variables work because this entry is working correctly:

#accept some ssh connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $WORK -d $THIS_HOST --dport 22 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 22 -j ACCEPT

When I do a

sudo iptables -L

I get this:

ACCEPT     udp  --  192.168.1.0/24       Zeus*(THIS_HOST)*                 state NEW udp dpt:1900

As requested, here is the full iptables.sh file

#!/bin/bash

################################################################
#Insert modules- should be done automatically if needed
dmesg -n 1 #Kill copyright display on module load
#/sbin/modprobe ip_tables
#/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_ftp #for PASV ftp

IPTABLES="/sbin/iptables"
THIS_HOST="192.168.1.116"
LOCAL_HOST="127.0.0.1"
WORK="XX.XX.XXX.18"
HOME_NETWORK="192.168.1.0/24"
#EXTRA_IP_FOR_SSH="$Work"
#EXTRA_IP_FOR_SSH=""
#EXTRA_IP_FOR_MYSQL=""

$IPTABLES -F

#Kill ANY stupid packets, including
#-Packets that are too short to have a full ICMP/UDP/TCP header
#- TCP and UDP packets with zero (illegal) source and destination ports
#-Illegal combinations of TCP flags
#-Zero-length (illegal) or over-length TCP and IP options,
# or options after the END-OF-OPTIONS option
#-Fragments of illegal length or offset (e.g., Ping of Death).
#Above list ripped from
#http://www.linux-mag.com/2000-01/bestdefense_02.html
#$IPTABLES -A INPUT -m unclean -j DROP
#$IPTABLES -A FORWARD -m unclean -j DROP

#Allow Loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#Allow Outgoing DNS
$IPTABLES -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

#Kill invalid packets (illegal combinations of flags)
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

#block enemies
$IPTABLES -A INPUT -s "91.65.221.109" -j DROP

#Block Port Hammers
$IPTABLES -A INPUT -s "58.218.201.189" -j DROP
$IPTABLES -A INPUT -s "185.222.211.44" -j DROP
#$IPTABLES -A INPUT -s "61.78.245.0/24" -j DROP
#$IPTABLES -A INPUT -s "218.146.209.182" -j DROP
#$IPTABLES -A INPUT -s "220.77.44.229" -j DROP
#$IPTABLES -A INPUT -s "61.75.224.41" -j DROP

#Accept some UPnP (SSDP) discovery connections
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1900 -j ACCEPT

#ICMP
#ping flood protection
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
#Allow all other icmp
$IPTABLES -A INPUT -p icmp -j ACCEPT

#allow established and related connections to continue
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -d 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -d $THIS_HOST -j ACCEPT

#this is "biff"
#procmail sends a biff/comsat message via UDP on port 512 every time it delivers a message to a user's mailbox
#$IPTABLES -A INPUT -p UDP -s 127.0.0.1 -d 127.0.0.1 --dport 512 -j REJECT

#allow spamassassin to talk to spamd
#$IPTABLES -A INPUT -p TCP -s 127.0.0.1 -d 127.0.0.1 --dport 783 -j ACCEPT
#$IPTABLES -A INPUT -p TCP -s 127.0.0.1 -d 127.0.0.1 --sport 783 -j ACCEPT

#accept some httpd connections
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

#accept some httpsd connections
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 443 -j ACCEPT

#accept some ssh connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $WORK -d $THIS_HOST --dport 22 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 22 -j ACCEPT
#$HOME is never set above; bash expands it to the login user's home directory, so iptables
#would reject "-s /root" as an invalid host/network. Disabled until a real address is assigned.
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME -d $THIS_HOST --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#if [ "$EXTRA_IP_FOR_SSH" != "" ]; then
#        $IPTABLES -A INPUT -m state --state NEW -p TCP -s $EXTRA_IP_FOR_SSH -d $THIS_HOST --dport 22 -j ACCEPT
#fi

#accept some ftp connections
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 21 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $WORK -d $THIS_HOST --dport 21 -j ACCEPT

#Accept Some Vino/VNC Connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 5900 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 5900 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $WORK -d $THIS_HOST --dport 5900 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $WORK -d $THIS_HOST --dport 5900 -j ACCEPT

#Accept Some Samba Connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 139 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 445 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 137 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 138 -j ACCEPT

#Accept Some MYTHTV Connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 6543 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 6544 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 3306 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $LOCAL_HOST -d $THIS_HOST --dport 6543 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $LOCAL_HOST -d $THIS_HOST --dport 6544 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $LOCAL_HOST -d $THIS_HOST --dport 3306 -j ACCEPT

#Accept some UPnP (SSDP) discovery connections
#$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1900 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1900 -j ACCEPT

#Accept Some Mosquitto Connections
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 1883 -j ACCEPT
$IPTABLES -A INPUT -p UDP -d $THIS_HOST --dport 1883 -j ACCEPT
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 8883 -j ACCEPT
$IPTABLES -A INPUT -p UDP -d $THIS_HOST --dport 8883 -j ACCEPT
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 8083 -j ACCEPT
$IPTABLES -A INPUT -p UDP -d $THIS_HOST --dport 8083 -j ACCEPT

#Accept Some Test Connections
$IPTABLES -A INPUT -p TCP -d $THIS_HOST --dport 56665 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 1823 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p UDP -s $HOME_NETWORK -d $THIS_HOST --dport 1823 -j ACCEPT

#Accept Some Minecraft Connections


#Accept Some UT2K4 Connections




#accept some mysql connections
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $THIS_HOST -d $THIS_HOST --dport 3306 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p TCP -s $HOME_NETWORK -d $THIS_HOST --dport 3306 -j ACCEPT
#$IPTABLES -A INPUT -m state --state NEW -p TCP -s $OFFICE2 -d $THIS_HOST --dport 3306 -j ACCEPT
#if [ "$EXTRA_IP_FOR_MYSQL" != "" ]; then
#        $IPTABLES -A INPUT -m state --state NEW -p TCP -s $EXTRA_IP_FOR_MYSQL -d $THIS_HOST --dport 3306 -j ACCEPT
#fi

#SMTP server
#accept connections from the world
#smtp  One per second limt -burst rate of ten
#$IPTABLES -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s --limit-burst 10 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 25 --syn -j DROP
#$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT

#pop server
#$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -d 127.0.0.1 --dport 110 -j ACCEPT

#snmp
#$IPTABLES -A INPUT -p udp -s 205.189.48.232 --dport 161 -j ACCEPT


####################################################################
# that's it for specific port openings
# now we just log everything and drop it
####################################################################

#Drop all packets from Private IP Address space
## Class A Reserved
$IPTABLES -A OUTPUT -d 10.0.0.0/8 -j DROP

## Class B Reserved
$IPTABLES -A OUTPUT -d 172.16.0.0/12 -j DROP

## Class C Reserved
$IPTABLES -A OUTPUT -d 192.168.1.0/24 -j ACCEPT

## Class D Reserved
$IPTABLES -A OUTPUT -d 224.0.0.0/4 -j DROP

## Class E Reserved
$IPTABLES -A OUTPUT -d 240.0.0.0/5 -j DROP


##Some ports should be denied and logged.
$IPTABLES -A INPUT -p tcp --dport 515 -m limit -j LOG \
                                       --log-prefix "L1on attack"
$IPTABLES -A INPUT -p tcp --dport 515 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6670 -m limit -j LOG \
                                       --log-prefix "Deepthroat scan"
$IPTABLES -A INPUT -p tcp --dport 6670 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6711 -m limit -j LOG \
                                       --log-prefix "Subseven scan"
$IPTABLES -A INPUT -p tcp --dport 6711 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6712 -m limit -j LOG \
                                       --log-prefix "Subseven scan"
$IPTABLES -A INPUT -p tcp --dport 6712 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6713 -m limit -j LOG \
                                       --log-prefix "Subseven scan"
$IPTABLES -A INPUT -p tcp --dport 6713 -j DROP

$IPTABLES -A INPUT -p tcp --dport 12345 -m limit -j LOG \
                                       --log-prefix "Netbus scan"
$IPTABLES -A INPUT -p tcp --dport 12345 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12346 -m limit -j LOG \
                                       --log-prefix "Netbus scan"
$IPTABLES -A INPUT -p tcp --dport 12346 -j DROP
$IPTABLES -A INPUT -p tcp --dport 20034 -m limit -j LOG \
                                       --log-prefix "Netbus scan"
$IPTABLES -A INPUT -p tcp --dport 20034 -j DROP
$IPTABLES -A INPUT -p tcp --dport 31337 -m limit -j LOG \
                                       --log-prefix "Back orifice scan"
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP

$IPTABLES -A INPUT -p tcp --dport 6000  -m limit -j LOG \
                                       --log-prefix "X-Windows Port"
$IPTABLES -A INPUT -p tcp --dport 6000  -j DROP


$IPTABLES -A INPUT -p tcp --dport 9704 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "rpc.statd(9704) Shell:"
$IPTABLES -A INPUT -p tcp --dport 9704 -j DROP

$IPTABLES -A INPUT -p tcp --sport 9704 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "rpc.statd(9704) Shell:"
$IPTABLES -A INPUT -p tcp --sport 9704 -j DROP
  ## NetBus and NetBus Pro

$IPTABLES -A INPUT -p tcp --dport 20034 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "NetBus Pro:"
$IPTABLES -A INPUT -p tcp --dport 20034 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12345:12346 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12345:12346 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "NetBus:"

  ## Trinoo
$IPTABLES -A INPUT -p tcp --sport 27665 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p tcp --dport 27665 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p tcp --sport 27665 -j DROP
$IPTABLES -A INPUT -p tcp --dport 27665 -j DROP

$IPTABLES -A INPUT -p udp --sport 27444 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p udp --dport 27444 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p udp --sport 27444 -j DROP
$IPTABLES -A INPUT -p udp --dport 27444 -j DROP

$IPTABLES -A INPUT -p udp --sport 31335 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p udp --dport 31335 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A INPUT -p udp --sport 31335 -j DROP
$IPTABLES -A INPUT -p udp --dport 31335 -j DROP



  ## Back Orifice
$IPTABLES -A INPUT -p tcp --dport 31337 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "BackOrifice-TCP:"
$IPTABLES -A INPUT -p udp --dport 31337 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "BackOrifice-UDP:"
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP
$IPTABLES -A INPUT -p udp --dport 31337 -j DROP

$IPTABLES -A INPUT -p tcp --sport 31337 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "BackOrifice-TCP:"
$IPTABLES -A INPUT -p udp --sport 31337 -m limit --limit 5/minute \
        -j LOG --log-level 6 --log-prefix "BackOrifice-UDP:"
$IPTABLES -A INPUT -p tcp --sport 31337 -j DROP
$IPTABLES -A INPUT -p udp --sport 31337 -j DROP

#Traceroutes depend on finding a rejected port.  DROP the ones it uses
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j DROP

#Don't log ident because it gets hit all the time eg connecting to an irc server
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT


#drop netbios lookups
#don't bother logging them, since they're innocent and frequent
$IPTABLES -A INPUT -p tcp --dport 137 -j DROP
$IPTABLES -A INPUT -p udp --dport 137 -j DROP


##i don't want these logged - there's just too many of them
$IPTABLES -A INPUT -p UDP --dport 67  -j DROP
$IPTABLES -A INPUT -p UDP --dport 138  -j DROP

##Catch-all rules.
#iptables falls through to these if nothing above has matched the packet.
$IPTABLES -A INPUT -m limit --limit 5/minute -j LOG  \
        --log-prefix "Firewalled packet:"
$IPTABLES -A FORWARD -m limit --limit 5/minute -j LOG \
        --log-prefix "Firewalled packet:"
#Reject
$IPTABLES -A INPUT -p all -j DROP
$IPTABLES -A FORWARD -p all -j REJECT

#Accept it anyway if it's only output
$IPTABLES -A OUTPUT -j ACCEPT
    
by Havock 05.04.2018 / 02:55

1 answer

0

The rules look fine; something that has fooled me in the past may be happening here. When you add rules (-A INPUT), they are appended to the end of the chain. Check whether you already have something there that will drop the packet before it gets to your rule. Instead, try inserting the rule ...

iptables -I INPUT ......
    
by 05.04.2018 / 09:32
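The two things this thread turns on, rule order in the chain and whether the port-1900 rule's match options actually fit the logged packet, can be checked offline. The following is an added example, not code from the question or the answer: a small Python model of the script's INPUT chain that parses the kernel LOG line quoted in the question, applies the rules with first-match semantics (LOG being non-terminating, -A appending, -I inserting at the head), and reports which match option of each port-1900 ACCEPT rule the packet fails. The rule list is the question's INPUT chain with the variables expanded and trimmed to the option subset the model understands; SSDP_RULE and the helper names are constructed for the example and are not from the page.

```python
import ipaddress
import re
import shlex

# Constructed sample: the kernel LOG line quoted in the question.
SAMPLE_LOG = (
    "Apr 4 15:54:39 zues kernel: [331454.549383] Firewalled packet:IN=eth0 OUT= "
    "MAC=01:00:5e:7f:ff:fa:cc:52:af:41:64:68:08:00 SRC=192.168.1.248 "
    "DST=239.255.255.250 LEN=188 TOS=0x00 PREC=0x00 TTL=2 ID=22168 PROTO=UDP SPT=1823 DPT=1900 LEN=168"
)
# Constructed sample: the script's INPUT chain in script order, with the variables expanded
# (THIS_HOST=192.168.1.116, HOME_NETWORK=192.168.1.0/24), trimmed to the options modelled below.
SCRIPT_INPUT_RULES = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT",
    "-A INPUT -m state --state INVALID -j DROP",
    "-A INPUT -s 91.65.221.109 -j DROP",
    "-A INPUT -m state --state NEW -p UDP -s 192.168.1.0/24 -d 192.168.1.116 --dport 1900 -j ACCEPT",
    "-A INPUT -m state --state ESTABLISHED,RELATED -d 192.168.1.116 -j ACCEPT",
    "-A INPUT -m state --state NEW -p TCP -s 192.168.1.0/24 -d 192.168.1.116 --dport 22 -j ACCEPT",
    '-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "Firewalled packet:"',
    "-A INPUT -p all -j DROP",
]
# Hypothetical fix (not from the page): the same rule aimed at the SSDP multicast group
# instead of the host's unicast address, either appended (-A) or inserted at the head (-I).
SSDP_RULE = "-m state --state NEW -p udp -s 192.168.1.0/24 -d 239.255.255.250 --dport 1900 -j ACCEPT"
SSDP_APPENDED = "-A INPUT " + SSDP_RULE
SSDP_INSERTED = "-I INPUT " + SSDP_RULE

def parse_log(line):
    """Packet fields from an iptables LOG line (KEY=value pairs), keyed like rule options."""
    f = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    return {"-i": f.get("IN", ""), "-p": f["PROTO"].lower(),
            "-s": ipaddress.ip_address(f["SRC"]), "-d": ipaddress.ip_address(f["DST"]),
            "--sport": int(f.get("SPT", 0)), "--dport": int(f.get("DPT", 0)),
            "--state": "NEW"}  # the first datagram of a UDP flow is NEW to conntrack

def parse_rule(line):
    """Parse the subset of iptables syntax the script uses into (action, chain, rule dict)."""
    toks = shlex.split(line)
    rule, action, chain = {"text": line, "target": None}, "A", None
    for opt, arg in zip(toks[::2], toks[1::2]):  # every option used here takes one argument
        if opt in ("-A", "-I"):
            action, chain = opt[1], arg
        elif opt == "-j":
            rule["target"] = arg
        elif opt in ("-s", "-d"):
            rule[opt] = ipaddress.ip_network(arg, strict=False)
        elif opt in ("--sport", "--dport"):
            rule[opt] = int(arg)
        elif opt in ("-p", "-i"):
            rule[opt] = arg.lower()
        elif opt == "--state":
            rule[opt] = set(arg.upper().split(","))
        elif opt not in ("-m", "--limit", "--log-prefix"):  # these add no packet predicate here
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
    return action, chain, rule

def failing_predicates(rule, pkt):
    """Match options of the rule that the packet does NOT satisfy (empty list = rule matches)."""
    failed = []
    for opt, want in rule.items():
        if opt in ("text", "target") or (opt == "-p" and want == "all"):
            continue
        have = pkt[opt]
        ok = have in want if opt in ("-s", "-d", "--state") else have == want
        if not ok:
            failed.append(opt)
    return failed

def build_chain(lines, chain="INPUT"):
    """Apply -A (append) and -I (insert at the head) in order, as iptables would."""
    rules = []
    for line in lines:
        action, target_chain, rule = parse_rule(line)
        if target_chain == chain:
            rules.insert(0 if action == "I" else len(rules), rule)
    return rules

def evaluate(chain, pkt, policy="ACCEPT"):
    """First-match walk; LOG is non-terminating. Returns (verdict, logged, index of deciding rule)."""
    logged = False
    for idx, rule in enumerate(chain):
        if failing_predicates(rule, pkt):
            continue
        if rule["target"] != "LOG":
            return rule["target"], logged, idx
        logged = True
    return policy, logged, None

def diagnose(chain, pkt, port):
    """For every ACCEPT rule on --dport <port>, the match options the packet fails."""
    return {r["text"]: failing_predicates(r, pkt)
            for r in chain if r["target"] == "ACCEPT" and r.get("--dport") == port}

if __name__ == "__main__":
    pkt = parse_log(SAMPLE_LOG)
    for label, extra in (("as posted", []), ("fix appended", [SSDP_APPENDED]), ("fix inserted", [SSDP_INSERTED])):
        chain = build_chain(SCRIPT_INPUT_RULES + extra)
        print(f"{label}: {evaluate(chain, pkt)}; port-1900 rules miss on {diagnose(chain, pkt, 1900)}")
```

Run against the chain as posted, the model logs the datagram and drops it at the final catch-all, and no earlier rule intercepts it; the port-1900 rule is walked past, and the one option it fails is -d. The logged DST is 239.255.255.250, the multicast group that SSDP/UPnP discovery is sent to, so a rule that requires -d 192.168.1.116 never sees an SSDP search, whether it is appended or inserted at the top. The multicast-aware rule shows the ordering point the answer raises: inserted at the head it accepts the packet, appended after the LOG/DROP pair it is never reached. In the real script the equivalent change is to keep the rule above the catch-all and replace -d $THIS_HOST with -d 239.255.255.250 (or -m pkttype --pkt-type multicast), while keeping -s $HOME_NETWORK so that only the LAN can reach the SSDP listener.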
