iptables rules for DNS/HTTP/HTTPS traffic for specific hosts only, not working.

Hi there,

I have a VPS and am working on a little side project for myself and a friend, which is a DNS proxy. Everything was great till recently. My VPS IP has been detected by some botnet or something, and I believe SMURF attacks are occurring. The VPS provider keeps shutting down my VPS automatically after 30k connections are made. Every day for the past week I've been trying to tweak BIND rules and then moved on to iptables rules. The BIND rules didn't do anything for some reason. I added specific hosts to the trusted ACL in BIND and thought that would stop the recursion SMURF attack; it did not. At least I think it's a SMURF attack: when I use dnstop to monitor queries, I see lots of queries for 1x1.cz and isc.org, both sites that neither I nor any friends would ever visit.

I'm very much a newb with iptables and have been trying countless rules, but whenever I would apply them either all traffic still gets through or no traffic (aside from SSH). I've set up SSH on port 22022 and made one TCP state rule for it; that's about the only rule that seems to work properly.

I don't have the full rules I used, due to the VPS being suspended till they enable it again.

However, this is what I'm trying to do:
Have friends able to access the DNS from their specific IP addresses. The DNS query comes in; for certain sites BIND is set up to override and provide the client with the server's IP address, then the data is routed through a proxy which runs on port 80/443. SSH runs on 22022. The only ports I should have open, I believe, are 53, 80, 443, 22022.

So for example a client uses the DNS IP for my VPS; they submit a query for 'google.com', my BIND provides them the override for google.com which points back to the VPS IP, then the data gets submitted to the proxy program, which then on the user's behalf makes the HTTP/HTTPS request and relays the information back to the client.

So for my rules, I thought I had set up something that would accept everything for the local interface, then accept port 22022 first off, then added the exclusion for each individual source IP (being my friends' IP addresses), then I set up rules for OUTPUT destination to my friends' IPs. I didn't lock down the exclusions to specific ports; I just said if any request for x IP comes in, then allow it, and if any request exits the server for x IP, then allow it. After that I added the iptables -P OUTPUT -j DROP and INPUT -j DROP commands.

This appears to only allow me to SSH to the VPS, while DNS appears to not work.

I have no clue why things aren't working.

Can anyone provide proper rules for this type of setup? I'm not technical to the point that I fully understand how the SMURF attack works or if that is even what's going on. I thought disabling recursion for hosts that aren't in the exclusions list would have done the trick, but that didn't appear to do anything. I would still receive the queries for 1x1.cz and isc.org from random hosts; then proceeding with iptables just made things not work at all.

When I flush the rules with iptables -F, the server appears to block all connections and I cannot connect to it again till I reboot the VPS. Which is strange, since I thought iptables -F just clears the iptables and allows you to write new rules, from what I'm reading in the man pages.

Any help would be appreciated!

EDIT:
The VPS provider re-enabled my VPS; here is what I'm using:
root@vps:~# cat /etc/iptables.rules.042514
# Generated by iptables-save v1.4.12 on Sat Apr 26 05:24:45 2014
*raw
:PREROUTING ACCEPT [7691:490771]
:OUTPUT ACCEPT [6864:562471]
COMMIT
# Completed on Sat Apr 26 05:24:45 2014
# Generated by iptables-save v1.4.12 on Sat Apr 26 05:24:45 2014
*nat
:PREROUTING ACCEPT [1879:118359]
:POSTROUTING ACCEPT [92:5561]
:OUTPUT ACCEPT [1203:87450]
COMMIT
# Completed on Sat Apr 26 05:24:45 2014
# Generated by iptables-save v1.4.12 on Sat Apr 26 05:24:45 2014
*mangle
:PREROUTING ACCEPT [7691:490771]
:INPUT ACCEPT [7691:490771]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6864:562471]
:POSTROUTING ACCEPT [5753:480582]
COMMIT
# Completed on Sat Apr 26 05:24:45 2014
# Generated by iptables-save v1.4.12 on Sat Apr 26 05:24:45 2014
*filter
:INPUT DROP [1611:101493]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [1111:81889]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22022 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 216.232.249.xxx/32 -j ACCEPT
-A INPUT -s 24.85.234.xxx/32 -j ACCEPT
-A INPUT -s 96.48.135.xxx/32 -j ACCEPT
-A INPUT -s 70.70.132.xxx/32 -j ACCEPT
-A OUTPUT -d 216.232.249.xxx/32 -j ACCEPT
-A OUTPUT -d 24.85.234.xxx/32 -j ACCEPT
-A OUTPUT -d 96.48.135.xxx/32 -j ACCEPT
-A OUTPUT -d 70.70.132.xxx/32 -j ACCEPT
COMMIT

EDIT:

I've gotten things working with this:

iptables -P INPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22022 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 24.85.234.xxx/32 -j ACCEPT
iptables -A INPUT -s 96.48.135.xxx/32 -j ACCEPT
iptables -A INPUT -s 70.70.132.xxx/32 -j ACCEPT
iptables -A INPUT -s 216.232.249.xxx/32 -j ACCEPT
iptables -A INPUT -s 66.85.140.xxx/32 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

I've tried limiting the output with the following commands; however, it never seemed to route things properly/work when I applied them:
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -d 24.85.234.xxx/32 -j ACCEPT
iptables -P OUTPUT DROP

Is it safe to have INPUT DROP aside from excluded IPs, then have OUTPUT ACCEPT wide open? I'm guessing it isn't that much of an issue? So far I'm testing things to see if the DDoS attackers can use my VPS for their SMURF attacks; so far the VPS has been up and running for a few hours with no issues with the new rules. I just don't know if the OUTPUT ACCEPT is OK to leave as is?

Yesterday the VPS got taken down again, due to too many conntrack connections, they said.

I am not sure what logs to look at, but when I do netstat -ntulp it shows very few connections when they bring the VPS back online. I've monitored all day, checking a few times every hour to see what netstat and the /proc/net/nf_conntrack log show. It doesn't seem like a crazy amount of connections are being produced; I'd say no more than 1-50 connections, average around 10, mostly open connections from DNS/proxy from a few of the IPs I have allowed in.

This is nowhere close to their 25-30k conntrack limit.

Today the server hasn't gone down; the iptables rules are automatically applied upon boot. I shall continue to monitor.
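An added example, not part of the original post, of a ruleset that does what the question asks for: only the listed friend IPs may reach DNS (53) and the proxy (80/443), OUTPUT is stateful instead of wide open, and inbound UDP DNS is exempted from conntrack so stray queries from the internet do not count against the provider's conntrack limit. It assumes SSH on 22022 as in the post; the friend IPs are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: generate an iptables-restore
# ruleset for the setup described in the question. Only the listed friend
# IPs reach DNS (53 udp/tcp) and the proxy (80/443); OUTPUT is stateful
# rather than wide open; inbound UDP DNS is exempted from conntrack in the
# raw table, so stray queries from the internet cannot consume the
# provider's conntrack limit. Assumptions: SSH on 22022 (as in the post);
# the friend IPs are constructed sample values (TEST-NET-3).

ALLOWED_IPS="203.0.113.10 203.0.113.11"
SSH_PORT=22022

emit() { printf '%s\n' "$*"; }

# gen_rules: print the ruleset; apply as root with: gen_rules | iptables-restore
gen_rules() {
    emit '*raw'
    emit ':PREROUTING ACCEPT [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    # No conntrack entry per UDP query: a flood of bogus queries is dropped
    # in INPUT without ever touching the conntrack table.
    emit '-A PREROUTING -p udp --dport 53 -j NOTRACK'
    emit '-A OUTPUT -p udp --sport 53 -j NOTRACK'
    emit 'COMMIT'
    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT DROP [0:0]'
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A OUTPUT -o lo -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    emit "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    for ip in $ALLOWED_IPS; do
        # Untracked UDP has no ESTABLISHED state, so both directions are explicit.
        emit "-A INPUT -s $ip -p udp --dport 53 -j ACCEPT"
        emit "-A OUTPUT -d $ip -p udp --sport 53 -j ACCEPT"
        emit "-A INPUT -s $ip -p tcp -m multiport --dports 53,80,443 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # BIND recursion and the proxy open upstream connections on the clients' behalf.
    emit '-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT'
    emit '-A OUTPUT -p tcp -m multiport --dports 53,80,443 -m conntrack --ctstate NEW -j ACCEPT'
    emit 'COMMIT'
}

# count_rules: number of -A lines in the generated set
count_rules() { gen_rules | grep -c '^-A'; }
```

The NOTRACK target lives in the raw table, so the iptable_raw module must be loadable on the VPS kernel; everything not matched above is silently dropped by the DROP policies, which is what keeps the 1x1.cz/isc.org queries from random hosts out of both BIND and the conntrack table.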

Why not use ufw (Uncomplicated Firewall), which does all the hard work for you?

Already coded the script. I did not know about UFW; however, with UFW it's still a command-line oriented program which I would have to code a script for. The issue with the VPS DNS attack has not come back since. However, it did last a few days while the attackers were basically DDoSing the VPS IP, as their bots didn't do another DNS net scan to update their list of available DNSs.