iptables help for port 80

ranjancom2000 · June 12, 2015, 1:01pm

Hi

I enable the IPtables but port 80 was not working. Below is my active configuration

neutronscott · June 12, 2015, 1:04pm

It needs to be above the REJECT line

ranjancom2000 · June 12, 2015, 1:19pm

I don't understand the logic why it was not working if i put after reject.

---------- Post updated at 12:19 PM ---------- Previous update was at 12:18 PM ----------

I want to add some more attack tables where i need to add. all are DROP

# Reject spoofed packets
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP

-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP

# NULL packets
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Syn-flood attack
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# XMAS packets
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

#Force Fragments packets check
-A INPUT -f -j DROP

# Stop smurf attacks
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp -j DROP

# Drop all invalid packets
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP

# Drop excessive RST packets to avoid smurf attacks
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
-A INPUT -m recent --name portscan --remove
-A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

Corona688 · June 12, 2015, 1:36pm

It goes through them in order. "If this, do that, if this, jump there, if this, do that, otherwise, reject and quit".

So a REJECT line stops it cold.

ranjancom2000 · June 12, 2015, 1:56pm

Ok then i think i will place REJECT @ below of all lines. And all DROP will be placed after ACCEPT it will right

Corona688 · June 12, 2015, 3:23pm

If you put an ACCEPT before a DROP the DROP will never happen either. ACCEPT and DROP both kind of stop right there.

Aia · June 12, 2015, 8:58pm

That list of DROP, you posted previously, can be added right before:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This line:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

place it right after or before:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

ranjancom2000 · June 13, 2015, 12:23am

Is this correct

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Reject spoofed packets
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP

iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

# NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Syn-flood attack
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

#Force Fragments packets check
iptables -A INPUT -f -j DROP

# Stop smurf attacks
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -j DROP

# Drop all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Drop excessive RST packets to avoid smurf attacks
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

#ALL ACCEPT

-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

#ALL REJECT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p all -j REJECT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Aia · June 13, 2015, 2:22am

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Bring that line to just above -A INPUT -p icmp -j ACCEPT and below

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

That appears to be a solution.

ranjancom2000 · June 14, 2015, 11:23pm

Some issue if add the DROP before accept i am not able to restart the iptables

Aia · June 15, 2015, 12:36am

This is the format of how the saved rules get stored in permanent disk like /etc/sysconfig/iptables

#ALL ACCEPT

-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

#ALL REJECT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p all -j REJECT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

These are the individual commands for a script or cli that would load these rules to the current running iptables service:

# Reject spoofed packets
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP

iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

If you load these rules via a script you have to save them permanently.
In RedHat: iptables-save > /etc/sysconfig/iptables

Or you just can drop the iptables part and place that in the file /etc/sysconfig/iptables directly. Then, reload the iptables service:

service iptables restart