iptables i problemy z usługami
: 24 października 2018, 11:51
Niestety mam problem z usługami imap/smtp: czasem udaje się zalogować do serwerów, a czasem nie. Pytanie, czy nie ma za dużo restrykcji, jeśli chodzi o zabezpieczenia przed atakami. Mam też wrażenie, że strony dłużej się ładują. Podaję spis reguł:
### IPTABLE RULES / STANDARD SETTINGS ###
#########################################
# clean all old chains
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t filter
iptables -X -t filter
if [ "$1" = "stop" ]
then
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
echo "The firewall is now turned off !"
exit
fi
# initial settings
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# passing traffic for internal connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
# passing existing connections ( ESTABLISHED ) and those already associated with existing connections ( RELATED )
# for users who use ftp passive mode
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# reject connections for ident/auth service
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
### PROTECTION AGAINST VARIOUS ATTACKS ###
##########################################
# limit of pings
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j LOG --log-prefix "Ping: "
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
# protection from ACK scan / nmap -sA
#iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j LOG --log-prefix "ACK scan: "
#iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j DROP
# protection from FIN scan / nmap -sF
#iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j LOG --log-prefix "FIN scan: "
#iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP
# protection from XMAS TREE scan / nmap -sX
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH PSH -j LOG --log-prefix "Xmas scan: "
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j DROP
# protection from NULL scan
iptables -A INPUT -m conntrack --ctstate INVALID -p tcp ! --tcp-flags SYN,RST,ACK,FIN,PSH,URG SYN,RST,ACK,FIN,PSH,URG -j LOG --log-prefix "Null scan: "
# protection from DoS attack / problem with imap/smtp
#iptables -A INPUT -m conntrack --ctstate INVALID -p tcp ! --tcp-flags SYN,RST,ACK,FIN,PSH,URG SYN,RST
#iptables -N syn-flood
#iptables -A INPUT -p tcp --syn -j syn-flood
#iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
#iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j LOG --log-prefix "SYN-flood: "
#iptables -A syn-flood -j DROP
### ACCEPT SPECIFIED SERVICE ###
################################
iptables -A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
# tinyproxy
# iptables -I INPUT -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
### LOGS ###
############
# logs - NIE DZIALA !!! BLOKUJE WSZYSTKO !!!
#iptables -N LOGGING
#iptables -A INPUT -j LOGGING
#iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
#iptables -A LOGGING -j DROP