Hello HTF Group... Today I finally got around to working with the HowTo: http://howtoforge.com/blocking-ip-addresses-of-any-country-with-iptables

My first question pertains to after the blocklist script runs. The first thing the script does after using 'wget' to download the current Country IP Blocks is to run 'iptables -F', which purges IPTables of any current rules. The issue I have is I also utilize the following IPTables rules to try and provide some security to SSH access, and then additional rules to also close unused ports.

SSH Protection
Code:
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 54000 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force"
iptables -A INPUT -p tcp --dport 54000 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# THE WHITELIST
iptables -A SSH_WHITELIST -s 65.197.209.0/25 -m recent --remove --name SSH -j ACCEPT

# BLOCKING RULES
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

CLOSE UNUSED PORTS
Code:
iptables -A INPUT -p tcp --dport 444:53999 -j DROP
iptables -A INPUT -p tcp --dport 54001:60000 -j DROP

After the script is finished running I have to re-enter the SSH protection and close unused ports rules manually. Can I add these lines at the base of the script to automate this, as follows?

BLOCKLIST BASH SCRIPT
Code:
#!/bin/bash
# GAMA.ORG###
### PUT HERE COMMA SEPARATED LIST OF COUNTRY CODES ###
COUNTRIES="A1,A2,AD,AE,AF,AG,AI,AL,AM,AN,AO,AP,AQ,AR,AS,AT,AU,AW,AX,AZ,BA,BB,BD,BE,BF,BG,BH,BI,BJ,BM,BN,BO,BR,BS,BT,BV,BW,BY,BZ,CA,CC,CD,CF,CG,CH,CI,CK,CL,CM,CN,CO,CR,CU,CV,CX,CY,CZ,DE,DJ,DK,DM,DO,DZ,EC,EE,EG,EH,ER,ES,ET,EU,FI,FJ,FK,FM,FO,FR,GA,GB,GD,GE,GF,GG,GH,GI,GL,GM,GN,GP,GQ,GR,GS,GT,GU,GW,GY,HK,HM,HN,HR,HT,HU,ID,IE,IL,IM,IN,IO,IQ,IR,IS,IT,JE,JM,JO,JP,KE,KG,KH,KI,KM,KN,KP,KR,KW,KY,KZ,LA,LB,LC,LI,LK,LB,LC,LI,LK,LR,LS,LT,LU,LV,LY,MA,MC,MD,ME,MG,MH,MK,ML,MM,MO,MP,MQ,MR,MS,MT,MU,MV,MW,MX,MY,MZ,NA,NC,NE,NF,NF,NI,NL,NO,NP,NR,NU,NZ,OM,PA,PE,PF,PG,PH,PK,PL,PM,PN,PR,PS,PT,PW,PY,QA,RE,RO,RS,RU,RW,SA,SB,SC,SD,SE,SG,SH,SI,SJ,SK,SL,SM,SN,SO,SR,ST,SV,SY,SZ,TC,TD,TF,TG,TH,TJ,TK,TL,TM,TN,TO,TR,TT,TV,TW,TZ,UA,UG,UM,UY,UZ,VA,VC,VE,VG,VI,VN,VU,WF,WS,YE,YT,ZA,ZM,ZW"
WORKDIR="/root"
#######################################
cd $WORKDIR
wget -c --output-document=iptables-blocklist.txt "http://blogama.org/country_query.php?country=$COUNTRIES"
if [ -f iptables-blocklist.txt ]; then
    iptables -F
    BLOCKDB="iptables-blocklist.txt"
    IPS=$(grep -Ev "^#" $BLOCKDB)
    for i in $IPS
    do
        iptables -A INPUT -s $i -j DROP
        iptables -A OUTPUT -d $i -j DROP
    done
fi
rm $WORKDIR/iptables-blocklist.txt

# Re-add the SSH protection and close-unused-ports rules after the flush
iptables -N SSH_WHITELIST 2>/dev/null   # create the whitelist chain if it does not exist yet
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 54000 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force"
iptables -A INPUT -p tcp --dport 54000 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A SSH_WHITELIST -s 65.197.209.0/25 -m recent --remove --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 444:53999 -j DROP
iptables -A INPUT -p tcp --dport 54001:60000 -j DROP

Would this be correct and acceptable?

One last thing I have an issue with after the script runs: all services seem to function on the server afterwards, however from the CLI I am unable to ping the world. The server returns:
Code:
root@giganetwireless:/home/bender# ping yahoo.com
ping: unknown host yahoo.com

I do notice though now that after sending E-Mails from the server I receive: Delayed Mail (still being retried). I am however able to receive in-bound E-Mail to this server...

The results of 'hostname -f && hostname' are the following:
Code:
root@giganetwireless:/home/bender# hostname -f
localhost.localdomain
root@giganetwireless:/home/bender# hostname
giganetwireless.net

netstat -tap Lines Of Interest
Code:
tcp6       0      0 [UNKNOWN]:953           *:*                     LISTEN      6261/named
tcp6       0      0 *:smtp                  *:*                     LISTEN      6211/master
getnameinfo failed
getnameinfo failed
tcp6       0      0 [UNKNOWN]:pop3          [UNKNOWN]:54015         TIME_WAIT   -

tail -f /var/log/mail.log Output
Code:
Mar 15 21:18:47 giganetwireless postfix/smtp[25481]: 4B7EB1C882BA: to=<[email protected]>, relay=none, delay=1122, delays=1122/0.01/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=giganetwireless.com type=MX: Host not found, try again)
Mar 15 21:18:47 giganetwireless postfix/smtp[25482]: DCA081C882B7: to=<[email protected]>, relay=none, delay=4721, delays=4721/0.01/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=giganetwireless.com type=MX: Host not found, try again)
Mar 15 21:18:47 giganetwireless postfix/smtp[25484]: 76CBB1C882AD: to=<[email protected]>, relay=none, delay=8322, delays=8322/0.02/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=giganetwireless.com type=MX: Host not found, try again)

Thanking you in advance for your time and help. Best Regards
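The root cause of the post above is that the HowTo's script runs 'iptables -F', which empties the whole INPUT chain. An added example (not from the thread or the HowTo) that avoids the problem by loading the country list into its own chain, so only that chain is flushed on each refresh and the SSH protection and port rules stay in place. The chain name, the dry-run switch and the sample networks are assumptions; the blocklist format (comment lines starting with '#', one network per line) follows the original script's grep.

```shell
#!/bin/sh
# Added example: country blocklist in a dedicated chain instead of a global flush.
# DRY_RUN=1 prints the iptables commands instead of executing them.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "iptables $*"; else iptables "$@"; fi
}
CHAIN="COUNTRYBLOCK"   # assumed chain name

# Constructed sample in the blocklist's format: '#' comments, one network per line.
SAMPLE_BLOCKLIST='# constructed sample list
192.0.2.0/24
198.51.100.0/24
not-an-ip
203.0.113.0/24'

write_sample() { printf '%s\n' "$SAMPLE_BLOCKLIST" > "$1"; }

ensure_chain() {
    run -N "$CHAIN" 2>/dev/null || true    # already exists on later runs
    # Re-hook the chain at the top of INPUT/OUTPUT without duplicating the jump
    # (-D removes the old jump if present; works on old iptables without -C).
    run -D INPUT -j "$CHAIN" 2>/dev/null || true
    run -I INPUT 1 -j "$CHAIN"
    run -D OUTPUT -j "$CHAIN" 2>/dev/null || true
    run -I OUTPUT 1 -j "$CHAIN"
}

load_blocklist() {
    file="$1"
    ensure_chain
    run -F "$CHAIN"        # flush only our chain, never the whole filter table
    count=0
    for net in $(grep -Ev '^[[:space:]]*(#|$)' "$file"); do
        case "$net" in      # rough sanity check: digits, dots and a slash only
            *[!0-9./]*) echo "skipping malformed entry: $net" >&2; continue ;;
        esac
        run -A "$CHAIN" -s "$net" -j DROP   # inbound from the listed network
        run -A "$CHAIN" -d "$net" -j DROP   # outbound to the listed network
        count=$((count + 1))
    done
    echo "loaded $count networks into $CHAIN" >&2
}

# Usage: sh blocklist.sh /root/iptables-blocklist.txt
if [ -n "${1:-}" ]; then load_blocklist "$1"; fi
```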
I think this should work. Regarding the connection problem: I guess this is related to your firewall problem. Please modify the script and try again.
Hi Falko, thank you for the reply... I did find that the DNS numbers used in 'resolv.conf' were in the same network as some of the blocked country numbers; after changing the DNS numbers I can ping the world now.

The issue I am trying to resolve with this presently is that when I attempt to run 'apt-get update', apt snags on the following:
Code:
0% [Connecting to us.archive.ubuntu.com (91.189.88.45)] [Connecting to security.ubuntu.com (91.189.88.37)]

The above IPs originate from the U.K. (Canonical). Presently in 'apt' my 'sources.list' is as follows:
Code:
# deb http://us.archive.ubuntu.com/ubuntu/ gutsy main restricted
# deb http://us.archive.ubuntu.com/ubuntu/ gutsy-updates main restricted
# deb http://us.archive.ubuntu.com/ubuntu gutsy-security main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.

deb http://us.archive.ubuntu.com/ubuntu/ gutsy main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://us.archive.ubuntu.com/ubuntu/ gutsy-updates main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://us.archive.ubuntu.com/ubuntu/ gutsy universe
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy universe
deb http://us.archive.ubuntu.com/ubuntu/ gutsy-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://us.archive.ubuntu.com/ubuntu/ gutsy multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy multiverse
deb http://us.archive.ubuntu.com/ubuntu/ gutsy-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy-updates multiverse

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://us.archive.ubuntu.com/ubuntu/ gutsy-backports main restricted universe multiverse
# deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository. This software is not part of Ubuntu, but is
## offered by Canonical and the respective vendors as a service to Ubuntu
## users.
# deb http://archive.canonical.com/ubuntu gutsy partner
# deb-src http://archive.canonical.com/ubuntu gutsy partner

deb http://security.ubuntu.com/ubuntu gutsy-security main restricted
deb-src http://security.ubuntu.com/ubuntu gutsy-security main restricted
deb http://security.ubuntu.com/ubuntu gutsy-security universe
deb-src http://security.ubuntu.com/ubuntu gutsy-security universe
deb http://security.ubuntu.com/ubuntu gutsy-security multiverse
deb-src http://security.ubuntu.com/ubuntu gutsy-security multiverse

What would the U.S. sources URL be for the security? BTW: the OS is UBUNTU 7.10. Thank you, Best Regards
ISSUE SOLVED. I had to open a few ports which I had closed down and also set new DNS numbers in resolv.conf, and VOILA! Thank you Falko. Best Regards
A suggestion here... instead of blacklisting ports, why don't you whitelist ports and make a default drop policy? -Adam
Hi Adam... Thank you for the reply. Excuse my ignorance, but in short detail, what measures would I take to implement a port whitelist including a DROP policy? Once again, thank you for sharing your knowledge too! Best Regards
The default policy should drop everything except what is allowed in iptables, e.g. ssh, http, https and dns. Everything else should be dropped. Do a netstat and see what ports you are using.

Default drop policy:
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Here is a great place to start: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-iptables.html
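Adam's default-drop approach written out as an added example (not from the thread): the accept rules go in first and the policies are flipped to DROP last, so an existing SSH session is not cut off halfway through. The port lists are assumptions drawn from the thread (SSH on 54000, the named and postfix listeners from the netstat output, outbound HTTP for apt and DNS for resolv.conf); DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: whitelist the services in use, drop everything else by default.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "iptables $*"; else iptables "$@"; fi
}

IN_TCP="${IN_TCP:-54000 80 443 25 110 53}"   # assumed: ssh, http, https, smtp, pop3, dns
IN_UDP="${IN_UDP:-53}"                       # assumed: named answers UDP queries too
OUT_TCP="${OUT_TCP:-80 443 25 53}"           # assumed: apt mirrors, outbound mail, dns
OUT_UDP="${OUT_UDP:-53}"                     # assumed: resolver lookups

apply_policy() {
    # Start permissive while the chains are rebuilt so the current session survives.
    run -P INPUT ACCEPT; run -P OUTPUT ACCEPT; run -P FORWARD ACCEPT
    run -F INPUT; run -F OUTPUT; run -F FORWARD
    # Loopback and replies to connections that were already accepted.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services offered to the world (new inbound connections only).
    for p in $IN_TCP; do run -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT; done
    for p in $IN_UDP; do run -A INPUT -p udp --dport "$p" -j ACCEPT; done
    # Services this host needs to reach (the apt and mail problems in the thread).
    for p in $OUT_TCP; do run -A OUTPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT; done
    for p in $OUT_UDP; do run -A OUTPUT -p udp --dport "$p" -j ACCEPT; done
    # Echo requests in both directions; replies are covered by ESTABLISHED.
    run -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    run -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Only now make DROP the default: anything not matched above is discarded.
    run -P INPUT DROP; run -P FORWARD DROP; run -P OUTPUT DROP
}

# Usage: sh firewall.sh apply   (DRY_RUN=1 sh firewall.sh apply to review first)
if [ "${1:-}" = apply ]; then apply_policy; fi
```

Flushing INPUT and OUTPUT here also removes any jumps to other chains, so reload any country-block or SSH-protection chains after this runs.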
What ports? I'm having the same issue on one of my machines here. Would you mind elaborating on what ports you had to open to get this to work? (I already have 80 open) Thanks Glenn
Aptitude... I've been having similar problems with updates and was wondering what ports poster giganet opened to solve his problem. Glenn