In this post, I'll go over how to use iptables and ipset to create a basic firewall with ssh brute force protection and geo-blocking. I'm assuming CentOS here, adjust paths/commands accordingly for other distributions.
Ipset is a tool to create and maintain IP sets in the Linux kernel. The advantage of using ipset over setting up a bunch of individual rules is one of CPU utilization. Ipset can handle thousands of entries without CPU degradation, wheras introducing thousands of rules in iptables will have a noticeable impact on packet processing speeds.
First we'll install the tool and create an initial ipset and persist it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
yum install ipset iptables iptables-services
cat <<'EOF' >/root/refresh-geoblock.sh
#!/bin/bash
mkdir /tmp/geoblocking
cd /tmp/geoblocking
ipset destroy geoblock
ipset -N geoblock nethash
for i in cn kr pk tw sg kh pe; do
echo $i
wget -q http://www.ipdeny.com/ipblocks/data/countries/$i.zone
for k in `cat $i.zone`; do
ipset -A geoblock $k
done
done
cd /tmp
rm -rf /tmp/geoblocking
ipset save geoblock >/etc/sysconfig/ipset-geoblock
'EOF'
chmod +x /root/refresh-geoblock.sh
/root/refresh-geoblock.sh
|
Next up, a basic firewall configuration. Some things to note about these rules:
- Default input/output policy is set to drop. I highly recommend you leave it this way and only open up what you really need.
- Poking holes for inbound SSH. These rules use the recent match and will only allow 4 connections per source IP every five minutes, which will greatly reduce the number of brute force attempts that hit the server.
- Poking holes for outbound ports for github/bitbucket
- Poking holes for some yum repositories
- Poking holes for outbound DNS (using google's recursive DNS resolver in this example)
If you want to use this as-is, make sure you update your /etc/resolv.conf to have the correct DNS entries.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
cat <<'EOF' >/etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Thu Feb 12 15:15:51 2015
*filter
:INPUT DROP [70:4342]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m set --match-set geoblock src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -p tcp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 300 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 300 --hitcount 3 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "SSH brute force "
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 300 --hitcount 3 --rttl --name SSH --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -d 192.30.252.0/24 -p tcp -m multiport --dports 80,443,22,9418 -m comment --comment "Allow to talk to github" -j ACCEPT
-A OUTPUT -d 70.38.0.137/32 -p tcp -m tcp --dport 80 -m comment --comment "epel mirror" -j ACCEPT
-A OUTPUT -d 31.172.186.53/32 -p tcp -m tcp --dport 80 -m comment --comment "erlang mirror" -j ACCEPT
-A OUTPUT -d 209.132.181.16/32 -p tcp -m tcp --dport 80 -m comment --comment "epel mirror" -j ACCEPT
-A OUTPUT -d 66.135.62.201/32 -p tcp -m tcp --dport 80 -m comment --comment "epel mirror" -j ACCEPT
-A OUTPUT -d 66.35.62.166/32 -p tcp -m tcp --dport 80 -m comment --comment "epel mirror" -j ACCEPT
-A OUTPUT -d 152.19.134.146/32 -p tcp -m tcp --dport 80 -m comment --comment "epel mirror" -j ACCEPT
-A OUTPUT -d 140.211.169.197/32 -p tcp -m tcp --dport 80 -m comment --comment "epel mirror" -j ACCEPT
-A OUTPUT -d 67.203.2.67/32 -p tcp -m tcp --dport 80 -m comment --comment "epel mirror" -j ACCEPT
-A OUTPUT -d 70.38.0.136/32 -p tcp -m tcp --dport 80 -m comment --comment "centos mirror" -j ACCEPT
-A OUTPUT -d 131.103.20.168/32 -p tcp -m multiport --dports 80,443,22 -m comment --comment "Allow to talk to bitbucket" -j ACCEPT
-A OUTPUT -d 131.103.20.167/32 -p tcp -m multiport --dports 80,443,22 -m comment --comment "Allow to talk to bitbucket" -j ACCEPT
-A OUTPUT -d 4.2.2.2/32 -p udp -m udp --dport 53 -m comment --comment "google DNS 1" -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m comment --comment "google DNS 2" -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Feb 12 15:15:51 2015
'EOF'
|
Once this is in place, we're good to go. You can start your fresh firewall with
You may want to periodically refresh your geo-blocking rules. This can be done with the following commands:
1
2
3
|
service iptables stop
/root/refresh-geoblock.sh
service iptables start
|
There's one last thing that hasn't been addressed, it's reloading the ipset after a reboot before the firewall gets reloaded. To address this, I've edited /usr/libexec/iptables/iptables.init and changed the following function:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
start() {
# Do not start if there is no config file.
[ ! -f "$IPTABLES_DATA" ] && return 6
# check if ipv6 module load is deactivated
if [ "${_IPV}" = "ipv6" ] \
&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
echo $"${IPTABLES}: ${_IPV} is disabled."
return 150
fi
echo -n $"${IPTABLES}: Applying firewall rules: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
$IPTABLES-restore $OPT $IPTABLES_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo;
if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
echo -n $"${IPTABLES}: Applying firewall fallback rules: "
$IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo; return 1
fi
else
return 1
fi
fi
# Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: "
ret=0
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
modprobe $mod > /dev/null 2>&1
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
# Load sysctl settings
load_sysctl
touch $VAR_SUBSYS_IPTABLES
return $ret
}
|
To:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
start() {
# Do not start if there is no config file.
[ ! -f "$IPTABLES_DATA" ] && return 6
# check if ipv6 module load is deactivated
if [ "${_IPV}" = "ipv6" ] \
&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
echo $"${IPTABLES}: ${_IPV} is disabled."
return 150
fi
echo -n $"${IPTABLES}: Loading ipset: "
ipset restore </etc/sysconfig/ipset-geoblock
echo "ok"
echo -n $"${IPTABLES}: Applying firewall rules: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
$IPTABLES-restore $OPT $IPTABLES_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo;
if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
echo -n $"${IPTABLES}: Applying firewall fallback rules: "
$IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo; return 1
fi
else
return 1
fi
fi
# Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: "
ret=0
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
modprobe $mod > /dev/null 2>&1
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
# Load sysctl settings
load_sysctl
touch $VAR_SUBSYS_IPTABLES
return $ret
}
|