Someone to check my iptables file (Ubuntu 10.4)

Hi there. I moved to linode.com yesterday after migrating from slicehost.com and I have reason to believe that my iptables file may be wrongly configured and open to malicious traffic. The reason I believe that is that I had on my old host a sudden traffic spike of malicious attacks after setting this up. I also could not SSH on Linode when the "SSH" portion was under the "CloudFlare" portion.

In short: I want to be sure I got it right this time. If someone would be kind enough to take a look at them and correct any errors, I'd really appreciate it.

I use Ubuntu 10.4

```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: accept anything on lo, reject packets for 127.0.0.0/8 that arrive on any other interface
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Replies to connections we already have
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Web
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 6969 -j ACCEPT
# Whitelist CloudFlare Service IP Ranges
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.240.0-204.93.240.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.177.0-204.93.177.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 199.27.128.0-199.27.135.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 173.245.48.0-173.245.63.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 103.22.200.0-103.22.203.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 141.101.64.0-141.101.127.255 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (rate limited, LOG does not stop rule evaluation)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

5 Replies

> ```
> *filter
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> # Whitelist CloudFlare Service IP Ranges
> -A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.240.0-204.93.240.255 -j ACCEPT
> -A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.177.0-204.93.177.255 -j ACCEPT
> -A INPUT -p tcp --dport 80 -m iprange --src-range 199.27.128.0-199.27.135.255 -j ACCEPT
> -A INPUT -p tcp --dport 80 -m iprange --src-range 173.245.48.0-173.245.63.255 -j ACCEPT
> -A INPUT -p tcp --dport 80 -m iprange --src-range 103.22.200.0-103.22.203.255 -j ACCEPT
> -A INPUT -p tcp --dport 80 -m iprange --src-range 141.101.64.0-141.101.127.255 -j ACCEPT
> ```

I don't see anything wrong per se, but if you check the counters for the rules, you'll find out the first rule will match before the CloudFlare rules.

Travis

Thank you Travis for taking a look at my iptables. Unfortunately I am not sure what you are trying to tell me, as I am a newbie with these things (else I wouldn't ask :))

Can you please explain to me what the counters are that you mean?

Did you mean that I should move the CloudFlare acceptances before the port 80 and port 443? Or did you mean that they should be moved before this line:

> ```
> # cloudflare here
> # the other rules
> -A INPUT -i lo -j ACCEPT
> -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
> ```

Sorry for being such a newbie :)

Yes, there's that too, but the port 80 rule makes all the cloudflare rules redundant. There's no need to whitelist port 80 for those IP ranges when you already explicitly allow port 80 from any IP address…

I'm no IPTABLES whiz, but I believe it's a first-match-wins type system. The first rule that matches for a given packet is used and halts evaluation of any further rules.

@Genjin:

> Can you please explain to me what the counters are that you mean?

If you execute `iptables -vnL` you will see the counters for each iptables rule. You'll be able to see how many packets/bytes are being matched by your rules.

@Genjin:

> Sorry for being such a newbie :)

Don't be, that is how we all learn, by asking questions.

Each packet is evaluated from top to bottom by your iptables rules. Thus the order of the rules is important. As Guspaz noted, first rule matched wins.

```
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
```

It is unnecessary to have the firewall evaluate all traffic hitting your Linode against your CloudFlare rules when the above rule will allow all HTTP port 80 traffic to be accepted (first rule matched wins). Thus you should remove the CloudFlare rules as they will not have any matches. If you want to reject/drop all HTTP port 80 traffic except for traffic from CloudFlare, then what you have won't accomplish that.

Travis
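The rule-ordering point above, as an added example that is not part of this thread or of anyone's posted configuration: a small Python simulation of first-match-wins evaluation over an INPUT chain in iptables-save format, with per-rule hit counters in the spirit of `iptables -vnL`. It parses the `-A INPUT` lines, runs constructed sample packets through two variants of the ruleset (the original ordering, and one with the blanket port-80 ACCEPT removed so that only the CloudFlare ranges can reach port 80), and reports which rules ever match. The function names (`parse_chain`, `walk`, `run_chain`, `tcp`), the trimmed rule dump, and the packets (documentation addresses 198.51.100.0/24 and 203.0.113.0/24) are all constructed for the example; the `-m limit` rate limit is ignored, and conntrack state is supplied by hand on each packet.

```python
"""Simulate first-match-wins evaluation of an iptables INPUT chain (added example)."""
import ipaddress
import shlex

# Rule files in iptables-save format, constructed for this example. ORIGINAL mirrors the
# thread's ordering (CloudFlare ranges trimmed to two); RESTRICTED drops the blanket port-80 ACCEPT.
ORIGINAL = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 6969 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 204.93.240.0-204.93.240.255 -j ACCEPT
-A INPUT -p tcp --dport 80 -m iprange --src-range 199.27.128.0-199.27.135.255 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
RESTRICTED = ORIGINAL.replace("-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\n", "")

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
# Options that never decide whether a packet matches (the -m limit rate is ignored here).
IGNORED = {"-m", "--limit", "--log-prefix", "--log-level", "--reject-with"}
PARSERS = {  # match option -> how to turn its argument into a comparable value
    "-i": str, "-p": str, "--dport": int, "--icmp-type": int,
    "-d": ipaddress.ip_network,
    "--state": lambda a: set(a.split(",")),
    "--src-range": lambda a: tuple(ipaddress.ip_address(x) for x in a.split("-")),
}


def parse_chain(text, chain="INPUT"):
    """Turn the '-A <chain> ...' lines of an iptables-save dump into rule dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(f"-A {chain} "):
            continue                       # table header, policies, comments, COMMIT
        toks, crit, target, i = shlex.split(line)[2:], {}, None, 0
        while i < len(toks):
            neg = toks[i] == "!"           # '!' negates the option that follows it
            if neg:
                i += 1
            opt, arg = toks[i], toks[i + 1]
            i += 2
            if opt == "-j":
                target = arg
            elif opt in PARSERS:
                crit[opt] = (neg, PARSERS[opt](arg))
            elif opt not in IGNORED:
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        rules.append({"crit": crit, "target": target, "line": line, "hits": 0})
    return rules


def _matches(crit, pkt):
    """Every criterion (after '!' negation) must hold; a rule with none matches everything."""
    tests = {
        "-i": lambda v: pkt["iface"] == v,
        "-p": lambda v: pkt["proto"] == v,
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in v,
        "--dport": lambda v: pkt.get("dport") == v,
        "--icmp-type": lambda v: pkt.get("icmp_type") == v,
        "--state": lambda v: pkt["state"] in v,
        "--src-range": lambda v: v[0] <= ipaddress.ip_address(pkt["src"]) <= v[1],
    }
    return all(tests[k](v) != neg for k, (neg, v) in crit.items())


def walk(rules, pkt, policy="ACCEPT"):
    """First terminating match wins; LOG counts the packet but lets it fall through."""
    for rule in rules:
        if _matches(rule["crit"], pkt):
            rule["hits"] += 1
            if rule["target"] in TERMINATING:
                return rule["target"]
    return policy                          # chain policy, reached only if nothing terminated


def run_chain(text, packets):
    """Return per-packet verdicts and per-rule hit counts (what `iptables -vnL` shows)."""
    rules = parse_chain(text)
    verdicts = [walk(rules, p) for p in packets]
    return verdicts, {r["line"]: r["hits"] for r in rules}


def tcp(src, dport, dst="203.0.113.10", iface="eth0"):
    """A fresh inbound TCP SYN as conntrack would classify it (constructed sample packet)."""
    return {"src": src, "dst": dst, "iface": iface, "proto": "tcp", "dport": dport, "state": "NEW"}


SAMPLE_PACKETS = [                # constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
    tcp("198.51.100.7", 80),      # HTTP from an arbitrary Internet host
    tcp("204.93.240.10", 80),     # HTTP from inside a CloudFlare range
    tcp("198.51.100.7", 22),      # SSH on the default port, which the ruleset does not open
    tcp("198.51.100.7", 6969),    # SSH on the custom port
    {"src": "198.51.100.7", "dst": "203.0.113.10", "iface": "eth0",
     "proto": "icmp", "icmp_type": 8, "state": "NEW"},   # echo request
    tcp("198.51.100.7", 80, dst="127.0.0.1"),            # loopback destination arriving on eth0
]

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("restricted", RESTRICTED)):
        verdicts, hits = run_chain(text, SAMPLE_PACKETS)
        print(name, verdicts, *(f"\n  {n:3d}  {line}" for line, n in hits.items()))
```

Running it shows the two CloudFlare rules with zero hits under the original ordering, because the unconditional `--dport 80` ACCEPT above them claims every HTTP packet first; with that rule removed, the CloudFlare rule catches the CloudFlare-sourced request and the arbitrary host's HTTP request falls through LOG to the final REJECT. The same check on a real box is `iptables -vnL INPUT` after some traffic: rules whose packet counter never moves are either redundant or shadowed by an earlier rule.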

Now I understand! Thanks for being so patient, I really appreciate that. I took the CloudFlare rules out.

I hope it really is more or less secure. When I googled around on that topic I saw iptables that were at least 2-3 pages long - it's scary. That makes me respect trained security experts even more ;)

So thank you two again for taking a look and helping me out, I am glad that the Linode Community is so friendly and helpful :)
