Attackers getting past IPTables
Posted: 2019/05/21 20:59:31
by gwatson
Hello all,
Running CentOS 7 and have IPTables set to block most inbound traffic. However, some attackers are getting past the firewall.
System is a PBX running Asterisk software and port 5060 is forwarded from the hardware firewall. I want to be able to accept traffic from only a few IP addresses (or subnets).
I have a small script set up that was suggested on the Wiki of this site. I expect I have something out of place, or am missing something completely.
I even put in DROP instructions, but these addresses are still getting by on port 5060.
Can anyone see anything wrong with this?
#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Drop new connections from blocked address ranges
iptables -A INPUT -m state --state NEW -s 215.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 164.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 37.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 185.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 82.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 212.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 91.0.0.0/8 -j DROP
iptables -A INPUT -m state --state NEW -s 170.0.0.0/8 -j DROP
# Accept packets from trusted IP addresses
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 143.0.0.0/8 -j ACCEPT -m comment --comment "allow network"
iptables -A INPUT -s 96.0.0.0/8 -j ACCEPT -m comment --comment "allow network"
# Save settings
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v
Thanks in advance
GW
Re: Attackers getting past IPTables
Posted: 2019/05/21 22:12:54
by TrevorH
If you're running CentOS 7 then the default firewall is firewalld. That runs all the time, watches the running rules and will promptly change them back to how it thinks they ought to be, so if you are running your script on a system using firewalld and not iptables-services then your newly added rules are probably immediately deleted.
Re: Attackers getting past IPTables
Posted: 2019/05/22 02:22:41
by gwatson
Pretty sure Firewalld is not running - it is using iptables
firewall-cmd --state
not running
[root]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all -- 215.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 77.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 164.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 37.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 185.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 82.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 212.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 91.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 170.0.0.0/8 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.0.0/16 0.0.0.0/0
ACCEPT all -- 10.0.0.0/8 0.0.0.0/0
ACCEPT all -- 143.0.0.0/8 0.0.0.0/0 /* allow network */
ACCEPT all -- 96.0.0.0/8 0.0.0.0/0 /* allow network */
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-BadBots (0 references)
target prot opt source destination
Chain fail2ban-FTP (0 references)
target prot opt source destination
Chain fail2ban-SIP (0 references)
target prot opt source destination
Chain fail2ban-SSH (0 references)
target prot opt source destination
Chain fail2ban-apache-auth (0 references)
target prot opt source destination
Chain fail2ban-recidive (0 references)
target prot opt source destination
Re: Attackers getting past IPTables
Posted: 2019/05/22 10:37:36
by stevemowbray
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
is accepting everything before you get to your drop rules.
Re: Attackers getting past IPTables
Posted: 2019/05/22 11:04:58
by gwatson
Are you able to point out where that directive is coming from, based on the script I have setting up the rules?
Do I have something out of place? I don't see any accept all.
The only things before the DROP commands are:
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
Here's an excerpt from tcpdump - is this just the attackers hitting the firewall?
808 23:20:59.925451 195.154.46.118 10.10.10.2 SIP/SDP 682 Request: INVITE sip:99999011972592277524@xxx.xxx.xxx.136 |
Re: Attackers getting past IPTables
Posted: 2019/05/22 12:12:02
by stevemowbray
Hmm, I think iptables -L is not easily understood. I usually use iptables-save to look at current rules. What does that say?
Re: Attackers getting past IPTables
Posted: 2019/05/22 14:50:25
by TrevorH
The reason we prefer iptables-save over iptables -L is because of that confusion: the "Accept all" mentioned above as causing the issue is actually
iptables -A INPUT -i lo -j ACCEPT
so is not the problem.
Yes, tcpdump sees packets before they hit iptables so you see rejected or dropped traffic in tcpdump output. Once it hits iptables it gets dropped. You can use iptables -nvL to see the packet and byte counters and see that your rules are being hit.
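A way to read the firewall state from text rather than from iptables -L, as an added example that is not from any poster in this thread: the first function pulls out the DROP rules in iptables -nvL output whose packet counters are non-zero (the counters TrevorH says to look at), and the second scans iptables-save output for INPUT ACCEPT rules that carry no restriction at all, so that the "-i lo" and state rules, which iptables -L renders as a bare "ACCEPT all 0.0.0.0/0 0.0.0.0/0", are not mistaken for an accept-everything rule. The sample text is constructed from the counters and save output posted in this thread, plus one deliberately unrestricted rule that is not in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Parses text captured from
# "iptables -nvL" and "iptables-save" instead of eyeballing "iptables -L".

# DROP rules in "iptables -nvL" output whose packet counter is not zero.
# Column layout: pkts bytes target prot opt in out source destination ...
hit_drop_rules() {
    awk '$3 == "DROP" && $1 != "0" {
        printf "%s packets dropped from %s\n", $1, $8
    }'
}

# INPUT ACCEPT rules in iptables-save format with no restriction at all:
# no source (-s), no interface (-i), no port (--dport) and no state match.
# Such a rule really would accept everything before later rules run.
unrestricted_accepts() {
    grep '^-A INPUT .* -j ACCEPT' \
      | grep -v -e ' -s ' -e ' -i ' -e '--dport' -e '--state' -e '--ctstate'
}

# Constructed sample: the INPUT counters posted in this thread.
SAMPLE_NVL=$(cat <<'EOF'
Chain INPUT (policy DROP 1466 packets, 559K bytes)
 pkts bytes target prot opt in out source destination
  395 30566 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
 633K 1735M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4845K 1013M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- * * 215.0.0.0/8 0.0.0.0/0 state NEW
26584 19M DROP all -- * * 102.0.0.0/8 0.0.0.0/0 state NEW
   71 46661 DROP all -- * * 195.0.0.0/8 0.0.0.0/0 state NEW
 1609 605K DROP all -- * * 77.0.0.0/8 0.0.0.0/0 state NEW
    0 0 DROP all -- * * 164.0.0.0/8 0.0.0.0/0 state NEW
    0 0 DROP all -- * * 37.0.0.0/8 0.0.0.0/0 state NEW
   75 11845 DROP all -- * * 185.0.0.0/8 0.0.0.0/0 state NEW
    0 0 DROP all -- * * 82.0.0.0/8 0.0.0.0/0 state NEW
    1 650 DROP all -- * * 212.0.0.0/8 0.0.0.0/0 state NEW
    0 0 DROP all -- * * 91.0.0.0/8 0.0.0.0/0 state NEW
    0 0 DROP all -- * * 170.0.0.0/8 0.0.0.0/0 state NEW
 448K 47M ACCEPT all -- * * 192.168.0.0/16 0.0.0.0/0
EOF
)

# Constructed sample: the thread's iptables-save lines plus one genuinely
# unrestricted rule (the udp one) that is NOT in the thread.
SAMPLE_SAVE=$(cat <<'EOF'
*filter
:INPUT DROP [1470:561560]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 215.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -p udp -j ACCEPT
COMMIT
EOF
)

echo "== DROP rules that are catching packets =="
printf '%s\n' "$SAMPLE_NVL" | hit_drop_rules
echo "== INPUT ACCEPT rules with no restriction at all =="
printf '%s\n' "$SAMPLE_SAVE" | unrestricted_accepts
```

On a live box the same functions take real output: `iptables -nvL INPUT | hit_drop_rules` and `iptables-save | unrestricted_accepts`. On the ruleset posted in this thread the second function prints nothing, which is the point: the "ACCEPT all" line was the loopback rule, and the non-zero DROP counters show the blocks are doing their job.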
Re: Attackers getting past IPTables
Posted: 2019/05/23 00:59:38
by gwatson
Here's output from iptables -nvL
[root~]# iptables -nvL
Chain INPUT (policy DROP 1466 packets, 559K bytes)
pkts bytes target prot opt in out source destination
395 30566 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
633K 1735M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4845K 1013M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 215.0.0.0/8 0.0.0.0/0 state NEW
26584 19M DROP all -- * * 102.0.0.0/8 0.0.0.0/0 state NEW
71 46661 DROP all -- * * 195.0.0.0/8 0.0.0.0/0 state NEW
1609 605K DROP all -- * * 77.0.0.0/8 0.0.0.0/0 state NEW
0 0 DROP all -- * * 164.0.0.0/8 0.0.0.0/0 state NEW
0 0 DROP all -- * * 37.0.0.0/8 0.0.0.0/0 state NEW
75 11845 DROP all -- * * 185.0.0.0/8 0.0.0.0/0 state NEW
0 0 DROP all -- * * 82.0.0.0/8 0.0.0.0/0 state NEW
1 650 DROP all -- * * 212.0.0.0/8 0.0.0.0/0 state NEW
0 0 DROP all -- * * 91.0.0.0/8 0.0.0.0/0 state NEW
0 0 DROP all -- * * 170.0.0.0/8 0.0.0.0/0 state NEW
448K 47M ACCEPT all -- * * 192.168.0.0/16 0.0.0.0/0
9276 4451K ACCEPT all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 ACCEPT all -- * * 143.0.0.0/8 0.0.0.0/0 /* allow network */
0 0 ACCEPT all -- * * 96.0.0.0/8 0.0.0.0/0 /* allow network*/
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5357K packets, 2749M bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-BadBots (0 references)
pkts bytes target prot opt in out source destination
Chain fail2ban-FTP (0 references)
pkts bytes target prot opt in out source destination
Chain fail2ban-SIP (0 references)
pkts bytes target prot opt in out source destination
Chain fail2ban-SSH (0 references)
pkts bytes target prot opt in out source destination
Chain fail2ban-apache-auth (0 references)
pkts bytes target prot opt in out source destination
Chain fail2ban-recidive (0 references)
pkts bytes target prot opt in out source destination
Results from iptables-save
[root~]# iptables-save
# Generated by iptables-save v1.4.21 on Wed May 22 20:48:20 2019
*filter
:INPUT DROP [1470:561560]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5366548:2769351496]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 215.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 102.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 195.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 77.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 164.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 37.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 185.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 82.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 212.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 91.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 170.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 143.0.0.0/8 -m comment --comment "allow network" -j ACCEPT
-A INPUT -s 96.0.0.0/8 -m comment --comment "allow network" -j ACCEPT
COMMIT
# Completed on Wed May 22 20:48:20 2019
Re: Attackers getting past IPTables
Posted: 2019/05/23 01:06:31
by gwatson
So I shouldn't be worried about seeing that traffic? Is there a way to check on the other side of the firewall to see if anything is getting past?
I would rather not have to explicitly block an address or subnet. Is there a way I can block all traffic and only allow certain IP addresses or subnets?
Thank you everyone for your assistance, much appreciated.
G
Re: Attackers getting past IPTables
Posted: 2019/05/23 01:19:10
by billwest
I generally put:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
as one of my last lines in the INPUT section.
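Putting gwatson's ask (block everything, allow only listed addresses on 5060) and billwest's point about rule order together, as an added example that is not from any poster in this thread: a small POSIX sh function that emits a complete ruleset in iptables-restore format, with a DROP policy on INPUT, SSH only from one admin subnet, SIP only from the listed peer subnets, and a rate-limited log line for everything else that reaches port 5060. The subnets are RFC 5737 documentation ranges standing in for real ones, and the chain name SIP-IN is my own choice.

```shell
#!/bin/sh
# Added example, not from the thread: generate a default-deny ruleset in
# iptables-restore format. Load it with "iptables-restore < rules.v4" and
# persist it the way the thread does, with "service iptables save".

# gen_allowlist_rules ADMIN_SUBNET SIP_PEER_SUBNET...
gen_allowlist_rules() {
    admin_net="$1"
    shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SIP-IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --dport 22 -s $admin_net -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 5060 -j SIP-IN
-A INPUT -p tcp --dport 5060 -j SIP-IN
EOF
    # One ACCEPT per SIP peer subnet; anything else on 5060 is logged and dropped.
    for net in "$@"; do
        printf '%s\n' "-A SIP-IN -s $net -j ACCEPT"
    done
    cat <<'EOF'
-A SIP-IN -m limit --limit 5/min -j LOG --log-prefix "SIP-REJECT: "
-A SIP-IN -j DROP
COMMIT
EOF
}

# Demo with constructed placeholder subnets (RFC 5737 documentation ranges):
# first argument is the admin subnet for SSH, the rest are SIP peers.
gen_allowlist_rules 203.0.113.0/24 198.51.100.0/24 192.0.2.0/24
```

Two notes on the design. The ESTABLISHED,RELATED rule sits near the top here because most packets match it and the chain then stops early; billwest's placement of it last has a different effect worth knowing: with the state rule last, a new source-based DROP also cuts off connections from that range that are already in progress, whereas with it first only new connections are affected. And on checking whether anything gets past: `iptables -nvL SIP-IN` shows, per line, exactly which peer subnets were accepted and how much reached the final DROP, so the scanner traffic tcpdump shows on the wire turns up on the DROP counter rather than in Asterisk. RTP media ports from Asterisk's rtp.conf are not covered by this ruleset and would need their own allow rule from the same peers.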