I AM BLOCKED OUT FROM MY SERVER

General support questions
stevenh
Posts: 12
Joined: 2014/12/18 03:20:25

Re: I AM BLOCKED OUT FROM MY SERVER

Post by stevenh » 2015/01/23 09:55:48

I don't understand what you mean, Trevor.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: I AM BLOCKED OUT FROM MY SERVER

Post by TrevorH » 2015/01/23 10:02:43

There is a command called iptables-save. Run it. Post its output.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

babinlonston
Posts: 6
Joined: 2012/08/17 05:42:27
Location: Chennai, India

Re: I AM BLOCKED OUT FROM MY SERVER

Post by babinlonston » 2015/01/23 11:36:44

stevenh wrote: Here are the current iptables rules:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:10099
DROP all -- 24.114.37.34 anywhere
DROP all -- 74.91.26.202 anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Seems you are using VirtualBox?

Here are my iptables rules, but before applying them on a production server you should play around with them in VirtualBox VMs. Try to understand what each and every line does, then apply them in a test virtual machine; if it works, go ahead with the production servers. Here I have used DROP as the default chain policy. In this situation we have to write rules for both incoming and outgoing traffic.

# Flush all rules, flush the NAT table rules and delete the user-defined NAT chains.

iptables -F
iptables -t nat -F
iptables -t nat -X

# Flush the mangle table rules and delete the user-defined mangle chains.

iptables -t mangle -F
iptables -t mangle -X

# Set the default policy of the INPUT, OUTPUT and FORWARD chains to DROP.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Accept incoming and outgoing traffic on the loopback interface (in-interface and out-interface).

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept incoming and outgoing traffic that belongs to an already established connection; drop INVALID packets arriving on eth0.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state INVALID -j DROP

# Null packets (no TCP flags set) and XMAS packets (all flags set) are, simply put, recon packets used to probe how the VPS is configured and find weaknesses; NEW connections that do not start with SYN are a sign of a SYN-flood style attack. Drop all three.

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Allow ICMP echo (ping) on the Ethernet interfaces, rate limited with the recent match (the -I rules are inserted at the top of INPUT).
iptables -A INPUT -i eth+ -m state --state NEW -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -I INPUT -i eth+ -m icmp -p icmp --icmp-type echo-request -m recent --set
iptables -I INPUT -i eth+ -m icmp -p icmp --icmp-type echo-request -m recent --update --seconds 10 --hitcount 10 -j DROP

# Allow the ssh port for incoming and outgoing traffic: NEW and already ESTABLISHED connections, for both tcp and udp.
# Here my ssh port is 2222.
# Note: the -m recent --update rules below only consult the DEFAULT list, which is populated by the ICMP --set rule above;
# without a --set for this port they only ever match addresses that rule has already recorded.

iptables -A INPUT -i eth0 -p tcp --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 2222 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -i eth0 -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 2222 -m recent --update --seconds 10 --hitcount 5 -j DROP
iptables -I OUTPUT -o eth0 -m state --state ESTABLISHED -m tcp -p tcp --dport 2222 -m recent --update --seconds 10 --hitcount 5 -j DROP
iptables -A INPUT -i eth0 -p udp --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 2222 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -i eth0 -m state --state NEW,ESTABLISHED -m udp -p udp --dport 2222 -m recent --update --seconds 10 --hitcount 5 -j DROP
iptables -I OUTPUT -o eth0 -m state --state ESTABLISHED -m udp -p udp --dport 2222 -m recent --update --seconds 10 --hitcount 5 -j DROP


# Allow the ntp port (udp) for incoming and outgoing traffic: NEW and already ESTABLISHED connections.

iptables -A INPUT -i eth0 -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

# Allow http and https incoming and outgoing traffic: NEW and already ESTABLISHED connections, for both tcp and udp.

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 80 -m recent --update --seconds 10 --hitcount 5 -j DROP
iptables -I OUTPUT -o eth0 -m state --state NEW -m tcp -p tcp --dport 80 -m recent --update --seconds 10 --hitcount 5 -j DROP
iptables -I INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 80 -m recent --update --seconds 10 --hitcount 5 -j DROP
iptables -I OUTPUT -o eth0 -m state --state NEW -m udp -p udp --dport 80 -m recent --update --seconds 10 --hitcount 5 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -m recent --update --seconds 10 --hitcount 5 -j DROP
iptables -I OUTPUT -o eth0 -m state --state NEW -m tcp -p tcp --dport 443 -m recent --update --seconds 10 --hitcount 5 -j DROP
iptables -I INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 443 -m recent --update --seconds 10 --hitcount 5 -j DROP
iptables -I OUTPUT -o eth0 -m state --state NEW -m udp -p udp --dport 443 -m recent --update --seconds 10 --hitcount 5 -j DROP

# Create a new chain LOGGING, send whatever reaches the end of INPUT through it, and log at most 10 entries per minute.

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 10/min -j LOG --log-prefix "iptables packet dropped: " --log-level 7

# Drop everything that was not accepted by the rules above.

iptables -A INPUT -j DROP
__Babin Lonston__

stevenh
Posts: 12
Joined: 2014/12/18 03:20:25

Re: I AM BLOCKED OUT FROM MY SERVER

Post by stevenh » 2015/01/23 16:58:42

Hi Trevor,

Here is the result when I type the command iptables-save:
[pbx1.vinatelecom.ca ~]# iptables-save
# Generated by iptables-save v1.3.5 on Fri Jan 23 08:09:44 2015
*nat
:PREROUTING ACCEPT [75883:4836248]
:POSTROUTING ACCEPT [4759:312892]
:OUTPUT ACCEPT [4759:312892]
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Fri Jan 23 08:09:44 2015
# Generated by iptables-save v1.3.5 on Fri Jan 23 08:09:44 2015
*filter
:INPUT ACCEPT [688478:78825658]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [896419:279441356]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10099 -j ACCEPT
-A INPUT -s 24.114.37.34 -j DROP
-A INPUT -s 74.91.26.202 -j DROP
-A INPUT -s 108.175.157.211 -j DROP
-A FORWARD -d 192.168.122.0/255.255.255.0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/255.255.255.0 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jan 23 08:09:44 2015

stevenh
Posts: 12
Joined: 2014/12/18 03:20:25

Re: I AM BLOCKED OUT FROM MY SERVER

Post by stevenh » 2015/01/24 07:57:06

Dear Babin Lonston,

Thanks for your help. In your instructions I see the rule "iptables -P INPUT DROP"; with this rule I will be blocked out because I control the server remotely. So, if I add all the other rules from your instructions but not "iptables -P INPUT DROP", will it work or not? Please give me your advice.

Best regards,
Steven

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: I AM BLOCKED OUT FROM MY SERVER

Post by TrevorH » 2015/01/24 14:50:47

Your problem is that you have no rules to allow any traffic and your firewall has a default policy of ACCEPT so currently, everything is accepted and nothing is denied except those few things that are explicitly stopped. When you change your default policy to DROP then everything is denied and because you have no ACCEPT rules nothing gets past. The only traffic that would be allowed if you change to DROP mode is on port 10099. In addition, your current DROP rules for those named ip addresses really need to be at the very top of the rule set.

I suggest that you edit /etc/sysconfig/iptables (making a backup of the current file first to somewhere safe) and make it look like this:


# Generated by iptables-save v1.3.5 on Fri Jan 23 08:09:44 2015
*nat
:PREROUTING ACCEPT [75883:4836248]
:POSTROUTING ACCEPT [4759:312892]
:OUTPUT ACCEPT [4759:312892]
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Fri Jan 23 08:09:44 2015
# Generated by iptables-save v1.3.5 on Fri Jan 23 08:09:44 2015
*filter
:INPUT ACCEPT [688478:78825658]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [896419:279441356]
-A INPUT -s 24.114.37.34 -j DROP
-A INPUT -s 74.91.26.202 -j DROP
-A INPUT -s 108.175.157.211 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10099 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/255.255.255.0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/255.255.255.0 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jan 23 08:09:44 2015
I have moved your DROP rules to the top of the INPUT chain, added lines to allow existing connections to continue, added stateful checking to the existing port 10099 rule and added a rule to allow traffic on the default ssh port of 22 (you'll need to change 22 to another number if you have changed the port on which sshd listens). Run service iptables stop then replace the contents of /etc/sysconfig/iptables with those rules, run service iptables start and check that you can still access the server. If you can then try to put the default policy for INPUT to DROP. If that works then run service iptables save to make it permanent. If it doesn't then reboot the box :-(
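The question Trevor answers in words (what still gets in once INPUT is DROP) can be rehearsed on the saved ruleset before it is loaded. The following bash/awk dry run is an added example, not code from the thread or from either poster: it walks the INPUT chain of two constructed iptables-save snippets (Steven's posted filter table and Trevor's proposed one, each with the INPUT policy already set to DROP) and asks whether a NEW TCP connection to a given port would be accepted. It assumes the probe comes from an arbitrary remote address on a non-virbr0 interface, so rules keyed on a source address, an interface or a non-NEW state are treated as not covering it; it needs neither root nor the iptables binary.

```shell
# Added example (not from the thread). Dry-run check of an iptables-save
# ruleset: would a NEW TCP connection from an arbitrary remote host to PORT
# be accepted by the INPUT chain? Text only: no root, no iptables binary.

# Constructed sample: Steven's posted *filter INPUT rules, with the INPUT
# policy already set to DROP (the change he was afraid would lock him out).
STEVEN_DROP='*filter
:INPUT DROP [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10099 -j ACCEPT
-A INPUT -s 24.114.37.34 -j DROP
COMMIT'

# Constructed sample: the INPUT rules Trevor proposed, again with policy DROP.
TREVOR_DROP='*filter
:INPUT DROP [0:0]
-A INPUT -s 24.114.37.34 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10099 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT'

# tcp_port_open RULES PORT -> exit 0 if accepted, 1 if not. Rules are walked
# in order and the first one that covers the probe wins; if none does, the
# chain policy decides. Rules keyed on a source address (-s), an interface
# (-i) or a state other than NEW are taken as not covering our probe.
tcp_port_open() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\*/                       { table = $1 }
        table != "*filter"          { next }
        $1 == ":INPUT"              { policy = $2 }
        $1 == "-A" && $2 == "INPUT" {
            if ($0 ~ / -[si] /) next
            if ($0 ~ /--state/ && $0 !~ /NEW/) next
            if ($0 ~ /--dport /) {
                if ($0 !~ /-p tcp/) next
                match($0, /--dport [0-9]+/)
                split(substr($0, RSTART, RLENGTH), f, " ")
                if (f[2] != port) next
            }
            verdict = $NF; exit       # first matching rule decides
        }
        END { if (verdict == "") verdict = policy; s = (verdict == "ACCEPT") ? 0 : 1; exit s }'
}
```

With Steven's rules only port 10099 passes, exactly as Trevor says; with Trevor's rules ports 10099 and 22 pass, and any other ssh port (say 2222) is still dropped, which is why he tells Steven to adjust the 22 before switching the policy.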
