Attackers getting past IPTables

Issues related to configuring your network
gwatson
Posts: 15
Joined: 2018/08/10 14:53:02

Attackers getting past IPTables

Post by gwatson » 2019/05/21 20:59:31

Hello all,

Running Centos 7 and have IPTables set to block most inbound traffic. However some attackers are getting past the firewall.

System is a pbx running Asterisk software and port 5060 is forwarded from the hardware firewall. I want to be able to accept traffic from only a few IP Addresses (or subnets).

I have a small script setup that was suggested on the Wiki of this site. I expect I have something out of place, or missing something completely.

I even put Drop instructions, but these addresses are still getting by on port 5060

Can anyone see anything wrong with this?


#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
 iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
#
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
 iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Accept packets from trusted IP addresses
 iptables -A INPUT -m state --state NEW -s 215.0.0.0/8 -j DROP
 iptables -A INPUT -m state --state NEW -s 164.0.0.0/8 -j DROP
 iptables -A INPUT -m state --state NEW -s 37.0.0.0/8 -j DROP
 iptables -A INPUT -m state --state NEW -s 185.0.0.0/8 -j DROP
 iptables -A INPUT -m state --state NEW -s 82.0.0.0/8 -j DROP
 iptables -A INPUT -m state --state NEW -s 212.0.0.0/8 -j DROP
 iptables -A INPUT -m state --state NEW -s 91.0.0.0/8 -j DROP
 iptables -A INPUT -m state --state NEW -s 170.0.0.0/8 -j DROP
 iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
 iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
 iptables -A INPUT -s 143.0.0.0/8 -j ACCEPT -m comment --comment "allow network"
 iptables -A INPUT -s 96.0.0.0/8 -j ACCEPT -m comment --comment "allow network"

# Save settings
#
 /sbin/service iptables save
#
# List rules
#
 iptables -L -v
Thanks in advance

GW

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Attackers getting past IPTables

Post by TrevorH » 2019/05/21 22:12:54

If you're running CentOS 7 then the default firewall is firewalld. That runs all the time, watches the running rules and will promptly change them back to how it thinks they ought to be, so if you are running your script on a system using firewalld and not iptables-services then your newly added rules are probably immediately deleted.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

gwatson
Posts: 15
Joined: 2018/08/10 14:53:02

Re: Attackers getting past IPTables

Post by gwatson » 2019/05/22 02:22:41

Pretty sure Firewalld is not running - it is using iptables

firewall-cmd --state
not running


[root]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all -- 215.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 77.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 164.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 37.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 185.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 82.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 212.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 91.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 170.0.0.0/8 0.0.0.0/0 state NEW
ACCEPT all -- 192.168.0.0/16 0.0.0.0/0
ACCEPT all -- 10.0.0.0/8 0.0.0.0/0
ACCEPT all -- 143.0.0.0/8 0.0.0.0/0 /* allow network */
ACCEPT all -- 96.0.0.0/8 0.0.0.0/0 /* allow network */

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-BadBots (0 references)
target prot opt source destination

Chain fail2ban-FTP (0 references)
target prot opt source destination

Chain fail2ban-SIP (0 references)
target prot opt source destination

Chain fail2ban-SSH (0 references)
target prot opt source destination

Chain fail2ban-apache-auth (0 references)
target prot opt source destination

Chain fail2ban-recidive (0 references)
target prot opt source destination

stevemowbray
Posts: 519
Joined: 2012/06/26 14:20:47

Re: Attackers getting past IPTables

Post by stevemowbray » 2019/05/22 10:37:36

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
is accepting everything before you get to your drop rules.

gwatson
Posts: 15
Joined: 2018/08/10 14:53:02

Re: Attackers getting past IPTables

Post by gwatson » 2019/05/22 11:04:58

Are you able to point out where that directive is coming from, based on that script I have setting up the rules?

Do I have something out of place? I don't see any accept all

The only thing before the DROP commands are
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT


Here's an excerpt from tcpdump - is this just the attackers hitting the firewall?

808 23:20:59.925451 195.154.46.118 10.10.10.2 SIP/SDP 682 Request: INVITE sip:99999011972592277524@xxx.xxx.xxx.136 |

stevemowbray
Posts: 519
Joined: 2012/06/26 14:20:47

Re: Attackers getting past IPTables

Post by stevemowbray » 2019/05/22 12:12:02

Hmm, I think iptables -L is not easily understood. I usually use iptables-save to look at current rules. What does that say?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Attackers getting past IPTables

Post by TrevorH » 2019/05/22 14:50:25

The reason we prefer iptables-save over iptables -L is because of that confusion: the "Accept all" mentioned above as causing the issue is actually

iptables -A INPUT -i lo -j ACCEPT

so is not the problem.

Yes, tcpdump sees packets before they hit iptables so you see rejected or dropped traffic in tcpdump output. Once it hits iptables it gets dropped. You can use iptables -nvL to see the packet and byte counters and see that your rules are being hit.

gwatson
Posts: 15
Joined: 2018/08/10 14:53:02

Re: Attackers getting past IPTables

Post by gwatson » 2019/05/23 00:59:38

Here's output from iptables -nvL


[root~]# iptables -nvL
Chain INPUT (policy DROP 1466 packets, 559K bytes)
 pkts bytes target     prot opt in     out     source               destination
  395 30566 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
 633K 1735M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4845K 1013M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       215.0.0.0/8          0.0.0.0/0            state NEW
26584   19M DROP       all  --  *      *       102.0.0.0/8          0.0.0.0/0            state NEW
   71 46661 DROP       all  --  *      *       195.0.0.0/8          0.0.0.0/0            state NEW
 1609  605K DROP       all  --  *      *       77.0.0.0/8           0.0.0.0/0            state NEW
    0     0 DROP       all  --  *      *       164.0.0.0/8          0.0.0.0/0            state NEW
    0     0 DROP       all  --  *      *       37.0.0.0/8           0.0.0.0/0            state NEW
   75 11845 DROP       all  --  *      *       185.0.0.0/8          0.0.0.0/0            state NEW
    0     0 DROP       all  --  *      *       82.0.0.0/8           0.0.0.0/0            state NEW
    1   650 DROP       all  --  *      *       212.0.0.0/8          0.0.0.0/0            state NEW
    0     0 DROP       all  --  *      *       91.0.0.0/8           0.0.0.0/0            state NEW
    0     0 DROP       all  --  *      *       170.0.0.0/8          0.0.0.0/0            state NEW
 448K   47M ACCEPT     all  --  *      *       192.168.0.0/16       0.0.0.0/0
 9276 4451K ACCEPT     all  --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       143.0.0.0/8          0.0.0.0/0            /* allow network */
    0     0 ACCEPT     all  --  *      *       96.0.0.0/8           0.0.0.0/0            /* allow network*/

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5357K packets, 2749M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-BadBots (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-FTP (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-SIP (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-SSH (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-apache-auth (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-recidive (0 references)
 pkts bytes target     prot opt in     out     source               destination

Results from iptables-save


[root~]# iptables-save
# Generated by iptables-save v1.4.21 on Wed May 22 20:48:20 2019
*filter
:INPUT DROP [1470:561560]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5366548:2769351496]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 215.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 102.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 195.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 77.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 164.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 37.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 185.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 82.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 212.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 91.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 170.0.0.0/8 -m state --state NEW -j DROP
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 143.0.0.0/8 -m comment --comment "allow network" -j ACCEPT
-A INPUT -s 96.0.0.0/8 -m comment --comment "allow network" -j ACCEPT
COMMIT
# Completed on Wed May 22 20:48:20 2019

gwatson
Posts: 15
Joined: 2018/08/10 14:53:02

Re: Attackers getting past IPTables

Post by gwatson » 2019/05/23 01:06:31

So I shouldn't be worried about seeing that traffic? Is there a way to check on the other side of the firewall to see if anything is getting past?

I would rather not have to explicitly block an address or subnet, is there a way I can block all traffic and only allow certain ip addresses or subnets?

Thank you everyone for your assistance, much appreciated

G

billwest
Posts: 154
Joined: 2006/11/19 10:50:31
Location: Perth, Western Australia

Re: Attackers getting past IPTables

Post by billwest » 2019/05/23 01:19:10

I generally put:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

as one of my last lines in the INPUT section.
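Three points in this thread can be checked with a small first-match simulator of an iptables chain: TrevorH's observation that the line iptables -L prints as "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0" is the `-i lo` rule and that first match wins, gwatson's question about dropping everything except a few trusted subnets, and billwest's habit of putting the ESTABLISHED,RELATED rule last. This is an added example, not code from the thread or from iptables itself. The "thread" chain is the INPUT chain as the iptables-save output above lists it; the trusted SIP peer subnets in the allowlist variant, the interface names and the sample packets are constructed, and the model covers only the match criteria those rules actually use (source, protocol, destination port, input interface, conntrack state). On a live box the real check remains the packet counters from iptables -nvL.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Added example, not code from the thread. A first-match simulator for one
# iptables filter chain: each rule lists only the criteria the real rule
# specifies; a criterion left unset matches anything, as in iptables.

@dataclass(frozen=True)
class Rule:
    target: str                            # terminating target: ACCEPT or DROP
    src: str = "0.0.0.0/0"                 # -s
    proto: Optional[str] = None            # -p
    dport: Optional[int] = None            # --dport
    in_if: Optional[str] = None            # -i
    states: FrozenSet[str] = frozenset()   # -m state --state; empty = any state

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int
    in_if: str
    state: str                             # conntrack state: NEW, ESTABLISHED or RELATED

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every criterion the rule specifies holds for the packet."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.in_if is not None and rule.in_if != pkt.in_if:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True

def verdict(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom: the first matching rule decides; otherwise the policy does."""
    for idx, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule.target, idx
    return policy, None

NEW_ONLY = frozenset({"NEW"})
CONN = frozenset({"ESTABLISHED", "RELATED"})

# The INPUT chain exactly as the iptables-save output in the thread lists it.
BLOCKED_NETS = ("215.0.0.0/8", "102.0.0.0/8", "195.0.0.0/8", "77.0.0.0/8",
                "164.0.0.0/8", "37.0.0.0/8", "185.0.0.0/8", "82.0.0.0/8",
                "212.0.0.0/8", "91.0.0.0/8", "170.0.0.0/8")
THREAD_INPUT: List[Rule] = (
    [Rule("ACCEPT", proto="tcp", dport=22),
     Rule("ACCEPT", in_if="lo"),   # what iptables -L prints as "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0"
     Rule("ACCEPT", states=CONN)]
    + [Rule("DROP", src=net, states=NEW_ONLY) for net in BLOCKED_NETS]
    + [Rule("ACCEPT", src=net) for net in ("192.168.0.0/16", "10.0.0.0/8", "143.0.0.0/8", "96.0.0.0/8")]
)

# Allowlist variant for "block all and only allow certain subnets": no per-attacker
# DROP rules; anything not explicitly accepted falls through to the DROP policy.
# The trusted SIP peer subnets are hypothetical placeholders.
TRUSTED_SIP_PEERS = ("192.168.0.0/16", "10.0.0.0/8", "203.0.113.0/24")
ALLOWLIST_INPUT: List[Rule] = (
    [Rule("ACCEPT", in_if="lo"),
     Rule("ACCEPT", states=CONN),
     Rule("ACCEPT", proto="tcp", dport=22)]
    + [Rule("ACCEPT", src=net, proto="udp", dport=5060) for net in TRUSTED_SIP_PEERS]
)

def conn_rule_last(chain: List[Rule]) -> List[Rule]:
    """billwest's layout: the ESTABLISHED,RELATED rule moved to the end of the chain."""
    return [r for r in chain if r.states != CONN] + [r for r in chain if r.states == CONN]

# Constructed packets: the INVITE from the tcpdump excerpt, a loopback packet,
# a LAN phone, a source on no list, and a reply packet of an existing flow.
SIP_INVITE = Packet("195.154.46.118", "udp", 5060, "eth0", "NEW")
LOOPBACK = Packet("127.0.0.1", "tcp", 5038, "lo", "NEW")
LAN_PHONE = Packet("192.168.1.20", "udp", 5060, "eth0", "NEW")
UNLISTED = Packet("198.51.100.7", "udp", 5060, "eth0", "NEW")
REPLY_FROM_BLOCKED_NET = Packet("195.154.46.118", "udp", 5060, "eth0", "ESTABLISHED")

if __name__ == "__main__":
    samples = [("INVITE", SIP_INVITE), ("loopback", LOOPBACK), ("LAN phone", LAN_PHONE),
               ("unlisted", UNLISTED), ("reply/blocked", REPLY_FROM_BLOCKED_NET)]
    for label, chain in (("thread", THREAD_INPUT), ("allowlist", ALLOWLIST_INPUT),
                         ("allowlist, conn last", conn_rule_last(ALLOWLIST_INPUT))):
        for name, pkt in samples:
            target, idx = verdict(chain, "DROP", pkt)
            where = f"rule {idx}" if idx is not None else "policy"
            print(f"{label:22} {name:14} {pkt.src:16} -> {target} ({where})")
```

Running it shows the INVITE from 195.154.46.118 being dropped by the 195.0.0.0/8 rule in the thread's chain (the loopback rule never sees it, since the packet arrives on a non-lo interface), while in the allowlist chain the same packet matches nothing and falls to the DROP policy without any per-/8 rule, which is the "block everything except" layout asked about. Moving the ESTABLISHED,RELATED rule last only changes which rule an already-established packet hits; it changes no verdict for a NEW packet, because the first match still decides.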
