Firewall

Just felt like implementing a firewall tonight.

#!/bin/sh

# Flush the tables to apply changes
iptables -F

# Remove existing non-built in chains
iptables -X

# Default policy to drop 'everything' but our output to internet
iptables -P FORWARD DROP
iptables -P INPUT   DROP
iptables -P OUTPUT  ACCEPT

# Allow established connections (the responses to our outgoing traffic)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow local programs that use loopback (Unix sockets)
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

## Allow ALL incoming connections on certain ports
# allow incoming SSH/SCP connections to this machine.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# allow incoming HTTP connections to this machine.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# allow incoming IMAP connections to this machine.
iptables -A INPUT -p tcp --dport 143 -j ACCEPT

# Open udp 123 for NTPD (possibly not needed, since established traffic is
# already allowed)
iptables -A INPUT -p udp --dport 123 -j ACCEPT

# Allow the Tor SOCKS port, but only from our private LAN
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 9100 -j ACCEPT

# Open the other Tor port (relay traffic, not traffic through SOCKS) to everyone
iptables -A INPUT -p tcp --dport 9001 -j ACCEPT

# Allow ping for everyone
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

## Harmless stuff
# Accept Dropbox LAN sync, even if we don't run Dropbox here (we just don't want
# to cause failures or dropped packets)
# Open udp 17500 for Dropbox LAN sync
iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 17500 -j ACCEPT

# allow broadcast (the limited broadcast address and our LAN's directed broadcast address)
iptables -A INPUT -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -d 192.168.0.255 -j ACCEPT

## log whenever we drop something
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix \
         "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

The fun part of having a firewall is, of course, seeing who is trying to hack you (timestamps in UTC):

Nov 12 22:07:42 raspberrypi kernel: [ 9357.214354] IPTables-Dropped: IN=eth0 OUT= MAC=b8:27:eb:3d:93:44:00:0f:b5:a5:ee:60:08:00:45:00:00:28:01:00:00:00:68:06:9e:e4 SRC=122.141.119.180 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 12 22:22:17 raspberrypi kernel: [10232.240203] IPTables-Dropped: IN=eth0 OUT= MAC=b8:27:eb:3d:93:44:00:0f:b5:a5:ee:60:08:00:45:00:01:b0:00:00:40:00:31:11:a1:32 SRC=188.138.41.214 DST=192.168.0.2 LEN=432 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=5277 DPT=5060 LEN=412
Nov 12 22:24:44 raspberrypi kernel: [10378.525498] IPTables-Dropped: IN=eth0 OUT= MAC=b8:27:eb:3d:93:44:00:0f:b5:a5:ee:60:08:00:45:00:00:3c:82:cd:40:00:32:06:19:d6 SRC=81.173.153.193 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=33485 DF PROTO=TCP SPT=32897 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Nov 12 22:27:39 raspberrypi kernel: [10554.285497] IPTables-Dropped: IN=eth0 OUT= MAC=b8:27:eb:3d:93:44:00:0f:b5:a5:ee:60:08:00:45:00:00:28:5a:9b:00:00:ff:06:ae:48 SRC=122.141.119.180 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=23195 PROTO=TCP SPT=6000 DPT=1433 WINDOW=0 RES=0x00 RST URGP=0
Nov 12 22:40:53 raspberrypi kernel: [11347.563872] IPTables-Dropped: IN=eth0 OUT= MAC=b8:27:eb:3d:93:44:00:0f:b5:a5:ee:60:08:00:45:00:00:40:53:ea:40:00:2d:06:0f:13 SRC=124.11.174.5 DST=192.168.0.2 LEN=64 TOS=0x00 PREC=0x00 TTL=45 ID=21482 DF PROTO=TCP SPT=2691 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 12 22:40:56 raspberrypi kernel: [11350.625007] IPTables-Dropped: IN=eth0 OUT= MAC=b8:27:eb:3d:93:44:00:0f:b5:a5:ee:60:08:00:45:00:00:40:55:22:40:00:2d:06:0d:db SRC=124.11.174.5 DST=192.168.0.2 LEN=64 TOS=0x00 PREC=0x00 TTL=45 ID=21794 DF PROTO=TCP SPT=2691 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 12 22:42:12 raspberrypi kernel: [11426.823820] IPTables-Dropped: IN=eth0 OUT= MAC=b8:27:eb:3d:93:44:00:0f:b5:a5:ee:60:08:00:45:00:01:b7:00:00:40:00:30:11:a9:3e SRC=188.138.34.195 DST=192.168.0.2 LEN=439 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=5063 DPT=5060 LEN=419
Nov 12 22:43:14 raspberrypi kernel: [11488.607579] IPTables-Dropped: IN=eth0 OUT= MAC=b8:27:eb:3d:93:44:00:0f:b5:a5:ee:60:08:00:45:00:01:b0:00:00:40:00:2f:11:d9:0e SRC=71.122.105.10 DST=192.168.0.2 LEN=432 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=5061 DPT=5060 LEN=412
...

Or, in a more readable form:

| IP              | Domain         | WhoIS                                                    | Protocol | Port | Service type         |
|-----------------|----------------|----------------------------------------------------------|----------|------|----------------------|
| 122.141.119.180 | ip-pool.com    | PlusServer AG (Germany)                                  | TCP      | 1433 | Microsoft SQL Server |
| 188.138.41.214  | ip-pool.com    | PlusServer AG (Germany)                                  | UDP      | 5060 | SIP (Voice over IP)  |
| 81.173.153.193  | netcologne.de  | NetCologne Ges. fuer Telekommunikation mbH (Germany)     | TCP      | 23   | Telnet               |
| 122.141.119.180 | ip-pool.com    | PlusServer AG (Germany)                                  | TCP      | 1433 | Microsoft SQL Server |
| 124.11.174.5    | tfn.net.tw     | Taiwan Mobile Co., Ltd                                   | TCP      | 25   | Email                |
| 188.138.34.195  | ip-pool.com    | PlusServer AG (Germany)                                  | UDP      | 5060 | SIP (Voice over IP)  |
| 71.122.105.10   | verizon.net    | Verizon Trademark Services LLC (US)                      | UDP      | 5060 | SIP (Voice over IP)  |
| 59.44.47.194    | ctnt.com.cn    | ant-706058 (Korea)                                       | TCP      | 5631 | pcAnywhere           |
| 202.22.205.143  | accesstel.net  | Access Telecom (BD) Ltd (Dhaka, Bangladesh)              | TCP      | 443  | HTTPS                |
| 61.147.70.25    | ptt.js.cn      | jt-28f1d_00 (Korea)                                      | TCP      | 8080 | web proxy servers    |

These hackers operate in Germany, the US, Korea, Taiwan and Bangladesh (or, at least, they control computers that reside in those locations). None of these is a Tor exit node.

Last modified: October 17, 2019