私はFail2banのような機能が追加される前に最も多くの保護を提供しなければならない一連の規則を持っています。問題は、テストですべてが確認されている間にテストservice iptables restart
を実行すると正しく閉じられますが、ルールを適用すると中断されることです。これがコレクションです
# Allow all traffic.
#---------------------------------------------------------
*filter
:INPUT ACCEPT [81:5076]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:3868]
#---------------------------------------------------------
# protection based on http://thelowedown.wordpress.com/2008/07/03/iptables-how-to-use-the-limits-module/
# and https://gist.github.com/virtualstaticvoid/1024546
# and http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html
#---------------------------------------------------------
#---------------------------------------------------------
# General rules
#---------------------------------------------------------
# it is gerenally view as best practice to drop all and add
# just what is needed. Drop and reject to prevent abuse
# of the system and sour the milk
#---------------------------------------------------------
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
# Allow incoming HTTP
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming HTTPS
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# Allow loopback access
#---------------------------------------------------------
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow packets from internal network to reach external network.
# if eth1 is connected to external network (internet)
# if eth0 is connected to internal network (192.168.1.x)
#---------------------------------------------------------
-A FORWARD -i eth0 -o eth1 -j ACCEPT
# Allow outbound DNS
#---------------------------------------------------------
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
#---------------------------------------------------------
# DATABASE Connections
#---------------------------------------------------------
# Allow MySQL connection only from a specific network
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
#---------------------------------------------------------
# SSH
#---------------------------------------------------------
# Allow ALL incoming SSH
#---------------------------------------------------------
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing SSH
#---------------------------------------------------------
-A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# limit ssh to 10 connections in 10mins
# note 198.255.255.255 is fake for this post
#---------------------------------------------------------
-I INPUT -p tcp -s 0/0 -d 198.255.255.255 --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
-I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
-A OUTPUT -p tcp -s 198.255.255.255 -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
#---------------------------------------------------------
# DoS
#---------------------------------------------------------
# Prevent general DoS attack
#---------------------------------------------------------
-A INPUT -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 10 -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 5/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport 443 -m limit --limit 5/minute --limit-burst 100 -j ACCEPT
# Syn-flood protection
#---------------------------------------------------------
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Interface 0 incoming syn-flood protection
#---------------------------------------------------------
-N syn_flood
-A INPUT -p tcp --syn -j syn_flood
-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
-A syn_flood -j DROP
# Furtive port scanner
#---------------------------------------------------------
#-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
#-A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
#-A port-scan -j DROP
# Ping of death
#---------------------------------------------------------
#-A FORWARD -p icmp --icmp-type echo-request -m limit \ --limit 1/s -j ACCEPT
# Limiting the incoming icmp ping request
#---------------------------------------------------------
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
-A INPUT -p icmp -j DROP
-A OUTPUT -p icmp -j ACCEPT
#---------------------------------------------------------
# Logging
#---------------------------------------------------------
# Log dropped packets
#---------------------------------------------------------
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
# End
port-scan
テストに失敗したため、ping and deathルールを削除する必要がありました。これも修正したいです。
テストに合格しながらも常にルールを適用する必要があるのはなぜですか?
修正する
以下を除き、これまですべての内容にコメントしました。
# Allow all traffic.
#---------------------------------------------------------
*filter
:INPUT ACCEPT [81:5076]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:3868]
iptables
バックアップの開始時に停止して起動できないなどの奇妙な結果が表示されますyum install *
。今すぐ再起動してルールを修正するだけです!