Did I accomplish what I wanted? Making ephemeral/dynamic ports as secure as possible!!!
by PROBLEMCHYLD from LinuxQuestions.org on (#5F1W4)
This is what I did:
1. Create an ipset
create ephemeral hash:ip,port family inet hashsize 8192 maxelem 800000
2. Add all of the ports for udp and tcp from 1024-65535 (129024 entries)
add ephemeral 192.168.0.12,udp:1024
add ephemeral 192.168.0.12,tcp:1024
(every port in between)
add ephemeral 192.168.0.12,udp:65535
add ephemeral 192.168.0.12,tcp:65535
3. Add two rules
-A OUTPUT -p tcp -m set --match-set ephemeral src,src -j ACCEPT
-A OUTPUT -p udp -m set --match-set ephemeral src,src -j ACCEPT
This allows me to use I2P and Tor with Snowflake (which uses STUN), and I don't have to open up the port range that qBittorrent requires:
1024-65535 udp
1024-65535 tcp
My firewall.log went from 129 MB in 1 hr to 40 MB in 3 hrs, so something is working. I would like confirmation.
Thanks
P.S.
# Generated by iptables-save v1.6.0 on Sun Mar 7 14:24:15 2021
*mangle
:PREROUTING ACCEPT [28341:27930043]
:INPUT ACCEPT [28279:27925379]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21351:7790497]
:POSTROUTING ACCEPT [20785:7650020]
# Compute and fill in the UDP checksum on DHCP packets (dport 68) sent to guests over virbr0.
# Presumably the libvirt-generated rule, given the 192.168.122.0/24 rules in the nat and filter tables.
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 7 14:24:15 2021
# Generated by iptables-save v1.6.0 on Sun Mar 7 14:24:15 2021
*nat
:PREROUTING ACCEPT [203:58548]
:INPUT ACCEPT [134:49558]
:OUTPUT ACCEPT [1434:166578]
:POSTROUTING ACCEPT [928:67953]
# Logs every packet that traverses nat PREROUTING. The nat table is only consulted for the first
# packet of a connection, so this logs new inbound flows, not every packet.
-A PREROUTING -j LOG
# Source NAT for the guest subnet (looks like the libvirt-generated set): multicast and broadcast
# destinations are never masqueraded; everything else leaving 192.168.122.0/24 for another network
# is masqueraded, with TCP/UDP source ports taken from 1024-65535.
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
# Logs the first packet of every outbound flow after NAT (same per-connection note as PREROUTING).
-A POSTROUTING -j LOG
COMMIT
# Completed on Sun Mar 7 14:24:15 2021
# Generated by iptables-save v1.6.0 on Sun Mar 7 14:24:15 2021
*filter
# All three built-in chains default to DROP: anything not explicitly ACCEPTed by a rule below is discarded.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# User-defined chains. No rule in this table jumps to any of them, so they are never traversed:
# FORWARDING/INBOUND/OUTBOUND hold only a DROP, POSTROUTE/PREROUTE only a target-less counting rule.
:FORWARDING - [0:0]
:INBOUND - [0:0]
:OUTBOUND - [0:0]
:POSTROUTE - [0:0]
:PREROUTE - [0:0]
# ---------------------------------------------------------------- INPUT
# DNS (53) and DHCP (67) requests from hosts on virbr0 (presumably the libvirt bridge, given the
# 192.168.122.0/24 rules elsewhere in this dump).
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
# Unconditional LOG: every packet reaching INPUT is logged here, whether it is accepted or dropped
# later, so log volume tracks total traffic rather than blocked traffic.
-A INPUT -j LOG
# Drop NEW TCP connections that do not start with a bare SYN.
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m state --state INVALID -j DROP
# Drop TCP segments with no flags set. --sport 1:65535 covers every port except 0, so it adds
# nothing to the match.
-A INPUT -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# Anti-spoofing: a loopback source arriving on the wireless interface, and a guest-subnet source on
# the bridge (the DNS/DHCP accepts above already handled the legitimate guest requests).
-A INPUT -s 127.0.0.1/32 -i wlan0 -j DROP
-A INPUT -s 192.168.122.0/24 -i virbr0 -j DROP
# All ICMP is dropped, and this sits before the RELATED,ESTABLISHED accept, so ICMP errors belonging
# to this host's own connections (e.g. fragmentation-needed, which path-MTU discovery relies on)
# are dropped as well.
-A INPUT -p icmp -m icmp --icmp-type any -j DROP
# TCP 43 (whois) inbound.
-A INPUT -p tcp -m tcp --dport 43 -j DROP
# Two flag combinations that never occur in a legitimate segment: FIN+PSH+URG only, and all six set.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
# Drop non-first IP fragments.
-A INPUT -f -j DROP
# UDP 513 and 33434-33524 (the range classic UDP traceroute probes use).
-A INPUT -p udp -m multiport --dports 513,33434:33524 -j DROP
# Replies to connections this host initiated.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# UDP addressed to a (dst ip, dst port) pair recorded in the 'upnp' set, which the OUTPUT SSDP rule
# below populates with this host's own source address/port.
-A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT
# SSDP (1900) and mDNS (5353) multicast.
-A INPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
# 'intruders' set (its definition is not part of this dump). Because it comes after the
# RELATED,ESTABLISHED accept, it only blocks new/unsolicited packets from listed sources, not packets
# on connections that are already established.
-A INPUT -m set --match-set intruders src,dst -j DROP
-A INPUT -i lo -j ACCEPT
# Any protocol from the two local LAN ranges. No -i is given, so the match is on source address only,
# whatever interface the packet arrives on.
-A INPUT -m iprange --src-range 192.168.0.0-192.168.0.254 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.43.0-192.168.43.255 -j ACCEPT
-A INPUT -p gre -j ACCEPT
# Explicit final drops; redundant with the chain policy but they give per-protocol counters.
-A INPUT -p udp -m udp -j DROP
-A INPUT -p tcp -m tcp -j DROP
-A INPUT -j DROP
# ---------------------------------------------------------------- FORWARD
# Guest bridge forwarding (looks like the libvirt-generated rules): established traffic back to the
# guests, anything from the guests, guest-to-guest; everything else to or from virbr0 is REJECTed.
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
# Only packets involving neither side of virbr0 get this far: they are logged, checked against
# 'intruders', and otherwise dropped by the chain policy.
-A FORWARD -j LOG
-A FORWARD -m set --match-set intruders src,dst -j DROP
# ---------------------------------------------------------------- OUTPUT
# DHCP offers/acks to guests on the bridge.
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
# Unconditional LOG: every outbound packet is logged before any accept/drop decision.
-A OUTPUT -j LOG
-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -m state --state INVALID -j DROP
# Exact duplicate of the NEW-but-not-SYN rule two lines up; it can never match a packet the first
# one did not already drop and can be removed.
-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# IPsec (AH, ESP) and GRE to any destination.
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
# DHCP server replies (67 -> 68) and NTP (123).
-A OUTPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
# Per-service allow-list for NEW outbound TCP: 631 IPP, 853 DNS over TLS, 873 rsync, 1723 PPTP,
# 3389 RDP, 3690 Subversion, 9418 git. See the note on the 'ephemeral' rules further down: these
# no longer restrict anything, they only match earlier.
-A OUTPUT -p tcp -m tcp --dport 631 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 853 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 873 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1723 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3389 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3690 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9418 -m state --state NEW -j ACCEPT
# Single-host rule; the destination address is redacted ("xxx") in this paste, so iptables-restore
# cannot parse the line as shown. Ports 20,21 plus a high range suggest FTP with passive data ports.
-A OUTPUT -d 185.xxx.27.46/32 -p tcp -m multiport --dports 20,21,1024:65535 -m state --state NEW -j ACCEPT
# On every SSDP packet sent, record this host's (src ip, src port) in the 'upnp' set so the matching
# INPUT rule accepts the unicast replies; --exist suppresses the error when the entry is already there.
# Note this rule only adds to the set, it does not ACCEPT; the packet continues down the chain.
-A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
# Mail (SMTP/POP3/IMAP and their TLS ports), web, NetBIOS/SMB, IPsec-IKE/L2TP/NAT-T, IRC.
-A OUTPUT -p tcp -m multiport --dports 25,110,143,465,587,993,995 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 137,138 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 139,445 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 500,1701,4500 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 6667,6668,6697,7000 -m state --state NEW -j ACCEPT
# The 'ephemeral' set (hash:ip,port) holds 192.168.0.12 paired with every tcp and udp port
# 1024-65535, and 'src,src' tests the packet's SOURCE address and SOURCE port against it. Client
# connections get their source port from the kernel's local port range, which lies inside 1024-65535,
# so these two rules accept practically every outbound TCP/UDP packet from 192.168.0.12 regardless
# of destination port. Functionally they equal '-A OUTPUT -p tcp --sport 1024:65535 -j ACCEPT'
# (and the udp twin) with no ipset at all; they do not restrict which remote ports can be reached.
# Two consequences: (1) the per-port allow-list above no longer limits anything, since a destination
# it does not list still matches here; (2) if this host ever gets an address other than 192.168.0.12,
# these stop matching and all unlisted outbound traffic falls through to the DROPs below.
-A OUTPUT -p tcp -m set --match-set ephemeral src,src -j ACCEPT
-A OUTPUT -p udp -m set --match-set ephemeral src,src -j ACCEPT
# Loopback address reached other than via lo (already accepted above) and the guest subnet, then
# explicit final drops mirroring INPUT.
-A OUTPUT -d 127.0.0.1/32 -j DROP
-A OUTPUT -d 192.168.122.0/24 -j DROP
-A OUTPUT -p udp -m udp -j DROP
-A OUTPUT -p tcp -m tcp -j DROP
-A OUTPUT -j DROP
# Unreferenced user chains (see the chain declarations at the top of this table).
-A FORWARDING -j DROP
-A INBOUND -j DROP
-A OUTBOUND -j DROP
# Target-less rules only count matching packets; nothing jumps here, so the counters stay at zero.
-A POSTROUTE
-A PREROUTE
COMMIT
# Completed on Sun Mar 7 14:24:15 2021


1. Create an ipset
create ephemeral hash:ip,port family inet hashsize 8192 maxelem 800000
2. Add all of the ports for udp and tcp from 1024-65535 (129024 entries)
add ephemeral 192.168.0.12,udp:1024
add ephemeral 192.168.0.12,tcp:1024
(every port in between)
add ephemeral 192.168.0.12,udp:65535
add ephemeral 192.168.0.12,tcp:65535
3. Add two rules
-A OUTPUT -p tcp -m set --match-set ephemeral src,src -j ACCEPT
-A OUTPUT -p udp -m set --match-set ephemeral src,src -j ACCEPT
This allows me to use I2P and Tor with Snowflake (which uses STUN), and I don't have to open up the port range that qBittorrent requires:
1024-65535 udp
1024-65535 tcp
My firewall.log went from 129 MB in 1 hr to 40 MB in 3 hrs, so something is working. I would like confirmation.
Thanks
P.S.
# Generated by iptables-save v1.6.0 on Sun Mar 7 14:24:15 2021
*mangle
:PREROUTING ACCEPT [28341:27930043]
:INPUT ACCEPT [28279:27925379]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21351:7790497]
:POSTROUTING ACCEPT [20785:7650020]
# Compute and fill in the UDP checksum on DHCP packets (dport 68) sent to guests over virbr0.
# Presumably the libvirt-generated rule, given the 192.168.122.0/24 rules in the nat and filter tables.
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 7 14:24:15 2021
# Generated by iptables-save v1.6.0 on Sun Mar 7 14:24:15 2021
*nat
:PREROUTING ACCEPT [203:58548]
:INPUT ACCEPT [134:49558]
:OUTPUT ACCEPT [1434:166578]
:POSTROUTING ACCEPT [928:67953]
# Logs every packet that traverses nat PREROUTING. The nat table is only consulted for the first
# packet of a connection, so this logs new inbound flows, not every packet.
-A PREROUTING -j LOG
# Source NAT for the guest subnet (looks like the libvirt-generated set): multicast and broadcast
# destinations are never masqueraded; everything else leaving 192.168.122.0/24 for another network
# is masqueraded, with TCP/UDP source ports taken from 1024-65535.
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
# Logs the first packet of every outbound flow after NAT (same per-connection note as PREROUTING).
-A POSTROUTING -j LOG
COMMIT
# Completed on Sun Mar 7 14:24:15 2021
# Generated by iptables-save v1.6.0 on Sun Mar 7 14:24:15 2021
*filter
# All three built-in chains default to DROP: anything not explicitly ACCEPTed by a rule below is discarded.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# User-defined chains. No rule in this table jumps to any of them, so they are never traversed:
# FORWARDING/INBOUND/OUTBOUND hold only a DROP, POSTROUTE/PREROUTE only a target-less counting rule.
:FORWARDING - [0:0]
:INBOUND - [0:0]
:OUTBOUND - [0:0]
:POSTROUTE - [0:0]
:PREROUTE - [0:0]
# ---------------------------------------------------------------- INPUT
# DNS (53) and DHCP (67) requests from hosts on virbr0 (presumably the libvirt bridge, given the
# 192.168.122.0/24 rules elsewhere in this dump).
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
# Unconditional LOG: every packet reaching INPUT is logged here, whether it is accepted or dropped
# later, so log volume tracks total traffic rather than blocked traffic.
-A INPUT -j LOG
# Drop NEW TCP connections that do not start with a bare SYN.
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m state --state INVALID -j DROP
# Drop TCP segments with no flags set. --sport 1:65535 covers every port except 0, so it adds
# nothing to the match.
-A INPUT -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# Anti-spoofing: a loopback source arriving on the wireless interface, and a guest-subnet source on
# the bridge (the DNS/DHCP accepts above already handled the legitimate guest requests).
-A INPUT -s 127.0.0.1/32 -i wlan0 -j DROP
-A INPUT -s 192.168.122.0/24 -i virbr0 -j DROP
# All ICMP is dropped, and this sits before the RELATED,ESTABLISHED accept, so ICMP errors belonging
# to this host's own connections (e.g. fragmentation-needed, which path-MTU discovery relies on)
# are dropped as well.
-A INPUT -p icmp -m icmp --icmp-type any -j DROP
# TCP 43 (whois) inbound.
-A INPUT -p tcp -m tcp --dport 43 -j DROP
# Two flag combinations that never occur in a legitimate segment: FIN+PSH+URG only, and all six set.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
# Drop non-first IP fragments.
-A INPUT -f -j DROP
# UDP 513 and 33434-33524 (the range classic UDP traceroute probes use).
-A INPUT -p udp -m multiport --dports 513,33434:33524 -j DROP
# Replies to connections this host initiated.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# UDP addressed to a (dst ip, dst port) pair recorded in the 'upnp' set, which the OUTPUT SSDP rule
# below populates with this host's own source address/port.
-A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT
# SSDP (1900) and mDNS (5353) multicast.
-A INPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
# 'intruders' set (its definition is not part of this dump). Because it comes after the
# RELATED,ESTABLISHED accept, it only blocks new/unsolicited packets from listed sources, not packets
# on connections that are already established.
-A INPUT -m set --match-set intruders src,dst -j DROP
-A INPUT -i lo -j ACCEPT
# Any protocol from the two local LAN ranges. No -i is given, so the match is on source address only,
# whatever interface the packet arrives on.
-A INPUT -m iprange --src-range 192.168.0.0-192.168.0.254 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.43.0-192.168.43.255 -j ACCEPT
-A INPUT -p gre -j ACCEPT
# Explicit final drops; redundant with the chain policy but they give per-protocol counters.
-A INPUT -p udp -m udp -j DROP
-A INPUT -p tcp -m tcp -j DROP
-A INPUT -j DROP
# ---------------------------------------------------------------- FORWARD
# Guest bridge forwarding (looks like the libvirt-generated rules): established traffic back to the
# guests, anything from the guests, guest-to-guest; everything else to or from virbr0 is REJECTed.
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
# Only packets involving neither side of virbr0 get this far: they are logged, checked against
# 'intruders', and otherwise dropped by the chain policy.
-A FORWARD -j LOG
-A FORWARD -m set --match-set intruders src,dst -j DROP
# ---------------------------------------------------------------- OUTPUT
# DHCP offers/acks to guests on the bridge.
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
# Unconditional LOG: every outbound packet is logged before any accept/drop decision.
-A OUTPUT -j LOG
-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -m state --state INVALID -j DROP
# Exact duplicate of the NEW-but-not-SYN rule two lines up; it can never match a packet the first
# one did not already drop and can be removed.
-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# IPsec (AH, ESP) and GRE to any destination.
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
# DHCP server replies (67 -> 68) and NTP (123).
-A OUTPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
# Per-service allow-list for NEW outbound TCP: 631 IPP, 853 DNS over TLS, 873 rsync, 1723 PPTP,
# 3389 RDP, 3690 Subversion, 9418 git. See the note on the 'ephemeral' rules further down: these
# no longer restrict anything, they only match earlier.
-A OUTPUT -p tcp -m tcp --dport 631 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 853 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 873 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1723 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3389 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3690 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9418 -m state --state NEW -j ACCEPT
# Single-host rule; the destination address is redacted ("xxx") in this paste, so iptables-restore
# cannot parse the line as shown. Ports 20,21 plus a high range suggest FTP with passive data ports.
-A OUTPUT -d 185.xxx.27.46/32 -p tcp -m multiport --dports 20,21,1024:65535 -m state --state NEW -j ACCEPT
# On every SSDP packet sent, record this host's (src ip, src port) in the 'upnp' set so the matching
# INPUT rule accepts the unicast replies; --exist suppresses the error when the entry is already there.
# Note this rule only adds to the set, it does not ACCEPT; the packet continues down the chain.
-A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
# Mail (SMTP/POP3/IMAP and their TLS ports), web, NetBIOS/SMB, IPsec-IKE/L2TP/NAT-T, IRC.
-A OUTPUT -p tcp -m multiport --dports 25,110,143,465,587,993,995 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 137,138 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 139,445 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 500,1701,4500 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 6667,6668,6697,7000 -m state --state NEW -j ACCEPT
# The 'ephemeral' set (hash:ip,port) holds 192.168.0.12 paired with every tcp and udp port
# 1024-65535, and 'src,src' tests the packet's SOURCE address and SOURCE port against it. Client
# connections get their source port from the kernel's local port range, which lies inside 1024-65535,
# so these two rules accept practically every outbound TCP/UDP packet from 192.168.0.12 regardless
# of destination port. Functionally they equal '-A OUTPUT -p tcp --sport 1024:65535 -j ACCEPT'
# (and the udp twin) with no ipset at all; they do not restrict which remote ports can be reached.
# Two consequences: (1) the per-port allow-list above no longer limits anything, since a destination
# it does not list still matches here; (2) if this host ever gets an address other than 192.168.0.12,
# these stop matching and all unlisted outbound traffic falls through to the DROPs below.
-A OUTPUT -p tcp -m set --match-set ephemeral src,src -j ACCEPT
-A OUTPUT -p udp -m set --match-set ephemeral src,src -j ACCEPT
# Loopback address reached other than via lo (already accepted above) and the guest subnet, then
# explicit final drops mirroring INPUT.
-A OUTPUT -d 127.0.0.1/32 -j DROP
-A OUTPUT -d 192.168.122.0/24 -j DROP
-A OUTPUT -p udp -m udp -j DROP
-A OUTPUT -p tcp -m tcp -j DROP
-A OUTPUT -j DROP
# Unreferenced user chains (see the chain declarations at the top of this table).
-A FORWARDING -j DROP
-A INBOUND -j DROP
-A OUTBOUND -j DROP
# Target-less rules only count matching packets; nothing jumps here, so the counters stay at zero.
-A POSTROUTE
-A PREROUTE
COMMIT
# Completed on Sun Mar 7 14:24:15 2021