[SOLVED] Iptables
by maddy0 from LinuxQuestions.org on (#6JP0A)
Hello, what's wrong with my iptables rules?
sudo systemctl status iptables
netfilter-persistent.service - netfilter persistent configuration
Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; preset: enabled)
Drop-In: /usr/lib/systemd/system/netfilter-persistent.service.d
iptables.conf
Active: active (exited) since Fri 2024-02-16 05:39:18 CET; 17min ago
Docs: man:netfilter-persistent(8)
Main PID: 8439 (code=exited, status=0/SUCCESS)
CPU: 13ms
Feb 16 05:39:18 xxxx systemd[1]: Starting netfilter-persistent.service - netfilter persistent configuration...
Feb 16 05:39:18 xxxx netfilter-persistent[8441]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Feb 16 05:39:18 xxx netfilter-persistent[8442]: Warning: skipping IPv4 (no rules to load)
Feb 16 05:39:18 xxxx netfilter-persistent[8441]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Feb 16 05:39:18 xxxx netfilter-persistent[8443]: Warning: skipping IPv6 (no rules to load)
Feb 16 05:39:18 xxxx netfilter-persistent[8443]: /usr/share/netfilter-persistent/plugins.d/25-ip6tables: 39: cannot open /etc/iptables/rules.v6: No such file
Feb 16 05:39:18 xxxx netfilter-persistent[8443]: Error: IPv6 rules failed test load. New rules NOT loaded
Feb 16 05:39:18 xxxx systemd[1]: Finished netfilter-persistent.service - netfilter persistent configuration.
sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N port-scan
-N syn-flood
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "IPTABLES NULL-SCAN:"
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "IPTABLES XMAS-SCAN:"
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j LOG --log-prefix "IPTABLES SYNFIN-SCAN:"
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "IPTABLES NMAP-XMAS-SCAN:"
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j LOG --log-prefix "IPTABLES FIN-SCAN:"
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j LOG --log-prefix "IPTABLES NMAP-ID:"
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "IPTABLES SYN-RST:"
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "IPTABLES SYN-FLOOD:"
-A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j port-scan
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j DROP
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A port-scan -m limit --limit 1/sec --limit-burst 4 -j RETURN
-A port-scan -j LOG --log-prefix "IPTABLES PORT-SCAN:"
-A port-scan -j DROP
-A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
-A syn-flood -j LOG --log-prefix "IPTABLES SYN-FLOOD:"
-A syn-flood -j DROP
sudo systemctl status iptables
netfilter-persistent.service - netfilter persistent configuration
Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; preset: enabled)
Drop-In: /usr/lib/systemd/system/netfilter-persistent.service.d
iptables.conf
Active: active (exited) since Fri 2024-02-16 05:39:18 CET; 17min ago
Docs: man:netfilter-persistent(8)
Main PID: 8439 (code=exited, status=0/SUCCESS)
CPU: 13ms
Feb 16 05:39:18 xxxx systemd[1]: Starting netfilter-persistent.service - netfilter persistent configuration...
Feb 16 05:39:18 xxxx netfilter-persistent[8441]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Feb 16 05:39:18 xxx netfilter-persistent[8442]: Warning: skipping IPv4 (no rules to load)
Feb 16 05:39:18 xxxx netfilter-persistent[8441]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Feb 16 05:39:18 xxxx netfilter-persistent[8443]: Warning: skipping IPv6 (no rules to load)
Feb 16 05:39:18 xxxx netfilter-persistent[8443]: /usr/share/netfilter-persistent/plugins.d/25-ip6tables: 39: cannot open /etc/iptables/rules.v6: No such file
Feb 16 05:39:18 xxxx netfilter-persistent[8443]: Error: IPv6 rules failed test load. New rules NOT loaded
Feb 16 05:39:18 xxxx systemd[1]: Finished netfilter-persistent.service - netfilter persistent configuration.
sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N port-scan
-N syn-flood
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "IPTABLES NULL-SCAN:"
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "IPTABLES XMAS-SCAN:"
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j LOG --log-prefix "IPTABLES SYNFIN-SCAN:"
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "IPTABLES NMAP-XMAS-SCAN:"
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j LOG --log-prefix "IPTABLES FIN-SCAN:"
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j LOG --log-prefix "IPTABLES NMAP-ID:"
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "IPTABLES SYN-RST:"
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "IPTABLES SYN-FLOOD:"
-A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j port-scan
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j DROP
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A port-scan -m limit --limit 1/sec --limit-burst 4 -j RETURN
-A port-scan -j LOG --log-prefix "IPTABLES PORT-SCAN:"
-A port-scan -j DROP
-A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
-A syn-flood -j LOG --log-prefix "IPTABLES SYN-FLOOD:"
-A syn-flood -j DROP