[arch-general] Iptables

siefke_listen at web.de siefke_listen at web.de
Tue Feb 11 09:37:48 UTC 2020


Hi Andy,

On Tue, 11 Feb 2020 09:10:03 +0000
Andy Pieters <arch-general at andypieters.me.uk> wrote:

> A more detailed description of what you're trying to do would be helpful.

I have different servers, most with Arch but also with Debian. So I try 
to generate a firewall script for both systems that is customized depending 
on what the server runs. 

So the script tries to find the ethernet adapter, the IP, and all the open ports
which are listening on 0.0.0.0 and the SERVER IP, and sets these in the multiport
rules for tcp or udp. 

If wireguard is used on the server, then rules for it should also be activated, and 
when monitoring tools are running their ports should also be open, but only from
my home server.

This is my goal, and the script should be checked by people who know
iptables better than me. Is this okay, will it work or give trouble? If I 
understand the wiki right, the rules must be in the right position. So 
will the special spoofing and bruteforce rules be correct? 

There are improvements to make in querying the Ethernet adapters, the server IP 
and the open ports.

# port scanning
# -I TCP: insert at the top of the TCP chain; a source already on the
# TCP-PORTSCAN list (seen within the last 60 s) is rejected before any ACCEPT
$IPT -I TCP -p tcp -m recent --update --rsource --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
# -D INPUT: delete the plain tcp REJECT rule that was added earlier
$IPT -D INPUT -p tcp -j REJECT --reject-with tcp-reset
# -A INPUT: append the replacement, which also puts the source on the list
$IPT -A INPUT -p tcp -m recent --set --rsource --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
# same three steps for udp with the UDP-PORTSCAN list
$IPT -I UDP -p udp -m recent --update --rsource --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
$IPT -D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPT -A INPUT -p udp -m recent --set --rsource --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
# re-add the catch-all reject so it stays the last rule in INPUT
$IPT -D INPUT -j REJECT --reject-with icmp-proto-unreachable
$IPT -A INPUT -j REJECT --reject-with icmp-proto-unreachable

This is an example; my English is not perfect and I hope I understand the wiki right. But is
there a reason why insert, delete and append are all used? Is it enough to only use
$IPT -A and leave the rest out? 


Thank you & Nice day
Silvio 
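Added example (editor's addition, not Silvio's script and not the Arch wiki's code): a dry-run generator for the ruleset described in the message. It reads `ss`-style output (a constructed sample is embedded), keeps only the ports bound to 0.0.0.0 or to the server IP, and prints the complete IPv4 ruleset in its final order without applying anything. The addresses, the monitoring port and the `ss -lntuH` column layout are assumptions. The point it illustrates about the snippet above: the `-D` lines only make sense if the plain REJECT rules already exist in a live table; a script that starts from `iptables -F` can append (`-A`) every rule in the order it must end up in, with the `recent --update` check as the first rule of the TCP/UDP chains and the `recent --set` rejects as the last rules of INPUT.

```shell
#!/bin/sh
# Added example (not Silvio's script): derive the public listening ports from
# ss-style output, then print a complete IPv4 ruleset in final order as text.
# Nothing is applied; review the output, then run it with `sh`.
# Assumptions: IPv4 only, the `ss -lntuH` column layout, and the constructed
# addresses below (TEST-NET ranges, not real hosts).

SERVER_IP="203.0.113.10"   # constructed: the server's public address
HOME_IP="198.51.100.7"     # constructed: the home/monitoring server
MON_TCP="9100"             # constructed: monitoring port, HOME_IP only

# Constructed sample of `ss -lntuH` (Netid State Recv-Q Send-Q Local Peer).
# 127.0.0.1 binds are not reachable from the wire and must not become rules.
SAMPLE_SS='tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      511    203.0.113.10:443    0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:9100        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:51820       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*'

# listen_ports PROTO [SKIP_PORT]: reads ss output on stdin and prints the
# ports bound to 0.0.0.0 or SERVER_IP as a sorted, comma-separated list
# (the format `-m multiport --dports` takes; it allows at most 15 entries).
listen_ports() {
    awk -v proto="$1" -v ip="$SERVER_IP" -v skip="${2:-}" '
        $1 == proto {
            n = split($5, a, ":"); addr = a[1]; port = a[n]
            if ((addr == "0.0.0.0" || addr == ip) && port != skip) seen[port] = 1
        }
        END { for (p in seen) print p }' | sort -n | paste -sd, -
}

# gen_rules: the whole ruleset, appended (-A) in the order it must end up in.
# Starting from a flushed table there is nothing to insert in front of or
# delete, so -I and -D are not needed; the "recent" rules just go in place:
#   - first rule of TCP/UDP: a source seen probing a closed port in the
#     last 60 s is rejected even for open ports (--update refreshes the timer)
#   - last rules of INPUT: only packets that reached no ACCEPT (closed port)
#     put the source on the list (--set)
gen_rules() {
    tcp_ports=$(printf '%s\n' "$SAMPLE_SS" | listen_ports tcp "$MON_TCP")
    udp_ports=$(printf '%s\n' "$SAMPLE_SS" | listen_ports udp)
    printf '%s\n' \
        'iptables -F' \
        'iptables -X' \
        'iptables -P INPUT DROP' \
        'iptables -P FORWARD DROP' \
        'iptables -P OUTPUT ACCEPT' \
        'iptables -N TCP' \
        'iptables -N UDP' \
        'iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        'iptables -A INPUT -i lo -j ACCEPT' \
        'iptables -A INPUT -m conntrack --ctstate INVALID -j DROP' \
        "iptables -A INPUT ! -i lo -s $SERVER_IP -j DROP" \
        'iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT' \
        'iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP' \
        'iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP' \
        'iptables -A TCP -p tcp -m recent --update --rsource --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset'
    # skip the multiport rule entirely when no public port was found
    if [ -n "$tcp_ports" ]; then
        printf '%s\n' "iptables -A TCP -p tcp -m multiport --dports $tcp_ports -j ACCEPT"
    fi
    printf '%s\n' \
        "iptables -A TCP -p tcp --dport $MON_TCP -s $HOME_IP -j ACCEPT" \
        'iptables -A UDP -p udp -m recent --update --rsource --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable'
    if [ -n "$udp_ports" ]; then
        printf '%s\n' "iptables -A UDP -p udp -m multiport --dports $udp_ports -j ACCEPT"
    fi
    printf '%s\n' \
        'iptables -A INPUT -p udp -m recent --set --rsource --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable' \
        'iptables -A INPUT -p tcp -m recent --set --rsource --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset' \
        'iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable'
}

# rule_line PATTERN: line number of the first rule matching PATTERN, so the
# ordering can be checked without applying anything.
rule_line() { gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

gen_rules
```

With the sample input the tcp list comes out as 22,80,443 (9100 is held back for the home-server-only rule, 5432 is dropped because it is bound to 127.0.0.1) and the udp list as 51820. The `! -i lo -s $SERVER_IP -j DROP` line is the one spoofing check added here: a packet arriving on a real interface that claims the server's own address cannot be legitimate.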