Gentoo Forums
Forum Index: Networking & Security
swatch -- it adds the rules but they are not enforced
Hayl
Guru
Joined: 28 Jan 2003
Posts: 442
Location: Calgary, Alberta, Canada

Posted: Tue Jun 14, 2005 4:09 pm    Post subject: swatch -- it adds the rules but they are not enforced

I am trying to set up swatch to "guard" a box with ssh. It is all working including adding the rules to iptables but... iptables doesn't really enforce the rules. IPs that are blocked can continue to try to login as many times as they want with the side effect being that iptables ends up with many rules for the exact same machine/IP.

Here is a dump of iptables -L:
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh flags:FIN,SYN,RST,PSH,ACK,URG/SYN
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https flags:FIN,SYN,RST,PSH,ACK,URG/SYN
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1723 flags:FIN,SYN,RST,PSH,ACK,URG/SYN
ACCEPT     udp  --  anywhere             anywhere            udp dpt:1723
ACCEPT     gre  --  anywhere             anywhere
ACCEPT     all  --  localhost            anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain swatch_rejects (0 references)
target     prot opt source               destination
DROP       all  --  65.166.159.14        anywhere


^^ this last chain is where the rules added by swatch go.

Here is how I start my firewall:
Code:

#!/bin/sh
#IPTABLES=/sbin/iptables is where iptables files are normally placed. Change as needed:
IPTABLES=/sbin/iptables

case "$1" in
start|reload|restart)
#flush existing rules
${IPTABLES} -F INPUT

${IPTABLES} -P INPUT DROP

#Setup SWatch
${IPTABLES} -N swatch_rejects
${IPTABLES} -I 1 INPUT -j swatch_rejects

#This allows all data that has been sent out for this machine to be
#replied to.
${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
${IPTABLES} -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp

#Allow incoming SSH requests
${IPTABLES} -A INPUT -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT

#Allow incoming https for web.
${IPTABLES} -A INPUT -p tcp --tcp-flags ALL SYN --dport https -j ACCEPT

#Allow VPN requests
${IPTABLES} -A INPUT -p tcp --tcp-flags ALL SYN --dport 1723 -j ACCEPT
${IPTABLES} -A INPUT -p udp --dport 1723 -j ACCEPT
${IPTABLES} -A INPUT -s 0/0 -p 47 -j ACCEPT

#Allow all local loopback data
${IPTABLES} -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT

;;
stop)
#flush existing rules
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -F INPUT
;;
status)
${IPTABLES} -L -v -n
;;
*)
echo "Usage: $0 {start|restart|reload|stop|status}"
exit 1
esac
exit 0


Can anyone see anything wrong with what I have set up with iptables that would make it not enforce the swatch_rejects chain?
_________________
"I do not fear computers. I fear lack of them." - Isaac Asimov
Frain
n00b
Joined: 19 Jun 2002
Posts: 32

Posted: Tue Jun 14, 2005 5:41 pm    Post subject:

The swatch_rejects chain isn't used in your current setup; you have to include a rule in the chain you want to enforce it in to forward it to the swatch_rejects chain, for example:
Code:
iptables -I INPUT -j swatch_rejects


edit: That's weird, looking at your script, it seems to be doing just that. Try changing
Code:
${IPTABLES} -I 1 INPUT -j swatch_rejects
to
Code:
${IPTABLES} -I INPUT -j swatch_rejects
Hayl
Guru
Joined: 28 Jan 2003
Posts: 442
Location: Calgary, Alberta, Canada

Posted: Tue Jun 14, 2005 7:49 pm    Post subject:

thanks Frain,

I am about to try it and see.

(Hopefully someone tries to crack me soon so I can see :P)
_________________
"I do not fear computers. I fear lack of them." - Isaac Asimov
Frain
n00b
Joined: 19 Jun 2002
Posts: 32

Posted: Tue Jun 14, 2005 11:11 pm    Post subject:

If this shows up when you do iptables -L INPUT, it should work:
Code:
Chain INPUT (policy DROP)
target              prot opt source               destination         
swatch_rejects      all  --  anywhere             anywhere           
sedeuce
n00b
Joined: 22 Jun 2005
Posts: 17

Posted: Wed May 02, 2007 7:51 pm    Post subject:

Frain wrote:
If this shows up when you do iptables -L INPUT, it should work:
Code:
Chain INPUT (policy DROP)
target              prot opt source               destination         
swatch_rejects      all  --  anywhere             anywhere           


Hi Frain-

I have a question about this.

My INPUT chain has a policy ACCEPT (I got my firewall setup from Gentoo Home Router Guide):
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:xmpp-client
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023
swatch_rejects  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             192.168.0.0/16
ACCEPT     all  --  192.168.0.0/16       anywhere
ACCEPT     all  --  anywhere             192.168.0.0/16

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain swatch_rejects (1 references)
target     prot opt source               destination
DROP       all  --  ns6.telem8.com       anywhere
DROP       all  --  125.248.148.10       anywhere
DROP       all  --  222.216.222.2        anywhere
DROP       all  --  aro180.internetdsl.tpnet.pl  anywhere


Rules that get automatically added to chain swatch_rejects seem to be ignored and rules get added over and over again:
Code:
4    DROP       all  --  83.17.200.180        0.0.0.0/0
...  "  "  "  "  "
64   DROP       all  --  83.17.200.180        0.0.0.0/0
65   DROP       all  --  83.17.200.180        0.0.0.0/0


Do I need to modify my INPUT chain so that it is DROP by default? I'm having a hard time following the intention of the DROP by default on the INPUT chain. Sorry this seems a bit of a noob question but would appreciate your answer.

thanks,
sedeuce
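Added here as an example, not code from the thread or from swatch: a small sh/awk audit that reads a plain `iptables -L -n` dump and reports the two conditions the posts above run into, a user chain with "(0 references)" (Hayl's dump) and a jump to swatch_rejects that sits after the ACCEPT rules in INPUT (sedeuce's dump), where the ssh ACCEPT matches first and the DROP in swatch_rejects is never reached. The chain name swatch_rejects comes from the thread; the sample dump and its addresses are constructed, and the `iptables -I INPUT 1 -j swatch_rejects` form in the fix message is standard iptables syntax (chain name first, then the rule number).

```shell
#!/bin/sh
# Added example, not code from the thread: audits a plain `iptables -L -n` dump (no
# --line-numbers) for the two ways the swatch_rejects chain ends up ignored in the posts
# above: it shows "(0 references)", or the jump to it sits below ACCEPT rules in INPUT.
# iptables walks a chain top to bottom and the first terminal rule (ACCEPT/DROP/REJECT)
# wins, so an ACCEPT for ssh above the jump lets a "blocked" host straight in.

# Constructed sample modelled on the dumps in the thread (198.51.100.0/24 is a documentation range).
SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
swatch_rejects  all  --  0.0.0.0/0            0.0.0.0/0

Chain swatch_rejects (1 references)
target     prot opt source               destination
DROP       all  --  198.51.100.7         0.0.0.0/0
DROP       all  --  198.51.100.7         0.0.0.0/0'

chain_references() {  # "Chain NAME (N references)" header -> N, or -1 if NAME is absent
    awk -v c="$1" '$1 == "Chain" && $2 == c { sub(/\(/, "", $3); print $3; f = 1; exit }
                   END { if (!f) print "-1" }'
}
jump_position() {  # 1-based rule number of the jump to chain $1 inside INPUT, 0 if none
    awk -v c="$1" '/^Chain / { cur = $2; n = 0; next }  /^target / || NF == 0 { next }
                   cur == "INPUT" { n++; if ($1 == c) { p = n; exit } }  END { print p + 0 }'
}
terminal_before_jump() {  # terminal rules in INPUT that fire before the jump to chain $1
    awk -v c="$1" '/^Chain / { cur = $2; next }  /^target / || NF == 0 { next }
                   cur == "INPUT" { if ($1 == c) exit; if ($1 ~ /^(ACCEPT|DROP|REJECT)$/) n++ }
                   END { print n + 0 }'
}
duplicate_drops() {  # repeated DROPs for one source in chain $1: swatch re-adding a host it never blocked
    awk -v c="$1" '/^Chain / { cur = $2; next }
                   cur == c && $1 == "DROP" { if (seen[$4]++) d++ }  END { print d + 0 }'
}
audit() {  # chain name in $1, dump on stdin; returns 0 only when the chain is consulted first
    dump=$(cat); rc=0
    refs=$(printf '%s\n' "$dump" | chain_references "$1")
    pos=$(printf '%s\n' "$dump" | jump_position "$1")
    before=$(printf '%s\n' "$dump" | terminal_before_jump "$1")
    dups=$(printf '%s\n' "$dump" | duplicate_drops "$1")
    [ "$refs" -gt 0 ] || { echo "$1 has no references: iptables -I INPUT 1 -j $1"; rc=1; }
    [ "$before" -eq 0 ] || { echo "$before terminal rule(s) run before the jump (rule $pos): move it to position 1"; rc=1; }
    [ "$dups" -eq 0 ] || echo "$dups duplicate DROP(s) in $1, a symptom of the chain not being enforced"
    return $rc
}
printf '%s\n' "$SAMPLE" | audit swatch_rejects || echo "verdict: swatch_rejects is NOT enforced"
```

On the live box, replace the final line with `iptables -L -n | audit swatch_rejects` (run as root) to check the real INPUT chain.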