IPTables debugging

The following command will only show rules that have the action set to DROP or REJECT and omit the rules that didn't had any matches:

watch -n1 "iptables -nvL | grep -i 'DROP\|REJECT\' | egrep -v '^\s*0\s*0'"

This one does the same but with some colour highlighting, it will only show rules with matches, the words DROP and REJECT will appear in red and the word ACCEPT will be in green:

watch --color -n1 "iptables -nvL | egrep -v '^\s*0\s*0' | sed 's/\(DROP\|REJECT\)/\x1b[49;31m\1\x1b[0m/g' | sed 's/\(ACCEPT\)/\x1b[49;32m\1\x1b[0m/g'"

Iptables blacklists

Many of you already use online blacklists to fight spam. Recently I've dicovered http://www.openbl.org/ and started using their lists on my firewall to prevent attacks from hosts that are known to be preforming attacks. It works in a very similar way to all the spam blacklists out there, and this is how I've implemented them on my Firewall.

First of all you'll need to  have some packages installed:

sudo apt-get install iptables ipset wget

now create an ipset to store all the abusing IP addresses and use iptables to block them:

#!/bin/bash
BLOCKDB="block.txt"
WORKDIR="/tmp"
pwd=$(pwd)
cd $WORKDIR
#List of ips to block
ipset --create blackips iphash
## Obtain List of badguys from openbl.org
wget -q -c --output-document=$BLOCKDB http://www.openbl.org/lists/base.txt
if [ -f $BLOCKDB ]; then
    IPList=$(grep -Ev "^#" $BLOCKDB | sort -u)
    for i in $IPList
    do
        ipset --add blackips $i
    done
fi
rm $BLOCKDB
## Obtain List of badguys from ciarmy.com
wget -q -c --output-document=$BLOCKDB http://www.ciarmy.com/list/ci-badguys.txt
if [ -f $BLOCKDB ]; then
    IPList=$(grep -Ev "^#" $BLOCKDB | sort -u)
    for i in $IPList
    do
        ipset --add blackips $i
    done
fi
rm $BLOCKDB
## Obtain List of badguys from dshield.org
wget -q -c --output-document=$BLOCKDB http://feeds.dshield.org/top10-2.txt
if [ -f $BLOCKDB ]; then
    IPList=$(grep -E "^[1-9]" $BLOCKDB | cut -f1 | sort -u)
    for i in $IPList
    do
        ipset --add blackips $i
    done
fi
rm $BLOCKDB
#List of networks to block
ipset --create blacknets nethash
## Obtain List of badguys from dshield.org
wget -q -c --output-document=$BLOCKDB http://feeds.dshield.org/block.txt
if [ -f $BLOCKDB ]; then
    IPList=$(grep -E "^[1-9]" $BLOCKDB | cut -f1,3 | sed "s/\t/\//g" | sort -u)
    for i in $IPList
    do
        ipset --add blacknets $i
    done
fi
rm $BLOCKDB
## Obtain List of badguys from spamhaus.org
    wget -q -c --output-document=$BLOCKDB http://www.spamhaus.org/drop/drop.lasso
    if [ -f $BLOCKDB ]; then
      IPList=$(grep -E "^[1-9]" $BLOCKDB | cut -d" " -f1 | sort -u)
      for i in $IPList
      do
        ipset --add blacknets $i
      done
    fi
    rm $BLOCKDB
#Drop blacklisted ips
iptables -A FORWARD -m set --match-set blackips src -j DROP
iptables -A FORWARD -m set --match-set blacknets src -j DROP
cd $pwd

In the above script I've used two ipsets, one for storing IP addresses and another to store network addresses, you can add this scritp to your existing firewall and start taking advantage of the blacklists.
OpenBL is accepting donations http://www.openbl.org/donations.html if you can you should help.

Permanent iptables Configuration

You can save the configuration, and have it start up automatically. To save the configuration, you can use iptables-save and iptables-restore.

Save your firewall rules to a file:

sudo sh -c "iptables-save > /etc/iptables.rules"

At this point you have several options. You can make changes to /etc/network/interfaces or add scripts to /etc/network/if-pre-up.d/ and /etc/network/if-post-down.d/ to achieve similar ends. The script solution allows for slightly more flexibility.

Solution #1 - /etc/network/interfaces

Modify the /etc/network/interfaces configuration file to apply the rules automatically.
Open your /etc/network/interfaces file:

sudo vi /etc/network/interfaces

Add a single line (shown below) just after ‘iface lo inet loopback’:

pre-up iptables-restore < /etc/iptables.rules

You can also prepare a set of down rules, save them into second file /etc/iptables.downrules and apply it automatically using the above steps:

post-down iptables-restore < /etc/iptables.downrules

A fully working example using both from above:

auto eth0
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-restore < /etc/iptables.downrules

You may also want to keep information from byte and packet counters.

sudo sh -c "iptables-save -c > /etc/iptables.rules"

The above command will save the whole rule-set to a file called /etc/iptables.rules with byte and packet counters still intact.

Solution #2 /etc/network/if-pre-up.d and ../if-post-down.d


NOTE: This solution uses iptables-save -c to save the counters. Just remove the -c to only save the rules.

Alternatively you could add the iptables-restore and iptables-save to the if-pre-up.d and if-post-down.d directories in the /etc/network directory instead of modifying /etc/network/interface directly.

The script /etc/network/if-pre-up.d/iptablesload will contain:

#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
and /etc/network/if-post-down.d/iptablessave will contain:
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
iptables-restore < /etc/iptables.downrules
fi
exit 0

Then be sure to give both scripts execute permissions:

sudo chmod +x /etc/network/if-post-down.d/iptablessave
sudo chmod +x /etc/network/if-pre-up.d/iptablesload

Solution #3 iptables-persistent


Install and use the iptables-persistent package.

Tips

If you manually edit iptables on a regular basis
The above steps go over how to setup your firewall rules and presume they will be relatively static (and for most people they should be). But if you do a lot of development work, you may want to have your iptables saved everytime you reboot. You could add a line like this one in /etc/network/interfaces:

pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules

The line "post-down iptables-save > /etc/iptables.rules" will save the rules to be used on the next boot.