Block Incoming IP Using dd-wrt (iptables)

While reviewing logs on the email server I noticed trying to authenticate via SASL.
This is not a normal IP that would be relaying email through the server, so I decided to block it at the firewall.
Undoubtedly, someone was trying to relay spam, whether they were aware or not.

First, I logged into my firewall via ssh to get a rule in place immediately:

iptables -I CHAIN -s -j DROP

Listing the rules:

iptables -L --line-numbers

1    DROP       0    --    anywhere

Shows the new rule at the top of the chain. Exactly where I need it.

Now I have to make sure this rule survives rebooting the firewall.
To do this, I used the web interface and added a command to Administration >> Commands.

iptables -I CHAIN -s -j DROP
Clicked the “Save Firewall” button.

I went ahead and rebooted to confirm the new rule was loaded at startup.
No more auth attempts from that IP.

NOTE 1: This method will drop ALL TRAFFIC from the listed IP. Play for keeps.
NOTE 2: If this is your IP, you need to check yo’ self before you wreck yo’ self…
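The startup command above is re-run on every boot, and a plain `iptables -I` adds a fresh copy of the rule each time, so the chain slowly fills with duplicates. The script below is an added example, not from the original post, of doing the same block once, with the two notes above turned into checks: the address is validated before it reaches iptables, the firewall refuses to block its own address, and `iptables -C` is used to skip the insert when an identical rule is already present. Assumptions: the chain is FORWARD (traffic passing through the router to a server behind it; use INPUT for traffic aimed at the router itself, the post only says CHAIN), the router's own address is in MY_IP, and the build's iptables supports `-C` (1.4.11 or later). Override IPTABLES to point at a wrapper for a dry run.

```sh
#!/bin/sh
# Added example (not from the original post): block a single source address on
# an iptables firewall such as dd-wrt without stacking duplicate rules each time
# the startup command runs, and without locking yourself out.
# Assumptions: chain FORWARD, router address MY_IP, iptables 1.4.11+ for -C.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-FORWARD}"
MY_IP="${MY_IP:-192.168.1.1}"   # placeholder: the firewall's own address

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# block_ip ADDR: insert "-s ADDR -j DROP" at the top of CHAIN, exactly once
block_ip() {
    addr=$1
    if ! valid_ipv4 "$addr"; then
        echo "block_ip: '$addr' is not an IPv4 address" >&2
        return 2
    fi
    if [ "$addr" = "$MY_IP" ]; then
        echo "block_ip: refusing to block our own address $addr" >&2
        return 3
    fi
    # -C checks whether an identical rule already exists (exit 0), so a reboot
    # or a second run of the startup command does not add a second copy.
    if $IPTABLES -C "$CHAIN" -s "$addr" -j DROP 2>/dev/null; then
        echo "block_ip: $addr is already dropped in $CHAIN"
        return 0
    fi
    $IPTABLES -I "$CHAIN" -s "$addr" -j DROP
}

# Usage: block_ip 203.0.113.7    (203.0.113.0/24 is a documentation range)
```

Paste the function into Administration >> Commands and call `block_ip` once per address at the bottom; since the function refuses to add a rule it can already see, the same text is safe both as the immediate fix over ssh and as the saved firewall script.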

Ongoing Additions:
High-frequency POP3 attempts (multiple per second):
iptables -I CHAIN -s -j DROP


First IPTables Frackas

I decided to start firewalling all my internal servers… Ok, what that really means is I decided to try it out on a junk box.

I went for the complete “nothing in, nothing out unless I expressly permitted it” approach. Below is what I came up with (with some help from the LUG).

----Start Script

#!/bin/sh
# Setup variables (placeholder values: set these for the box this runs on)
OURLO=lo
OURIF=eth0               # interface facing the LAN
OURIP=192.0.2.10         # this host's address on $OURIF
OURDNS1=192.0.2.53       # internal DNS servers
OURDNS2=192.0.2.54
OURLOG=192.0.2.20        # internal syslog server
OURNTP1=192.0.2.30       # internal NTP servers
OURNTP2=192.0.2.31
OURSMTP=192.0.2.40       # internal SMTP server
OURBACK=192.0.2.50       # backup host reached over ssh

# Flush all chains
/sbin/iptables --flush

# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP

# Allow unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i $OURLO -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURLO -j ACCEPT

# Drop all inbound packets that claim to be from us
/sbin/iptables -A INPUT -i $OURIF -s $OURIP -j DROP

# Drop all outbound packets that claim NOT to be from us
# (the "!" goes before the option; "-s ! addr" is the old, deprecated form)
/sbin/iptables -A OUTPUT -o $OURIF ! -s $OURIP -j DROP

# Allow any established or related connections (based on input/output rules)
/sbin/iptables -A INPUT -i $OURIF -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURIF -m state --state ESTABLISHED,RELATED -j ACCEPT

Everything up to here is pretty basic, I think. Dropping everything; I couldn't care less about logging on this box. Threw in a little spoof protection as well as allowing established connections to run their course.

# Allowing incoming SSH (from anywhere)
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

I'm too lazy to walk back to the console for this thing, so I allowed ssh in from anywhere (this "anywhere" just happens to be my own network; no internet connectivity for this junker).

# Access to internal DNS servers
/sbin/iptables -A OUTPUT -o $OURIF -p udp -s $OURIP --dport 53 -d $OURDNS1 -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 53 -d $OURDNS1 -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURIF -p udp -s $OURIP --dport 53 -d $OURDNS2 -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 53 -d $OURDNS2 -j ACCEPT

Sure, I *COULD* remember all those IPs. Or better yet, use nmap to discover everything over and over and over and ….

# Access to internal SYSLOG server
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 514 -d $OURLOG -j ACCEPT

One day, I hope to be allowed on the back playground with the big kids: encrypt my syslog-ng output and look like a stud at the next LAN party geekery. But stunnel pissed me off so bad today that I uninstalled it. Let that be a lesson to ya!

# Access to internal NTP server
/sbin/iptables -A OUTPUT -o $OURIF -p udp -s $OURIP --dport 123 -d $OURNTP1 -j ACCEPT
/sbin/iptables -A OUTPUT -o $OURIF -p udp -s $OURIP --dport 123 -d $OURNTP2 -j ACCEPT

If only NTP would keep track of important dates like anniversaries. Hmmm, maybe I should write up an RFC... Nah, too much work, and I'm lazy, as pointed out previously.

# Access to internal SMTP server
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 25 -d $OURSMTP -j ACCEPT

Not really necessary, but if my servers weren’t sending/receiving spam too, I’d feel lonely.

# Allow ssh out to perform backups
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 22 -d $OURBACK -j ACCEPT

Yeah! Why can’t syslog-ng work like rsync, right over ssh? Are they lazy too?
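Every egress rule from the DNS block onward has the same shape: our interface, our source address, one protocol, one port, one destination, ACCEPT. The script below is an added example, not part of the original script, that builds those rules from a single table instead of retyping the line nine times, and rejects a bad protocol, port or missing destination before anything reaches iptables, so a typo in the table fails loudly instead of silently opening or omitting a rule. Placeholder values are assumptions: interface eth0, host 192.0.2.10, and RFC 5737 documentation addresses standing in for the internal DNS, syslog, NTP, SMTP and backup servers. Set IPTABLES to a wrapper that prints its arguments to see the generated rules without touching the live ruleset.

```sh
#!/bin/sh
# Added example, not part of the original script: generate the per-destination
# egress rules from one table instead of repeating the iptables line by hand.
# Placeholders (assumptions): interface eth0, host 192.0.2.10, and RFC 5737
# documentation addresses for the internal servers.
IPTABLES="${IPTABLES:-/sbin/iptables}"
OURIF="${OURIF:-eth0}"
OURIP="${OURIP:-192.0.2.10}"

# Egress allow-list: one "proto port destination" entry per line.
# DNS (udp+tcp) to two resolvers, syslog, NTP to two servers, SMTP, ssh backups.
EGRESS="
udp 53  192.0.2.53
tcp 53  192.0.2.53
udp 53  192.0.2.54
tcp 53  192.0.2.54
tcp 514 192.0.2.20
udp 123 192.0.2.30
udp 123 192.0.2.31
tcp 25  192.0.2.40
tcp 22  192.0.2.50
"

# allow_out PROTO PORT DEST: append one OUTPUT rule bound to our interface and
# source address, so a packet with a spoofed source never matches it.
allow_out() {
    case $1 in
        tcp|udp) ;;
        *) echo "allow_out: bad protocol '$1'" >&2; return 1 ;;
    esac
    [ "$2" -ge 1 ] 2>/dev/null && [ "$2" -le 65535 ] || {
        echo "allow_out: bad port '$2'" >&2; return 1
    }
    [ -n "$3" ] || { echo "allow_out: missing destination" >&2; return 1; }
    $IPTABLES -A OUTPUT -o "$OURIF" -p "$1" -s "$OURIP" --dport "$2" -d "$3" -j ACCEPT
}

# apply_egress: walk the table (blank lines skipped), stop at the first bad
# entry, and print the number of rules added so the caller can sanity-check it.
apply_egress() {
    n=0
    while read -r proto port dest; do
        [ -n "$proto" ] || continue
        allow_out "$proto" "$port" "$dest" || return 1
        n=$((n + 1))
    done <<EOF
$EGRESS
EOF
    echo "$n"
}

# Usage: apply_egress   (run after the DROP policies and the ESTABLISHED rules)
```

Because the default OUTPUT policy is DROP, a rule that fails validation is simply absent and the service it was meant to reach stops working, which is the safe direction; the count printed by apply_egress is a quick check that every row in the table actually became a rule.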

I wouldn't try to yy/p this without removing all my snide comments between the ----s.
