linux networking – Mitigating TCP reset attack via iptables

I appear to be a victim of TCP reset attacks with the purpose of preventing me from downloading specific data. I know this is the case at this stage.

For the time being I am staying at a hotel and so I do not have access to the router firewall here, but my question is: Would it be possible to prevent TCP reset style attacks through iptables?

What I have attempted to do is block RST (and FIN) packets with iptables like so:

iptables -I OUTPUT -p tcp --tcp-flags ALL RST -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL RST -j DROP

(Same for FIN packets.)

However, the attacker still appears able to kill the connection — from analysing Wireshark I can see that an RST packet was still sent from my IP to the server. I do not see why it would send this given the iptables settings.

Would it not still be possible for an attacker connected to the same LAN to send an RST packet to the server and kill my connection? In that case I guess I will need control over the network's firewall, which I don't have at this time.

A VPN does not prevent the attack — presumably because the attacker is aware of the server I am using.

I also want to point out that I am using Qubes, with all Internet traffic going through the sys-net qube, where the iptables rules are active.
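As an added example (not from the post), a small shell/awk check for the kind of capture described above: a peer's genuine RST normally carries the same IP TTL as the rest of that peer's segments on the flow, so an RST whose TTL differs from that baseline deserves a closer look. The simplified packet format and the capture lines are constructed for the example, not real tcpdump output.

```shell
#!/bin/sh
# Heuristic detector for injected TCP RST segments (added example, not from the post).
# Input: one packet per line in a constructed, simplified tcpdump-like format:
#   <time> IP (ttl <n>) <src>.<sport> > <dst>.<dport>: Flags [<flags>]
# A genuine RST from a peer normally arrives with the same IP TTL as that peer's
# other segments on the flow; an RST whose TTL differs was most likely not sent by
# the peer. This is only a heuristic (routes change, some stacks vary the TTL),
# so treat a hit as a lead for further analysis, not as proof.

suspect_rsts() {
    awk '
    {
        ttl = $4; sub(/\)/, "", ttl)            # "(ttl 64)" -> 64
        src = $5; dst = $7; sub(/:$/, "", dst)
        flags = $9; gsub(/\[|\]/, "", flags)    # "[R.]" -> "R."
        key = src " -> " dst                    # one direction of one flow
        if (flags ~ /R/) {
            if ((key in seen) && seen[key] != ttl)
                printf "SUSPECT RST %s ttl %s (expected ttl %s): %s\n", key, ttl, seen[key], $0
        } else if (!(key in seen)) {
            seen[key] = ttl                     # first non-RST TTL is the baseline
        }
    }'
}

# Constructed sample capture: a TLS session, then an RST with a foreign TTL
# arriving "from" the server, then the client's own (legitimate) RST.
SAMPLE='10:00:01.000 IP (ttl 64) 192.0.2.10.50000 > 198.51.100.5.443: Flags [S]
10:00:01.020 IP (ttl 52) 198.51.100.5.443 > 192.0.2.10.50000: Flags [S.]
10:00:01.021 IP (ttl 64) 192.0.2.10.50000 > 198.51.100.5.443: Flags [.]
10:00:02.500 IP (ttl 52) 198.51.100.5.443 > 192.0.2.10.50000: Flags [P.]
10:00:03.000 IP (ttl 128) 198.51.100.5.443 > 192.0.2.10.50000: Flags [R]
10:00:03.100 IP (ttl 64) 192.0.2.10.50000 > 198.51.100.5.443: Flags [R.]'

count_suspects() {
    printf '%s\n' "$SAMPLE" | suspect_rsts | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | suspect_rsts
```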

Centos Docker iptables block all traffics except domain

I'm trying to block all outgoing traffic with iptables for Docker's interface docker0, but I would like to open access for a few domains:

How can I do that?

I tried this:

iptables -I OUTPUT -o docker0 -j DROP 
iptables -I DOCKER -i docker0 -p udp --dport 53 -j ACCEPT 
iptables -I DOCKER -i docker0 -p tcp -d mydomain.com --dport 80 -j ACCEPT 
iptables -I DOCKER -i docker0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
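An added example, not from the post, of one way to do this; the ipset name docker_allow, the port list and the resolver command are assumptions. Two points matter: container traffic is forwarded, so it is seen in the DOCKER-USER chain (part of FORWARD) rather than in OUTPUT, and a hostname given to -d is resolved only once, when the rule is inserted, so the addresses are kept in an ipset that can be refreshed from cron.

```shell
#!/bin/sh
# Added example, not from the post: allow containers on docker0 to reach only a
# few domains. Container traffic is forwarded, so it is filtered in DOCKER-USER
# (FORWARD), not OUTPUT; and "-d mydomain.com" is resolved only once, so the
# resolved addresses live in an ipset that is rebuilt periodically.

ALLOW_SET=docker_allow          # assumed ipset name
ALLOW_DOMAINS="mydomain.com"    # domain from the post; add more, space-separated
ALLOW_PORTS=80                  # port from the post; multiport list, e.g. 80,443

# Resolve a name to its IPv4 addresses, one per line.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Emit "add <set> <ip>" lines for every allowed domain, using resolver $1 and
# set name $2 (parameters so the function can be tested with a fake resolver).
allowed_addrs() {
    for d in $ALLOW_DOMAINS; do
        "$1" "$d" | sed "s/^/add $2 /"
    done
}

# Emit the chain setup. DOCKER-USER ends with Docker's own RETURN rule, so the
# rules are inserted (-I) in reverse order; -A would land after that RETURN.
setup_rules() {
    cat <<EOF
ipset create $ALLOW_SET hash:ip -exist
iptables -I DOCKER-USER -i docker0 -j DROP
iptables -I DOCKER-USER -i docker0 -p tcp -m set --match-set $ALLOW_SET dst -m multiport --dports $ALLOW_PORTS -j ACCEPT
iptables -I DOCKER-USER -i docker0 -p udp --dport 53 -j ACCEPT
iptables -I DOCKER-USER -i docker0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Rebuild the set atomically: fill a scratch set, swap it in, drop the old one.
refresh_set() {
    ipset create "${ALLOW_SET}_new" hash:ip -exist
    ipset flush "${ALLOW_SET}_new"
    allowed_addrs resolve_v4 "${ALLOW_SET}_new" | ipset restore -exist
    ipset swap "${ALLOW_SET}_new" "$ALLOW_SET"
    ipset destroy "${ALLOW_SET}_new"
}

case ${1:-} in
    setup)   setup_rules | sh ;;    # apply the chain once (root)
    refresh) refresh_set ;;         # run from cron to follow DNS changes
    *)       setup_rules ;;         # dry run: print what "setup" would execute
esac
```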

linux – iptables not logging to dmesg (or anywhere else)

Googling this question has been a nightmare because so many people have trouble getting iptables logs out of the kernel log and into syslog that finding other kinds of logging problems/solutions becomes very hard.

Platform: Ubuntu 18.04.4 LTS running 5.3.0-24-generic on x86-64

Problem summary: I have a couple of logging chains in my iptables setup, and the counters clearly show there's a ton of messages that I should be getting, but not a single one appears anywhere in the kernel log or syslog or anywhere else.

Chain ERROR (2 references)
 pkts bytes target     prot opt in     out     source               destination
1279K   73M LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "iptables packet dropped! "
1279K   73M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGDROP (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2755  769K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 6 prefix "iptables packet dropped: "
 4021 1112K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

I've tried changing the log level to error, but I still don't see them in dmesg or anywhere under /var/log.

# lsmod | grep xt_LOG
xt_LOG                 20480  3
x_tables               40960  18 ebtables,ip6table_filter,xt_conntrack,iptable_filter,xt_LOG,xt_tcpudp,xt_addrtype,xt_CHECKSUM,xt_nat,xt_set,ip6_tables,xt_mac,xt_tls,ipt_REJECT,ip_tables,xt_limit,xt_MASQUERADE,iptable_mangle

xt_LOG is loaded and I don't see any errors related to xt_LOG or iptables anywhere.
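An added diagnostic script, not from the post: it reads the netfilter logger table that the LOG target depends on and reports whether a logger is bound for IPv4 and IPv6, one of the usual reasons for counters that grow without a single log line. The /proc path and sysctl names are the kernel's; the sample table used in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the post: check the kernel prerequisites for the
# iptables LOG target. LOG hands each packet to the netfilter logger bound to
# the address family; if /proc/net/netfilter/nf_log shows NONE for family 2
# (IPv4) or 10 (IPv6), the rule counters still grow but nothing is written.
# Since kernel 4.11 LOG is also silent inside a non-initial network namespace
# unless net.netfilter.nf_log_all_netns=1.

NF_LOG_TABLE=/proc/net/netfilter/nf_log

# Print the logger bound to one address family. Table lines look like
#   2 NONE (nf_log_ipv4)        or        2 nf_log_ipv4 (nf_log_ipv4)
# $2 overrides the table path so the parsing can be tested on a constructed file.
active_logger() {
    awk -v fam="$1" '$1 == fam { print $2 }' "${2:-$NF_LOG_TABLE}"
}

# Succeeds when a logger is bound for family $1, fails when NONE or missing.
logger_bound() {
    l=$(active_logger "$1" "$2")
    [ -n "$l" ] && [ "$l" != "NONE" ]
}

# Report for both families, with the sysctl that binds the in-kernel logger
# (run as root on the host whose LOG rules are silent).
report() {
    for fam in 2 10; do
        case $fam in 2) mod=nf_log_ipv4 ;; *) mod=nf_log_ipv6 ;; esac
        if logger_bound "$fam"; then
            echo "family $fam: logger $(active_logger "$fam") is bound"
        else
            echo "family $fam: no logger bound; try: modprobe $mod && sysctl -w net.netfilter.nf_log.$fam=$mod"
        fi
    done
    if [ "$(readlink /proc/self/ns/net 2>/dev/null)" != "$(readlink /proc/1/ns/net 2>/dev/null)" ]; then
        echo "not in the initial network namespace: set net.netfilter.nf_log_all_netns=1"
    fi
    echo "then re-check with: dmesg | grep 'iptables packet dropped'"
}

if [ -r "$NF_LOG_TABLE" ]; then report; fi
```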

nat – Masking network behind another using Iptables MARK and NETMAP targets

Aoa,
Hello, I have faced a similar scenario to the one mentioned in the following link during a VPN tunnel implementation using strongSwan:

https://www.strongswan.org/testing/testresults/ikev2/net2net-same-nets/

Here it is mentioned that:
necessary network mappings are done on gateway sun using the iptables MARK and NETMAP targets.

But I don't know how to add these configuration mappings and iptables rules.

My configuration IPs with gateways are listed below, and I have to mask one network behind another network:

Cli1(10.10.3.12) gw(10.10.3.1)—(10.10.3.10) gw(10.10.3.1)Dev1(192.168.0.2) gw(192.168.0.1)====(192.168.0.3) gw(192.168.0.1)Dev2(10.10.3.11) gw(10.10.3.1)—(10.10.3.13) gw(10.10.3.1)Cli2

Here I have to mask the 10.10.3.0/24 network with another network at both the source and destination ends.
Kindly guide me on how to do this.
Thanks

networking – basic IPTABLES config for a linux network interface

To access the internet I use a Linux interface named enp2s0 (with a MAC address) -> router -> internet provider.

Can you tell me if these rules are wrong or if I forgot something? Thank you.

iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
iptables -N port-scanning
iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
iptables -A port-scanning -j DROP
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
iptables -A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp -m mac --mac-source fa:0c:69:09:18:e4 -j ACCEPT
iptables -A INPUT -i enp2s0 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
iptables -A INPUT -i enp2s0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 995 -m conntrack --ctstate ESTABLISHED -j ACCEPT

How to separate prefixes for iptables

I hope I can ask this question here, as I am a bit confused about what I can and can't ask :>
What I want to achieve with iptables is to separate the log prefixes. Example:
When a connection comes in for the first time it reaches the final DROP rule; after that I have a tool that analyses it and adds it to a different prefix and chain, so that the drop logs are separated if it was already dropped once and added to the chain.
I have this, but it doesn't work: the HB_LOG_AND_DROP prefix is never showing. All the time only the last DROPLOG is shown. Why?

$IPTABLES -N HB_LOG_AND_DROP;
$IPTABLES -A HB_LOG_AND_DROP -j LOG --log-prefix "IPTABLES-DROPPED: " --log-level 6;
$IPTABLES -A HB_LOG_AND_DROP -j HB_LOG_AND_DROP;

$IPTABLES -N LOGPSCAN;
$IPTABLES -A LOGPSCAN -p tcp --syn -m limit --limit 2000/hour -j RETURN;
$IPTABLES -A LOGPSCAN -m limit --limit 200/hour -j LOG --log-prefix "RULE PORT-SCAN [DROP] ";
$IPTABLES -A LOGPSCAN -j LOGPSCAN;
$IPTABLES -A INPUT -p tcp --syn -j LOGPSCAN;

$IPTABLES -N DROPLOG;
$IPTABLES -A INPUT -j DROPLOG;
$IPTABLES -A DROPLOG -m limit --limit 1/sec -j LOG --log-prefix "[DROP] " --log-level 6;
$IPTABLES -A DROPLOG -j DROP
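An added audit script, not from the post, that applies the checks a reviewer would run on the posted chains: a chain that jumps to itself is rejected by iptables as a loop (so that chain never gets its DROP), a user chain nothing jumps to never sees a packet, and a chain whose last rule is not a terminating target lets packets fall through to the next rule in INPUT. The copy of the rules inside it is constructed from the post, with $IPTABLES and the semicolons stripped.

```shell
#!/bin/sh
# Added example, not from the post: audit iptables rules for the defects that
# keep a log-and-drop chain from ever firing. Input is one rule per line in
# iptables-restore style ("-N chain" / "-A chain ... -j target").

audit_chains() {
    awk '
    $1 == "-N" { defined[$2] = 1; next }
    $1 == "-A" {
        chain = $2; target = ""
        for (i = 3; i <= NF; i++) if ($i == "-j") target = $(i + 1)
        if (target == "") next                      # match-only rule, no jump
        last[chain] = target
        if (target == chain) print "LOOP: " chain " jumps to itself"
        else refs[target] = 1
    }
    END {
        for (c in defined) {
            if (!(c in refs)) print "UNREFERENCED: nothing jumps to " c
            if (last[c] !~ /^(ACCEPT|DROP|REJECT|RETURN)$/)
                print "OPEN: last rule of " c " is -j " last[c] ", packets fall through"
        }
    }'
}

# Constructed copy of the posted rules ($IPTABLES and ";" removed).
POSTED='-N HB_LOG_AND_DROP
-A HB_LOG_AND_DROP -j LOG --log-prefix "IPTABLES-DROPPED: " --log-level 6
-A HB_LOG_AND_DROP -j HB_LOG_AND_DROP
-N LOGPSCAN
-A LOGPSCAN -p tcp --syn -m limit --limit 2000/hour -j RETURN
-A LOGPSCAN -m limit --limit 200/hour -j LOG --log-prefix "RULE PORT-SCAN [DROP] "
-A LOGPSCAN -j LOGPSCAN
-A INPUT -p tcp --syn -j LOGPSCAN
-N DROPLOG
-A INPUT -j DROPLOG
-A DROPLOG -m limit --limit 1/sec -j LOG --log-prefix "[DROP] " --log-level 6
-A DROPLOG -j DROP'

count_findings() {            # number of findings of kind $1 in the posted rules
    printf '%s\n' "$POSTED" | audit_chains | grep -c "^$1:"
}

printf '%s\n' "$POSTED" | audit_chains
```

To make the HB_LOG_AND_DROP prefix appear, end that chain with `-j DROP` and have the analysis tool insert `-I INPUT -s <address> -j HB_LOG_AND_DROP` above the `-A INPUT -j DROPLOG` catch-all, so a repeat offender is matched before the generic log rule.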

linux – Iptables in a game server

So I admin a game server for a fairly old game with a fairly large cheater problem. I've been using iptables/ipset to help combat some of the more persistent cheaters.

My question is: is it possible to make it so that when I drop a connection to the server they are still able to see it on the server list but unable to join it? With my current config, once I decide to drop a connection it vanishes off the server list for them, which they are using to their advantage somewhat by cycling their IP/VPN until they can see the server again and then joining.

I have tried using REJECT instead of DROP, but the server still vanishes off the game list for the affected connections. Is this something to do with the way I have iptables configured, or is "this just how things work"? I'm fairly inexperienced with ipset and iptables and I am mostly self-taught, taking nuggets of advice where I can get them.

Also, as a second question, is there an easier way to blanket-block VPN connections to the server? My process at the moment is identifying the VPN, getting the IPs linked under the ASN and adding them to an ipset under a rule to drop.

iptables – Connection refused on SMTP port 465

I'm trying to open port 465 to secure my Postfix SMTP. But when I try to open it, I execute

telnet mail.example.com 465
Trying my.server.public.ip ...
telnet: Unable to connect to remote host: Connection refused

I try to open it with the command

iptables -I INPUT -p tcp -m tcp --dport 465 -j ACCEPT

How can I solve this problem?
Thanks in advance :]

How to define iptables rules for routing encapsulated VPN traffic based on destination port?

I am looking to route VPN traffic originating from one computer A differently on a connected computer B based on destination port of the traffic. Because the VPN encapsulates the original destination ports, there is no way for iptables on B to know the destination ports of the incoming traffic from A.

Is there a way to make this work using some kind of packet marking after the VPN traffic is encapsulated? Or another way to achieve the same outcome? Attached is a diagram that illustrates the objective.

Thanks.

Illustration of the goal