Re:Share some iptables configuration options

eXcalibre

Not sure if i am allowed to post here, but

I am looking for an IPtables config that will try to stop brute force imap logins.

is there a way i can put a time limit on the amount of attempts that an ip has to log into IMAP port and block the address if its exceeded?

Many thanks in advance.

mfillpot

This is my old firewall script with the comments included, this simple one worked pretty well.

Since then I have made a much more complicated and modular one, I will share that when it is complete.

#!/bin/bash
########################################################
# START THE FIREWALL SCRIPT                            #
########################################################
 
 
# Flush the current rules
iptables -F
 
# Block all forwarding
iptables -A FORWARD -s 0/0 -j DROP
 
# Allow all input into loopback
iptables -A INPUT -i lo -j ACCEPT
 
# Allow 4 pings per minute to block ping DOS attacks
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/m -j ACCEPT
 
# Allow all echo replies including destination unreachable and time exceeded
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
 
# Block all other icmp traffic
iptables -A INPUT -p icmp -j DROP
 
# Allow all response traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# block all other incoming traffic
iptables -A INPUT -j DROP
 
# Display confirmation message
RED=$'\e[31;01m'
NORMAL=$'\e[0m'
echo "${RED}Firewall Started.....${NORMAL}"

mfillpot

That is a nice addition, that can be usful to work with the invalid attempt option in sshd to prevent breakins.

mfillpot

I am not fully versed in the communication methods and ports used for IMAP communication, but if you can pin down the basic packet structure of IMAP logins then you can develop n iptable rule to accomplish your task.

sebastiangarciahelguera

I think the best way to prevent brute force attack's to your logins on any service is not in the firewall, try using pam modules, for ssh try pam-abl (http://tech.tolero.org/blog/en/linux/ssh-password-brute-force-protection).

mfillpot

Tha pam option is definitely a good recommendation, in general I prefer to avoid pam because of the frequency in which vulnerabilities are discovered.

roobal

I don't know now that you'd like firewall setings for servers or desktops but I think that for desktops it's enough this simple rules:

iptables -F
 
# Security policy
 
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
 
# Accept loopback
 
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
 
# Incoming and forward rules
 
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Outgoing rules
 
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

If someone want, can also log traffics and attacks attempt

mfillpot

Thank you for the script roobal, your submission is simple and clean which makes it perfect for new users.