How to combine the OS firewall with the one that comes with the DA instructions to block IPs

lonerunner

After I suffered a lot of brute-force attacks I read the manual on how to get automatic IP blocking of attackers; these are the instructions, from here:

http://help.directadmin.com/item.php?id=380

The instructions require replacing the server's iptables script with the one that came in the instructions. Now I need to add another rule to my firewall that looks like this:

Code:
# create chain
iptables -N quake3_ddos

# accept real client/player traffic
# (u32 offset 0x1c is the start of the UDP payload; Quake3 connectionless
# packets such as getstatus begin with the four bytes ff ff ff ff)
iptables -A quake3_ddos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT

# match "getstatus" queries and remember their address
# (the bytes "gets", "tatu", "s" starting at payload offset 4)
iptables -A quake3_ddos -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" -m recent --name getstatus --set

# drop packet if "hits" per "seconds" is reached
#
# NOTE: if you run multiple servers on a single host, you will need to raise these limits,
# as otherwise you will block regular server queries, like Spider or QConnect,
# e.g. they will query all of your servers within a second to update the list
iptables -A quake3_ddos -m recent --update --name getstatus --hitcount 5 --seconds 2 -j DROP

# accept otherwise
iptables -A quake3_ddos -j ACCEPT

#
#
# finally insert the chain as the top most input filter

# single server
# iptables -I INPUT 1 -p udp --dport 27960 -j quake3_ddos

And when I add it, it outputs an error about the u32 module not loading.

I'm running CentOS 5.8, and with the default iptables configuration the module loads and this rule works, but then I don't know how to add the rule to block IPs of brute-force attacks.

So to summarize:

With the CentOS iptables the new firewall rule works, but not the brute-force blocking from DirectAdmin.

With the DirectAdmin instructions and the iptables from the instructions, brute-force attacks are blocked, but when I add the rule it's not working and outputs that the u32 module is not loading.

Is there a way that I can combine these 2 iptables configurations so I can have brute-force attacks blocking IPs and run the new rule that works, with the modules loaded?
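The getstatus test in the rules above is nothing more than a byte comparison at fixed packet offsets. The script below is an added example (it is not code from this thread or from the Quake3 tutorial it quotes): it generates that kind of u32 expression for any command string, reproduces the thread's "getstatus" term exactly, and adds the check a practitioner wants before inserting such rules, namely whether the local iptables can load the u32 match at all. The function names and the use of `iptables -m u32 -h` as the probe are this example's own.

```sh
#!/bin/sh
# Added example, not code from the thread or from the quake3_ddos tutorial.
# Builds the iptables "-m u32 --u32" expression that tests for an ASCII string
# at a fixed byte offset, which is how the quake3_ddos chain recognises
# "getstatus" queries. Like the thread's rules it assumes an IPv4 header with
# no options (IHL=5) and a UDP payload, so u32 offsets (from the IP header) are:
#   0x14 (20) = UDP header
#   0x1c (28) = first payload bytes; Quake3 connectionless packets start ff ff ff ff
#   0x20 (32) = start of the command name ("getstatus", "getinfo", ...)
# u32 always loads 4 bytes at the given offset and the match fails on a packet
# shorter than that, so the trailing partial word is read from the 4 bytes
# ENDING at the last wanted byte and masked, exactly like the thread's
# "0x25&0xff=0x73" term for the final "s" of "getstatus".

hexstr() {
    # hex encoding of $1, no prefix, no separators
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

u32_string_match() {
    # usage: u32_string_match <decimal byte offset> <ascii string>
    # (offset + string length must be at least 4 for the tail trick to work)
    off=$1
    hex=$(hexstr "$2")
    nbytes=$(( ${#hex} / 2 ))
    expr=""
    pos=0
    while [ "$pos" -lt "$nbytes" ]; do
        rem=$(( nbytes - pos ))
        if [ "$rem" -ge 4 ]; then
            # full 32-bit word at off+pos
            word=$(printf '%s' "$hex" | cut -c "$(( pos * 2 + 1 ))-$(( pos * 2 + 8 ))")
            term=$(printf '0x%x=0x%s' "$(( off + pos ))" "$word")
            pos=$(( pos + 4 ))
        else
            # 1-3 leftover bytes: load the word ending at the last byte and
            # keep only its low $rem bytes via the mask
            tail=$(printf '%s' "$hex" | cut -c "$(( pos * 2 + 1 ))-")
            mask=$(printf '%s' "$tail" | sed 's/./f/g')
            term=$(printf '0x%x&0x%s=0x%s' "$(( off + nbytes - 4 ))" "$mask" "$tail")
            pos=$nbytes
        fi
        if [ -n "$expr" ]; then expr="$expr&&$term"; else expr=$term; fi
    done
    printf '%s\n' "$expr"
}

u32_available() {
    # usage: u32_available [path to iptables]
    # Succeeds only if the userspace u32 extension loads. On the iptables 1.3.5
    # from the thread this fails with "Couldn't load match `u32'" because
    # libipt_u32.so is missing, which is also why "No chain/target/match by
    # that name" appears for every rule that uses -m u32.
    "${1:-iptables}" -m u32 -h >/dev/null 2>&1
}

# demo: the thread's rule plus two other Quake3 query names
u32_string_match 32 getstatus    # 0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73
u32_string_match 32 getinfo
u32_string_match 32 rcon
if command -v iptables >/dev/null 2>&1; then
    if u32_available iptables; then echo "u32 match: available"; else echo "u32 match: NOT available"; fi
fi
```

Two caveats. The offsets are only right when the IP header has no options; the u32 syntax can make offsets relative to the transport header instead (the `0>>22&0x3C@` prefix documented in the u32 match help), which is the safer form on a host that sees options. And `u32_available` only tests the userspace extension, which is what the error in this thread is about; on kernels that ship it the match itself lives in the xt_u32 module, so a rule can still fail at insert time if that module is absent.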
 
Hello,

You should then load the u32 module before loading the iptables rules:

Code:
modprobe u32

And how do I load it? In the firewall it's written like this:

MODPROBE="/sbin/modprobe"

and later on in the file it has some more modules loaded:

dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp

I have searched for the u32 module to see if there is any separate file, but there isn't.

I have tried to insert it with various commands like
MODPROBE u32
/sbin/modprobe u32
and some more, but I guess I'm too dumb to do this.

How do I insert this u32 module into the firewall?
 
It's a dedicated server.

Kernel version Linux 2.6.18-308.4.1.el5 on i686 CentOS 5.8

I have read somewhere that the u32 module is not available on CentOS, but somehow they made some workaround in the default iptables and you can still use the command above; I don't know how much of that is true, but when I use it with the default iptables I don't get any errors. But since I changed iptables to the one described in the "I wish to have a block_ip.sh so I can block IPs through DirectAdmin" tutorial, the command is not working.

There is a possibility to change it to " -m connlimit ", but I don't know how.

Most gaming servers are configured differently than web servers, and there is no other explanation of how to prevent DDoS attacks on the Quake3 game except the one in the first post, which I need to implement somehow in my iptables.

I also looked in /sbin/modprobe; there is no u32 module (the actual file should be called libipt_u32.so).

Is it possible that I can install this module from some RPM source, or to try the command -m connlimit --connlimit-above 4 -j DROP < but this can probably drop regular players.
 
Will you then post the exact text of the error here? Or even attach a screenshot?

iptables v1.3.5: Couldn't load match `u32':/lib/iptables/libipt_u32.so: cannot open shared object file: No such file or directory
 
Quake3, seriously... didn't notice it was still 2001.

You are trying to use a seriously outdated iptables module.

Find a better tutorial.
 

There isn't another tutorial; I have searched up and down the internet and everywhere it's the same tutorial.
 
http://www.linuxquestions.org/questions/red-hat-31/u32-lib-not-in-red-hat-iptables-1-3-5-a-787037/
http://forums.fedoraforum.org/archive/index.php/t-179812.html

So make sure your rule gets loaded with the default iptables; just run this

Code:
iptables-save

to see what is loaded.

Sometimes it's very important to double-check everything and not give up. 2 days ago I found the second link you posted in a search, but the page wasn't loading; I got an error. Now I found the instructions on that same link. I'll try to rebuild iptables with that other RPM package and see if it works.
 
OK, I installed this http://rpm.pbone.net/index.php3/stat/4/idpl/6009692/dir/pld/com/iptables-1.3.3-18.i386.rpm.html

Then I got a huge error on every possible line, like

/etc/init.d/iptables: line 334: /sbin/iptables: No such file or directory

The error was generated because in the DirectAdmin firewall there is the path IPTABLES="/sbin/iptables"

Then on every rule it's written like this:

$IPTABLES -A INPUT -p tcp --dport 25 --syn -j DROP

And i just changed

$IPTABLES

with

iptables

and now I have only one error, this:

iptables: Chain already exists
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

Hasn't iptables maybe remembered some old rules somewhere?

I checked in /etc/init.d/iptables and I have the chain as I posted in the first post. In that folder I have iptables, iptables.backup (generated by me) and iptables.rpmsave (it's probably generated from iptables when I installed the RPM).

I checked /etc/sysconfig/iptables and it's the default generated file. I have iptables.save; it's also a default generated file. ip6tables-config, iptables.new and iptables.old are generated by me and are probably not loading.

The iptables-save command is not working; it outputs the error /sbin/iptables-save no such file.

Would this work with all the mess I made now? I have been testing it around, and I get messages about brute-force attempts, but I don't see emails in the block list.

EDIT: so far it looks like it works, except I didn't test if DDoS attacks on Quake are working, will see about that, and I get the "iptables: No chain/target/match by that name" error.

And I think I found a bug in blocking brute-force IPs. Apparently if an IP like 209.85.160.20 is blocked, then IP 209.85.160.2 won't be blocked. And in DA admin when I click block it says it's already blocked, but when I check blocked_ips.txt it's not blocked. Well, if it's really a bug and not some kind of mistake by me this should be another topic, or is there one already?
 
> /etc/init.d/iptables: line 334: /sbin/iptables: No such file or directory
>
> The error was generated because in the DirectAdmin firewall there is the path IPTABLES="/sbin/iptables"
>
> Then on every rule it's written like this:
>
> $IPTABLES -A INPUT -p tcp --dport 25 --syn -j DROP
>
> And I just changed
>
> $IPTABLES
>
> with
>
> iptables

$IPTABLES is a variable, and is replaced by the value /sbin/iptables; obviously your version is located somewhere else in the path. If you care to find out where, you can run:
Code:
# whereis iptables

> and now I have only one error, this:
>
> iptables: Chain already exists

Either you weren't starting with an empty configuration, or you've got something out of order.

> iptables: No chain/target/match by that name
> iptables: No chain/target/match by that name

Possibly a follow-up on the first error; possibly a misspelling somewhere.

> Hasn't iptables maybe remembered some old rules somewhere?

These lines will probably delete them:
Code:
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
    iptables -L -n
(Note I took the above lines from the kiss firewall rules for shutting off the firewall.)

Jeff
 
> And I think I found a bug in blocking brute-force IPs. Apparently if an IP like 209.85.160.20 is blocked, then IP 209.85.160.2 won't be blocked. And in DA admin when I click block it says it's already blocked, but when I check blocked_ips.txt it's not blocked. Well, if it's really a bug and not some kind of mistake by me this should be another topic, or is there one already?
Might be a bug, as .2 is included in .20. Hopefully John can look into it.

Jeff
 
> $IPTABLES is a variable, and is replaced by the value /sbin/iptables; obviously your version is located somewhere else in the path. If you care to find out where, you can run:

I found that; iptables is now located in the usr/ folder.

> Either you weren't starting with an empty configuration, or you've got something out of order.

I managed to remove the duplicated chain; I used the command iptables -X chain-name. I started to get the duplicated chain error when I inserted iptables -N quake3_ddos from the terminal. I still don't know where this was written, because I searched for iptables and opened all the files I found and none of them contained the rule. So I guess it can only be somewhere in a cache.

> iptables: No chain/target/match by that name
> iptables: No chain/target/match by that name

I also found that these errors are coming from these 2 lines:

# accept real client/player traffic
iptables -A quake3_ddos -m u32 ! --u32 "0x1c=0xffffffff" -j ACCEPT

# match "getstatus" queries and remember their address
iptables -A quake3_ddos -m u32 --u32 "0x20=0x67657473&&0x24=0x74617475&&0x25&0xff=0x73" -m recent --name getstatus --set

So I guess this has to be rewritten, or there is a misspelling that I don't see.


And I was looking further at those instructions "I wish to have a block_ip.sh so I can block IPs through DirectAdmin" http://help.directadmin.com/item.php?id=380, going through the tutorial again, and everything on the server is as written in the tutorial, and these are the headers from my emails:

New Message: Brute-Force Attack detected in service log from IP(s) 209.85.160.12
New Message: Brute-Force Attack detected in service log from IP(s) 74.125.82.15
New Message: Brute-Force Attack detected in service log from IP(s) 209.85.160.13, 209.85.210.16, 209.85.210.3
Brute-Force Attack detected in service log from IP(s) 124.229.53.248

And this is when I check if the IPs are blocked:
iptables -L -n --line | grep 209.85.160.12
375 DROP all -- 209.85.160.129 0.0.0.0/0

iptables -L -n --line | grep 74.125.82.15
199 DROP all -- 74.125.82.150 0.0.0.0/0
279 DROP all -- 74.125.82.154 0.0.0.0/0
313 DROP all -- 74.125.82.156 0.0.0.0/0
402 DROP all -- 74.125.82.151 0.0.0.0/0
535 DROP all -- 74.125.82.152 0.0.0.0/0
562 DROP all -- 74.125.82.158 0.0.0.0/0
647 DROP all -- 74.125.82.157 0.0.0.0/0
708 DROP all -- 74.125.82.159 0.0.0.0/0
942 DROP all -- 74.125.82.155 0.0.0.0/0
979 DROP all -- 74.125.82.153 0.0.0.0/0

iptables -L -n --line | grep 124.229.53.248
3754 DROP all -- 124.229.53.248 0.0.0.0/0

Notice how the first 2 IPs checked are not blocked because there are already IPs containing those numbers, and the third one is blocked.

Also when I try to block it through the DA control panel Brute Force option I get this:

Error Blocking IP

Details

209.85.160.12 already exists in /root/blocked_ips.txt (1). Not blocking.

But the IP doesn't exist in /root/blocked_ips.txt.
 
Thanks for the report. Grab a new block_ip.sh, as I've added a fix with the correct newline regex characters and a follow-up = character.
http://files1.directadmin.com/services/all/block_ip.sh
Code:
COUNT=`grep -c "^${ip}=" $BF`;
This assumes you're using the:
IP=dateblocked=1332496141

format in your /root/blocked_ips.txt file.
If it's only got the format:
IP

without =dateblocked=1332496141, then it won't work correctly. (Just add = characters after all IPs in blocked_ips.txt, so that grep can see them.)

John
 

Since it would be very hard to add = characters after all the IPs in the blocked_ips.txt file, because I have 3700 IPs, I removed all IPs and now new IPs are written like this:

209.85.215.3=dateblocked=1338456165

And when I restart iptables I get this:

iptables v1.3.3: host/network `209.85.215.3=dateblocked=1338456165' not found

And the IP is not blocked again. But in DA administration it says it's blocked because the IP is in the blocked_ips.txt list.

Maybe some other rule in iptables that will remove =dateblocked=1338456165 from the list and just parse the list of IPs?
 
Hello,

In your /etc/init.d/iptables script, you should see this:
Code:
if [ -s $BLOCK_LIST ]; then
	for i in `cat $BLOCK_LIST | cut -d= -f1`; do
	{
		b $i
	};
	done;
fi
where yours is likely just missing the | cut -d= -f1 part.

John
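John's two replies above (the `grep -c "^${ip}="` fix in block_ip.sh, and the `| cut -d= -f1` in the init script's loop) are two halves of the same parsing problem: the block list is consulted by a prefix match when an IP is added, and read back as raw tokens when iptables starts. The script below is an added example, not DirectAdmin's block_ip.sh or its iptables script, that handles both sides in one place. It accepts both line formats seen in this thread (`IP` and `IP=dateblocked=<epoch>`), uses an anchored, dot-escaped match so 209.85.160.12 is not mistaken for 209.85.160.129, validates each address before it reaches iptables, and strips the `=dateblocked=...` suffix when loading. The names BLOCK_LIST, IPTABLES and the functions are this example's own, and the list it runs on is constructed for the demo (the addresses are taken from the posts above, the file is not real data).

```sh
#!/bin/sh
# Added example, not DirectAdmin's block_ip.sh or its iptables init script.
# A small blocked-list library that avoids the two problems discussed above:
#   1. a prefix test such as grep "^$ip" reports 209.85.160.12 as already
#      blocked when only 209.85.160.129 is in the list (and an unescaped "."
#      in the pattern matches any character);
#   2. the loader must strip "=dateblocked=<epoch>" before the address reaches
#      iptables, or iptables rejects the whole token as an unknown hostname.
# Both line formats from the thread are accepted: "IP" and
# "IP=dateblocked=<epoch>". BLOCK_LIST and IPTABLES are assumed names;
# set IPTABLES=echo to print the rules instead of applying them.

BLOCK_LIST=${BLOCK_LIST:-/root/blocked_ips.txt}
IPTABLES=${IPTABLES:-/sbin/iptables}

valid_ipv4() {
    # accept only four dotted decimal octets in the range 0-255
    case $1 in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

is_blocked() {
    # exact-address test: the address is the whole line or is followed by "=".
    # Dots are escaped so they cannot act as regex wildcards.
    [ -s "$BLOCK_LIST" ] || return 1
    re=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^${re}(=|\$)" "$BLOCK_LIST"
}

block_ip() {
    # record the address with a timestamp and insert a DROP rule, once
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "block_ip: '$ip' is not an IPv4 address, not blocking" >&2
        return 2
    fi
    if is_blocked "$ip"; then
        echo "block_ip: $ip already exists in $BLOCK_LIST, not blocking" >&2
        return 1
    fi
    printf '%s=dateblocked=%s\n' "$ip" "$(date +%s)" >> "$BLOCK_LIST"
    "$IPTABLES" -I INPUT -s "$ip" -j DROP
}

load_block_list() {
    # what the init script's loop should do: keep only the part before the
    # first "=", skip malformed lines, insert one DROP rule per address
    [ -s "$BLOCK_LIST" ] || return 0
    while IFS= read -r line; do
        ip=${line%%=*}
        if valid_ipv4 "$ip"; then
            "$IPTABLES" -I INPUT -s "$ip" -j DROP
        else
            echo "load_block_list: skipping malformed line '$line'" >&2
        fi
    done < "$BLOCK_LIST"
}

# --- demo on a constructed list (made up for this example) ---
BLOCK_LIST=$(mktemp)
IPTABLES=echo                    # print the rules instead of applying them
cat > "$BLOCK_LIST" <<'EOF'
209.85.160.129
74.125.82.150=dateblocked=1332496141
124.229.53.248=dateblocked=1332496200
not-an-ip=dateblocked=1332496300
EOF
block_ip 209.85.160.12           # no longer a prefix hit on .129: gets blocked
block_ip 209.85.160.12 || true   # second call is refused as a duplicate
load_block_list                  # four rules; the malformed line is skipped
```

Run it as is and it only prints the iptables commands; drop the two demo assignments to use it against the real list with the real binary. The `valid_ipv4` step is the part the thread's scripts lack: the init script hands every token from the file to iptables, so one bad line (the `209.85.215.3=dateblocked=...` error above is exactly that) aborts loading with an error rather than being skipped.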
 

Yes, exactly this was missing from my iptables; I added it and it works now. Hopefully now I will get rid of these brute-force attacks.

Thanks John

Now I just need to figure out how to resolve the "iptables: No chain/target/match by that name" errors.
 