zhennlash

iptables + resolv.conf questions


Heya.

 

I've got the required keys and configs via the generator, and all is well when using openvpn.

 

I've noticed my resolv.conf is frequently overwritten (at startup), how can I prevent this from happening? I'm using NetworkManager, and have the connection set to use airvpn's DNS. As things are now, I've got to manually enter the nameserver each time the system starts. The only clue here is that "generated by resolvconf" is prepended to the revised resolv.conf.

 

As for iptables, I've noticed there's airvpn client functionality to block all non-local and non-airvpn node traffic in/out of the machine. Could someone please share an example iptables table (lol) that achieves the same effect?

 

Thanks =)


yeah network mangler does that

i never got used to it, at all

just set your local to static and get an open-source router or flash an old one ya got lying around

shut off yer dhcp server on that

 

this does a couple of things for ya:

first, you now have full control over your local, meaning your isp STOPS at the router

 

that right there gives me a warm fuzzy feeling

 

second you can do this for all the things connecting to your local, meaning ya don't have boxes and phones

running junk they don't need. hey, let's face it, first thing they tell ya at bandcamp: don't talk about bandcamp

well i mean they say things too like 'don't lead with your chin' or sumthin like that

the less junk i got purring and running the less for me to break is my point before i have had 30 cups of coffee

ok that iptables example:

i'm not a guru at this so if ya see sumthin wrong or can be improved on etc yeah lemme know please....

 

 

this script is a server config
comment out what ya don't want
mod block ipz or botz with your stuff
# 051317_edit
geo blocking/spam filter
ge0z/country codez
# -----
# server config
#
# to reconnect...
# iptables -F
# iptables -X
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# test firewall with nmap...
# nmap -v -f/-sX/-sN ip_addy
# check status
# iptables -L -n -v
# for arch: pacman -S ipset/modprobe -v ip_set | ipset -n list
# if non-vpn comment out '# -->' section
# to start scratch w/geo, -X,-F tables, ipset destroy geoz, accpet traffic
# check with ipset list, rm the wget file also
# ipset save > /your/directory/blacklist.save | ipset restore < /your/directory/blacklist.save
echo "-> waking wald0 up..."
#
echo "-> remove rules from chains..."
iptables -F
iptables -t nat -F
iptables -t mangle -F
#
echo "-> remove user definez..."
iptables -X
iptables -t nat -X
iptables -t mangle -X
#
echo "-> droppen shit..."
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# input/output/vpn
# interface names assumed below: enp2s1 = physical/lan side, tun0 = the openvpn tunnel; change both to match your box
echo "-> setten up the flow..."
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT # allow loopback access
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # replies to connections this box opened
# --> # comment out if not vpn
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT # communicate with any DHCP server/router
iptables -A INPUT -s 255.255.255.255 -j ACCEPT # communicate with any DHCP server/router
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT # communicate within lan
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i enp2s1 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o enp2s1 -j ACCEPT # make sure enp2s1/tun0 can communicate (this box forwards for the lan)
# PREROUTING only sees packets arriving on an interface, so these two redirect the lan clients' DNS into the tunnel,
# not this box's own lookups (those are governed by resolv.conf)
iptables -t nat -A PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to 10.5.0.1 # use vpn dns
iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to 10.5.0.1 # use vpn dns
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE # map forwarded traffic to the tun0 address
iptables -A OUTPUT -o enp2s1 ! -d 127.0.0.1 -p tcp --dport 1413 -j DROP # if traffic isn't vpn
# --> #
# OUTPUT policy is ACCEPT above, so only port 1413 is held to the tunnel; this is a server ruleset, not a kill switch
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT # ssh, web, ssl
#
# blocking spam...
sleep 2
ipset -exist create blacklist hash:net # -exist: do not fail when the set survived a previous run of this script
sleep 2
# change directory listing here for server
IP_TMP=/yourdirectory/ip.tmp
IP_BLACKLIST=/yourdirectory/ip-blacklist.conf
IP_BLACKLIST_TMP=/yourdirectory/ip-blacklist.tmp
list="chinese nigerian russian lacnic exploited-servers"
BLACKLISTS=(
"http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1"  # TOR Exit Nodes
"http://www.maxmind.com/en/anonymous_proxies" # MaxMind GeoIP Anonymous Proxies
"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
"http://blocklist.greensnow.co/greensnow.txt" # greenz ETz rbn-ips replacement
"http://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
"http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
"http://www.autoshun.org/files/shunlist.csv" # Autoshun Shun List
"http://rules.emergingthreats.net/blockrules/compromised-ips.txt" # bad ipz by emergingz
"https://zeustracker.abuse.ch/blocklist.php?download=badips" # mohrr bad ipz
"https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist" # mohrrz ipz
"http://malc0de.com/bl/IP_Blacklist.txt" # malc0dz recentz 2016
"http://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
)
for i in "${BLACKLISTS[@]}"
do
    curl -sS "$i" > "$IP_TMP"
    grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' "$IP_TMP" >> "$IP_BLACKLIST_TMP"
done
for i in $list; do
        # Download if needed; -P is the target directory (a bare directory here would be taken for a URL), -N skips unchanged files
        wget --quiet -N -P /yourdirectory/ "http://www.wizcrafts.net/$i-iptables-blocklist.html"
        # Grep out all but ip blocks
        grep -v -e '<' -e ':' -e ';' -e '#' "/yourdirectory/$i-iptables-blocklist.html" | grep '[0-9]' > "/yourdirectory/$i.txt"
        # Consolidate blocks into master list
        cat "/yourdirectory/$i.txt" >> "$IP_BLACKLIST_TMP"
done
#
sort $IP_BLACKLIST_TMP -n | uniq > $IP_BLACKLIST
rm $IP_BLACKLIST_TMP
wc -l $IP_BLACKLIST
#
ipset flush blacklist
grep -E -v "^#|^$" "$IP_BLACKLIST" | while IFS= read -r ip
do
        ipset -exist add blacklist "$ip" # -exist: the same entry showing up in two feeds is not an error
done
#
sleep 2
#
iptables -A INPUT -m set --match-set blacklist src -j DROP
sleep 2
#
# snag sum zonez...
sleep 2
mkdir -p /yourdirectory/spamz1 /yourdirectory/spamz2
# default maxelem is 65536 and these country lists together can exceed it. if a geoz set from an older run exists
# with other parameters, ipset destroy it first (see header)
ipset -exist create geoz1 hash:net maxelem 131072
ipset flush geoz1 # start from the fresh download, not last run's leftovers
sleep 2
# bash brace expansion turns each of these into one wget call for several zones; -O appends them into one file
wget -O /yourdirectory/spamz1/1.txt http://www.ipdeny.com/ipblocks/data/countries/{sa,so,sv,sy,ua,mn,bo,cz,pl}.zone
sleep 1
wget -O /yourdirectory/spamz1/2.txt http://www.ipdeny.com/ipblocks/data/countries/{va,za,tw,zm,zw,is,jp,ru,uz}.zone
sleep 1
wget -O /yourdirectory/spamz1/3.txt http://www.ipdeny.com/ipblocks/data/countries/{se,au,ge,pe,ug,md,ca,by,fr}.zone
sleep 1
# add each network from the downloaded lists into the ipset 'geoz1'
for i in $(cat /yourdirectory/spamz1/*.txt); do ipset -exist add geoz1 "$i"; done # for server
sleep 2
#
ipset -exist create geoz2 hash:net maxelem 131072
ipset flush geoz2
sleep 2
wget -O /yourdirectory/spamz2/4.txt http://www.ipdeny.com/ipblocks/data/countries/{bg,ba,cn,iq,ir,it,cf,es,il}.zone
sleep 1
wget -O /yourdirectory/spamz2/5.txt http://www.ipdeny.com/ipblocks/data/countries/{hk,kr,kp,kw,kz,in,br,dz,be}.zone
sleep 1
wget -O /yourdirectory/spamz2/6.txt http://www.ipdeny.com/ipblocks/data/countries/{ly,mx,pk,ps,rw,ar,az,de,dm}.zone
# add each network from the downloaded lists into the ipset 'geoz2'
for i in $(cat /yourdirectory/spamz2/*.txt); do ipset -exist add geoz2 "$i"; done # for server
sleep 2
# blocking geoz...
echo "-> blocking country codz..."
iptables -I INPUT -m set --match-set geoz1 src -j DROP
iptables -I INPUT -m set --match-set geoz2 src -j DROP
iptables -I OUTPUT -m set --match-set geoz1 dst -j DROP
iptables -I OUTPUT -m set --match-set geoz2 dst -j DROP
#
# blocking botz...
# string matching only sees plaintext: on 443 the request is inside TLS, so in practice only port 80 can hit these
echo "-> droppen sum botz/scanz..."
iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m string --string "NetcraftSurveyAgent" --algo bm --to 1000 -j DROP
iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m string --string "w3af.sourceforge.net" --algo bm --to 1000 -j DROP
iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m string --string "nikto" --algo bm --to 1000 -j DROP
iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m string --string "sqlmap" --algo bm --to 1000 -j DROP
iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m string --string "Openvas" --algo bm --to 1000 -j DROP
iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m string --string "Nmap" --algo bm --to 1000 -j DROP
iptables -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m string --string "ZmEu" --algo bm --to 1000 -j DROP
#
# blocking mohr spam...
echo "-> droppen sum spam..."
iptables -A INPUT -p tcp -s 116.0.0.0/8 -j DROP # asia spam'ish'
iptables -A INPUT -p tcp -s 58.17.30.0/23 -j DROP #	China -ShangHai Shelian commpany  	
iptables -A INPUT -p tcp -s 59.69.128.0/19 -j DROP # China -Nanyang Institute Tech.  	
iptables -A INPUT -p tcp -s 61.164.145.0/24 -j DROP # China -Wenzhou Telecom  	
iptables -A INPUT -p tcp -s 81.196.20.0/23 -j DROP # Romania -RCS & RDS S.A.  	
iptables -A INPUT -p tcp -s 82.213.64.0/19 -j DROP # Italy -MIPIACE.COM SPA  	
iptables -A INPUT -p tcp -s 111.0.0.0/10 -j DROP # China -Mobile Comm Corp  	
iptables -A INPUT -p tcp -s 125.23.218.0/24 -j DROP # India -Bharti Tele-Ventures  	
iptables -A INPUT -p tcp -s 183.129.128.0/17 -j DROP # China -Zhejiang Telecom  	
iptables -A INPUT -p tcp -s 200.105.224.0/20 -j DROP # Ecquadore -PUNTONET S.A.  	
iptables -A INPUT -p tcp -s 203.99.130.0/23 -j DROP # Indonisia -PT Varnion Tech Semesta  	
iptables -A INPUT -p tcp -s 210.83.84.64/26 -j DROP # China -China Unicom CncNet  	
iptables -A INPUT -p tcp -s 222.96.0.0/19 -j DROP # Korea -Korea Telcom
iptables -A INPUT -p tcp -s 131.178.0.0/16 -j DROP # Mexico spam'ish'
#
echo "-> droppen spoofz..."
# private/bogon sources that show up as unsolicited packets. replies from the vpn side (10.x, e.g. the 10.5.0.1
# resolver) already matched the ESTABLISHED rule above, so they are not affected
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
#
echo "-> blocken icbmzzz..."
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
#
echo "-> drop off the invaldz..."
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
#
echo "-> limit the rst flow..."
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP # over the limit: drop here instead of letting it fall through
#
echo "-> bypass the scanners..."
# -I so these sit ahead of the port 22/80/443 ACCEPT above; a rule with --set somewhere in INPUT is what puts
# addresses on the 'portscan' list, --rcheck alone never adds anything
iptables -I INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -I FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
#
echo "-> block some brutez..."
iptables -N BRUTEFORCE
# -I so the chain is consulted before the general port 443 ACCEPT above (a rule appended after an ACCEPT never sees the packet)
iptables -I INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j BRUTEFORCE
iptables -A BRUTEFORCE -m recent --set
# 6th new connection within an hour from one source is dropped, anything else returns to INPUT. 6/hour is very
# tight for a web server (browsers open several connections per page), raise it if real users get cut off
iptables -A BRUTEFORCE -m recent --update --seconds 3600 --hitcount 6 -j DROP
#
echo "-> avoid broadcasts..."
# set these two to match your box; the defaults are the interface used elsewhere in this script and an example lan
EXTERNAL_INTERFACE=${EXTERNAL_INTERFACE:-enp2s1}
BROADCAST_NET=${BROADCAST_NET:-192.168.0.255}
iptables -A INPUT -i "$EXTERNAL_INTERFACE" -d "$BROADCAST_NET" -j DROP
#
echo "-> drop the fragging..."
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --dport 113 -m state --state NEW -j REJECT --reject-with tcp-reset
# ssh rate limit: the 4th new connection from one address within 60 s is dropped. both rules use -I so they land
# ahead of the port 22 ACCEPT above; the DROP is inserted first so that after both inserts the --set rule is
# evaluated before the --update rule
iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --set
#
echo "-> not into X-Mas..."
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#
echo "-> null-la-bye..."
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#
echo "-> dropn sum fellaz..."
# uncomment to block ipz:
iptables -A INPUT -s 239.192.152.143,181.228.206.138,51.254.213.15,82.221.105.7,106.219.59.202 -j DROP 
iptables -A INPUT -s 122.162.123.217,43.246.249.217,177.83.170.134,37.214.90.130,82.221.105.7 -j DROP
iptables -A INPUT -s 208.52.154.240,213.230.72.206,107.20.135.43,197.221.129.138,123.243.167.240 -j DROP
iptables -A INPUT -s 5.133.161.202,77.81.6.234,37.153.173.10,190.117.116.177,197.221.129.138 -j DROP
iptables -A INPUT -s 217.19.216.243,212.56.214.203,155.94.254.143,67.21.104.221,50.194.147.69 -j DROP 
iptables -A INPUT -s 87.252.229.9,5.135.151.181,213.230.73.71,104.238.111.88,185.25.151.159 -j DROP
iptables -A INPUT -s 141.212.122.129,91.196.50.33,146.185.239.100,198.20.87.98,185.106.92.113 -j DROP
iptables -A INPUT -s 109.205.249.84,98.190.250.74,5.141.215.112,193.242.203.131,87.66.122.232 -j DROP
iptables -A INPUT -s 104.1.209.192,62.183.125.123,178.218.202.119,207.232.21.133 -j DROP
#
# anything still on INPUT here was not accepted by any rule above: remember the source on the 'portscan' list
# (what the "bypass the scanners" rules check) and drop it. one stray packet to a closed port bans the source
# for a day, so keep this the very last INPUT rule
iptables -A INPUT -m recent --name portscan --set -j DROP
sleep 2
#
echo "-> ignore bad errerz..."
# Ignore bad error messages
for f in /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses; do
    echo 1 > "$f"
done
#
echo "-> disable response to broadkastz..."
# Disable response to broadcasts
for f in /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; do
    echo 1 > "$f"
done
#
echo "-> downen source routed paketz..."
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done
#
echo "-> enabling syn cookie protekshun..."
# Enable TCP SYN Cookie Protection
for f in /proc/sys/net/ipv4/tcp_syncookies; do
    echo 1 > "$f"
done
#
echo "-> disabling redirekz..."
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
done
#
echo "-> not sending redirekz messuhguz..."
# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > "$f"
done
#
echo "-> droppen spoof pakz..."
# Drop Spoofed Packets coming in. 1 is strict mode: on a box that forwards lan traffic into tun0, strict mode
# drops replies that arrive on an interface the kernel would not have routed them out of; use 2 (loose) if that bites
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
#
echo "-> saven the setz Chewy..."
# iptables-save only prints to stdout, so redirect it; ipsets are not part of that dump and need their own save.
# restore order at boot is ipset first, then iptables (the rules reference the sets). on arch the units
# iptables.service / ipset.service read /etc/iptables/iptables.rules and /etc/ipset.conf
iptables-save > /yourdirectory/iptables.rules
ipset save > /yourdirectory/blacklist.save
#
#

now that is waaaayyyyy overkill so take out the stuff ya don't want

 

 

cheerz

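The script above is a server hardening set with an open OUTPUT policy, which is the opposite of what the OP asked for: a rule set where nothing but local traffic and the tunnel gets in or out. The following is an added example of such a kill switch, written for this thread and not taken from the post above or from AirVPN's client. Everything in it is an assumption you override for your box: physical interface enp2s1, tunnel tun0, LAN 192.168.0.0/24, an OpenVPN server at the placeholder address 198.51.100.10 on UDP 443, and a VPN-side resolver at 10.5.0.1. It prints iptables-restore syntax instead of calling iptables directly, so you can read or diff the result before loading it.

```shell
# Added example: VPN kill switch as an iptables-restore rule set.
# Defaults are placeholders (documentation-range server address); set the variables in the environment:
#   VPN_SERVER=1.2.3.4 VPN_PORT=443 VPN_PROTO=udp LAN_IF=enp2s1 TUN_IF=tun0 LAN_NET=192.168.0.0/24 VPN_DNS=10.5.0.1
vpn_killswitch_rules() {
    LAN_IF="${LAN_IF:-enp2s1}"
    TUN_IF="${TUN_IF:-tun0}"
    LAN_NET="${LAN_NET:-192.168.0.0/24}"
    VPN_SERVER="${VPN_SERVER:-198.51.100.10}"
    VPN_PORT="${VPN_PORT:-443}"
    VPN_PROTO="${VPN_PROTO:-udp}"
    VPN_DNS="${VPN_DNS:-10.5.0.1}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, and replies to whatever this box opened itself
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# no DNS on the physical interface at all, not even to the home router:
# this has to come before the LAN rule, or the router's forwarder becomes the leak
-A OUTPUT -o ${LAN_IF} -p udp --dport 53 -j DROP
-A OUTPUT -o ${LAN_IF} -p tcp --dport 53 -j DROP
# DHCP on the physical interface
-A OUTPUT -o ${LAN_IF} -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i ${LAN_IF} -p udp --sport 67 --dport 68 -j ACCEPT
# local network
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -j ACCEPT
-A OUTPUT -o ${LAN_IF} -d ${LAN_NET} -j ACCEPT
# the only thing allowed to leave the physical interface for the internet: the tunnel handshake itself
-A OUTPUT -o ${LAN_IF} -p ${VPN_PROTO} -d ${VPN_SERVER} --dport ${VPN_PORT} -j ACCEPT
# inside the tunnel: DNS only to the VPN resolver, everything else is free
-A OUTPUT -o ${TUN_IF} -p udp --dport 53 ! -d ${VPN_DNS} -j DROP
-A OUTPUT -o ${TUN_IF} -p tcp --dport 53 ! -d ${VPN_DNS} -j DROP
-A OUTPUT -o ${TUN_IF} -j ACCEPT
COMMIT
EOF
}

# IPv6 side: if the tunnel does not carry IPv6, the only leak-free choice is to block it entirely.
vpn_killswitch_rules6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}
```

Load it with `vpn_killswitch_rules | iptables-restore` and `vpn_killswitch_rules6 | ip6tables-restore` (run `iptables-restore --test` on the output first if you want the syntax checked without touching the live tables). Two things follow from the OUTPUT DROP policy: point OpenVPN at the server by IP address rather than a hostname, because nothing can be resolved before the tunnel is up, and if you use the VPN's port forwarding you need one extra `-A INPUT -i tun0 -p tcp --dport N -j ACCEPT` for that port, since inbound NEW on tun0 is dropped by default here.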

Heya.

 

I've got the required keys and configs via the generator, and all is well when using openvpn.

 

I've noticed my resolv.conf is frequently overwritten (at startup), how can I prevent this from happening? I'm using NetworkManager, and have the connection set to use airvpn's DNS. As things are now, I've got to manually enter the nameserver each time the system starts. The only clue here is that "generated by resolvconf" is prepended to the revised resolv.conf.

 

...

 

See this:

 

https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/

 

Or if you do not want to do that, but rather make a static manual change, then with resolvconf installed you can make the change in the "head" file which on Debian Jessie is here:

/etc/resolvconf/resolv.conf.d/head
This is what is in mine:
nameserver 127.0.0.1
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
I added "nameserver 127.0.0.1" at the top so that my own name server is always used. This is where the stuff prepended by resolvconf comes from.

 

...

As for iptables, I've noticed there's airvpn client functionality to block all non-local and non-airvpn node traffic in/out of the machine. Could someone please share an example iptables table (lol) that achieves the same effect?

 

Thanks =)

 

This would be a bit of work. I have never seen the need. In fact I normally only run rtorrent, an sshd instance and when needed  web rippers over the VPN.


To make resolv.conf immutable (prevent it from being overwritten) I use -

 sudo chattr +i /etc/resolv.conf

 

To reverse this -

 

sudo chattr -i /etc/resolv.conf

Hope this helps

 


The other option is to suppress resolvconf by renaming /etc/resolv.conf, which the resolvconf install will have set as a symbolic link to /etc/resolvconf/run/resolv.conf during the install, and putting back a normal file.

 

The resolvconf man page says that resolvconf only changes /etc/resolvconf/run/resolv.conf after installation. It does seem to work.

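Three answers above give three different handles on the same file: resolvconf's head file, `chattr +i`, and swapping the symlink for a plain file. Before picking one it helps to know which state the file on your box is actually in, since the "generated by resolvconf" banner, a symlink and the immutable bit each point at a different owner. The following added example (mine, not any poster's) reports that state and applies the plain-file approach from the last answer. It assumes only `readlink`, `lsattr`, `grep` and `cut`; the path argument lets you try it on a scratch copy before touching /etc/resolv.conf as root.

```shell
# Added example: who owns this resolv.conf, and pin it as a plain file.
# Prints one of: missing, symlink:<target>, immutable, resolvconf-generated, plain
resolv_conf_state() {
    f="${1:-/etc/resolv.conf}"
    if [ -L "$f" ]; then
        # resolvconf installs /etc/resolv.conf as a link to its generated file (under /etc/resolvconf/run or /run)
        printf 'symlink:%s\n' "$(readlink "$f")"
        return 0
    fi
    [ -e "$f" ] || { echo missing; return 0; }
    # chattr +i shows as a lowercase i in lsattr's flag field; lsattr fails on filesystems without attrs, treat that as "no"
    if lsattr "$f" 2>/dev/null | cut -d' ' -f1 | grep -q i; then
        echo immutable
        return 0
    fi
    if grep -q 'generated by resolvconf' "$f"; then
        echo resolvconf-generated
        return 0
    fi
    echo plain
}

# Replace a resolvconf-managed link (or any existing file) with a plain file holding only the resolvers given.
# A copy of what was there is kept next to it. For the real /etc/resolv.conf this needs root.
pin_resolv_conf() {
    f="$1"
    shift
    [ $# -ge 1 ] || { echo "usage: pin_resolv_conf FILE NAMESERVER..." >&2; return 2; }
    if [ -L "$f" ]; then
        cp -L "$f" "$f.resolvconf.bak" 2>/dev/null || true   # the generated contents, for reference
        rm "$f"                                               # removes the link only, the target stays
    elif [ -e "$f" ]; then
        cp "$f" "$f.bak"
    fi
    {
        echo "# static resolv.conf written by pin_resolv_conf; not managed by resolvconf or NetworkManager"
        for ns in "$@"; do
            echo "nameserver $ns"
        done
    } > "$f"
}
```

A plain file only stays plain if nothing rewrites it: with NetworkManager in the picture, set `dns=none` in the `[main]` section of /etc/NetworkManager/NetworkManager.conf, otherwise it writes its own resolvers back on the next connection. The `chattr +i` route from the post above is the blunt alternative; it also stops your own edits and any OpenVPN `up` script that wants to push the VPN's DNS, so `chattr -i` first whenever you change resolvers.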
