TIPS iptables - how to block a target IP

[LesD]

Could anyone advise what to change in the iptables file to block all traffic targeted at a specific public IP.

I have router firewall issue - which is letting through attacks which it should be stopping.

It seems to be that on one of my Internet lines (cable) my ISP has not only allocated my fixed IP but also a 2nd IP (seems to be sort of fixed but I can force it to change). The router seems to be blocking properly for the regular fixed IP but seems to be blind to this 2nd IP and lets everything through.

Till this is sorted I would like to block all traffic to this IP using the PIAF firewall. (In the interim I have turned off port forwarding for this internet line)

(I have found what looks like a nice tool (fwbuilder) for amending iptables but with a 500 page manual to read I don't want to get this wrong)

The first issue is whether this is at all possible. As I am using NAT to port forward 5060 and 10000-20000 to my PIAF internal IP (I need that for my Anveo trunk), will the PIAF firewall actually see the public IP destination to which the original packet was sent?

The actual log lines I see are like

NOTICE[1846] chan_sip.c: Registration from '"308" <sip:[email protected]:5060>' failed for '50.30.42.12:5079' - No matching peer found
 
NOTICE[1846] chan_sip.c: Sending fake auth rejection for device 400<sip:[email protected]>;tag=f374b34e

where xx.yy.22.213 is the public IP in question. But obviously that is part of the data rather than the destination IP of the packet - which I suspect will be the IP of my PIAF machine.

Is there a way to stop these packets?

 

[phonebuff]

iptables -I INPUT -s xx.yy.22.213/255.255.255.255 -j DROP
service iptables save

If you don't save you loose the input on the next restart ---

 

[wardmundy]

Don't use service iptables save if you're using Travelin' Man 3 with FQDNs!

 

[LesD]

Thank you phonebuf. Done that and I have again enabled WAN2. I'll keep an eye on the logs.

 

[Hyksos]

LesD no, you can't block that in the host firewall. You're right, the host doesn't see this destination IP at all because it's your public IP at the router.

Your situation have to be handled at the router. If indeed your router is port forwarding multiple public IP to your PBX lan IP it's because it's somehow configured to do just that. Nothing to do about that in the host iptables ruleset.

 

[LesD]

Don't use service iptables save if you're using Travelin' Man 3 with FQDNs!

I do not have TM3 but what should someone who has do to save the change?

I presume he could add it by hand to the iptables file.

For me the above command added the following line to the top of iptables

-A INPUT -s aa.bb.cc.dd/32 -j DROP

 

[LesD]

LesD no, you can't block that in the host firewall. You're right, the host doesn't see this destination IP at all because it's your public IP at the router.

Port forwarding for my WAN2 turned off again!

Your situation have to be handled at the router. If indeed your router is port forwarding multiple public IP to your PBX lan IP it's because it's somehow configured to do just that. Nothing to do about that in the host iptables ruleset.

It is configured to forward two public IPs by default - the IPs of my two lines. Its this third phantom IP attached to my 2nd line that seems to flow through my Draytek router that is the issue.

I have opened tickets at my ISP (to take away the 2nd IP) and with Draytek (to fix the firewall) but I don't expect either to fix this quickly.

So the only solution for the moment is not to open ports for WAN2.

Thanks for the clarification.

 

[howardsl2]

LesD I am trying to help. I did a search and found this article:
http://support.zen.co.uk/kb/Knowledgebase/Vigor-2600-Series-WAN-Aliases

I guess that your "phantom IP" was configured as one of the WAN Aliases? Could it be as simple as removing the Alias?

 

[LesD]

Yes and no. As it was a 'phantom' un-asked for IP I did not know about it till it appeared in the logs. However, the router firewall seemed to be blind to packets addressed to that IP - it just let them through. So I did think of adding it to the IP alaias list of WAN2, hoping that the router will then recognise it - but the results remained unchanged.

I see from your blog that you are an expert in iptables configuration. Can you recommend any reading material so I can understand the syntax and the meaning of the various flags.

Also, is there a simple way I could capture the incoming packets and save them so I can see what exactly is coming through?

 

[howardsl2]

LesD For a basic breakdown of iptables please read:
Linux: 20 Iptables Examples For New SysAdmins

For protecting Asterisk server with iptables and other useful rules, see my blog article:
Securing Your Asterisk VoIP Server with IPTables

For basic usage of iptables on CentOS and Ubuntu:
http://wiki.centos.org/HowTos/Network/IPTables
https://help.ubuntu.com/community/IptablesHowTo
How To Setup a Basic IP Tables Configuration on Centos 6
How To Set Up a Firewall Using IP Tables on Ubuntu 12.04

Finally, a list of some more advanced articles I collected over the years:
iptables Tips & Tricks
Linux : using iptables string-matching filter to block vulnerability scanners
Xtables-Addons On Centos 6 & Iptables GeoIP Filtering
How to block countries using iptables - Debian
Rate limiting
How can I check if an iptables rule already exists?
Blocking lists of IP addresses using the iptables recent module or ipset and make fail2ban use it
Efficiently use a live blacklist feed in iptables (w/ ipset)
Debian TARPIT iptables How To
HTTP DDoS Attack Mitigation Using Tarpitting
Prevent DOS with iptables
Tutorial: Use iptables to ban IP's and prevent DDoS and Some Security 101

For capturing the incoming packets, you can try tcpdump.
The following tutorial is about capturing VoIP traffic:
http://wiki.freeswitch.org/wiki/Packet_Capture

 

[LesD]

Thank you very much! A lot of effort must have gone into compiling that list.

That lot will keep me busy for a year!!