Good afternoon! I have a problem with my iptables rules being reset after the system restarts. Here's my /usr/local/bin/fwall-rules file:
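#!/bin/bash
#
# fwall-rules: rebuild the IPv4/IPv6 filter and nat tables from scratch,
# install a default-deny INPUT policy with explicit per-service ACCEPT
# rules, then snapshot the result to /etc/iptables/rules.v4 and rules.v6.
#
# Must run as root; takes no arguments. Progress lines go to stdout,
# errors to stderr.
#
# NOTE(review): this script only WRITES rules.v4/rules.v6. Something
# else has to re-apply them at boot (e.g. netfilter-persistent /
# iptables-persistent); confirm such a reloader is installed and enabled.
# NOTE(review): the post-reboot dump below contains rules this script
# never creates (`-A OUTPUT -o lo -j ACCEPT`, `--icmp-type 8`, a final
# `-j DROP`, no port 465), so presumably a different rules file or
# firewall script is applied at boot — check what loads rules at startup.
set -u

readonly IPTABLES=/sbin/iptables
readonly IP6TABLES=/sbin/ip6tables
readonly RULES_V4=/etc/iptables/rules.v4
readonly RULES_V6=/etc/iptables/rules.v6

# Print an error to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Section banner and progress line, same layout as the original echo output.
banner() { printf '\n ** %s ** \n\n' "$1"; }
step()   { printf ' * %s\n' "$1"; }

# Run one rule against both iptables and ip6tables.
both() {
  "$IPTABLES" "$@"
  "$IP6TABLES" "$@"
}

# Accept NEW TCP connections to destination port $1 on IPv4 and IPv6.
allow_tcp() {
  both -A INPUT -p tcp --dport "$1" -m state --state NEW -j ACCEPT
}

# iptables refuses non-root callers; fail early with a clear message instead
# of emitting one permission error per rule.
(( EUID == 0 )) || die "fwall-rules must be run as root"

banner "clean rules"
step "flushing old rules"
for tool in "$IPTABLES" "$IP6TABLES"; do
  "$tool" --flush
  "$tool" --delete-chain
  "$tool" --table nat --flush
  "$tool" --table nat --delete-chain
done

step "setting default policies"
both -P INPUT DROP
both -P FORWARD DROP
both -P OUTPUT ACCEPT

banner "input chain rules"
step "allowing loopback devices"
both -A INPUT -i lo -j ACCEPT
# A NEW connection must start with SYN; anything else is bogus.
both -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
both -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## BLOCK ABUSING IPs HERE ##
#step "BLACKLIST"
#"$IPTABLES" -A INPUT -s _ABUSIVE_IP_ -j DROP
#"$IPTABLES" -A INPUT -s _ABUSIVE_IP2_ -j DROP

step "allowing ssh on port 16960"
allow_tcp 16960

#step "allowing ftp on port 21"
#"$IPTABLES" -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

# DNS is accepted without a state match, exactly as before.
step "allowing dns on port 53 udp"
both -A INPUT -p udp -m udp --dport 53 -j ACCEPT
step "allowing dns on port 53 tcp"
both -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

# Remaining TCP services as name:port pairs, in the original order.
for svc in http:80 https:443 smtp:25 smtps:465 submission:587 \
           imaps:993 pop3s:995 imap:143 pop3:110; do
  step "allowing ${svc%%:*} on port ${svc##*:}"
  allow_tcp "${svc##*:}"
done

# Accepts every ICMP/ICMPv6 type, not only echo-request (unchanged).
step "allowing ping responses"
"$IPTABLES" -A INPUT -p ICMP -j ACCEPT
"$IP6TABLES" -A INPUT -p ICMPv6 -j ACCEPT

# Log and reject everything else. The LOG rule is rate-limited so an
# unsolicited packet flood cannot fill the system log.
"$IPTABLES" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-reject "
"$IPTABLES" -A INPUT -j REJECT --reject-with icmp-host-prohibited
"$IP6TABLES" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables-reject "
"$IP6TABLES" -A INPUT -j REJECT --reject-with icmp6-adm-prohibited

#
# Save settings
#
step "SAVING RULES"
printf '\n'
[[ -d "${RULES_V4%/*}" ]] || die "directory ${RULES_V4%/*} does not exist"
# NOTE(review): the snapshot also captures chains added at run time by other
# tools (the f2b-* chains in the dumps below); a boot-time restore will
# recreate them before that tool starts.
iptables-save > "$RULES_V4" || die "cannot write $RULES_V4"
# iptables-apply re-loads the file just written and waits for an
# interactive confirmation, rolling back if none arrives; it needs a tty.
iptables-apply "$RULES_V4"
ip6tables-save > "$RULES_V6" || die "cannot write $RULES_V6"
ip6tables-apply "$RULES_V6"
printf '\n * DONE!\n\n'

Here's my iptables config before restarting system: # iptables-save # Generated by iptables-save v1.6.0 on Fri Aug 10 22:24:06 2018 *nat :PREROUTING ACCEPT [893:55496] :INPUT ACCEPT [31:1408] :OUTPUT ACCEPT [118:7908] :POSTROUTING ACCEPT [118:7908] COMMIT # Completed on Fri Aug 10 22:24:06 2018 # Generated by iptables-save v1.6.0 on Fri Aug 10 22:24:06 2018 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [7920:1029798] :f2b-nginx-botsearch - [0:0] :f2b-nginx-http-auth - [0:0] :f2b-nginx-limit-req - [0:0] :f2b-php-url-fopen - [0:0] :f2b-sshd - [0:0] :f2b-sshd-ddos - [0:0] -A INPUT -p tcp -j f2b-php-url-fopen -A INPUT -p tcp -j f2b-nginx-botsearch -A INPUT -p tcp -j f2b-nginx-limit-req -A INPUT -p tcp -j f2b-nginx-http-auth -A INPUT -p tcp -j f2b-sshd-ddos -A INPUT -p tcp -j f2b-sshd -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 16960 -m state --state NEW -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -j LOG --log-prefix "iptables-reject " -A INPUT -j REJECT --reject-with icmp-host-prohibited -A f2b-nginx-botsearch -j RETURN -A f2b-nginx-http-auth -j 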
RETURN -A f2b-nginx-limit-req -j RETURN -A f2b-php-url-fopen -s 212.237.44.247/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-php-url-fopen -j RETURN -A f2b-sshd -j RETURN -A f2b-sshd-ddos -j RETURN COMMIT # Completed on Fri Aug 10 22:24:06 2018 And after restarting system: $ sudo iptables-save # Generated by iptables-save v1.6.0 on Fri Aug 10 22:26:45 2018 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [496:168660] :f2b-nginx-botsearch - [0:0] :f2b-nginx-http-auth - [0:0] :f2b-nginx-limit-req - [0:0] :f2b-php-url-fopen - [0:0] :f2b-sshd - [0:0] :f2b-sshd-ddos - [0:0] -A INPUT -p tcp -j f2b-php-url-fopen -A INPUT -p tcp -j f2b-nginx-botsearch -A INPUT -p tcp -j f2b-nginx-limit-req -A INPUT -p tcp -j f2b-nginx-http-auth -A INPUT -p tcp -j f2b-sshd-ddos -A INPUT -p tcp -j f2b-sshd -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 16960 -m state --state NEW -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT -A INPUT -j LOG -A INPUT -j DROP -A OUTPUT -o lo -j ACCEPT -A f2b-nginx-botsearch -j RETURN -A f2b-nginx-http-auth -j RETURN -A f2b-nginx-limit-req -j RETURN -A f2b-php-url-fopen -s 212.237.44.247/32 -j REJECT --reject-with icmp-port-unreachable -A f2b-php-url-fopen -j RETURN -A f2b-sshd 
-j RETURN -A f2b-sshd-ddos -j RETURN COMMIT # Completed on Fri Aug 10 22:26:45 2018 # Generated by iptables-save v1.6.0 on Fri Aug 10 22:26:45 2018 *nat :PREROUTING ACCEPT [41:2652] :INPUT ACCEPT [4:240] :OUTPUT ACCEPT [37:2897] :POSTROUTING ACCEPT [37:2897] COMMIT # Completed on Fri Aug 10 22:26:45 2018 Running the fwall-rules command manually after restarting the system works. What am I doing wrong? -- Best regards, Hubert Hauser.