iptables geo whitelist logging lots of blocked connection attempts
News category: Linux tips
Source: reddit.com
I am from Australia and I have a Raspberry Pi server open on port 443, and a few other random ports for other things. Since I wanted to secure it, I looked into making a whitelist for Australia on iptables and ipset (to allow Australian IPs and block everything else). This includes a script that automatically runs on boot to add the rules and another separate script that periodically updates the list of IPs for Australia. I can post the setup a bit later if you're interested.
It all works OK, but I'm curious why there are so many logged events showing up in /var/log/kern.log.
Here are my iptables rules:
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -m comment --comment "Allow loopback connections" -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m comment --comment "Allow local network" -j ACCEPT
-A INPUT -s 10.8.0.0/24 -m comment --comment "Allow openvpn network" -j ACCEPT
-A INPUT -p tcp -m set --match-set australia src --match multiport --dports 21,80,443 -j ACCEPT
-A INPUT -p udp -m set --match-set australia src --dport 1194 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: " --log-level 4
-A INPUT -j DROP
COMMIT
As an example, here is a whole bunch from just the last 10 minutes in /var/log/kern.log:
Jan 28 21:52:28 RASP-PI kernel: [11066.426546] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=74.125.24.188 DST=192.168.1.100 LEN=903 TOS=0x00 PREC=0x00 TTL=123 ID=33830 PROTO=TCP SPT=5228 DPT=8999 WINDOW=403 RES=0x00 ACK PSH URGP=0
Jan 28 21:52:32 RASP-PI kernel: [11070.910190] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=74.125.24.188 DST=192.168.1.100 LEN=903 TOS=0x00 PREC=0x00 TTL=123 ID=36374 PROTO=TCP SPT=5228 DPT=8999 WINDOW=403 RES=0x00 ACK PSH URGP=0
Jan 28 21:52:41 RASP-PI kernel: [11079.612522] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=74.125.24.188 DST=192.168.1.100 LEN=903 TOS=0x00 PREC=0x00 TTL=123 ID=40801 PROTO=TCP SPT=5228 DPT=8999 WINDOW=403 RES=0x00 ACK PSH URGP=0
Jan 28 21:52:50 RASP-PI kernel: [11088.704625] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=185.153.198.211 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=46926 PROTO=TCP SPT=59243 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 28 21:52:58 RASP-PI kernel: [11097.017849] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=74.125.24.188 DST=192.168.1.100 LEN=903 TOS=0x00 PREC=0x00 TTL=123 ID=52096 PROTO=TCP SPT=5228 DPT=8999 WINDOW=403 RES=0x00 ACK PSH URGP=0
Jan 28 21:53:20 RASP-PI kernel: [11118.595684] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=173.82.94.209 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=42575 DF PROTO=TCP SPT=47482 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 28 21:53:21 RASP-PI kernel: [11119.598917] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=173.82.94.209 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=42576 DF PROTO=TCP SPT=47482 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 28 21:53:27 RASP-PI kernel: [11125.619353] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=173.82.94.209 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=42578 DF PROTO=TCP SPT=47482 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 28 21:54:15 RASP-PI kernel: [11173.831267] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=178.252.176.218 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=54321 PROTO=TCP SPT=57583 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 28 21:59:17 RASP-PI kernel: [11475.734373] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=66.240.205.34 DST=192.168.1.100 LEN=44 TOS=0x00 PREC=0x00 TTL=116 ID=4496 PROTO=TCP SPT=17340 DPT=8080 WINDOW=25360 RES=0x00 SYN URGP=0
It's confusing me a bit because port 8080 isn't even forwarded on my router. A bunch of other random ports sometimes get logged too, even though they shouldn't even be getting through to my Pi. Any idea why this is?
According to some of these IPs, some are from the US, Ukraine, India and China, so the firewall is definitely working. I assume these IPs are bots? Should this be something to worry about?
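Triaging a log like the one above is easier with a small parser than by eye. The script below is an added example, not part of the original post: it splits each "INPUT DROP:" line into its key=value fields and TCP flags, then sorts every drop along two axes that follow directly from the poster's ruleset. First, state: a bare SYN is an unsolicited connection attempt, while a packet carrying ACK/PSH but no SYN (the 74.125.24.188 lines, source port 5228) belongs to a flow the ESTABLISHED,RELATED rule did not recognise, typically because the conntrack entry for it has expired or was never created. Second, exposure: a destination port in the ACCEPT rules' port lists (21, 80, 443 for TCP, 1194 for UDP) was dropped only because the source is not in the `australia` set, whereas a port such as 8080 or 8999 is closed to every source and would be dropped with or without the geo whitelist. The sample lines are the ones quoted in the post; the port sets and the "closed-port" / "source-not-whitelisted" labels are this example's own assumptions, and because the LOG rule is rate-limited with `-m limit --limit 5/min`, the counts it produces are a lower bound on what was actually dropped.

```python
from collections import Counter

# Ports that the post's ruleset accepts from whitelisted (Australian) sources.
# Assumption of this example: taken from the -A INPUT ... --dports / --dport rules above.
ALLOWED_TCP_PORTS = {21, 80, 443}
ALLOWED_UDP_PORTS = {1194}

LOG_PREFIX = "INPUT DROP: "          # matches the --log-prefix in the ruleset
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

# Constructed sample: a subset of the kern.log lines quoted in the post.
SAMPLE_LOG = """\
Jan 28 21:52:28 RASP-PI kernel: [11066.426546] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=74.125.24.188 DST=192.168.1.100 LEN=903 TOS=0x00 PREC=0x00 TTL=123 ID=33830 PROTO=TCP SPT=5228 DPT=8999 WINDOW=403 RES=0x00 ACK PSH URGP=0
Jan 28 21:52:50 RASP-PI kernel: [11088.704625] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=185.153.198.211 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=46926 PROTO=TCP SPT=59243 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 28 21:53:20 RASP-PI kernel: [11118.595684] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=173.82.94.209 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=42575 DF PROTO=TCP SPT=47482 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 28 21:54:15 RASP-PI kernel: [11173.831267] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=178.252.176.218 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=234 ID=54321 PROTO=TCP SPT=57583 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 28 21:59:17 RASP-PI kernel: [11475.734373] INPUT DROP: IN=eth0 OUT= MAC=[] SRC=66.240.205.34 DST=192.168.1.100 LEN=44 TOS=0x00 PREC=0x00 TTL=116 ID=4496 PROTO=TCP SPT=17340 DPT=8080 WINDOW=25360 RES=0x00 SYN URGP=0
"""


def parse_drop_line(line):
    """Turn one iptables LOG line into a dict of fields plus a set of TCP flags.

    Returns None for lines that do not carry our log prefix. key=value tokens
    (SRC=, DPT=, PROTO=, ...) become dict entries; bare flag words (SYN, ACK,
    PSH, ...) go into rec["flags"]. IP-level markers such as DF are ignored.
    """
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    rec = {"ts": line[:15], "flags": set()}     # syslog timestamp is the first 15 chars
    for token in line[idx + len(LOG_PREFIX):].split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
        elif token in TCP_FLAGS:
            rec["flags"].add(token)
    for key in ("SPT", "DPT", "LEN", "TTL"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Return (state, exposure) for one parsed drop record."""
    proto = rec.get("PROTO")
    flags = rec["flags"]
    if proto == "TCP" and "SYN" in flags and "ACK" not in flags:
        state = "unsolicited-syn"       # fresh connection attempt from outside
    elif proto == "TCP" and "SYN" not in flags:
        state = "untracked-flow"        # mid-stream packet conntrack no longer knows
    else:
        state = "other"
    if proto == "TCP":
        allowed = ALLOWED_TCP_PORTS
    elif proto == "UDP":
        allowed = ALLOWED_UDP_PORTS
    else:
        allowed = set()
    # A port the ruleset can accept was dropped only because of the ipset match;
    # any other port is closed to everyone regardless of country.
    exposure = "source-not-whitelisted" if rec.get("DPT") in allowed else "closed-port"
    return state, exposure


def summarize(log_text):
    """Aggregate a block of kern.log text into counters a defender can read at a glance."""
    by_state, by_exposure, by_src_port = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_drop_line(line)
        if rec is None:
            continue
        state, exposure = classify(rec)
        by_state[state] += 1
        by_exposure[exposure] += 1
        by_src_port[(rec["SRC"], rec.get("DPT"))] += 1
    return {"by_state": by_state, "by_exposure": by_exposure, "by_src_port": by_src_port}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("by state:   ", dict(report["by_state"]))
    print("by exposure:", dict(report["by_exposure"]))
    for (src, dpt), n in report["by_src_port"].most_common():
        print(f"  {src:>16} -> port {dpt:<5} x{n}")
```

Run it against the real file with `summarize(open("/var/log/kern.log").read())`; the "closed-port" bucket is the one to compare against the router's port-forwarding table, since anything there reached the Pi without a matching forward, while "untracked-flow" entries point at conntrack timeouts rather than at new inbound attempts.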