* iptables 1.4.x and xt_recent: my rules have fallen and they can't get up!
@ 2009-05-02 8:00 Weedy
From: Weedy @ 2009-05-02 8:00 UTC (permalink / raw)
To: netfilter
So apparently this has become illegal, and neither Google nor my playing
around has figured out how to update it. Input is most welcome.
+ iptables -t nat -A prerouting_rule -i br-lan -p tcp --dport 80 -j
REDIRECT --to-port 3128
+ iptables -t nat -A prerouting_rule -p tcp --dport 2020 -m state
--state NEW -m recent --name ATTACKER_SSH --rsource --update --seconds
120 --hitcount 5 -j DROP
iptables v1.4.3.2:
The "nat" table is not intended for filtering, the use of DROP is
therefore inhibited.
Try `iptables -h' or 'iptables --help' for more information.
This is an OpenWrt router running the old firewall (not supported, or I
would have asked on their mailing list). I will attach it in case anyone
wants to give it a quick peek and finds anything terribly wrong/outdated
(but it does currently work fine).
Thank you for your time.
[-- Attachment #2: firewall --]
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
## Please make changes in /etc/firewall.user
START=45
start() {
include /lib/network
scan_interfaces
config_get WAN wan ifname
config_get WANDEV wan device
config_get LAN lan ifname
config_get_bool NAT_LAN lan nat 1
if [ $NAT_LAN -ne 0 ]
then
config_get LAN_MASK lan netmask
config_get LAN_IP lan ipaddr
LAN_NET=$(/bin/ipcalc.sh $LAN_IP $LAN_MASK | grep NETWORK | cut -d= -f2)
fi
## CLEAR TABLES
for T in filter nat; do
iptables -t $T -F
iptables -t $T -X
done
iptables -N input_rule
iptables -N input_wan
iptables -N output_rule
iptables -N forwarding_rule
iptables -N forwarding_wan
iptables -t nat -N NEW
iptables -t nat -N prerouting_rule
iptables -t nat -N prerouting_wan
iptables -t nat -N postrouting_rule
iptables -N LAN_ACCEPT
[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
[ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
iptables -A LAN_ACCEPT -j ACCEPT
### INPUT
### (connections with the router as destination)
# base case
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A INPUT -j input_rule
[ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan
# allow
iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p gre -j ACCEPT # allow GRE
# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
### OUTPUT
### (connections with the router as source)
# base case
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A OUTPUT -j output_rule
# allow
iptables -A OUTPUT -j ACCEPT #allow everything out
# reject (what to do with anything not allowed earlier)
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
### FORWARDING
### (connections routed through the router)
# base case
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A FORWARD -j forwarding_rule
[ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan
# allow
iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
# reject (what to do with anything not allowed earlier)
# uses the default -P DROP
### MASQ
iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW
iptables -t nat -A PREROUTING -j prerouting_rule
[ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
iptables -t nat -A POSTROUTING -j postrouting_rule
### Only LAN, unless told not to
if [ $NAT_LAN -ne 0 ]
then
[ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE
fi
iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
iptables -t nat -A NEW -j DROP
## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user
[ -n "$WAN" -a -e /etc/firewall.config ] && {
export WAN
awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/firewall.config | ash
}
}
stop() {
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
}
[-- Attachment #3: firewall.user --]
#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
# $Id: firewall.user 69 2009-04-29 17:58:40Z weedy $
WAN="$(uci -P /var/state get network.wan.ifname)"
LAN="$(uci -P /var/state get network.lan.ifname)"
WANIP=$(ifconfig $WAN | grep 'inet addr' | awk '{print $2}' | cut -d':' -f 2)
LANIP=$(ifconfig $LAN | grep 'inet addr' | awk '{print $2}' | cut -d':' -f 2)
iptables -A input_rule -p esp -j ACCEPT # allow IPSEC
iptables -A input_rule -p 17 --dport 500 -j ACCEPT # allow ISAKMP
iptables -A input_rule -p udp --dport 4500 -j ACCEPT # allow NAT-T
iptables -A forwarding_rule -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
iptables -A forwarding_rule -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
iptables -t nat -A postrouting_rule -d 10.0.0.0/8 -j ACCEPT
iptables -t nat -A postrouting_rule -d 172.16.0.0/12 -j ACCEPT
iptables -t nat -A postrouting_rule -d 192.168.0.0/16 -j ACCEPT
#iptables -A output_rule -p 47 -j ACCEPT
#iptables -A input_rule -p 47 -j ACCEPT
#iptables -t nat -A prerouting_rule -p tcp --dport 8888 -j DNAT --to ${LANIP%.*}.251:80
#iptables -A forwarding_rule -p tcp --dport 80 -d $WANIP -j ACCEPT
#iptables -t nat -A prerouting_rule -p tcp --dport 2222 -j DNAT --to $WANIP:22
#iptables -A forwarding_rule -p tcp --dport 22 -d $WANIP -j ACCEPT
# iptables -t nat -A prerouting_rule -j DNAT --to ${LANIP%.*}.170
# iptables -A forwarding_rule -d ${LANIP%.*}.170 -j ACCEPT
iptables -t nat -A prerouting_rule -i $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A prerouting_rule -p tcp --dport 2020 -m state --state NEW \
-m recent --name ATTACKER_SSH --rsource --update --seconds 120 --hitcount 5 -j DROP
iptables -t nat -A prerouting_rule -p tcp --dport 2020 -m state --state NEW \
-m recent --name ATTACKER_SSH --rsource --set
iptables -t nat -A prerouting_rule -p tcp --dport 2020 -j ACCEPT
iptables -A input_rule -p tcp --dport 2020 -j ACCEPT
#iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 81 -j DNAT --to-destination ${LANIP%.*}.251
#iptables -A forwarding_rule -i $WAN -p tcp --dport 81 -d ${LANIP%.*}.251 -j ACCEPT
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 2080 -j DNAT --to-destination ${LANIP%.*}.250
iptables -A forwarding_rule -i $WAN -p tcp --dport 2080 -d ${LANIP%.*}.250 -j ACCEPT
# iptables -A forwarding_rule -p TCP -i $LAN -s ${LANIP%.*}.5 -j ACCEPT
# iptables -A forwarding_rule -p UDP -i $LAN -s ${LANIP%.*}.5 -j ACCEPT
iptables -A forwarding_rule -p TCP -i $LAN -s ${LANIP%.*}.247 -m multiport --dport 21,80,3128,2000 -j ACCEPT
iptables -A forwarding_rule -p UDP -i $LAN -s ${LANIP%.*}.200 --dport 9999 -j ACCEPT
# iptables -A forwarding_rule -p TCP -i $LAN -m iprange --src-range ${LANIP%.*}.11-${LANIP%.*}.254 -j ACCEPT
iptables -A forwarding_rule -p TCP -i $LAN -m iprange --src-range ${LANIP%.*}.2-${LANIP%.*}.10 -m multiport --dport 21,22,53,80,443,1433,3128,3579,3580,8000,8765,9865 -j ACCEPT
iptables -A forwarding_rule -p UDP -i $LAN -m iprange --src-range ${LANIP%.*}.2-${LANIP%.*}.10 -m multiport --dport 53 -j ACCEPT
### Blocking IP's so most popular instant messengers programs will not work
if [ -f /etc/blockips.txt ]; then
while read BLOCK_IPS JUNK; do # may not need JUNK, but it doesn't hurt
iptables -I forwarding_rule -d $BLOCK_IPS -i $LAN -m iprange --src-range ${LANIP%.*}.2-${LANIP%.*}.10 -j DROP
done < "/etc/blockips.txt"
fi
if [ -f /etc/mac.txt ]; then
while read MAC JUNK; do # may not need JUNK, but it doesn't hurt
iptables -A forwarding_rule -p TCP -i $LAN -m mac --mac-source $MAC -j ACCEPT
iptables -A forwarding_rule -p UDP -i $LAN -m mac --mac-source $MAC -j ACCEPT
done < "/etc/mac.txt"
fi
### Drop all outbound ports by default
iptables -A forwarding_rule -j DROP
[-- Attachment #4: iptables-save --]
# Generated by iptables-save v1.4.3.2 on Sat May 2 03:38:55 2009
*nat
:PREROUTING ACCEPT [4:771]
:POSTROUTING ACCEPT [38:2729]
:OUTPUT ACCEPT [41:2981]
:NEW - [0:0]
:postrouting_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan - [0:0]
-A PREROUTING -p tcp -m state --state NEW -j NEW
-A PREROUTING -j prerouting_rule
-A PREROUTING -i eth0.1 -j prerouting_wan
-A POSTROUTING -j postrouting_rule
-A POSTROUTING -s 172.17.17.0/24 -o eth0.1 -j MASQUERADE
-A NEW -m limit --limit 50/sec --limit-burst 100 -j RETURN
-A postrouting_rule -d 10.0.0.0/8 -j ACCEPT
-A postrouting_rule -d 172.16.0.0/12 -j ACCEPT
-A postrouting_rule -d 192.168.0.0/16 -j ACCEPT
-A prerouting_rule -i br-lan -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A prerouting_rule -p tcp -m tcp --dport 2020 -m state --state NEW -m recent --set --name ATTACKER_SSH --rsource
-A prerouting_rule -p tcp -m tcp --dport 2020 -j ACCEPT
-A prerouting_rule -i eth0.1 -p tcp -m tcp --dport 2080 -j DNAT --to-destination 172.17.17.250
COMMIT
# Completed on Sat May 2 03:38:55 2009
# Generated by iptables-save v1.4.3.2 on Sat May 2 03:38:55 2009
*raw
:PREROUTING ACCEPT [370:31230]
:OUTPUT ACCEPT [326:44408]
COMMIT
# Completed on Sat May 2 03:38:55 2009
# Generated by iptables-save v1.4.3.2 on Sat May 2 03:38:55 2009
*mangle
:PREROUTING ACCEPT [376:31470]
:INPUT ACCEPT [369:30660]
:FORWARD ACCEPT [7:810]
:OUTPUT ACCEPT [332:45080]
:POSTROUTING ACCEPT [335:45662]
COMMIT
# Completed on Sat May 2 03:38:55 2009
# Generated by iptables-save v1.4.3.2 on Sat May 2 03:38:55 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LAN_ACCEPT - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan - [0:0]
:input_rule - [0:0]
:input_wan - [0:0]
:output_rule - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-option 2 --tcp-flags SYN SYN -j DROP
-A INPUT -j input_rule
-A INPUT -i eth0.1 -j input_wan
-A INPUT -j LAN_ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forwarding_rule
-A FORWARD -i eth0.1 -j forwarding_wan
-A FORWARD -i br-lan -o br-lan -j ACCEPT
-A FORWARD -i br-lan -o eth0.1 -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j output_rule
-A OUTPUT -j ACCEPT
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A LAN_ACCEPT -i eth0.1 -j RETURN
-A LAN_ACCEPT -j ACCEPT
-A forwarding_rule -d 63.135.80.0/20 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 1.0.0.0/8 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 205.188.0.0/16 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 74.125.0.0/16 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 69.147.64.0/18 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 207.68.192.0/20 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 207.68.128.0/18 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 205.188.0.0/16 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -d 64.12.0.0/16 -i br-lan -m iprange --src-range 172.17.17.2-172.17.17.10 -j DROP
-A forwarding_rule -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A forwarding_rule -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
-A forwarding_rule -d 172.17.17.250/32 -i eth0.1 -p tcp -m tcp --dport 2080 -j ACCEPT
-A forwarding_rule -s 172.17.17.247/32 -i br-lan -p tcp -m multiport --dports 21,80,3128,2000 -j ACCEPT
-A forwarding_rule -s 172.17.17.200/32 -i br-lan -p udp -m udp --dport 9999 -j ACCEPT
-A forwarding_rule -i br-lan -p tcp -m iprange --src-range 172.17.17.2-172.17.17.10 -m multiport --dports 21,22,53,80,443,1433,3128,3579,3580,8000,8765,9865 -j ACCEPT
-A forwarding_rule -i br-lan -p udp -m iprange --src-range 172.17.17.2-172.17.17.10 -m multiport --dports 53 -j ACCEPT
-A forwarding_rule -i br-lan -p tcp -m mac --mac-source 08:FA:KE:FA:KE:28 -j ACCEPT
-A forwarding_rule -i br-lan -p udp -m mac --mac-source 08:FA:KE:FA:KE:28 -j ACCEPT
-A forwarding_rule -j DROP
-A input_rule -p esp -j ACCEPT
-A input_rule -p udp -m udp --dport 500 -j ACCEPT
-A input_rule -p udp -m udp --dport 4500 -j ACCEPT
-A input_rule -p tcp -m tcp --dport 2020 -j ACCEPT
COMMIT
# Completed on Sat May 2 03:38:55 2009
* Re: iptables 1.4.x and xt_recent: my rules have fallen and they can't get up!
From: Mart Frauenlob @ 2009-05-02 9:13 UTC (permalink / raw)
To: netfilter
Weedy wrote:
> So apparently this has become illegal, and neither Google nor my
> playing around has figured out how to update it. Input is most welcome.
>
> + iptables -t nat -A prerouting_rule -i br-lan -p tcp --dport 80 -j
> REDIRECT --to-port 3128
> + iptables -t nat -A prerouting_rule -p tcp --dport 2020 -m state
> --state NEW -m recent --name ATTACKER_SSH --rsource --update --seconds
> 120 --hitcount 5 -j DROP
> iptables v1.4.3.2:
> The "nat" table is not intended for filtering, the use of DROP is
> therefore inhibited.
>
> Try `iptables -h' or 'iptables --help' for more information.
>
> This is an OpenWrt router running the old firewall (not supported, or I
> would have asked on their mailing list). I will attach it in case anyone
> wants to give it a quick peek and finds anything terribly
> wrong/outdated (but it does currently work fine).
>
> Thank you for your time.
Hello,
Since iptables 1.4.3.2, DROP is prohibited in the nat table.
It actually was never intended to be used for 'filtering'. Filtering
should be done in the 'filter' table (hence the name).
The nat table only 'sees' state NEW connections, hence --state NEW
is obsolete.
Change your rules to DROP / ACCEPT in the filter table.
greets
Mart
P.S. didn't take a look at the attached ruleset...
* Re: iptables 1.4.x and xt_recent: my rules have fallen and they can't get up!
From: Weedy @ 2009-05-05 19:00 UTC (permalink / raw)
To: netfilter
So I was wondering why I didn't get a response and I noticed that I
forgot to mention I'm not subscribed to the list. :/
Anyway, I was able to fix the ssh rules but I've been trying to do the
same for the flooding rules and I've had no luck, so if someone could be
a bit more specific that would be great.
iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
iptables -t nat -A NEW -j DROP
P.S. (a) I'm subscribed now; (b) I hope the list software adds this to my
thread.
* Re: iptables 1.4.x and xt_recent: my rules have fallen and they can't get up!
From: Mart Frauenlob @ 2009-05-06 17:07 UTC (permalink / raw)
To: netfilter
Mart Frauenlob wrote:
> Weedy wrote:
>> So apparently this has become illegal, and neither Google nor my
>> playing around has figured out how to update it. Input is most welcome.
>>
>> + iptables -t nat -A prerouting_rule -i br-lan -p tcp --dport 80 -j
>> REDIRECT --to-port 3128
>> + iptables -t nat -A prerouting_rule -p tcp --dport 2020 -m state
>> --state NEW -m recent --name ATTACKER_SSH --rsource --update
>> --seconds 120 --hitcount 5 -j DROP
>> iptables v1.4.3.2:
>> The "nat" table is not intended for filtering, the use of DROP is
>> therefore inhibited.
>>
>> Try `iptables -h' or 'iptables --help' for more information.
>>
>> This is an OpenWrt router running the old firewall (not supported, or I
>> would have asked on their mailing list). I will attach it in case
>> anyone wants to give it a quick peek and finds anything terribly
>> wrong/outdated (but it does currently work fine).
>>
>> Thank you for your time.
> Hello,
>
> Since iptables 1.4.3.2, DROP is prohibited in the nat table.
> It actually was never intended to be used for 'filtering'. Filtering
> should be done in the 'filter' table (hence the name).
> The nat table only 'sees' state NEW connections, hence --state NEW
> is obsolete.
> Change your rules to DROP / ACCEPT in the filter table.
>
> greets
>
> Mart
>
> P.S. didn't take a look at the attached ruleset...