I am trying to figure out how to achieve something I am not sure is achievable and need help. I did my research but couldn't find credible information. I hope this question is not a duplicate.
SET UP:
I am using iptables as my firewall to block malicious IP activity.
Currently I am manually writing the entries in a file and then executing them with iptables-restore < /etc/iptables/rules.
Within those rules I have one that logs every inbound connection: -A INPUT -m state --state NEW -j LOGALL.
I have also set up Apache to log the IPs that connect to the web pages (different logs for each page, and a different log file for iptables).
PROBLEM: I get numerous iptables logs of this kind:
Apr 4 14:52:18 kernel: [53326.219105] LOGALL IN=eth0 OUT= MAC=xxxxxxxxxxxx SRC=174.111.111.206 DST=192.168.1.5 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=40132 PROTO=TCP SPT=179 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 4 14:53:27 kernel: [53395.130551] LOGALL IN=eth0 OUT= MAC=xxxxxxxxxxxx SRC=45.146.164.211 DST=192.168.1.5 LEN=44 TOS=0x04 PREC=0x00 TTL=247 ID=26977 PROTO=TCP SPT=55172 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
from thousands of different IPs per day.
I can tell from the LOG that they only send a SYN packet.
I have used Wireshark to inspect the traffic, and what I can tell is that most don't answer after my server responds with SYN,ACK:
54215 187.717006840 180.234.40.115 192.168.1.5 TCP 60 56412 → 443 [SYN] Seq=0 Win=5840 Len=0 MSS=1460
54216 187.717251257 192.168.1.5 180.234.40.115 TCP 58 443 → 56412 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460
54411 188.716638340 192.168.1.5 180.234.40.115 TCP 58 [TCP Retransmission] 443 → 56412 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460
I have tried many different ways with iptables to limit those SYN-only packets. But those connections are not SYN flood attacks (I have limited SYN connections), but probably some crawlers and scans. I also tried https://inai.de/documents/Chaostables.pdf which gave me a lot of hope... but it didn't work, or I can't get it to work.
I have also looked into fail2ban (haven't used it yet), but since I write the entries to iptables myself and execute with iptables-restore < /etc/iptables/rules, and fail2ban uses iptables too, I don't know how both would work together.
QUESTION:
Is it possible to block IPs that show up in the iptables LOG file but do NOT show up in the Apache LOG files? (For me that would mean the IP did not come to my server to open the web page, and thus is doing something else.)
Example: IP 1.1.1.1 opens my web page, meaning there will be a LOG entry in iptables and in Apache. BUT if that 1.1.1.1 IP only sends a SYN packet to port 443, only the iptables LOG will show that -> block that IP?
I hope I have been clear enough. Any help would be appreciated. Thank you.
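The correlation the question asks for, as an added example that is not part of the original post: parse the kernel LOG lines for SRC and DPT, take the client addresses from Apache's access log, and emit an ipset/iptables fragment for every source that hit a web port at the firewall but never completed a request. The log lines are constructed (documentation-range addresses); the web ports, the 30-second grace period, the never-block networks and the ipset name "synonly" are assumptions.

```python
"""Correlate iptables LOG entries with Apache's access log and emit a block
list for sources that hit the web ports but never completed an HTTP request.

Added example for the question above, not the poster's code.  Log lines are
constructed; web ports, grace period, protected networks and set name are
assumptions."""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed kernel LOG lines in the format the question shows.
KERNEL_LOG = """\
Apr  4 14:52:18 kernel: [53326.219105] LOGALL IN=eth0 OUT= MAC=xx SRC=203.0.113.7 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=50000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  4 14:53:27 kernel: [53395.130551] LOGALL IN=eth0 OUT= MAC=xx SRC=198.51.100.9 DST=192.168.1.5 LEN=44 TOS=0x04 PREC=0x00 TTL=247 ID=26977 PROTO=TCP SPT=55172 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  4 14:54:02 kernel: [53430.000001] LOGALL IN=eth0 OUT= MAC=xx SRC=192.0.2.44 DST=192.168.1.5 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=40132 PROTO=TCP SPT=179 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  4 14:54:30 kernel: [53458.000002] LOGALL IN=eth0 OUT= MAC=xx SRC=192.168.1.20 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  4 14:55:10 kernel: [53498.000003] LOGALL IN=eth0 OUT= MAC=xx SRC=192.0.2.45 DST=192.168.1.5 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=40133 PROTO=TCP SPT=3389 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  4 14:56:00 kernel: [53548.000004] LOGALL IN=eth0 OUT= MAC=xx SRC=192.0.2.46 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=8 PROTO=TCP SPT=52000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Constructed Apache combined-format lines; only 203.0.113.7 completed a request.
APACHE_LOG = """\
203.0.113.7 - - [04/Apr/2021:14:52:19 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Apr/2021:14:52:20 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

WEB_PORTS = {80, 443}       # only these ports can be checked against Apache's log
GRACE_SECONDS = 30          # a SYN this fresh may simply not be in Apache's log yet
NEVER_BLOCK = [ip_network(n) for n in            # own LAN, loopback: never block
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
KERNEL_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) .*?DPT=(\d+)')


def parse_kernel_log(text, year=2021):
    """Yield (timestamp, src_ip, dport) for every LOG line that parses.
    Syslog timestamps carry no year, so the caller supplies it."""
    for line in text.splitlines():
        m = KERNEL_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), int(m.group(3))


def apache_clients(text):
    """Client addresses that completed at least one HTTP request."""
    return {line.split(" ", 1)[0] for line in text.splitlines() if line.strip()}


def is_protected(src):
    return any(ip_address(src) in net for net in NEVER_BLOCK)


def syn_only_sources(kernel_text, apache_text, ports=WEB_PORTS,
                     grace=GRACE_SECONDS, year=2021):
    """Sources logged by the firewall on a web port that Apache never saw.
    Entries younger than `grace` seconds (relative to the newest LOG line)
    are skipped so a request still in flight is not mistaken for a scan."""
    entries = list(parse_kernel_log(kernel_text, year))
    if not entries:
        return []
    newest = max(ts for ts, _, _ in entries)
    seen_by_apache = apache_clients(apache_text)
    candidates = set()
    for ts, src, dport in entries:
        if dport not in ports:                       # ssh etc.: Apache cannot vouch
            continue
        if (newest - ts).total_seconds() < grace:    # too recent to judge
            continue
        if is_protected(src):
            continue
        if src not in seen_by_apache:
            candidates.add(src)
    return sorted(candidates, key=ip_address)


def iptables_rules(sources, set_name="synonly"):
    """Render an ipset plus a single INPUT rule; one rule per IP would make
    the INPUT chain grow by thousands of entries per day."""
    lines = [f"ipset create {set_name} hash:ip -exist"]
    lines += [f"ipset add {set_name} {src} -exist" for src in sources]
    lines.append(f"iptables -I INPUT -m set --match-set {set_name} src -j DROP")
    return lines


if __name__ == "__main__":
    for rule in iptables_rules(syn_only_sources(KERNEL_LOG, APACHE_LOG)):
        print(rule)
```

Two caveats before running something like this against live logs. First, an address absent from Apache's log is not proof of a scan: a client whose TLS handshake failed, or one whose first request is still in flight, looks identical, which is why the grace period exists. Second, and more important, a lone SYN carries a source address that is trivial to spoof, so a block list derived from unanswered SYNs is something an attacker can feed: spoofed SYNs from the address of a legitimate user, a CDN or a DNS resolver would get that address dropped. Expire entries (ipset supports a timeout) rather than blocking permanently, and keep the never-block list current.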
You can:
- use the --noflush option with iptables-restore to avoid removal of fail2ban (and other) rules, and filter the f2b-* chains out of the iptables-save output.
- use nftables (since fail2ban supports this action); it can target the tables by dumping and restoring them separately, so they would not remove or overwrite fail2ban chains.
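The first option above, as an added example that is not the answerer's code: take an iptables-save dump, drop every fail2ban chain declaration and every rule that lives in or jumps into such a chain, and keep the rest as the file to feed to iptables-restore --noflush. The dump is constructed; f2b- is the prefix the answer names, and the set of flags inspected for a chain name (-A, -I, -D, -j, -g) is an assumption.

```python
"""Strip fail2ban's chains from an iptables-save dump so the remainder can be
re-applied with `iptables-restore --noflush` without touching what fail2ban
manages, and list the fail2ban chains so their survival can be verified.

Added example for the answer above, not the answerer's code.  The dump is
constructed; the f2b- prefix is from the answer, the inspected flags are an
assumption."""
import shlex

# Constructed iptables-save output: the poster's LOGALL chain plus a
# fail2ban jail chain for sshd.
SAVED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGALL - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -m state --state NEW -j LOGALL
-A INPUT -s 192.0.2.44/32 -j DROP
-A LOGALL -j LOG --log-prefix "LOGALL "
-A LOGALL -j RETURN
-A f2b-sshd -s 198.51.100.9/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
"""

CHAIN_FLAGS = ("-A", "-I", "-D", "-j", "-g")   # a chain name follows each of these


def references_chain(line, prefix):
    """True if a rule line appends to, or jumps/goes to, a chain with this prefix."""
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens[:-1]):
        if tok in CHAIN_FLAGS and tokens[i + 1].startswith(prefix):
            return True
    return False


def fail2ban_chains(dump, prefix="f2b-"):
    """Chains declared in the dump that belong to fail2ban; compare the output
    of iptables-save before and after your restore to see they survived."""
    return sorted(line[1:].split()[0] for line in dump.splitlines()
                  if line.startswith(":" + prefix))


def strip_fail2ban(dump, prefix="f2b-"):
    """Return the dump minus fail2ban chain declarations and any rule that
    lives in or jumps into one of them; table headers and COMMIT are kept."""
    kept = []
    for line in dump.splitlines():
        if line.startswith(":" + prefix):
            continue                                  # ":f2b-x - [0:0]"
        if line.startswith("-") and references_chain(line, prefix):
            continue                                  # "-A f2b-x ..." or "-j f2b-x"
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Live use: iptables-save | python3 strip_f2b.py > /etc/iptables/rules
    #           iptables-restore --noflush < /etc/iptables/rules
    print(strip_fail2ban(SAVED_DUMP), end="")
```

Note what --noflush implies: nothing is flushed, so applying the same file twice appends a second copy of every rule. Flush your own chains before each restore, or move to the second option and let fail2ban keep its own nftables table.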