Maverickcdn
Senior Member
So I'm having a noob moment and need some advice. This is likely unnecessary but is more for peace of mind knowing these door knockers are ignored.
Looking to create a custom chain in iptables to list out some banned IPs probing my VPN port, can someone take a look and let me know if I'm doing this properly. VPN server is on 31194/TCP and I want to ignore requests from my OBFS server on 10.1.1.11 (has fail2ban running monitoring OBFS port connections).
I have a script that checks the status of iptables rules and a script that looks for persistent door knockers and adds them to a ban list automatically, so I can't go willy nilly adding IPs to the INPUT table without breaking the script that checks the rules status. I could code the checker script to be smarter but I'd like to keep the INPUT chain cleaner in the long run.
Creating a chain called VPNBANNED that will contain some IPs/CIDRs to ban.
Code:
iptables -N VPNBANNED # create VPNBANNED chain
iptables -I INPUT ! -s 10.1.1.11 -p tcp --dport 31194 -j VPNBANNED # forward anything not from 10.1.1.11 on 31194/TCP to VPNBANNED (will be first rule in INPUT chain)
iptables -I VPNBANNED -s 'badip/cidr here' -j logdrop # jump banned hits to logging and drop
Code:
MavMAIN|>/jffs/scripts| iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
VPNBANNED tcp -- !10.1.1.11 0.0.0.0/0 tcp dpt:31194
LOG tcp -- !10.1.1.11 0.0.0.0/0 tcp dpt:31194 state NEW LOG flags 0 level 1 prefix "openvpn31194 "
ACCEPT tcp -- 'workiphere' 0.0.0.0/0 tcp dpt:31194
tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:31194 state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
logdrop tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:31194 state NEW recent: UPDATE seconds: 180 hit_count: 3 name: DEFAULT side: source mask: 255.255.255.255
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:31194
Really just want to ensure that any connection that doesn't hit a drop rule in VPNBANNED will continue down the INPUT chain to logging/throttling rules and eventually accept rules.
Any input on this would be greatly appreciated.
TL/DR - I'm too lazy to research this and learn to do it properly today!
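Added example, not the poster's own scripts: the fall-through the post asks about is built into iptables. A packet that reaches the end of a user-defined chain without matching a terminating target (DROP, ACCEPT, logdrop and so on) returns to the calling chain and continues at the rule after the jump, so with VPNBANNED hooked first in INPUT, unbanned clients still hit the LOG, recent-throttle and ACCEPT rules shown above. The script below wraps that layout in idempotent helpers for a busybox /bin/sh so it can be rerun safely (every insert is guarded by `iptables -C`, which checks whether an identical rule already exists) and so the auto-ban script can call `vpnban_add` instead of touching INPUT. It also includes a check that no catch-all rule (one without a `-s` match) has crept into VPNBANNED, since that would be the one way to break the fall-through. The port, OBFS host, chain name and `logdrop` target come from the post; the two banned networks are constructed sample values (RFC 5737 documentation ranges), and the `IPT` override, function names and the `apply`/`show`/`add` arguments are this example's own conventions.

```shell
#!/bin/sh
# Added example, not the poster's scripts: idempotent helpers for a VPNBANNED
# chain on a busybox /bin/sh (e.g. /jffs/scripts on an Asuswrt router).
IPT="${IPT:-iptables}"      # override with a wrapper for dry runs/tests (assumption)
CHAIN=VPNBANNED
VPN_PORT=31194
OBFS_HOST=10.1.1.11         # OBFS proxy; fail2ban already covers that side
BANNED="198.51.100.0/24 203.0.113.7"   # constructed sample IPs/CIDRs (RFC 5737 ranges)

# Append one address/CIDR to VPNBANNED unless an identical rule is already there.
# The auto-ban script can call this instead of editing INPUT.
vpnban_add() {
    $IPT -C "$CHAIN" -s "$1" -j logdrop 2>/dev/null \
        || $IPT -A "$CHAIN" -s "$1" -j logdrop
}

# Create the chain plus its single INPUT hook. Safe to rerun (e.g. from
# firewall-start): -N fails harmlessly if the chain exists, -C guards the hook.
vpnban_setup() {
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -C INPUT ! -s "$OBFS_HOST" -p tcp --dport "$VPN_PORT" -j "$CHAIN" 2>/dev/null \
        || $IPT -I INPUT ! -s "$OBFS_HOST" -p tcp --dport "$VPN_PORT" -j "$CHAIN"
    for net in $BANNED; do
        vpnban_add "$net"
    done
}

# Print the chain in rule-spec form (-S), one rule per line.
vpnban_show() {
    $IPT -S "$CHAIN"
}

# Return 1 if VPNBANNED holds any rule without a -s match: such a catch-all
# would stop unbanned clients from returning to INPUT for the LOG/ACCEPT rules.
vpnban_verify() {
    $IPT -S "$CHAIN" | grep "^-A $CHAIN " | grep -v -- ' -s ' && return 1
    return 0
}

case "${1:-}" in
    apply) vpnban_setup && vpnban_verify ;;
    show)  vpnban_show ;;
    add)   vpnban_add "$2" ;;
esac
```

Run `sh vpnban.sh apply` once from your firewall-start hook and `sh vpnban.sh add 203.0.113.9` from the door-knocker script (the exact hook name and the way your existing scripts invoke it are assumptions here). Note that the example appends with `-A` rather than the `-I` in the post: order inside a pure ban list does not matter for correctness, but appending keeps `iptables -S VPNBANNED` in the order bans were added, which is easier to audit. Your rule-status checker only needs to confirm the single `-j VPNBANNED` hook is still first in INPUT; the contents of VPNBANNED can change freely underneath it.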