Question

The title is probably not very helpful (sorry). Here's a better explanation of what I hope to accomplish. I'm relatively new working with iptables but have a decent understanding of the concepts. I haven't, however, found a good example online that demonstrates what I'm asking.

In order to do some brute-force intrusion mitigation, I've got a chain that includes a rule covering multiple ports (this rule originally hijacked from this blog):

-A INPUT -p tcp -m multiport --dports 21,22,110,143 -m state --state new -j INTR_CHECK
-A INTR_CHECK -m recent --set --name INTRS --rsource
-A INTR_CHECK -m recent --update --seconds 600 --hitcount 15 --name INTRS --rsource -j INTRUSION
-A INTR_CHECK -m recent --update --seconds 60 --hitcount 5 --name INTRS --rsource -j INTRUSION
-A INTR_CHECK -j [[break out to new chains vs ACCEPT]?]

What I'd like to see is a set of chains for each port in {21,22,110,143}, because I have (lengthy) established chains for allowing specific hosts/networks to use FTP and SSH. Is it passable if I put single lines in the INTR_CHECK chain for each dport and route them to an existing chain? For example, if I append this to the rules above:

-A INTR_CHECK (-m state --state NEW) -p tcp -m tcp --dport  22 -j SSHD_IN
-A INTR_CHECK (-m state --state NEW) -p tcp -m tcp --dport  21 -j FTP_IN
-A INTR_CHECK (-m state --state NEW) -p tcp -m tcp --dport 110 -j POP3_IN
-A INTR_CHECK (-m state --state NEW) -p tcp -m tcp --dport 143 -j IMAP_IN

I also wonder if I need to indicate the state as NEW packets only, since RELATED and ESTABLISHED are blanket-accepted in the commonly-used rule:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Any guidance or lessons-learned would be greatly appreciated. Thanks.


Solution

I was able to work through this using the thoughts in the hypothesized solution from my question. Sharing as info.

-A INTR_CHECK -p tcp -m tcp --dport 22 -j SSHD_IN
-A INTR_CHECK -p tcp --syn --dport 25 -j SMTP_IN

#further down
-A SSHD_IN -s 1.2.3.0/24 -j ACCEPT
#other SSHD rules

#further still
-A SMTP_IN -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT
-A SMTP_IN -p tcp --syn -j DROP
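To see how the pieces above fit together, here is an added Python model of the rule path INPUT -> INTR_CHECK -> per-port chain. It is illustration written for this page, not the asker's code and not iptables itself: it mimics the xt_recent --set/--update bookkeeping (per-source timestamp list, hitcount within a window, stamp refresh on --update match, and the kernel's default cap of 20 stamps per source) and the per-port dispatch from the answer. The traffic is constructed, and 1.2.3.0/24 is taken as the placeholder admin network from the answer's SSHD_IN rule. Two things it makes visible: the two --update rules form a fast tier (5 attempts in 60 s) and a slow tier (15 in 600 s) that catches a drip below the fast threshold, and RELATED/ESTABLISHED packets are accepted by the earlier INPUT rule before they can reach INTR_CHECK, so the per-port rules in that chain do not need their own --state NEW match.

```python
"""Model of the 'recent'-based INTR_CHECK chain and per-port dispatch above.
Added illustration only: mimics xt_recent semantics in Python, never touches
netfilter."""

import ipaddress
from collections import defaultdict

# xt_recent keeps at most ip_pkt_list_tot stamps per source (kernel default
# 20); --hitcount may not exceed it.
MAX_STAMPS = 20

# Ports funnelled into INTR_CHECK by the multiport rule, and the per-port
# chains used in the answer's dispatch rules.
INTR_PORTS = {21, 22, 110, 143}
DISPATCH = {22: "SSHD_IN", 21: "FTP_IN", 110: "POP3_IN", 143: "IMAP_IN"}
# Placeholder network accepted by '-A SSHD_IN -s 1.2.3.0/24 -j ACCEPT'.
SSH_ALLOWED = ipaddress.ip_network("1.2.3.0/24")


class RecentTable:
    """Per-source timestamp list, like /proc/net/xt_recent/INTRS."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def _add(self, src, now):
        lst = self.stamps[src]
        lst.append(now)
        if len(lst) > MAX_STAMPS:       # oldest stamp is overwritten
            del lst[0]

    def set(self, src, now):
        # '--set --rsource': record this packet's source and time.
        self._add(src, now)

    def update(self, src, now, seconds, hitcount):
        # '--update --seconds S --hitcount C': match if the source has at
        # least C stamps within the last S seconds; on match, add one more
        # stamp (that refresh is what distinguishes --update from --rcheck).
        lst = self.stamps.get(src, [])
        hits = sum(1 for t in lst if now - t <= seconds)
        if hits >= hitcount:
            self._add(src, now)
            return True
        return False


def intr_check(pkt, table):
    """Walk the INTR_CHECK chain for one NEW packet and return its verdict."""
    # -A INTR_CHECK -m recent --set --name INTRS --rsource
    table.set(pkt["src"], pkt["t"])
    # -A INTR_CHECK -m recent --update --seconds 600 --hitcount 15 -j INTRUSION
    if table.update(pkt["src"], pkt["t"], 600, 15):
        return "INTRUSION"
    # -A INTR_CHECK -m recent --update --seconds 60 --hitcount 5 -j INTRUSION
    if table.update(pkt["src"], pkt["t"], 60, 5):
        return "INTRUSION"
    # Per-port dispatch from the answer; only NEW packets were jumped here,
    # so no extra --state NEW match is needed on these rules.
    chain = DISPATCH[pkt["dport"]]
    if chain == "SSHD_IN" and ipaddress.ip_address(pkt["src"]) in SSH_ALLOWED:
        return "SSHD_IN:ACCEPT"         # -A SSHD_IN -s 1.2.3.0/24 -j ACCEPT
    return chain                        # rest of that chain is not modelled


def input_chain(pkt, table):
    """INPUT chain: blanket-accept RELATED/ESTABLISHED, then the multiport jump."""
    if pkt["state"] in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if pkt["dport"] in INTR_PORTS and pkt["state"] == "NEW":
        return intr_check(pkt, table)
    return "CONTINUE"                   # later INPUT rules, not modelled


def simulate(packets):
    """Run a list of packets (dicts: src, dport, state, t) through a fresh table."""
    table = RecentTable()
    return [input_chain(p, table) for p in packets]


def new_syn(src, dport, t):
    return {"src": src, "dport": dport, "state": "NEW", "t": t}


# Constructed sample traffic (not captured data).
FAST_BURST = [new_syn("198.51.100.7", 22, t) for t in range(0, 50, 10)]     # 5 SYNs in 40 s
SLOW_DRIP = [new_syn("203.0.113.9", 110, t) for t in range(0, 600, 40)]    # 15 SYNs in 560 s
MIXED = [
    new_syn("1.2.3.4", 22, 0),                                             # allowed admin net
    {"src": "198.51.100.7", "dport": 22, "state": "ESTABLISHED", "t": 1},  # never counted
    new_syn("198.51.100.7", 8080, 2),                                      # port not watched
]

if __name__ == "__main__":
    for name, pkts in (("fast burst", FAST_BURST), ("slow drip", SLOW_DRIP), ("mixed", MIXED)):
        print(name, simulate(pkts))
```

Running it shows the fast burst being dispatched to SSHD_IN four times and hitting INTRUSION on the fifth SYN, while the slow drip (one SYN every 40 s) never trips the 60-second rule but is caught by the 600-second rule on the fifteenth attempt. Because --set runs before the --update rules, the current packet's own stamp is included in the hitcount, which is why the threshold fires on exactly the Nth attempt.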
Licensed under: CC-BY-SA with attribution