Proxmox Advanced firewall Configuration

pejman_view

Guest
Hello,

I know this issue may be irrelevant to Proxmox, but it seems many users have the same problem and situation that I am stuck in.

I reported abuse that my network has been used for torrenting. I investigated on the internet and found IPP2P as a solution, but it appears to be unstable with Debian, and I wonder what I should do to resolve my problem.

I also need to add that I am using iptables rules like the ones below on the Proxmox server:
IPTABLES

-A FORWARD -m string --algo bm --string "BitTorrent" -j DROP
-A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
-A FORWARD -m string --algo bm --string "peer_id=" -j DROP
-A FORWARD -m string --algo bm --string ".torrent" -j DROP
-A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
-A FORWARD -m string --algo bm --string "torrent" -j DROP
-A FORWARD -m string --algo bm --string "announce" -j DROP
-A FORWARD -m string --algo bm --string "info_hash" -j DROP


I followed:
https://wiki.debian.org/iptables
But it seems it doesn't work.

Thank you.
 
Last edited by a moderator:
Hello Again,

Is there nobody over there who could help me out?
 
Last edited by a moderator:
I am trying to give a reply, but the forum editor is garbling the text.

Something was wrong with Chrome. Now it works... look below =)
 
Last edited:
When you say it's not working, do you mean that you weren't able to block it?

Run this: iptables -L -v --line-numbers
and paste the output here.

You will get something like this:
Code:
[root@testkvm ~]# iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 46830 packets, 2500K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  virbr0 any     anywhere             anywhere            udp dpt:domain
2        0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere            tcp dpt:domain
3        0     0 ACCEPT     udp  --  virbr0 any     anywhere             anywhere            udp dpt:bootps
4        0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 SOLUSVM_TRAFFIC_IN  all  --  any    any     anywhere             anywhere
2        0     0 SOLUSVM_TRAFFIC_OUT  all  --  any    any     anywhere             anywhere
3        0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
4        0     0 ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere
5        0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere
6        0     0 REJECT     all  --  any    virbr0  anywhere             anywhere            reject-with icmp-port-unreachable
7        0     0 REJECT     all  --  virbr0 any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 4129 packets, 136M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain SOLUSVM_TRAFFIC_IN (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0            all  --  any    any     anywhere             199.2xx.1xx.55
2        0     0            all  --  any    any     anywhere             199.2xx.1xx.56

Chain SOLUSVM_TRAFFIC_OUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0            all  --  any    any     199.2xx.1xx.55       anywhere
2        0     0            all  --  any    any     199.2xx.1xx.56       anywhere

Looking at this, you see the FORWARD chain has 2 rules at the top: TRAFFIC_IN / TRAFFIC_OUT.
That means the traffic is passed to the new chains, traffic in and out.

When you use iptables with the -A option, you add a rule at the end, and in this example, if you do that, these rules will not work, because they come after the in and out chain rules.

Try using the option -I instead of -A; with -I you put the rules at the top of the FORWARD chain, so they block first and the packet is not passed on to the next rules.

Another thing: add bad bots to these rules too.
Block bad bots - see http://puntapirata.com/

Anonymizer
Attributor
Bork-edition
DataCha0s
Deepnet Explorer
desktopsmiley
DigExt
feedfinder
gamingharbor
heritrix
ia_archiver
Indy Library
Jakarta
Java
juicyaccess
larbin
Missigua
MRSPUTNIK
Nutch
panscient
plaNETWORK
Snapbot
Sogou
TinEye
TwengaBot
Twitturly
User-Agent
Viewzi
WebCapture
XX
Yandex
YebolBot

Also add the hard spammer bots:
baidu
hinet
Baidu
Hinet


I love iptables. If you have some time, try to learn how to write some scripts to automatically update your rules, like this GREAT script from: http://sysadminnotebook.blogspot.com.br/2013_07_01_archive.html

Code:
#!/bin/bash
BLOCKDB="block.txt"
WORKDIR="/tmp"
pwd=$(pwd)
cd "$WORKDIR" || exit 1

# Set of single IPs to block (create fails harmlessly if the set already exists)
ipset --create blackips iphash
## Obtain list of bad guys from openbl.org
wget -q -c --output-document="$BLOCKDB" http://www.openbl.org/lists/base.txt
if [ -f "$BLOCKDB" ]; then
    # skip comment lines, de-duplicate
    IPList=$(grep -Ev "^#" "$BLOCKDB" | sort -u)
    for i in $IPList; do
        ipset --add blackips "$i"
    done
fi
rm -f "$BLOCKDB"

## Obtain list of bad guys from ciarmy.com
wget -q -c --output-document="$BLOCKDB" http://www.ciarmy.com/list/ci-badguys.txt
if [ -f "$BLOCKDB" ]; then
    IPList=$(grep -Ev "^#" "$BLOCKDB" | sort -u)
    for i in $IPList; do
        ipset --add blackips "$i"
    done
fi
rm -f "$BLOCKDB"

## Obtain list of bad guys from dshield.org (tab-separated, IP in first column)
wget -q -c --output-document="$BLOCKDB" http://feeds.dshield.org/top10-2.txt
if [ -f "$BLOCKDB" ]; then
    IPList=$(grep -E "^[1-9]" "$BLOCKDB" | cut -f1 | sort -u)
    for i in $IPList; do
        ipset --add blackips "$i"
    done
fi
rm -f "$BLOCKDB"

# Set of networks to block
ipset --create blacknets nethash
## Obtain list of bad networks from dshield.org (columns: start, end, netmask -> start/mask)
wget -q -c --output-document="$BLOCKDB" http://feeds.dshield.org/block.txt
if [ -f "$BLOCKDB" ]; then
    IPList=$(grep -E "^[1-9]" "$BLOCKDB" | cut -f1,3 | sed "s/\t/\//g" | sort -u)
    for i in $IPList; do
        ipset --add blacknets "$i"
    done
fi
rm -f "$BLOCKDB"

## Obtain list of bad networks from spamhaus.org ("CIDR ; SBLxxx" per line)
wget -q -c --output-document="$BLOCKDB" http://www.spamhaus.org/drop/drop.lasso
if [ -f "$BLOCKDB" ]; then
    IPList=$(grep -E "^[1-9]" "$BLOCKDB" | cut -d" " -f1 | sort -u)
    for i in $IPList; do
        ipset --add blacknets "$i"
    done
fi
rm -f "$BLOCKDB"

# Drop forwarded traffic coming from the blacklisted IPs and networks
iptables -A FORWARD -m set --match-set blackips src -j DROP
iptables -A FORWARD -m set --match-set blacknets src -j DROP
cd "$pwd"
 
Another thing that you can do is:

Create your own chain, and add a jump to that chain at the top of the FORWARD chain.
 
Hello, thank you for your reply.
Code:
  root@us2:~# iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 329K packets, 45M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       13  8037 DROP       all  --  any    any     anywhere             anywhere             STRING match  "BitTorrent" ALGO name bm TO 65535
2        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "BitTorrent protocol" ALGO name bm TO 65535
3        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "peer_id=" ALGO name bm TO 65535
4        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  ".torrent" ALGO name bm TO 65535
5        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "announce.php?passkey=" ALGO name bm TO 65535
6        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "torrent" ALGO name bm TO 65535
7        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "announce" ALGO name bm TO 65535
8        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "info_hash" ALGO name bm TO 65535
9        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "peer_id" ALGO name kmp TO 65535
10       0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "BitTorrent" ALGO name kmp TO 65535
11       0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "BitTorrent protocol" ALGO name kmp TO 65535
12       0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "bittorrent-announce" ALGO name kmp TO 65535
13       0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "announce.php?passkey=" ALGO name kmp TO 65535
14       0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "find_node" ALGO name kmp TO 65535
15       0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "info_hash" ALGO name kmp TO 65535
16       0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "get_peers" ALGO name kmp TO 65535
17       0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "announce" ALGO name kmp TO 65535
18       0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "announce_peers" ALGO name kmp TO 65535

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "BitTorrent" ALGO name bm TO 65535
2        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "BitTorrent protocol" ALGO name bm TO 65535
3        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "peer_id=" ALGO name bm TO 65535
4        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  ".torrent" ALGO name bm TO 65535
5        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "announce.php?passkey=" ALGO name bm TO 65535
6        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "torrent" ALGO name bm TO 65535
7        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "announce" ALGO name bm TO 65535
8        0     0 DROP       all  --  any    any     anywhere             anywhere             STRING match  "info_hash" ALGO name bm TO 65535

Chain OUTPUT (policy ACCEPT 359K packets, 76M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Really, I am not a Linux superuser, hence it's so difficult for me to work with iptables. I think it takes too long to learn iptables and write proper rules.
 
Your rules are working, look at your first line... INPUT pkts 13 and bytes 8037 <-- it's dropped because it matched this BitTorrent rule.

Code:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -N MYRULES
iptables -I FORWARD -j MYRULES
iptables -A MYRULES -m string --algo bm --string "BitTorrent" -j DROP
iptables -A MYRULES -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -A MYRULES -m string --algo bm --string "peer_id=" -j DROP
iptables -A MYRULES -m string --algo bm --string ".torrent" -j DROP
iptables -A MYRULES -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -A MYRULES -m string --algo bm --string "torrent" -j DROP
iptables -A MYRULES -m string --algo bm --string "announce" -j DROP
iptables -A MYRULES -m string --algo bm --string "info_hash" -j DROP
iptables -A MYRULES -m string --algo bm --string "Anonymizer" -j DROP
iptables -A MYRULES -m string --algo bm --string "Attributor" -j DROP
iptables -A MYRULES -m string --algo bm --string "Bork-edition" -j DROP
iptables -A MYRULES -m string --algo bm --string "DataCha0s" -j DROP
iptables -A MYRULES -m string --algo bm --string "Deepnet Explorer" -j DROP
iptables -A MYRULES -m string --algo bm --string "desktopsmiley" -j DROP
iptables -A MYRULES -m string --algo bm --string "DigExt" -j DROP
iptables -A MYRULES -m string --algo bm --string "feedfinder" -j DROP
iptables -A MYRULES -m string --algo bm --string "gamingharbor" -j DROP
iptables -A MYRULES -m string --algo bm --string "heritrix" -j DROP
iptables -A MYRULES -m string --algo bm --string "ia_archiver" -j DROP
iptables -A MYRULES -m string --algo bm --string "Indy Library" -j DROP
iptables -A MYRULES -m string --algo bm --string "Jakarta" -j DROP
iptables -A MYRULES -m string --algo bm --string "Java" -j DROP
iptables -A MYRULES -m string --algo bm --string "juicyaccess" -j DROP
iptables -A MYRULES -m string --algo bm --string "larbin" -j DROP
iptables -A MYRULES -m string --algo bm --string "Missigua" -j DROP
iptables -A MYRULES -m string --algo bm --string "MRSPUTNIK" -j DROP
iptables -A MYRULES -m string --algo bm --string "Nutch" -j DROP
iptables -A MYRULES -m string --algo bm --string "panscient" -j DROP
iptables -A MYRULES -m string --algo bm --string "plaNETWORK" -j DROP
iptables -A MYRULES -m string --algo bm --string "Snapbot" -j DROP
iptables -A MYRULES -m string --algo bm --string "Sogou" -j DROP
iptables -A MYRULES -m string --algo bm --string "TinEye" -j DROP
iptables -A MYRULES -m string --algo bm --string "TwengaBot" -j DROP
iptables -A MYRULES -m string --algo bm --string "Twitturly" -j DROP
iptables -A MYRULES -m string --algo bm --string "Viewzi" -j DROP
iptables -A MYRULES -m string --algo bm --string "WebCapture" -j DROP
iptables -A MYRULES -m string --algo bm --string "XX" -j DROP
iptables -A MYRULES -m string --algo bm --string "Yandex" -j DROP
iptables -A MYRULES -m string --algo bm --string "YebolBot" -j DROP
iptables -A MYRULES -m string --algo bm --string "baidu" -j DROP
iptables -A MYRULES -m string --algo bm --string "hinet" -j DROP
iptables -A MYRULES -m string --algo bm --string "Baidu" -j DROP
iptables -A MYRULES -m string --algo bm --string "Hinet" -j DROP

Copy-and-paste rules for you =)

Lines 1, 2 and 3 will clean up all your rules with -F (flush the named chain).
Line 4 will create a new chain called MYRULES.
Line 5 will add your newly created MYRULES chain at the top of your FORWARD rules.
And the other lines will add rules to your MYRULES chain.

After that, you can watch this with the command:

iptables -L -v -n --line-numbers

If you want to list only your chain, use this:

iptables -L MYRULES -v -n --line-numbers


With this command, you will see the line number of each rule in the chain. If you want to delete a line, just run:
iptables -D MYRULES X
where X is the number of the line you want to delete.

=)

It's easy... trust me!
 
Last edited:
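As an added example (not code from the thread), the following script applies the advice from both replies above: it keeps the filter rules in a dedicated chain (MYRULES, the name used above) and inserts the jump at position 1 of FORWARD, so the chain is evaluated before anything that other tools appended with -A. It is idempotent (re-running it does not add a second jump or duplicate rules), and it adds a rate-limited LOG line before each DROP so you can see in the kernel log what is actually being matched; the pattern list is constructed here and the apply_rules function is an assumption of this example.

```shell
#!/bin/sh
# Added example, not the thread's own code. Builds a MYRULES chain and
# puts the jump to it at the top of FORWARD. Patterns are constructed
# for the example and must not contain a single quote.
CHAIN="MYRULES"
PATTERNS="BitTorrent protocol
peer_id=
info_hash
announce.php?passkey="

# Print the iptables commands (dry run); apply_rules executes the same lines.
build_commands() {
  # create the chain, or empty it if it already exists (re-run safe)
  printf '%s\n' "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
  # -C checks whether the jump is already present; insert at the top only if not
  printf '%s\n' "iptables -C FORWARD -j $CHAIN 2>/dev/null || iptables -I FORWARD 1 -j $CHAIN"
  printf '%s\n' "$PATTERNS" | while IFS= read -r pat; do
    [ -n "$pat" ] || continue
    # rate-limited log line first, so drops are visible in the kernel log
    printf '%s\n' "iptables -A $CHAIN -m string --algo bm --string '$pat' -m limit --limit 5/min -j LOG --log-prefix '$CHAIN drop: '"
    printf '%s\n' "iptables -A $CHAIN -m string --algo bm --string '$pat' -j DROP"
  done
}

# Number of DROP rules that will be installed in the chain.
count_drops() { build_commands | grep -c -- '-j DROP$'; }

# First command that touches FORWARD (the -C/-I line, never an -A append).
forward_cmd() { build_commands | grep -m1 'FORWARD'; }

# Apply for real (needs root): apply_rules
apply_rules() { build_commands | sh -e; }
```

Note that -m string inspects the whole packet payload, so a short pattern such as "torrent" or "Java" also drops ordinary web traffic that merely contains that word; check the LOG lines (and iptables -L MYRULES -v -n --line-numbers) before trusting a long pattern list.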