Linux/iptables

From Omnia

Clear IP Tables

reset_iptables.sh:

#!/bin/bash

IPTABLES=/sbin/iptables

# Print an error and exit. The original script called die() without
# defining it, so the check below could never abort cleanly.
die() {
    echo "$@" >&2
    exit 1
}

if [ ! -x "$IPTABLES" ]; then
    die "iptables: can't execute $IPTABLES"
fi

# Set the default policies to ACCEPT before flushing, so removing the
# rules does not lock the current (e.g. SSH) session out.
$IPTABLES -P INPUT   ACCEPT
$IPTABLES -P OUTPUT  ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F
$IPTABLES -X

# Flush rules, delete user-defined chains and zero counters in every table.
for table in filter nat mangle; do
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
    $IPTABLES -t "$table" -Z
done

Source: http://pikt.org/pikt/samples/reset_iptables.html

  • (with the modification of DROP to ACCEPT and iptables path)

General

Destination NAT with netfilter (DNAT)

Using DNAT for all protocols (and ports) on one IP

iptables -t nat -A PREROUTING -d 10.10.20.99 -j DNAT --to-destination 10.10.14.2

Using DNAT for a single port

iptables -t nat -A PREROUTING -p tcp -d 10.10.20.99 --dport 80 -j DNAT --to-destination 10.10.14.2

Log event:

iptables -A INPUT ... -j LOG --log-level 4
iptables -A INPUT ... -j LOG --log-level 4 --log-prefix "** BLOCKED **"
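As an added defender-side example (not code from the page or from any source it cites), here is a POSIX shell function that summarises kernel log lines carrying the "** BLOCKED **" prefix by source address, protocol and destination port, the kind of quick triage you would run over /var/log/messages after adding a LOG rule like the one above. The log lines are constructed samples in the format the LOG target writes; hostnames and addresses are made up. Note that iptables prints the prefix immediately before the IN= field, which is why the prefix on the page ends with a space.

```shell
#!/bin/sh
# Added example: summarise iptables LOG output by source, protocol and port.
# Input: syslog/dmesg lines on stdin. Output: "COUNT SRC PROTO/DPT", most
# frequent first. Lines without the BLOCKED prefix are ignored.
blocked_summary() {
    grep 'BLOCKED' | awk '
    {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        { src = substr($i, 5) }
            else if ($i ~ /^DPT=/)   { dpt = substr($i, 5) }
            else if ($i ~ /^PROTO=/) { proto = substr($i, 7) }
        }
        # ICMP and other port-less protocols have no DPT field;
        # record the protocol alone in that case.
        if (src != "") {
            if (dpt == "") { hits[src " " proto]++ }
            else           { hits[src " " proto "/" dpt]++ }
        }
    }
    END { for (k in hits) print hits[k], k }' | sort -rn
}

# Source address with the most blocked packets (second field of the top line).
top_blocked_source() {
    blocked_summary | head -n 1 | awk '{ print $2 }'
}

# Constructed sample log (not real traffic): three TCP/23 probes from one
# host, one TCP/3306 probe from another, and one unrelated sshd line.
sample_log() {
    cat <<'EOF'
Aug  5 10:02:44 gw kernel: ** BLOCKED **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.10.20.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  5 10:02:45 gw kernel: ** BLOCKED **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.10.20.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  5 10:02:46 gw sshd[2210]: Accepted publickey for admin from 10.10.10.5 port 40122 ssh2
Aug  5 10:02:47 gw kernel: ** BLOCKED **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=10.10.20.99 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  5 10:02:48 gw kernel: ** BLOCKED **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.10.20.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
}

# Usage on a live box: blocked_summary < /var/log/messages
# With the sample above: sample_log | blocked_summary
```

Matching on the word BLOCKED rather than the exact prefix means the same function works for the "*** BLOCKED ***" variant used further down the page.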

Simulating full NAT with SNAT and DNAT: [1] [2]

iptables -t nat -A PREROUTING -d 205.254.211.17 -j DNAT --to-destination 192.168.100.17
iptables -t nat -A POSTROUTING -s 192.168.100.17 -j SNAT --to-source 205.254.211.17

Block DHCP: [3]

# block UDP ports 67 and 68
-A RH-Firewall-1-INPUT -p udp --dport 67:68 -j DROP

Ports:

 22 TCP - SSH
 80 TCP - HTTP
443 TCP - HTTPS

Port forwarding: [4] [5]

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx \
    --dport 8888 -j DNAT --to 192.168.0.2:80
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.50:80
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT

ip_conntrack

ip_conntrack: table full, dropping packet | Racker Hacker

dmesg:

ip_conntrack: table full, dropping packet

Generally, the ip_conntrack_max is set to the total MB of RAM installed multiplied by 16. However, this server had 4GB of RAM, but ip_conntrack_max was set to 65536. I’m not sure if this is a known Red Hat issue, or if it’s just set to a standard value out of the box.

# cat /proc/sys/net/ipv4/ip_conntrack_max
65536

If you want to check your server’s current tracked connections, just run the following:

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

If you want to adjust it (as I did), just run the following as root:

echo 131072 > /proc/sys/net/ipv4/ip_conntrack_max

To make this persistent you have to add a line like the following to /etc/sysctl.conf:

net.ipv4.ip_conntrack_max=131072
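The "table full, dropping packet" message only appears once connections are already being lost. As an added example (not from the page or the blog it quotes), the POSIX shell functions below compare ip_conntrack_count against ip_conntrack_max and warn at a configurable percentage, so the limit can be raised before that point. The file paths default to the ip_conntrack locations shown above and are parameters so the check can be tested against constructed files; newer kernels expose the same values as /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max.

```shell
#!/bin/sh
# Added example: report how full the conntrack table is and warn before the
# kernel starts logging "ip_conntrack: table full, dropping packet".

# conntrack_usage [COUNT_FILE] [MAX_FILE]
# Prints the percentage of the table in use. Returns 2 if a file is unreadable.
conntrack_usage() {
    count_file="${1:-/proc/sys/net/ipv4/netfilter/ip_conntrack_count}"
    max_file="${2:-/proc/sys/net/ipv4/ip_conntrack_max}"
    count=$(cat "$count_file") || return 2
    max=$(cat "$max_file") || return 2
    [ "$max" -gt 0 ] || return 2
    echo $(( count * 100 / max ))
}

# conntrack_check [COUNT_FILE] [MAX_FILE] [THRESHOLD_PCT]
# Exit status: 0 = headroom left, 1 = at or above threshold (default 80%),
# 2 = values could not be read. Suitable as a cron or monitoring probe.
conntrack_check() {
    threshold="${3:-80}"
    pct=$(conntrack_usage "$1" "$2") || return 2
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: conntrack table ${pct}% full (threshold ${threshold}%)"
        return 1
    fi
    echo "OK: conntrack table ${pct}% full"
    return 0
}

# Usage on a live box (default paths):  conntrack_check
# Against constructed files:            conntrack_check /tmp/count /tmp/max 80
```

When the check warns, raise ip_conntrack_max as shown above and make the change persistent in /etc/sysctl.conf; a steadily rising count with little real traffic is also worth correlating with the LOG output, since a flood of short-lived connections fills the table quickly.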

NAT

Linux Firewall – iptables and NAT « Sachin’s Weblog

NAT, Network Address Translation, is basically of two types: SNAT and DNAT.

SNAT, Source NAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specialized form of SNAT.

DNAT, Destination NAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to. Destination NAT is always done before routing, when the packet first comes off the wire. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.

---

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
service iptables restart
/etc/sysctl.conf
  net.ipv4.ip_forward = 1

Source: HOWTO: Linux NAT in Four Steps using iptables - http://www.revsys.com/writings/quicktips/nat.html
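The port-forwarding rules and the four-step NAT recipe above are the same two building blocks (DNAT on PREROUTING with a matching FORWARD accept, and MASQUERADE on POSTROUTING with the RELATED,ESTABLISHED return rule). As an added example that is not part of the page or the HOWTO it cites, the POSIX shell script below wraps both in functions with a dry-run mode, so the generated rules can be reviewed before they are applied. The interface names (eth0 as WAN, eth1 as LAN) and the addresses are assumed values for illustration.

```shell
#!/bin/sh
# Added example: port forwarding plus masquerading with a dry-run mode.
# DRY_RUN=1 prints every rule instead of applying it.
set -e

IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-0}"

# Run iptables, or print the command when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Step 1: without ip_forward the FORWARD chain never sees the traffic.
enable_forwarding() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
    fi
}

# masquerade WAN_IF LAN_IF: outbound SNAT for the LAN, plus the two FORWARD
# rules that let replies back in and LAN-originated traffic out.
masquerade() {
    wan_if=$1; lan_if=$2
    ipt -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE
    ipt -A FORWARD -i "$wan_if" -o "$lan_if" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$lan_if" -o "$wan_if" -j ACCEPT
}

# forward_port WAN_IF WAN_IP WAN_PORT LAN_IP LAN_PORT: DNAT one TCP port to an
# internal host. The FORWARD accept is limited to NEW connections to that
# host and port, so the DNAT does not implicitly expose anything else.
forward_port() {
    wan_if=$1; wan_ip=$2; wan_port=$3; lan_ip=$4; lan_port=$5
    ipt -t nat -A PREROUTING -p tcp -i "$wan_if" -d "$wan_ip" --dport "$wan_port" \
        -j DNAT --to-destination "$lan_ip:$lan_port"
    ipt -A FORWARD -p tcp -i "$wan_if" -d "$lan_ip" --dport "$lan_port" \
        -m state --state NEW -j ACCEPT
}

# Usage:  DRY_RUN=1 sh nat-forward.sh        (review the rules)
#         sh nat-forward.sh apply            (apply them, as root)
if [ "${1:-}" = "apply" ] || [ "$DRY_RUN" = "1" ]; then
    enable_forwarding
    masquerade eth0 eth1                                # eth0 = WAN, eth1 = LAN (assumed)
    forward_port eth0 203.0.113.10 8888 192.168.0.2 80  # public 8888 -> internal web host (assumed)
fi
```

After applying, iptables-save shows the result and can be written to /etc/sysconfig/iptables as the page describes; the persistent ip_forward setting still has to go into /etc/sysctl.conf separately, since the script only sets the running value.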

transparent firewall

Securing Debian Manual - Setting up a bridge firewall - http://www.debian.org/doc/manuals/securing-debian-howto/ap-bridge-fw.en.html

RedHat sysconfig iptables

Default /etc/sysconfig/iptables:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Modified /etc/sysconfig/iptables:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# WEB
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

# SAMBA
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

# NFS4
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT

# NFS3
# Uncomment MOUNTD_PORT in /etc/sysconfig/nfs
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 892 -j ACCEPT

# FTP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

# MYSQL
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT

# LOG AND BLOCK
-A RH-Firewall-1-INPUT -j LOG --log-level 4 --log-prefix "** BLOCKED **"
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


t0e data modified:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT

# ESTABLISHED
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# LOCAL
-A RH-Firewall-1-INPUT -i lo -j ACCEPT

# PING
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

# IPSec
# 50  ESP   Encap Security Payload          [RFC4303]
# 51  AH    Authentication Header           [RFC4302]
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT

# MULTICAST (DNS)
#-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j REJECT --reject-with icmp-host-prohibited

# Internet Printing Protocol
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT


# SSH
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 10.10.10.5 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 10.10.10.1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 10.10.20.5 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 216.119.0.0/16 -j ACCEPT

# WEB
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

# MAIL
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT

# SAMBA
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

# VNC
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT

# VMWARE
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 902 -j ACCEPT

# UNKNOWN
###-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT
###
####-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
####-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 784 -j ACCEPT
####-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 765 -j ACCEPT
####-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 787 -j ACCEPT
####-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 618 -j ACCEPT
####-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 621 -j ACCEPT
###

# NFS
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 4001 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 4001 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 4002 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 4002 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 4003 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 4003 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 4004 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 4004 -j ACCEPT



# MYSQL
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT

# LOGGING AND BLOCKING
-A RH-Firewall-1-INPUT -j LOG --log-level 4 --log-prefix "*** BLOCKED ***"
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

Basic NAT Routing Example

# Generated by iptables-save v1.3.5 on Sun Aug  5 10:02:44 2012
*nat
:PREROUTING ACCEPT [1:65]
:POSTROUTING ACCEPT [1:65]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Sun Aug  5 10:02:44 2012
# Generated by iptables-save v1.3.5 on Sun Aug  5 10:02:44 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [138:20068]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG --log-level 4 --log-prefix "** BLOCKED **"
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Aug  5 10:02:44 2012

Stop SSH Brute Force Attacks

Here's an easy fix. It drops new ssh connections coming from the same IP with less than 15s intervals (or any timeout you want). In my server, this has shown to stop the automated attempts on the first failed connection - and even if the attacker waits for the 15s, it makes brute-force attempts not practical.

For legit sessions, 15s is reasonable (at least for me) between session starts.

It's just two lines on the iptables configuration. No other change required:

iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

This assumes you already have
iptables -A INPUT -j ACCEPT -p tcp ! --syn -s <REMOTENET> -d <OUTERNET>
above that, to accept established connection packets.
Look up a program called DenyHosts.

We have a lot of problems with SSH brute-force attacks. DenyHosts has helped a lot.

See Linux/Security#DenyHosts

SSH tricks -- any way to block failed attempts by IP address - http://www.linuxquestions.org/questions/linux-security-4/ssh-tricks-any-way-to-block-failed-attempts-by-ip-address-342359/

Quick Block Ping

Block Ping:

iptables -A INPUT -p icmp --icmp-type 8 -j DROP

Flush tables:

iptables -F

notes

Quick HOWTO : Ch14 : Linux Firewalls Using iptables - Linux Home Networking

"Network security is a primary consideration in any decision to host a website as the threats are becoming more widespread and persistent every day. One means of providing additional protection is to invest in a firewall. Though prices are always falling, in some cases you may be able to create a comparable unit using the Linux iptables package on an existing server for little or no additional expenditure."