Linux/iptables

Clear IP Tables
reset_iptables.sh:
#!/bin/bash

IPTABLES=/sbin/iptables

# die is not defined in the original sample; this helper prints the message and exits
die() { echo "$1" >&2; exit 1; }

if [ ! -x $IPTABLES ]; then
    die "iptables: can't execute $IPTABLES"
fi

# Open the default policies first, so that flushing cannot lock us out
$IPTABLES -P INPUT   ACCEPT
$IPTABLES -P OUTPUT  ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F
$IPTABLES -X

# Flush rules, delete user-defined chains and zero counters in every table
for table in filter nat mangle; do
    $IPTABLES -t $table -F
    $IPTABLES -t $table -X
    $IPTABLES -t $table -Z
done

Source: http://pikt.org/pikt/samples/reset_iptables.html (with the modification of DROP to ACCEPT and the iptables path)

General
Destination NAT with netfilter (DNAT)

Using DNAT for all protocols (and ports) on one IP:

iptables -t nat -A PREROUTING -d 10.10.20.99 -j DNAT --to-destination 10.10.14.2

Using DNAT for a single port:

iptables -t nat -A PREROUTING -p tcp -d 10.10.20.99 --dport 80 -j DNAT --to-destination 10.10.14.2

Log event:

iptables -A INPUT ... -j LOG --log-level 4
iptables -A INPUT ... -j LOG --log-level 4 --log-prefix "** BLOCKED **"

Simulating full NAT with SNAT and DNAT (the SNAT target takes --to-source, not --to-destination):

iptables -t nat -A PREROUTING -d 205.254.211.17 -j DNAT --to-destination 192.168.100.17
iptables -t nat -A POSTROUTING -s 192.168.100.17 -j SNAT --to-source 205.254.211.17

Block DHCP (UDP ports 67 and 68):

-A RH-Firewall-1-INPUT -p udp --dport 67:68 -j DROP

Ports:

22 TCP - SSH
80 TCP - HTTP
443 TCP - HTTPS

Port forwarding:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 8888 -j DNAT --to 192.168.0.2:80
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.50:80
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT
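The LOG target only writes to the kernel log; the packet keeps travelling down the chain, which is why the sysconfig listings further down follow the "** BLOCKED **" LOG rule with a REJECT. Once those lines are in dmesg or syslog, the practical question is which sources and ports are hitting the block. The script below is an added example, not part of the original page: it summarises the LOG lines per source address, protocol and destination port. The log lines it runs on are constructed for the demo, and LOG_PREFIX is assumed to match the prefix used on this page.

```shell
#!/bin/sh
# Summarise kernel log lines produced by "-j LOG --log-prefix", counting blocked
# packets per source address, protocol and destination port.
# Added example; the sample log lines are constructed, not captured.

LOG_PREFIX="${LOG_PREFIX:-** BLOCKED **}"

summarize_blocked() {
    # stdin: syslog/dmesg lines; stdout: "COUNT SRC PROTO DPT", most frequent first
    awk -v prefix="$LOG_PREFIX" '
        index($0, prefix) == 0 { next }          # keep only lines carrying our prefix
        {
            src = "-"; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)   # absent for ICMP
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2 -k3,3 -k4,4n
}

sample_log() {
    # Constructed lines in the shape the kernel LOG target emits. The prefix runs
    # straight into "IN=" because "** BLOCKED **" has no trailing space.
    cat <<'EOF'
Aug  5 10:02:44 fw kernel: ** BLOCKED **IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  5 10:02:45 fw kernel: ** BLOCKED **IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  5 10:02:46 fw kernel: ** BLOCKED **IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=192.0.2.9 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=3 PROTO=UDP SPT=4000 DPT=161 LEN=20
Aug  5 10:02:47 fw kernel: ** BLOCKED **IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=192.0.2.9 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=120 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=1
Aug  5 10:02:48 fw sshd[1234]: Accepted publickey for admin from 10.10.10.5 port 50000 ssh2
EOF
}

# Stand-alone run: summarise the constructed sample (use "summarize_blocked < /var/log/messages" for real data)
sample_log | summarize_blocked
```

The kernel prints the prefix immediately followed by IN=, so a trailing space in --log-prefix ("** BLOCKED ** ") keeps the fields separated for tools that split on whitespace; the script locates the prefix with index() and parses the SRC=, PROTO= and DPT= fields individually, so it works either way.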

ip_conntrack
ip_conntrack: table full, dropping packet | Racker Hacker

dmesg: ip_conntrack: table full, dropping packet

Generally, the ip_conntrack_max is set to the total MB of RAM installed multiplied by 16. However, this server had 4GB of RAM, but ip_conntrack_max was set to 65536. I'm not sure if this is a known Red Hat issue, or if it's just set to a standard value out of the box.

cat /proc/sys/net/ipv4/ip_conntrack_max
65536

If you want to check your server's current tracked connections, just run the following:

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

If you want to adjust it (as I did), just run the following as root:

echo 131072 > /proc/sys/net/ipv4/ip_conntrack_max

To make this persistent you have to add a line like net.ipv4.ip_conntrack_max=131072 to /etc/sysctl.conf
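Rather than waiting for "table full, dropping packet" to show up in dmesg, the fill level can be watched from the two /proc files named above. The script below is an added example (not from the Racker Hacker post) that reports the usage as a percentage and returns a non-zero status once it crosses a threshold, so it can sit in cron or a monitoring check. It defaults to the nf_conntrack_count / nf_conntrack_max paths of current kernels; on the older kernel in the post, point CT_COUNT and CT_MAX at the ip_conntrack files shown above. The 80% warning threshold is an assumed value.

```shell
#!/bin/sh
# Report conntrack table fill level before the kernel starts dropping packets.
# Added example. Defaults use the modern sysctl paths; on the older kernel above use
# CT_COUNT=/proc/sys/net/ipv4/netfilter/ip_conntrack_count CT_MAX=/proc/sys/net/ipv4/ip_conntrack_max
CT_COUNT="${CT_COUNT:-/proc/sys/net/netfilter/nf_conntrack_count}"
CT_MAX="${CT_MAX:-/proc/sys/net/netfilter/nf_conntrack_max}"
WARN_PCT="${WARN_PCT:-80}"    # warning threshold in percent (assumed value)

conntrack_usage_pct() {
    # $1 = file holding the current count, $2 = file holding the maximum;
    # prints the fill level as an integer percentage; exit status 2 if unreadable
    count=$(cat "$1" 2>/dev/null) || return 2
    max=$(cat "$2" 2>/dev/null) || return 2
    [ "$max" -gt 0 ] 2>/dev/null || return 2
    echo $(( count * 100 / max ))
}

conntrack_check() {
    # returns 0 below WARN_PCT, 1 at or above it, 2 if the files cannot be read
    cf="${1:-$CT_COUNT}"; mf="${2:-$CT_MAX}"
    pct=$(conntrack_usage_pct "$cf" "$mf") || return 2
    if [ "$pct" -ge "$WARN_PCT" ]; then
        echo "WARNING: conntrack table ${pct}% full ($(cat "$cf")/$(cat "$mf")); raise the max" >&2
        return 1
    fi
    echo "conntrack table ${pct}% full ($(cat "$cf")/$(cat "$mf"))"
}

suggested_conntrack_max() {
    # rule of thumb quoted above: installed RAM in MB multiplied by 16
    echo $(( $1 * 16 ))
}

# Run the check only where the files exist (they are absent inside most containers)
if [ -r "$CT_COUNT" ] && [ -r "$CT_MAX" ]; then
    conntrack_check || :
fi
```

When the check fires, the remedy is the one in the post: raise the maximum with echo (or sysctl -w) and persist it in /etc/sysctl.conf; the rule-of-thumb helper gives the page's suggested starting value for a given amount of RAM.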

NAT
Linux Firewall – iptables and NAT « Sachin’s Weblog

NAT (Network Address Translation) is basically of two types: SNAT and DNAT.

SNAT (Source NAT) is when you alter the source address of the first packet, i.e. you are changing where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specialized form of SNAT.

DNAT (Destination NAT) is when you alter the destination address of the first packet, i.e. you are changing where the connection is going to. Destination NAT is always done before routing, when the packet first comes off the wire. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.

---

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Save the rules and restart the service:

iptables-save > /etc/sysconfig/iptables
service iptables restart

Make forwarding persistent in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Source: HOWTO: Linux NAT in Four Steps using iptables - http://www.revsys.com/writings/quicktips/nat.html
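The four NAT steps above (ip_forward, MASQUERADE, the two FORWARD rules) and the DNAT port forwarding from the General section fit together in one script. The following is an added example, not the page's or revsys's own script: it wraps each step in a function and, by default, only prints the commands (DRY_RUN=1) so the rule set can be reviewed before it is applied as root with DRY_RUN=0. The interface names and the 203.0.113.10 external address and 192.168.0.2 LAN host used in the demo at the bottom are assumed.

```shell
#!/bin/sh
# NAT gateway helper: masquerading for a LAN plus DNAT port forwarding.
# Added example. DRY_RUN=1 (the default) prints each command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

run() {
    # Print the command in dry-run mode, otherwise execute it
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

setup_gateway() {
    # $1 = external (Internet) interface, $2 = internal LAN interface
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$1" -j MASQUERADE
    # Replies to LAN-originated flows may come back in; anything else from outside stays out
    run iptables -A FORWARD -i "$1" -o "$2" -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$2" -o "$1" -j ACCEPT
}

forward_port() {
    # $1 = external interface, $2 = external IP, $3 = external TCP port,
    # $4 = internal host, $5 = internal TCP port
    run iptables -t nat -A PREROUTING -i "$1" -p tcp -d "$2" --dport "$3" \
        -j DNAT --to-destination "$4:$5"
    # DNAT only rewrites the destination; the rewritten packet still has to be
    # allowed through FORWARD, otherwise the forward silently fails
    run iptables -A FORWARD -i "$1" -p tcp -d "$4" --dport "$5" -m state --state NEW -j ACCEPT
}

# Demo with constructed addresses (TEST-NET-3 public IP, RFC 1918 LAN host)
setup_gateway eth0 eth1
forward_port eth0 203.0.113.10 8888 192.168.0.2 80
```

Run it once without arguments to see the eight commands it would issue; the FORWARD rule in forward_port is the piece most often forgotten when a DNAT "does nothing", and the RELATED,ESTABLISHED rule from setup_gateway is what lets the forwarded server's replies back out.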

transparent firewall
Securing Debian Manual - Setting up a bridge firewall - http://www.debian.org/doc/manuals/securing-debian-howto/ap-bridge-fw.en.html

RedHat sysconfig iptables
Default /etc/sysconfig/iptables:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Modified /etc/sysconfig/iptables:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# WEB
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# SAMBA
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
# NFS4
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
# NFS3
# Uncomment MOUNTD_PORT in /etc/sysconfig/nfs
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 892 -j ACCEPT
# FTP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# MYSQL
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# LOG AND BLOCK
-A RH-Firewall-1-INPUT -j LOG --log-level 4 --log-prefix "** BLOCKED **"
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

t0e data modified:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# ESTABLISHED
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# LOCAL
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# PING
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# IPSec
# 50  ESP   Encap Security Payload          [RFC4303]
# 51  AH    Authentication Header           [RFC4302]
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# MULTICAST (DNS)
#-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j REJECT --reject-with icmp-host-prohibited
# Internet Printing Protocol
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
# SSH
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 10.10.10.5 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 10.10.10.1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 10.10.20.5 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 216.119.0.0/16 -j ACCEPT
# WEB
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# MAIL
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
# SAMBA
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
# VNC
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
# VMWARE
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 902 -j ACCEPT
# UNKNOWN
#-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 784 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 765 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 787 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 618 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 621 -j ACCEPT
# NFS
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 4001 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 4001 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 4002 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 4002 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 4003 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 4003 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 4004 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 4004 -j ACCEPT
# MYSQL
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# LOGGING AND BLOCKING
-A RH-Firewall-1-INPUT -j LOG --log-level 4 --log-prefix "*** BLOCKED ***"
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Basic NAT Routing Example

# Generated by iptables-save v1.3.5 on Sun Aug  5 10:02:44 2012
*nat
:PREROUTING ACCEPT [1:65]
:POSTROUTING ACCEPT [1:65]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Sun Aug  5 10:02:44 2012
# Generated by iptables-save v1.3.5 on Sun Aug  5 10:02:44 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [138:20068]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG --log-level 4 --log-prefix "** BLOCKED **"
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Aug  5 10:02:44 2012

Stop SSH Brute Force Attacks
Here's an easy fix. It drops new SSH connections coming from the same IP with less than 15s intervals (or any timeout you want). In my server, this has shown to stop the automated attempts on the first failed connection, and even if the attacker waits for the 15s, it makes brute-force attempts not practical.

For legit sessions, 15s is reasonable (at least for me) between session starts.

It's just two lines on the iptables configuration. No other change required:

iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

This assumes you already have iptables -A INPUT -j ACCEPT -p tcp ! --syn -s  -d  above that, to accept established connection packets.

Look up a program called denyhosts.

We have a lot of problems with SSH brute attacks. denyhost has helped a lot.

See Linux/Security

SSH tricks -- any way to block failed attempts by IP address - http://www.linuxquestions.org/questions/linux-security-4/ssh-tricks-any-way-to-block-failed-attempts-by-ip-address-342359/
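To see what the --update/--seconds pair from the first post does over time, here is an added example (not from the thread) that models the recent match in awk on a constructed sequence of NEW connections; each input line is assumed to be "seconds source-ip" in time order. It also replays the same sequence with --rcheck semantics, which checks the list without refreshing the timestamp, to show why the thread's rule uses --update.

```shell
#!/bin/sh
# Model of the "-m recent --update --seconds N -j DROP" / "-m recent --set -j ACCEPT"
# pair applied to a sequence of NEW SSH connections. Added example; it models the
# match logic in awk and does not touch iptables. Input: "SECONDS SOURCE_IP" lines.

simulate_recent() {
    # $1 = window in seconds (--seconds), $2 = "update" (default) or "rcheck"
    # stdout: "SECONDS SOURCE_IP VERDICT", one line per attempt
    awk -v window="$1" -v mode="${2:-update}" '
        {
            t = $1 + 0; ip = $2
            if ((ip in last) && (t - last[ip]) < window) {
                verdict = "DROP"
                # --update refreshes the last-seen stamp on every hit, so a client that
                # retries faster than the window never leaves the list; --rcheck leaves
                # the stamp alone and the block expires on its own
                if (mode == "update") last[ip] = t
            } else {
                verdict = "ACCEPT"
                last[ip] = t        # the ACCEPT rule does --set
            }
            print t, ip, verdict
        }'
}

sample_attempts() {
    # Constructed: one source retrying every 10 s, a second source connecting once
    cat <<'EOF'
0 198.51.100.7
5 10.10.10.5
10 198.51.100.7
20 198.51.100.7
40 198.51.100.7
EOF
}

verdicts() {
    # Compress a run of the sample into one letter per attempt, e.g. "AADDA"
    sample_attempts | simulate_recent 15 "$1" | awk '{ printf "%s", substr($3, 1, 1) }'
}

echo "update: $(verdicts update)"
echo "rcheck: $(verdicts rcheck)"
```

With --update, the retrying host 198.51.100.7 is dropped at 10 s and again at 20 s because every dropped attempt refreshes its timestamp; it is only accepted again after pausing for the whole window. With --rcheck the stamp set at 0 s expires on its own and the attempt at 20 s is accepted. The second host is unaffected either way, since the recent list is kept per source address, which is also why the thread's rule does not interfere with other users' sessions.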

Quick Block Ping
Block ping (ICMP echo request, type 8):

iptables -A INPUT -p icmp --icmp-type 8 -j DROP

Flush tables:

iptables -F

Quick Port 8080 to 80 Redirect
/etc/rc.local:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443

iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -d localhost -p tcp --dport 443 -j REDIRECT --to-port 8443

iptables -t nat -A OUTPUT -d $(hostname) -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -d $(hostname) -p tcp --dport 443 -j REDIRECT --to-port 8443