Own Notes – Iptables
Allow Incoming SSH only from a Specific Network
- The following rules allow incoming SSH connections only from the 192.168.100.0/24 network. They only restrict anything if the INPUT chain's default policy is DROP (or a later rule drops what is left); with the default ACCEPT policy, SSH from every other network is still admitted
root@home# iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
root@home# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Combine Multiple Rules Together using multiport
- The following example allows all incoming SSH, HTTP and HTTPS traffic with one rule per direction instead of three; the multiport match accepts up to 15 ports in one list
root@home# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
root@home# iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
Load Balance Incoming Web Traffic
- Load balance incoming web traffic using iptables nat rules
This uses the iptables nth match, which came from the old patch-o-matic extensions and is not in mainline iptables (the stock replacement is -m statistic --mode nth). The following example load balances HTTP (tcp/80) traffic to three different IP addresses: the three rules share counter 0, so of every 3 new connections the first goes to 192.168.1.101, the second to 192.168.1.102 and the third to 192.168.1.103. DNAT only exists in the nat table, so the rules must be added with -t nat. Note too that the statistic match does not share a counter between rules, so a straight substitution of -m nth by -m statistic with --packet 0/1/2 would not split the traffic evenly
root@home# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:80
root@home# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:80
root@home# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:80
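The same round robin expressed with the mainline statistic match, as an added example that is not part of the original notes. Because every statistic rule keeps a private counter, rule i of n backends has to take every (n-i)th new connection that the earlier rules let through, and the last backend takes the remainder; the awk model at the end pushes packets through exactly that counter logic to confirm the split is even. The function names, the interface name, port and backend addresses are this example's own assumptions, passed as arguments.

```shell
#!/bin/sh
# Emit nat PREROUTING rules that spread new TCP connections to PORT across the
# backends given as arguments, using the mainline statistic match (nth mode).
# Usage: nth_lb_rules IN_IF PORT BACKEND1 BACKEND2 ...
nth_lb_rules() {
    in_if="$1"; port="$2"; shift 2
    n=$#; i=0
    for backend in "$@"; do
        # statistic counters are per rule, so rule i only sees the packets the
        # earlier rules did not take: match every (n-i)th of those.
        every=$((n - i))
        if [ "$every" -gt 1 ]; then
            printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -m conntrack --ctstate NEW -m statistic --mode nth --every %s --packet 0 -j DNAT --to-destination %s:%s\n' \
                "$in_if" "$port" "$every" "$backend" "$port"
        else
            # last backend: unconditional fallback so nothing falls through unmatched
            printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j DNAT --to-destination %s:%s\n' \
                "$in_if" "$port" "$backend" "$port"
        fi
        i=$((i + 1))
    done
}

# Model of the per-rule counters: push COUNT new connections through the rule
# set for N backends and print how many each backend received.
# Usage: simulate_nth N COUNT
simulate_nth() {
    awk -v n="$1" -v count="$2" 'BEGIN {
        for (p = 0; p < count; p++) {
            for (i = 0; i < n; i++) {
                every = n - i
                # rule i matches the first packet it sees and every "every"th after that
                if (every == 1 || (ctr[i]++ % every) == 0) { hits[i]++; break }
            }
        }
        for (i = 0; i < n; i++) printf "%s%d", (i ? " " : ""), hits[i]
        printf "\n"
    }'
}

# Example: three web backends behind eth0 (assumed addresses), then check that
# the model hands out 9 connections as 3/3/3.
nth_lb_rules eth0 80 192.168.1.101 192.168.1.102 192.168.1.103
simulate_nth 3 9
```

Pipe the emitted lines into sh on the gateway (as root) to apply them; the unconditional last rule is what keeps connections from falling through unmatched, and a DROP policy on FORWARD still needs matching ACCEPT rules for the forwarded flows.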
Port Forwarding
- The first thing to do is to enable IP forwarding in the kernel, which is done in one of the ways shown below
- Then, add a nat rule that rewrites traffic arriving on port 1111 to IP 2.2.2.2, port 2222 (DNAT only exists in the nat table, hence -t nat)
- and finally, we ask iptables to masquerade, i.e. rewrite the source address so that replies from 2.2.2.2 come back through this host. A bare POSTROUTING MASQUERADE rule as below applies to every forwarded packet; on a multi-homed box scope it with -o <interface> or -d 2.2.2.2. If the FORWARD chain's policy is DROP, the forwarded flow must also be accepted there, or nothing gets through
root@home# echo "1" > /proc/sys/net/ipv4/ip_forward
or
root@home# sysctl net.ipv4.ip_forward=1
or, to make it permanent, edit /etc/sysctl.conf and set the line
root@home# vi /etc/sysctl.conf
net.ipv4.ip_forward=1
then run
root@home# sysctl -p
root@home# iptables -t nat -A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:2222
root@home# iptables -t nat -A POSTROUTING -j MASQUERADE
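The three steps combined into one ruleset, as an added example that is not part of the original notes. It is loaded atomically with iptables-restore -n (append without flushing the existing tables), scopes the DNAT to the incoming interface, restricts MASQUERADE to the forwarded flow instead of every packet leaving the host, and adds the FORWARD rules the notes' rules rely on when the FORWARD policy is DROP. The interface eth0 and the 1111 to 2.2.2.2:2222 mapping follow the notes; the function names are this example's own.

```shell
#!/bin/sh
# Emit a port-forwarding ruleset in iptables-restore format.
# Usage: port_forward_rules WAN_IF LISTEN_PORT DEST_IP DEST_PORT
port_forward_rules() {
    wan_if="$1"; lport="$2"; dest_ip="$3"; dport="$4"
    cat <<EOF
*nat
# Rewrite the destination of connections arriving on $wan_if:$lport
-A PREROUTING -i $wan_if -p tcp --dport $lport -j DNAT --to-destination $dest_ip:$dport
# Source-NAT only the forwarded flow so replies return via this host;
# a bare "-A POSTROUTING -j MASQUERADE" would rewrite every forwarded packet
-A POSTROUTING -p tcp -d $dest_ip --dport $dport -j MASQUERADE
COMMIT
*filter
# Let the forwarded connection and its replies through FORWARD even when the
# chain's policy is DROP
-A FORWARD -i $wan_if -p tcp -d $dest_ip --dport $dport -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o $wan_if -p tcp -s $dest_ip --sport $dport -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Turn on routing (step 1) and load the rules (steps 2 and 3) in one go.
# Needs root; iptables-restore -n appends without flushing existing rules.
apply_port_forward() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    port_forward_rules "$@" | iptables-restore -n
}

# Print the ruleset for the mapping used in the notes; to apply it run, as root:
#   apply_port_forward eth0 1111 2.2.2.2 2222
port_forward_rules eth0 1111 2.2.2.2 2222
```

Lines starting with # are ignored by iptables-restore, so the generated text can be kept as-is in a file for review before loading.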
Prevent DoS Attack
- The following iptables rules help to limit a Denial of Service (DoS) flood against a web server. They work as a pair: the first accepts new connections up to the limit, the second drops the new connections that exceed it. Without the DROP rule (or a DROP default policy) the excess simply falls through to the rest of the INPUT chain and is not limited at all
root@home# iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
root@home# iptables -A INPUT -p tcp --dport 80 --syn -j DROP
In the above example:
-m limit: uses the limit match, a token bucket shared by everything the rule matches
--syn: match only connection attempts (TCP SYN); without it the limit also counts every packet of already established HTTP sessions and cuts off legitimate downloads
--limit 25/minute: the rate at which the bucket refills, i.e. the steady-state maximum of 25 new connections per minute. Change this value based on your specific requirement
--limit-burst 100: the size of the bucket. Up to 100 connections are accepted at once, and only after they are used up does the 25/minute rate apply; the bucket fills back up at that rate while traffic stays below it
Note that this is one global counter: a single flooding source exhausts the allowance for every client, which is itself a denial of service. A per-source limit with the hashlimit match (--hashlimit-mode srcip) avoids that
Log Dropped Packets
- First, create a new chain called LOGGING
- Next, append a rule at the very end of INPUT, after all the ACCEPT rules, so that everything that was not accepted jumps to the LOGGING chain (placed earlier, it would log and drop traffic you meant to allow)
- Next, log these packets with a custom "log-prefix" so they can be picked out of the kernel log (dmesg, journalctl -k or /var/log/kern.log). The limit match keeps it to 2 lines a minute so a flood cannot fill the disk, and --log-level 7 is "debug", which some syslog configurations discard
- Finally, drop these packets
root@home# iptables -N LOGGING
root@home# iptables -A INPUT -j LOGGING
root@home# iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
root@home# iptables -A LOGGING -j DROP
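What the LOGGING chain produces and a first pass at reading it, as an added example that is not part of the original notes. The kernel writes one line per logged packet in the IN=/OUT=/SRC=/DST=/PROTO=/DPT= key-value form after the prefix; the sample lines below are constructed (addresses are from documentation ranges, the MAC is made up) and the two functions, whose names are this example's own, summarise drops per source and flag sources that touched several distinct ports, the usual shape of a port scan.

```shell
#!/bin/sh
# Constructed sample of kernel log lines in the format the LOG target writes
# (what "dmesg" or "journalctl -k" would show); addresses are made up.
SAMPLE_DROPS='Mar  3 10:00:01 home kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:00:02 home kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:00:03 home kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:00:04 home kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1237 DF PROTO=TCP SPT=44324 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:00:05 home kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:06 home kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=192.168.1.10 LEN=68 TOS=0x00 PREC=0x00 TTL=48 ID=778 PROTO=UDP SPT=5353 DPT=53 LEN=48
Mar  3 10:00:07 home kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.99 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# Count dropped packets per (source, protocol, destination port).
# Reads log lines on stdin; prints "count src proto dport", busiest first.
# Packets without a DPT= field (ICMP) are kept with "-" as the port.
summarize_drops() {
    awk '/IPTables Packet Dropped: / {
        src = ""; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Flag sources seen against at least THRESHOLD distinct destination ports.
# Prints "src distinct_ports"; the default threshold of 3 is an assumption.
scan_sources() {
    awk -v thr="${1:-3}" '/IPTables Packet Dropped: / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }' | LC_ALL=C sort
}

# Example run over the constructed sample (on a live box: dmesg | summarize_drops)
printf '%s\n' "$SAMPLE_DROPS" | summarize_drops
printf '%s\n' "$SAMPLE_DROPS" | scan_sources 3
```

Because the LOG rule is rate-limited to 2 lines a minute, these counts under-report during a real flood; they are a view of what got logged, not of every packet dropped.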