
Own Notes – Iptables

Allow Incoming SSH only from a Specific Network

    The following rules allow incoming SSH connections only from the 192.168.100.0/24 network. Note that both rules only ACCEPT: the restriction to that network holds only if the INPUT chain's default policy is DROP (or a later rule drops SSH traffic from elsewhere).

    root@home# iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    root@home# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Combine Multiple Rules Together using MultiPorts

    The following example allows all incoming SSH, HTTP and HTTPS traffic in a single rule. The multiport match accepts up to 15 ports per rule.

    root@home# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
    root@home# iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

Load Balance Incoming Web Traffic

    Load balance incoming web traffic using iptables firewall rules.
    This uses the iptables nth extension. The following example load balances HTTP (tcp/80) traffic across three different IP addresses: of every three packets matched (with --state NEW, effectively every three new connections), the first is sent to the first server, the second to the second and the third to the third, all three rules sharing counter 0. DNAT is only valid in the nat table, so -t nat is required.

    root@home# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:80
    root@home# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:80
    root@home# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:80

    Note that the nth match is not part of stock iptables (it came from the patch-o-matic add-ons). Stock iptables provides -m statistic --mode nth --every N --packet P instead, but that match keeps a separate counter per rule rather than a shared one, so with statistic the three rules are written as --every 3 --packet 0, then --every 2 --packet 0, then an unconditional DNAT for the remainder.

Port Forwarding

  1. The first thing to do is to enable IP forwarding. This is done either with

     root@home# echo "1" > /proc/sys/net/ipv4/ip_forward

     or

     root@home# sysctl net.ipv4.ip_forward=1

     or permanently, by editing /etc/sysctl.conf and setting the specified line to

     root@home# vi /etc/sysctl.conf
     net.ipv4.ip_forward=1

     then running

     root@home# sysctl -p

  2. Then, add a rule to forward the traffic arriving on port 1111 to ip 2.2.2.2 on port 2222

     root@home# iptables -t nat -A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:2222

  3. And finally, ask iptables to masquerade, so that 2.2.2.2 sees this host as the source and its replies come back through it

     root@home# iptables -t nat -A POSTROUTING -j MASQUERADE

     Without -o, this MASQUERADE rule rewrites the source address of every packet leaving the host through any interface; in practice restrict it to the outgoing interface (e.g. -o eth0). The forwarded packets also pass through the FORWARD chain, which must accept them if its policy is DROP.

Prevent DoS Attack

    The following iptables rule will help to prevent a Denial of Service (DoS) attack on a webserver by rate-limiting port 80 traffic

    root@home# iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

    In the above example:
    -m limit: This uses the limit iptables extension, a token bucket that refills at the --limit rate
    --limit 25/minute: Once the burst is used up, the rule matches at most an average of 25 packets per minute. Change this value based on your specific requirement
    --limit-burst 100: The bucket size. Up to 100 packets match immediately; only after that many have arrived in quick succession is the 25/minute rate enforced

    Two things to keep in mind. The rule only ACCEPTs, so packets beyond the rate simply fall through to the rules after it and are only stopped if a later rule (or a DROP default policy) drops the remaining port-80 traffic. And because it counts every packet rather than new connections, it also throttles established sessions; matching only connection attempts (add --syn or -m state --state NEW) limits the rate of new connections instead.

Log Dropped Packets

  1. First, create a new chain called LOGGING

     root@home# iptables -N LOGGING

  2. Next, make sure all the remaining incoming packets jump to the LOGGING chain. Append this after all ACCEPT rules, so that only traffic that matched nothing else reaches it

     root@home# iptables -A INPUT -j LOGGING

  3. Next, log these packets by specifying a custom "log-prefix". The limit match caps log entries at 2 per minute so a flood cannot fill the disk; log-level 7 is the kernel debug level, and the messages appear in the kernel ring buffer (dmesg) and syslog

     root@home# iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7

  4. Finally, drop these packets (unlike the LOG rule, this one is not rate-limited, so everything reaching the chain is dropped)

     root@home# iptables -A LOGGING -j DROP
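An added example (not part of the original notes) showing how to review what the LOGGING chain records: a POSIX shell/awk script that counts dropped packets per source, protocol and destination port. It assumes the "IPTables Packet Dropped: " prefix above and the standard kernel LOG line layout (IN= OUT= SRC= DST= PROTO= SPT= DPT= ...); the log lines in sample_log are constructed, not captured.

```shell
#!/bin/sh
# Added example: summarise packets dropped by the LOGGING chain.
# Assumes the LOG rule's prefix "IPTables Packet Dropped: " and the usual
# kernel LOG field layout. On a real host: summarize_drops < /var/log/kern.log
PREFIX="IPTables Packet Dropped: "

# Read syslog/kernel lines on stdin; print "<count> <src> <proto> <dport>",
# busiest source/port pairs first. Lines without the prefix are ignored.
summarize_drops() {
    grep -F -- "$PREFIX" | awk '
    {
        src = ""; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample input (not real logs); the third line carries no prefix
# and must be skipped by the summary.
sample_log() {
    cat <<'EOF'
Mar  3 10:15:22 home kernel: [1201.5] IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:23 home kernel: [1202.1] IPTables Packet Dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 LEN=78 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=5353 DPT=161 LEN=58
Mar  3 10:15:24 home kernel: [1203.0] eth0: link is up
Mar  3 10:15:25 home kernel: [1204.2] IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:26 home kernel: [1205.4] IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=2323 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:27 home kernel: [1206.0] IPTables Packet Dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 LEN=78 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=5353 DPT=161 LEN=58
Mar  3 10:15:28 home kernel: [1207.3] IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44324 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# Demo run over the constructed sample.
sample_log | summarize_drops
```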
