Tuesday, 31 August 2010

Iptables

Iptables is a very powerful firewall. It is included in all Linux distributions nowadays.
The most detailed and comprehensive iptables manual: http://www.frozentux.net/documents/iptables-tutorial/
Here, on my page, are just some brief notes about this firewall.
Iptables consists of:
  • Tables; there are 4 tables: nat, filter, mangle, raw
  • Chains, which are part of tables
  • Matches
  • Commands
Typical iptables configuration
If you are planning to use NAT, you need to enable IP packet forwarding in the /etc/sysctl.conf file:
net.ipv4.ip_forward=1
and reboot your system, or just run the command:
sysctl -w net.ipv4.ip_forward=1
Here is the sample script for basic firewall configuration with some comments.

Setting variables and flushing all rules
#!/bin/bash
iptables="/sbin/iptables"
inet_int="eth0"            # Internet-facing interface (placeholder, adjust to your host)
inet_addr="203.0.113.10"   # public address used for SNAT (placeholder, adjust to your host)
lan_int="eth1"             # LAN-facing interface (placeholder, adjust to your host)
$iptables --flush

Configuring policies:
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP

Configuring NAT
$iptables -t nat -A POSTROUTING -o $inet_int -j SNAT --to-source $inet_addr

Rules for transit packets
$iptables -A FORWARD -i $lan_int -p tcp -m multiport --dport 25,110,5190 -j ACCEPT
$iptables -A FORWARD -i $lan_int -p udp --dport 53 -j ACCEPT
$iptables -A FORWARD -o eth1 -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $inet_int -p udp --sport 53 -j ACCEPT

Drop all packets from reserved private networks
$iptables -A INPUT -i $inet_int -s 10.0.0.0/8 -j DROP
$iptables -A INPUT -i $inet_int -s 192.168.0.0/16 -j DROP
$iptables -A INPUT -i $inet_int -s 172.16.0.0/12 -j DROP

Limiting bandwidth and number of connections
For example, let's limit the number of new connections to our SSH server to 5 connections per minute:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP

The first line adds an entry (timestamp and source IP address) to the "recent" module's list for every NEW packet with destination port TCP/22. In this example the DEFAULT list is used, but you can use your own:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ownlist 
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name ownlist -j DROP

The second line tells iptables to drop the packet if it is the fifth or later packet from that source within the last 60 seconds.
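The snippets above, assembled into one parametrised script as an added example (not the post's own script). Interface names and the public address are constructed placeholders, and it also includes the loopback and ESTABLISHED,RELATED rules the snippets leave out, without which a DROP policy on INPUT and OUTPUT cuts the host off from its own replies:

```shell
#!/bin/bash
# Added example: the post's snippets assembled into one script. Interfaces and
# the public address are placeholders; DRY_RUN=1 prints rules instead of applying them.
iptables="/sbin/iptables"
inet_int="eth0"            # Internet-facing interface (assumption)
lan_int="eth1"             # LAN-facing interface (assumption)
inet_addr="203.0.113.10"   # public address for SNAT (documentation range)

ipt() {
    # Apply one rule, or echo it when dry-running so the rule set can be reviewed.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        "$iptables" "$@"
    fi
}

build_rules() {
    ipt --flush
    ipt -t nat --flush
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    # The original snippets omit these; without them a DROP policy on INPUT and
    # OUTPUT cuts the host off from loopback and from replies to its own traffic.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Drop packets claiming a private source address on the Internet interface.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A INPUT -i "$inet_int" -s "$net" -j DROP
    done
    # SSH: a source whose 5th NEW connection arrives within 60 s is dropped;
    # the ACCEPT after the limiter is what actually admits the first four.
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name ssh -j DROP
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # NAT for LAN clients and the transit rules from the post.
    ipt -t nat -A POSTROUTING -o "$inet_int" -j SNAT --to-source "$inet_addr"
    ipt -A FORWARD -i "$lan_int" -o "$inet_int" -p tcp -m multiport --dports 25,110,5190 -j ACCEPT
    ipt -A FORWARD -i "$lan_int" -o "$inet_int" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$inet_int" -o "$lan_int" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Review with: DRY_RUN=1 ./firewall.sh    Apply with: sudo ./firewall.sh apply
if [ "${1:-}" = "apply" ] || [ "${DRY_RUN:-0}" = "1" ]; then
    build_rules
fi
```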

Limit number of connections from one IP
For example, let's limit the number of simultaneous connections from one IP address to 10:
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset

Another example: let's limit the number of connections from a class C (/24) network:
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT --reject-with tcp-reset

Redirecting ports
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Enable FTP
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
Remember, the kernel module nf_conntrack_ftp must be loaded.
