61

I'm sure Linux sysadmins are quite familiar with iptables, the userland interface to the netfilter packet-filtering framework.

Now, this "Question" is meant to be a Community Wiki for collecting together various bits-n-pieces of iptables wisdom. Nothing is too common or too obscure. Post anything you know that would help others make the most of iptables.

pepoluan
  • 4,918
  • 3
  • 43
  • 71

18 Answers18

27

Using whitelist and blacklist with iptables

#!/bin/bash

WHITELIST=/whitelist.txt
BLACKLIST=/blacklist.txt

#THIS WILL CLEAR ALL EXISTING RULES!
echo 'Clearing all rules'
iptables -F

#
## Whitelist
#

for x in `grep -v ^# $WHITELIST | awk '{print $1}'`; do
        echo "Permitting $x..."
        $IPTABLES -A INPUT -t filter -s $x -j ACCEPT
done

#
## Blacklist
#

for x in `grep -v ^# $BLACKLIST | awk '{print $1}'`; do
        echo "Denying $x..."
        $IPTABLES -A INPUT -t filter -s $x -j DROP
done

Script to open ports

#!/bin/bash
ALLOWEDTCP="80 3128 3784"
ALLOWEDUDP="3128 3784"

#
## Permitted Ports
#

for port in $ALLOWEDTCP; do
       echo "Accepting port TCP $port..."
       $IPTABLES -A INPUT -t filter -p tcp --dport $port -j ACCEPT
done

for port in $ALLOWEDUDP; do
        echo "Accepting port UDP $port..."
        $IPTABLES -A INPUT -t filter -p udp --dport $port -j ACCEPT
done

Blocking portscan

# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
iptables -A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
iptables -A INPUT   -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

Spoofed/Invalid packets

# Reject spoofed packets
# These adresses are mostly used for LAN's, so if these would come to a WAN-only server, drop them.
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP

#Multicast-adresses.
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

# Drop all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

Block Smurf attacks

# Stop smurf attacks
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -j DROP

# Drop excessive RST packets to avoid smurf attacks
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

Block ICMP (aka ping)

# Don't allow pings through
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
Bart De Vos
  • 17,761
  • 6
  • 62
  • 81
  • 4
    Consider adding a comment to the "spoofed" comments, so that less experienced users know why the source addresses are considered spoofed (...when arriving on a wan interface). – 3molo Mar 10 '11 at 15:07
  • 1
    Good call :-). Done. – Bart De Vos Mar 10 '11 at 16:11
  • wait. Isn't Block ICMP (aka ping) line redundant to Block smurf attack line: iptables -A INPUT -p icmp -m icmp -j DROP ? – Stann Mar 31 '11 at 03:14
  • also - here is the explanation for many items described here: http://www.newartisans.com/2007/09/neat-tricks-with-iptables.html – Stann Mar 31 '11 at 07:01
  • @Andre: Sure, it's redundant. Some people might only want to block ICMP, that's why I mentioned it ;-) – Bart De Vos Mar 31 '11 at 07:30
  • 2
    Re the whitelist script: Theres `iptables` on line 8, and then `$IPTABLES` later on. Is it enough just to use `iptables` everywhere? Otherwise I suppose you'd need to assign something like `IPTABLES=/sbin/iptables` right? – UpTheCreek Apr 25 '13 at 09:34
  • Correct, @UpTheCreek. – Bart De Vos Apr 25 '13 at 11:31
  • 1
    I would not block portscans that way. Instead have something that will accept tcp/udp connections and looks for multiple related packets. tcp is easy, just look for established to those ports. Anything else, others can test for this with spoofed packets and block anything you didn't whitelist, such as your gateway. – Aaron May 15 '17 at 00:52
  • On blocking portscan: "--dport 139"... copy & paste from the man page, huh? Or, still [netbios paranoia](https://serverfault.com/questions/29065/is-port-139-still-vulnerable)... wait, then one should not have man pages at all ;-) – sphakka Nov 05 '18 at 14:16
  • @Aaron, would you please expand on your comment with some real examples on blocking portscans? – sphakka Nov 05 '18 at 14:19
  • I really wish people would stop advising blocking ICMP full stop. Fine filter fragmented ICMP but not ICMP in full. It's meant for network error reporting. And as for Smurf I'm at loss here. It's been a very long time since I've seen the source code but I don't recall it ever using TCP and certainly not RST. Its counterpart Fraggle uses UDP that much I do remember for certain. And yes if private addresses come on the WAN side that's not good but you don't specify this specifically in the rules so it would block all. – Pryftan Nov 24 '19 at 15:50
26

Optimize netfilter's Performance Using ipset

If you write a lot of similar rules based on mere IP, port, or both, consider using ipset to optimize netfilter's performance.

For example:

iptables -s 192.168.1.11 -j ACCEPT
iptables -s 192.168.1.27 -j ACCEPT
iptables -s 192.168.1.44 -j ACCEPT
... hundreds of similar rules ...
iptables -s 192.168.251.177 -j ACCEPT

This means that a packet with the source address of 192.168.251.177 must first traverse hundreds of rules before it can get its verdict of ACCEPT.

Of course, experienced sysadmins will split the rules by subnet. But that still means hundreds of rules.

ipset to the rescue!

First, define an IP Set of ipmap type:

ipset -N Allowed_Hosts ipmap --network 192.168.0.0/16

Then, populate it with the addresses:

for ip in $LIST_OF_ALLOWED_IP; do ipset -A Allowed_Hosts $ip; done

Finally, replace the hundreds of iptables rules above with one rule:

iptables -m set --match-set Allowed_Hosts src -j ACCEPT

When a packet arrives, netfilter will perform a very quick bitmap search for the packet's source (src) IP against the Allowed_Hosts IP Set. All packets coming from 192.168.0.0/16 will experience one rule. And do believe me that searching a bitmap is at least two order of magnitudes faster than performing hundreds of iptables rule-checking.

ipset is not limited to IP addresses. It can also match based on ports, IP-port tuple, network/subnet addresses, IP-MAC tuple, and so on and so forth. And it can match those criteria as source or destination or a mix of both (in the case of tuples).

And finally, with ipset you can automatically put IP addresses in blacklists/whitelists. These blacklists/whitelists can also 'age', thus automatically deleting the IP address after a configurable amount of time has passed.

Please refer to ipset's man page for more details.

VERY IMPORTANT NOTE:

Some Linux distros may not have 'out-of-the-box' support for ipset (e.g. Ubuntu 10.04 had this issue). On these systems one method is to install ipset from source code.

Instead, download ipset's source from its website: http://ipset.netfilter.org/install.html

Alternatively, if you use xtables-addons, ipset is included in its source: http://xtables-addons.sourceforge.net/

0xC0000022L
  • 1,456
  • 2
  • 20
  • 41
pepoluan
  • 4,918
  • 3
  • 43
  • 71
  • 3
    That's a real pity it's not supported by default on Debian and Ubuntu. I thought you were going to list some obsure distros :/ – UpTheCreek Apr 25 '13 at 07:44
  • @UpTheCreek I've edited my answer... the 'special note' was applicable during time of posting the answer, but no longer applicable now. – pepoluan Mar 10 '14 at 12:40
22

Add comments to your rules:

-m comment --comment "Comments help to read output of iptables -nvL"
alexm
  • 458
  • 3
  • 11
18

Block Well-Known TCP Attacks

Add the following rules, preferably in -t raw -A PREROUTING

-p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP

The attacks being blocked are, respectively:

  • SYN-FIN attack
  • SYN-RST attack
  • X-Mas attack
  • nmap FIN scan
  • NULLflags attack
  • ALLflags attack

(feel free to edit the names of the attacks above)

pepoluan
  • 4,918
  • 3
  • 43
  • 71
  • 4
    The `-p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP` could be removed, as the `-p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP` will catch every packet it could block. –  Nov 19 '12 at 14:26
  • 4
    According to http://security.stackexchange.com/questions/4603/tips-for-a-secure-iptables-config-to-defend-from-attacks-client-side. "There is no need to drop invalid or malformed packets, all of these attacks are a decade old. The Linux kernel devs are much more up to date than you concerning which kind of packets are valid and which not. "What about future flaws", some might argue. Well, how do you know the future flaw will be in the TCP handler and not in the iptables TCP parser?" – hookenz Apr 23 '15 at 20:30
  • 2
    @VlastimilBurian _theoretically_ they are no longer needed. But adding these set of rules neither slows down the network nor increase CPU Load, so I see no reasons not to add them and forget about them – pepoluan Dec 05 '16 at 10:59
  • 1
    For `FIN,SYN,RST,PSH,ACK,URG` you should be able to replace it with just `ALL`. – Pryftan Dec 19 '19 at 14:00
7

Enabling NAT

  1. echo 1 > /proc/sys/net/ipv4/ip_forward
  2. /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Step 1 sets the kernel parameter to allow for ip forwarding, step 2 sets up an iptables rule that enables NAT on interface eth0.

Kenny Rasschaert
  • 8,925
  • 3
  • 41
  • 58
  • 5
    That won't be persistent through a reboot, will it? You need to edit `/etc/sysctl.conf` `net.ipv4.ip_forward = 1`. (Assuming Red Hat or derivative.) – Aaron Copley Apr 03 '11 at 14:48
6

Block ICMP attacks

Add the following rules, preferably in -t raw -A PREROUTING

-p icmp -m u32 ! --u32 "4&0x3FFF=0"   -j DROP
-p icmp -m length --length 1492:65535 -j DROP

The first rule blocks all ICMP packets whose "fragmentation flag" is not 0. (ICMP should never be fragmented; they should be carrying small payloads)

The second rule blocks oversized unfragmented ICMP packets.

pepoluan
  • 4,918
  • 3
  • 43
  • 71
5

(from my iptables_tricks.txt file, recompiled from a lot of places :P)

Makes iptables wait 15 seconds between new connections from the same IP on port 22 (SSH):

 iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
 iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
0xC0000022L
  • 1,456
  • 2
  • 20
  • 41
boris quiroz
  • 1,140
  • 1
  • 7
  • 18
  • 1
    Same, but with counting of attempts: `-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH` `-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP` – alexm Apr 25 '11 at 06:15
4

IPTABLES video tutorials

Episode 1 http://www.youtube.com/watch?v=ldB8kDEtTZA&feature=player_embedded

Episode 2 http://www.youtube.com/watch?v=aDaEXxRHeXY&feature=related

Final episode

http://www.youtube.com/watch?v=JojqHKcSxpo&feature=player_embedded

Will be a good start for any newbie.

Registered User
  • 1,453
  • 5
  • 18
  • 37
4

using FireHOL - convenient iptables wrapper

I found it much more intuitive than direct iptables commands. Especially for people with past experience with other firewalls:

FireHOL is an iptables firewall generator producing stateful iptables packet filtering firewalls, on Linux hosts and routers with any number of network interfaces, any number of routes, any number of services served, any number of complexity between variations of the services (including positive and negative expressions).

UpTheCreek
  • 1,598
  • 10
  • 31
  • 45
Ophir Yoktan
  • 175
  • 1
  • 8
  • 2
    I prefer Shorewall which is actively developed, supports IPv4 and IPv6, and can generate firewalls for other iptables systems. – BillThor Mar 10 '11 at 16:52
4

IP sets revisited

There is already an answer mentioning IP sets. However, it's rather one-dimensional in that it focuses on the performance gains over classic rules and the fact that IP sets mitigate the problem one has with lots of individual IP address that cannot easily be expressed as a subnet in CIDR notation.

Notation used below

For ipset I will use the notation read by ipset restore and written by ipset save.

Correspondingly for iptables (and ip6tables) rules I will use the notation as read by iptables-restore and written by iptables-save. This makes for a shorter notation and it allows me to highlight potential IPv4-only (prefixed -4) or IPv6-only (prefixed -6) rules.

In some examples we'll divert the packet flow into another chain. The chain is assumed to exist at that point, so the lines to create the chains are not produced (nor is the table name mentioned or the commands COMMIT-ted at the end).

Advanced IP sets

IP sets can do a lot more than was mentioned in the other answer and you should definitely read the IP set documentation (ipset(8)) along with iptables-extensions(8) in addition to this brief entry here.

For example I'll mainly focus on three set types: hash:ip, hash:net and list:set, but there are more than those and they all have valid use cases.

You can for example also match port numbers, not just IP addresses.

Saving and restoring IP sets as with iptables-save and iptables-restore

You can create IP set declarations in bulk and import them by piping them into ipset restore. If you want to make your command more resilient against already existing entries, use ipset -exist restore.

If your rules are in a file called default.set you'd use:

ipset -exist restore < default.set

A file like that can contain entries to create sets and to add entries into them. But generally most of the commands from the command line seem to have a corresponding version in the files. Example (creating a set of DNS servers):

create dns4 hash:ip family inet
create dns6 hash:ip family inet6
# Google DNS servers
add dns4 8.8.8.8
add dns4 8.8.4.4
add dns6 2001:4860:4860::8888
add dns6 2001:4860:4860::8844

Here one set is created for IPv4 (dns4) and one for IPv6 (dns6).

Timeouts on IP sets

Timeouts in IP sets can be set as a default per set and also per entry. This is very useful for scenarios where you want to block someone temporarily (e.g. for port-scanning or attempting to brute-force your SSH server).

The way this works is as follows (default during creation of IP sets):

create ssh_loggedon4 hash:ip  family inet  timeout 5400
create ssh_loggedon6 hash:ip  family inet6 timeout 5400
create ssh_dynblock4 hash:ip  family inet  timeout 1800
create ssh_dynblock6 hash:ip  family inet6 timeout 1800

We'll get back to these particular sets below and the rationale as to why they're set the way they are.

If you wanted to set your timeout for a particular IP address, you could simply say:

add ssh_dynblock4 1.2.3.4 timeout 7200

To block IP 1.2.3.4 for two hours instead of the (set) default half hour.

If you were to look at that with ipset save ssh_dynblock4 after a short while, you'd see something along the lines of:

create ssh_dynblock4 hash:ip family inet hashsize 1024 maxelem 65536 timeout 1800
add ssh_dynblock4 1.2.3.4 timeout 6954

Timeout caveats

  • timeouts are a feature on any given set. If the set was not created with timeout support you'll receive an error (e.g. Kernel error received: Unknown error -1).
  • timeouts are given in seconds. Use Bash arithmetic expressions to get from minutes to seconds, for example. E.g.: sudo ipset add ssh_dynblock4 1.2.3.4 timeout $((120*60))

Checking whether an entry exists in a given IP set

Inside of your scripts it can be useful to see whether an entry already exists. This can be achieved with ipset test which returns zero if the entry exists and non-zero otherwise. So the usual checks can be applied in a script:

if ipset test dns4 8.8.8.8; then
  echo "Google DNS is in the set"
fi

However, in many cases you'll rather want to use the -exist switch to ipset in order to direct it not to complain about existing entries.

Populating IP sets from iptables rules

This, in my opinion, is one of the killer features of IP sets. Not only can you match against the entries of an IP set, you can also add new entries to an existing IP set.

For example in this answer to this question you have:

-A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
-A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

... with the intention to rate-limit connection attempts to SSH (TCP port 22). The used module recent keeps track of recent connection attempts. Instead of the state module, I prefer the conntrack module, however.

# Say on your input chain of the filter table you have
   -A INPUT -i eth+ -p tcp --dport ssh -j SSH
# Then inside the SSH chain you can
# 1. create an entry in the recent list on new connections
   -A SSH -m conntrack --ctstate NEW -m recent --set --name tarpit
# 2. check whether 3 connection attempts were made within 2 minutes
#    and if so add or update an entry in the ssh_dynblock4 IP set
-4 -A SSH -m conntrack --ctstate NEW -m recent --rcheck --seconds 120 --hitcount 3 --name tarpit -j SET --add-set ssh_dynblock4 src --exist
-6 -A SSH -m conntrack --ctstate NEW -m recent --rcheck --seconds 120 --hitcount 3 --name tarpit -j SET --add-set ssh_dynblock6 src --exist
# 3. last but not least reject the packets if the source IP is in our
#    IP set
-4 -A SSH -m set --match-set ssh_dynblock4 src -j REJECT
-6 -A SSH -m set --match-set ssh_dynblock6 src -j REJECT

In this case I am redirecting the flow to the SSH chain such that I don't have to repeat myself with -p tcp --dport ssh for every single rule.

To reiterate:

  • -m set makes iptables aware that we're using switches from the set module (which handles IP sets)
  • --match-set ssh_dynblock4 src tells iptables to match the source (src) address against the named set (ssh_dynblock4)
    • this corresponds to sudo ipset test ssh_dynblock4 $IP (where $IP contains the source IP address for the packet)
  • -j SET --add-set ssh_dynblock4 src --exist adds or updates the source (src) address from the packet into the IP set ssh_dynblock4. If an entry exists (--exist) it will simply be updated.
    • this corresponds to sudo ipset -exist add ssh_dynblock4 $IP (where $IP contains the source IP address for the packet)

If you wanted to match the target/destination address instead, you'd use dst instead of src. Consult the manual for more options.

Sets of sets

IP sets can contain other sets. Now if you followed the article up to here you'll have wondered whether it's possible to combine sets. And of course it is. For the IP sets from above we can create two joint sets ssh_dynblock and ssh_loggedon respectively to contain the IPv4-only and IPv6-only sets:

create ssh_loggedon4 hash:ip  family inet  timeout 5400
create ssh_loggedon6 hash:ip  family inet6 timeout 5400
create ssh_dynblock4 hash:ip  family inet  timeout 1800
create ssh_dynblock6 hash:ip  family inet6 timeout 1800
# Sets of sets
create ssh_loggedon  list:set
create ssh_dynblock  list:set
# Populate the sets of sets
add ssh_loggedon ssh_loggedon4
add ssh_loggedon ssh_loggedon6
add ssh_dynblock ssh_dynblock4
add ssh_dynblock ssh_dynblock6

And the next question that should pop up in your mind is whether this allows us to match and and manipulate IP sets in an IP version-agnostic fashion.

And the answer to that is a resounding: YES! (alas, this wasn't documented explicitly last time I checked)

Consequently the rules from the previous section can be rewritten to read:

-A INPUT -i eth+ -p tcp --dport ssh -j SSH
-A SSH -m conntrack --ctstate NEW -m recent --set --name tarpit
-A SSH -m conntrack --ctstate NEW -m recent --rcheck --seconds 120 --hitcount 3 --name tarpit -j SET --add-set ssh_dynblock src --exist
-A SSH -m set --match-set ssh_dynblock src -j REJECT

which is a lot more concise. And yes, this is tried and tested and works like a charm.

Putting it all together: SSH brute-force defense

On my servers I have a script run as a cron job which takes a bunch of host names and resolves those to IP addresses, then feeding it into the IP set for "trusted hosts". The idea is that trusted hosts get more attempts to log into the server and aren't necessarily blocked out for as long as anybody else.

Conversely I have whole countries blocked out from connecting to my SSH server, with the (potential) exception of trusted hosts (i.e. order of rules matters).

However, that is left as an exercise for the reader. Here I'd like to add a neat solution that will use the sets contained in the ssh_loggedon set to allow subsequent connection attempts to be handed through and not be subject to the same scrutiny as the other packets.

It is important to remember the default timeouts of 90 minutes for ssh_loggedon and 30 minutes for ssh_dynblock when looking at the following iptables rules:

-A INPUT -i eth+ -p tcp --dport ssh -j SSH
-A SSH -m set --match-set ssh_loggedon src -j ACCEPT
-A SSH -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A SSH -m conntrack --ctstate NEW -m recent --set --name tarpit
-A SSH -m conntrack --ctstate NEW -m recent --rcheck --seconds 120 --hitcount 3 --name tarpit -j SET --add-set ssh_dynblock src --exist
-A SSH -m set --match-set ssh_dynblock src -j REJECT

By now you should ask yourself how the connecting IP address ends up in the ssh_loggedon sub-sets. So read on ...

Bonus: adding the IP you log in with during SSH logon

If you have experimented with sshrc and friends, you'll have learned of its shortcomings. But PAM comes to the rescue. A module named pam_exec.so allows us to invoke a script during SSH logon at a point where we know that the user is admitted in.

In /etc/pam.d/sshd below the pam_env and pam_selinux entries add the following line:

session    optional     pam_exec.so stdout /path/to/your/script

and make sure that your version of the script (/path/to/your/script above) exists and is executable.

PAM uses environment variables to communicate what's going on, so you can use a simple script like this one:

#!/bin/bash
# When called via pam_exec.so ...
SETNAME=ssh_loggedon
if [[ "$PAM_TYPE" == "open_session" ]] && [[ -n "$PAM_RHOST" ]]; then
    [[ "x$PAM_RHOST" != "x${PAM_RHOST//:/}" ]] && SETNAME="${SETNAME}6" || SETNAME="${SETNAME}4"
    ipset -exist add $SETNAME "$PAM_RHOST"
fi

Unfortunately the ipset utility doesn't seem to have the built-in smarts of netfilter. So we need to distinguish between IPv4 and IPv6 IP set when adding our entry. Otherwise ipset will assume we want to add another set to the set of sets, instead of the IP. And of course it's unlikely that there would be a set named after an IP :)

So we check for : in the IP address and append 6 to the set name in such case and 4 otherwise.

The end.

0xC0000022L
  • 1,456
  • 2
  • 20
  • 41
3

Another GUI that can be used to configure iptables is Firewall Builder. It lets users create rule elements as objects in a database and then drag-and-drop these objects into a rules editor to create the desired firewall policy. The application then generates a script file with all the iptables commands required to implement the rules.

Unlike some other iptables GUI solutions where you can only manage one iptables configuration at a time, with Firewall Builder you can manage a large number of iptables configurations all from a single application. Firewall Builder runs on Linux, Windows and Mac OS X, has been around for over 10 years and has thousands of active users around the world.

Full Disclosure - I'm the co-founder of NetCitadel which is the company that develops Firewall Builder.

Mike H.
  • 106
  • 1
2

log outgoing connection with uid

iptables -A OUTPUT -m state --state NEW -m tcp -p tcp -m limit --limit 5/m -j LOG --log-uid --log-prefix="outgoing connection: "

port/connection forwarding:

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 10.0.1.7:80
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT
kofemann
  • 4,308
  • 1
  • 21
  • 27
  • 2
    I prefer the `NFLOG` target. It allows a longer line prefix and the user mode daemon can log to databases as well. – 0xC0000022L Mar 20 '15 at 11:18
2

Match several interface names with a wildcard

Example: you have eth0 and eth1 and would like to allow any traffic between them?

iptables -A FORWARD -i eth+ -o eth+ -j ACCEPT

I've used this in the past in order to match the veth<something> interfaces dynamically created and named by LXC. So I can match all at once with veth+.

I also intentionally named some interfaces _<something> in order to match against _+.

0xC0000022L
  • 1,456
  • 2
  • 20
  • 41
  • Is this a regexp or is it something else? Ah, in your final sentence it seems that maybe you do though that also sounds like a glob. It doesn't concern any of my boxes but maybe clarifying if it's a regexp would be of use to some? – Pryftan Dec 19 '19 at 13:46
2

Limiting all individual IP addresses to an outbound bandwidth quota with IP Sets

You may please to configure your server to only allow each individual IP 15GiByte of bandwidth usage per month, in hopes to reflect or dodge a bandwidth usage attack, perhaps for your metered bandwidth quota at your ISP. It can be accomplished as the following:

First create the IP sets for IPv4 and IPv6:

ipset create IP_QUOTA_SET_OUT hash:ip timeout 345600 counters
ipset create IP_QUOTA_SET_OUT_INET6 hash:ip timeout 345600 counters family inet6

Now add your iptables rules. The first line will add the IP to the set if it is not already there. The second line will not match if the bytes transferred for the IP in the set is greater than the amount specified. Then the same is done alike for IPv6.

iptables -I OUTPUT -m set ! --match-set IP_QUOTA_SET_OUT dst -j SET --add-set IP_QUOTA_SET_OUT dst --timeout 345600
iptables -I OUTPUT -m set --match-set IP_QUOTA_SET_OUT dst --bytes-gt 16106127360 -j DROP

ip6tables -I OUTPUT -m set ! --match-set IP_QUOTA_SET_OUT_INET6 src -j SET --add-set IP_QUOTA_SET_OUT_INET6 src --timeout 345600
ip6tables -I OUTPUT -m set --match-set IP_QUOTA_SET_OUT_INET6 src --bytes-gt 16106127360 -j DROP

This will prevent attacks such as a user requesting a large file from your webserver for a long period of time, or from any service for that matter. The same can be done for the INPUT chain.

infinmed
  • 17
  • 4
1

Block uncommon MSS values

iptables -t mangle -A PREROUTING -p tcp \
-m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

SYNPROXY target for DDos protection

The purpose of this target is to check does host that sent SYN packet establishes the connection or does nothing after initiating SYN connection. If it does nothing, it discards the packet with minimal effort.

Set syn packets to connection tracking table in the raw table

iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 --syn -j CT --notrack

Enable synproxy for http server:

iptables -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate INVALID,UNTRACKED \
-j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460

Resource : SYNPROXY target from RHEL blog

fugitive
  • 125
  • 6
0

Something I do, mainly because of my ignorance of a more elegant solution, is to manually check my Nginx logs every 4 hours and the mail server logs every 2 minutes for excessive access by individual IP's. I run a few scripts together that:

  1. Check the access.log and list off the top 10 IP's organized by how many hits they have to the server
  2. Dump the results into a log file
  3. Have another script look at that log file and ban any IP that has hit the server more than X amount of times over the past X hours
  4. Save my iptables.save

Here's what it looks like:

autoBanIPs_mail.sh
#!/bin/bash

# This script checks the last 2 minutes of log entries to see if any 
# IP has made over 99 connections

now=$(date +"%m_%d_%Y")

/root/bin/checkBadIPs_mail.sh > /home/ipChecker/ipcheckMAIL_$now.txt
cat /home/ipChecker/ipcheckMAIL_$now.txt | \
    grep " \\(\\([9][9]\\)\\|\\([0-9][0-9][0-9]\\+\\)\\) " | \
    awk '{print $2}' > /home/ipChecker/badMailIPs_$now.sh
sed -i "s/^/\/usr\/local\/sbin\/blockIP /g" /home/ipChecker/badMailIPs_$now.sh
/bin/bash /home/ipChecker/badMailIPs_$now.sh
cat /home/ipChecker/ipcheckMAIL_$now.txt >> /home/ipChecker/ipcheckMAIL_$now.log
rm /home/ipChecker/ipcheckMAIL_$now.txt
rm /home/ipChecker/badMailIPs_$now.sh
checkBadIPs_mail.sh

One thing that is VERY important to note here is that you NEED to setup a whitelist or you are going to start blocking a lot of authentic IP's from servers that you just receive a lot of email from or in the case of other logs, IP's that just hit your server a lot for legitimate reasons. My whitelist is just built into this script by adding grep pipes right after | grep ']' | that look something like this "grep -v 127.0 |".
You need to take the time to teach your server which high traffic IP's are legit and which aren't. For me this meant that I had to spend the first week or so checking my logs manually every couple of hours, looking up high traffic ip's on iplocation.net and then adding the legit ones like amazon, box.com or even my home/office IP ranges to this whitelist. If you don't you will likely be blocked from your own server or you are going to start blocking legit mail/web servers and cause interruptions in email or traffic.

cat /var/log/mail.log | awk \
    -v d1="$(date --date="-2 min" "+%b %_d %H:%M")" \
    -v d2="$(date "+%b %_d %H:%M")" \
    '$0 > d1 && $0 < d2 || $0 ~ d2' | \
    grep '\[' | grep '\]' | \
    grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v 127.0 | \
    awk '{print $1}' | sort | uniq -c | sort -n | tail -10
BlockIP
#!/bin/bash
sudo iptables -I INPUT -s $1 -j DROP
sudo bash -c "iptables-save > /etc/network/iptables.save"

Again I know this is crude as hell and there is probably a nice clean efficient protocol that does all of this but I didn't know about it and this thing has been going for a year or two now and keeping the bad guys at bay. The one thing I would very SERIOUSLY recommend is that you have a proxy or another server in the wings that you can use to access your main server.. The reason being is that if you are doing web development one day out of the blue and you ping your self 2000 times in 5 hours for some testing you could get blocked with no way back in except for a proxy.

You can see that in checkBadIPs.sh I've put grep -v 127.0 and in my actual files I have a ton of ignore rules for my own IP's and other trusted IP ranges but sometimes your IP changes, you forget to update and then you're locked out of your own server.

Anyways, hope that helps.

UPDATE

I have changed things a little bit so that now instead of checking every couple hours I have some logs checked every 2 minutes, mainly my ssh auth log and the mail log as they were getting pounded :(.

I setup specific scripts for each log file although it would be easy enough from the manual script I use myself when wanting to inspect logs. Looks like this:

#!/bin/bash

log=$1 time=$2

cat /var/log/${log} | awk \
    -v d1="$(date --date="-${time} min" "+%b %_d %H:%M")" \
    -v d2="$(date "+%b %_d %H:%M")" \
    '$0 > d1 && $0 < d2 || $0 ~ d2' | \
    grep '\[' | grep '\]' | \
    grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | \
    sort | uniq -c | sort -n | tail -10

This requires 2 inputs when run, the log file you want to scan and how far back into the past you want to scan.

So if I wanted to check mail.log for the ip counts say 75 minutes into the past I would run:

$ sudo script.sh mail.log 75
unc0nnected
  • 125
  • 5
  • A quick bit of googling found me this, which seems to do what I described above: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/ – unc0nnected Aug 22 '14 at 16:20
  • 1
    Nice! I'd use `ipset` rather than elongating the iptables chain, but the idea is great and I think I'll apply them to my production servers. Thanks for sharing! – pepoluan Aug 23 '14 at 14:48
  • 2
    I just read about ipset for the first time the other day and was gleefully delighted to learn about what it does.. I'm a little scared to implement it just because I'll probably muck it up in the beginning and shut the server down but it's on my list of things to learn here. That being said my iptable chain is probably around 30-40 items and only gets 1 new one every day or two so it's not at a point that I'm overly worried. – unc0nnected Aug 24 '14 at 19:05
  • Have you considered fail2ban? – chicks Dec 12 '14 at 07:55
0

I agree with the comments about ipsets and tcp flags, but there’s still a lot missing:

Use xtables-addons geoip match instead of ipsets for country lists. Update the geoip data regularly (at least once per month). The data is more dynamic that a fire-and-forget ipset list.

Consider connection state tracking with tcp flags. For example, a tcp RST or ACK only makes sense for an established connection. SYN makes sense only for new and related connections. A SYN for an established connection means either your SYN+ACK was lost or a hack attempt and should be reset as both sides of the connection don’t agree as to state.

Although none, SYN+RST and FIN+RST are illegal combinations, SYN+FIN is valid now under TCP fast-open (TCP option 34), especially for DNS. SYN packets, even with fast-open, should not be fragmented. I do not consider rules with the PSH and URG flags as useful. Don’t confuse connection tracking state with TCP state: An RST response to a SYN packet is established for tracking purposes.

SYNPROXY is for forwarded packets and adds nothing for locally delivered ones beyond syncookie support.

ICMP error packets will always be in the related state and of length 48:576 if they are valid. Length 84:1280 for IPv6. All others should be ignored. As their maximum size is also the minimum MTU, they should never be fragmented. ICMP requests (pings, timestamps, etc.) will always be new, and replies established. Drop ICMP packets in other states.

Like the SSH example with a recent list and accepting only subsequent SYN packets, the same should be done for SMTP, and is similar to “greylisting” on the IP address datum alone.

In the filter table, the first (or second, if accepting established state packets first) rule in the input and output chains should accept everything on the loopback interface. You should trust your own internal packets. If you can’t, you have bigger problems beyond a firewall solution.

Lastly, don’t blindly copy rules unless you really understand what they do. So many similar lists of rules do that, and most of the time, the result is laughable.

MR.X
  • 1
  • Your assumption that the definitions for IP sets aren't updated (per-country lists) is one you made up. It's perfectly possible to manage this without geoip. But in general I think the whole scheme with geo-locating the peer is doomed to failure with IPv6 anyway. So no point in using that. Rather be smart how you react to "naughty" behavior ... – 0xC0000022L Aug 23 '20 at 23:26
-2
#!/bin/bash
# The following iptables/ip6tables configurations have
# been kindly shared with us from ArckWiki. There are
# a few additions apart from what has been defined.
#
#=================Flush current definitions==============
    iptables -F
    ip6tables -F
    iptables -X
    ip6tables -X

#
#=================Chains=================================
#
#----Define chains for opened ports
    iptables -N TCP
    ip6tables -N TCP
    iptables -N UDP
    ip6tables -N UDP

#
#----Setting up the filter table for NAT
#   iptables -N fw-interfaces
#   ip6tables -N fw-interfaces
#   iptables -N fw-open
#   ip6tables -N fw-open

#
#================Default Chain reactions=================
#
#----Default FORWARD reaction
    iptables -P FORWARD DROP
    ip6tables -P FORWARD DROP

#
#----Default OUTPUT reaction
    iptables -P OUTPUT ACCEPT
    ip6tables -P OUTPUT ACCEPT

#
#----Shellshock
    iptables -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP
    ip6tables -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP

#
#----Default INPUT reaction
    iptables -P INPUT DROP
    ip6tables -P INPUT DROP
#
#----Drop spoofing packets
    iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
    iptables -A INPUT -i wlan0 -s 127.0.0.0/8 -j DROP
    iptables -A INPUT -i wlan1 -s 127.0.0.0/8 -j DROP
    iptables -A INPUT -s 10.0.0.0/8 -j DROP
    iptables -A INPUT -s 169.254.0.0/16 -j DROP
    iptables -A INPUT -s 172.16.0.0/12 -j DROP
    iptables -A INPUT -s 224.0.0.0/4 -j DROP
    iptables -A INPUT -d 224.0.0.0/4 -j DROP
    iptables -A INPUT -s 240.0.0.0/5 -j DROP
    iptables -A INPUT -d 240.0.0.0/5 -j DROP
    iptables -A INPUT -s 0.0.0.0/8 -j DROP
    iptables -A INPUT -d 0.0.0.0/8 -j DROP
    iptables -A INPUT -d 239.255.255.0/24 -j DROP
    iptables -A INPUT -d 255.255.255.255 -j DROP

#
#================Ping rate limiting globally=============
    iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 30/min --limit-burst 8 -j ACCEPT
    ip6tables -A INPUT -p icmpv6 --icmpv6-type 8 --match limit --limit-burst 8 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 8 -j DROP
    ip6tables -A INPUT -p icmpv6 --icmpv6-type 8 -j DROP

#
#----flooding RST packets, smurf attack Rejection
    iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

#
#----Bogus packet DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

#
#================RELATED,ESTABLISHED reaction============
    iptables -A INPUT --match conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ip6tables -A INPUT --match conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#
#================unfetered loopback======================
    iptables -A INPUT -i lo -j ACCEPT
    ip6tables -A INPUT -i lo -j ACCEPT

#
#================INVALID catagory of packets=============
    iptables -A INPUT -p 41 -j ACCEPT
    iptables -A INPUT --match conntrack --ctstate INVALID -j DROP
    ip6tables -A INPUT --match conntrack --ctstate INVALID -j DROP

#
#================IPv6 reactions and definitions==========
    ip6tables -A INPUT -s fe80::/10 -p icmpv6 -j ACCEPT
    ip6tables -t raw -A PREROUTING -p icmpv6 -s fe80::/10 -j ACCEPT
    ip6tables -t raw -A PREROUTING --match rpfilter -j ACCEPT
    ip6tables -t raw -A PREROUTING -j DROP
#
#=======Acceptable INVALIDs and a curteous response======
    iptables -A INPUT -p udp --match conntrack --ctstate NEW -j UDP
    ip6tables -A INPUT -p udp --match conntrack --ctstate NEW -j UDP
    iptables -A INPUT -p tcp --syn --match conntrack --ctstate NEW -j TCP
    ip6tables -A INPUT -p tcp --syn --match conntrack --ctstate NEW -j TCP

#
#================Defining the TCP and UDP chains
#
#########################################################
#            Notes for port open definitions            #
# It is important to note that this should be config-   #
# ured differently if you're providing any routing      #
# activity for any purpose. it is up to you to actively #
# define what suites your needs to get the job done.    #
# In this example, I'm exempting IPv6 from being able   #
# to interact with SSH protocols for two reasons. The   #
# first is because it is generally easier and more com- #
# for internal networks to be deployed with IPv4. The   #
# second reason is, IPv6 can be deployed globally.      #
#########################################################
#
#----SSH configured for eth0
    iptables -A TCP -i eth0 -p tcp --dport ssh -j ACCEPT

#!---Blocking SSH interactions in IPv6
    ip6tables -A TCP -p tcp --dport ssh -j DROP

#!---Leave commented for end service device
#   iptables -A TCP -p tcp --dport 80 -j ACCEPT
#   ip6tables -A TCP -p tcp --dport 80 -j ACCEPT
#   iptables -A TCP -p tcp --dport 443 -j ACCEPT
#   ip6tables -A TCP -p tcp --dport 443 -j ACCEPT
#
#!---Uncomment for remote service to this device
#   iptables -A TCP -p tcp --dport 22 -j ACCEPT
#   ip6tables -A TCP -p tcp --dport 22 -j ACCEPT
#
#!---Uncomment if you're providing routing services
#   iptables -A UDP -p udp 53 -j ACCEPT
#   ip6tables -A UDP -p udp 53 -j ACCEPT
#
#=================Tricking port scanners=================
#
#----SYN scans
    iptables -I TCP -p tcp --match recent --update --seconds 60 --name TCP-PORTSCAN -j DROP
    ip6tables -I TCP -p tcp --match recent --update --seconds 60 --name TCP-PORTSCAN -j DROP
    iptables -A INPUT -p tcp --match recent --set --name TCP-PORTSCAN -j DROP
    ip6tables -A INPUT -p tcp --match recent --set --name TCP-PORTSCAN -j DROP

#
#----UDP scans
    iptables -I UDP -p udp --match recent --update --seconds 60 --name UDP-PORTSCAN -j DROP
    ip6tables -I UDP -p udp --match recent --update --seconds 60 --name UDP-PORTSCAN -j DROP
    iptables -A INPUT -p udp --match recent --set --name UDP-PORTSCAN -j DROP
    ip6tables -A INPUT -p udp --match recent --set --name UDP-PORTSCAN -j DROP

#
#----For SMURF attack protection
    iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
    iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
    iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
    ip6tables -A INPUT -p icmpv6 -m limit --limit 2/second --limit-burst 2 -j ACCEPT

#
#----Ending all other undefined connections
    iptables -A INPUT -j DROP
    ip6tables -A INPUT -j DROP

#
#=======Defining the IN_SSH chain for bruteforce of SSH==
#
#!---I've elected to keep IPv6 out of this realm for
#!---ease of use
    iptables -N IN_SSH
    iptables -A INPUT -p tcp --dport ssh --match conntrack --ctstate NEW -j IN_SSH
    iptables -A IN_SSH --match recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
    iptables -A IN_SSH --match recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
    iptables -A IN_SSH --match recent --name sshbf --set -j ACCEPT
    iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH

#
#==================Setting up a NAT gateway==============
#
#########################################################
#                                                       #
# I commented this half out because it's not something  #
# that will apply to all setups. Make note of all par-  #
# tinate interfaces and what exactly is going on.       #
#                                                       #
#########################################################
#
#----Setting up the FORWARD chain
#   iptables -A FORWARD --match conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#   ip6tables -A FORWARD --match conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#
#
#----Defining the fw-interfaces/open chains for FORWARD
#   iptables -A FORWARD -j fw-interfaces
#   ip6tables -A FORWARD -j fw-interfaces
#   iptables -A FORWARD -j fw-open
#   ip6tables -A FORWARD -j fw-open
#   iptables -A FORWARD -j DROP # Should be REJECT. But, fuck them
#   ip6tables -A FORWARD -j DROP
#   iptables -P FORWARD DROP
#   ip6tables -P FORWARD DROP
#
#
#----Setting up the nat table
#   iptables -A fw-interfaces -i ### -j ACCEPT
#   ip6tables -A fw-interfaces -i ### -j ACCEPT
#   iptables -t nat -A POSTROUTING -s w.x.y.z/S -o ppp0 -j MASQUERADE
#   ip6tables -t nat -A POSTROUTING -s fe::/10 -o ppp0 -j MASQUERADE
#----The above lines should be repeated specifically for EACH interface
#
#----Setting up the PREROUTING chain
#
#######################################################
#                             #
# The PREROUTING chain will redirect either port      #
# targets to be redirected. This can also redirect    #
# traffic inbound to your network from the gateway    #
# to this machine. This can be useful if you're using #
# a honeypot or have any service within your network  #
# that you want to be pointed to a specific device.   #
#                             #
#######################################################
#
#----SSH honeypot server
#   iptables -A fw-open -d HONEYPOT_IP -p tcp --dport 22 -j ACCEPT
#   ip6tables -A fw-open -d HONEYPOT_IP -p tcp --dport 22 -j ACCEPT
#----With intuition, you can configure the above to also direct specific
#----requests to other devices providing those services. The bellow will
#----be for a squid server
#   iptables -A fw-open -d SQUID_IP -p tcp --dport 80 -j ACCEPT
#   ip6tables -A fw-open -d SQUID_IP -p tcp --dport 80 -j ACCEPT
#   iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to SQUID_IP
#   ip6tables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to SQUID_IP
#
#===============Declare configurations=================
    iptables -nvL
    ip6tables -nvL
user9517
  • 114,104
  • 20
  • 206
  • 289
Miphix
  • 101
  • 1