Archive for the tag 'iptables'

SBDavid

Using hashlimit in iptables


iptables -I INPUT -m hashlimit -m tcp -p tcp --dport 23032 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT

This rule accepts new connections to TCP port 23032 (the SSH port in this setup) at an average rate of one per minute from any single source IP address; --hashlimit-mode srcip is what makes the limit apply per source rather than to the port as a whole.

hashlimit match options

  --hashlimit-upto               max average match rate
                                   [Packets per second unless followed by
                                   /sec /minute /hour /day postfixes]
  --hashlimit-above              min average match rate
  --hashlimit-mode               mode is a comma-separated list of
                                   dstip,srcip,dstport,srcport (or none)
  --hashlimit-srcmask            source address grouping prefix length
  --hashlimit-dstmask            destination address grouping prefix length
  --hashlimit-name               name for /proc/net/ipt_hashlimit
  --hashlimit-burst              number to match in a burst, default 5
  --hashlimit-htable-size        number of hashtable buckets
  --hashlimit-htable-max         number of hashtable entries
  --hashlimit-htable-gcinterval  interval between garbage collection runs
  --hashlimit-htable-expire      after which time are idle entries expired?
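The rule above only ACCEPTs connections that are within the limit; on its own it drops nothing, and because --hashlimit-burst defaults to 5, a quiet source may open five connections at once before the average rate applies. The script below is an added example, not code from the original post: it generates the ACCEPT rule together with the DROP rule that enforces the limit, uses the current --hashlimit-upto spelling and -m conntrack, and shows where the kernel exposes the per-source counters. The port, rate, burst and table name are assumed values, and the commands are printed rather than applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the original post: a complete per-source rate
# limit for one TCP port. The page's rule only ACCEPTs connections that are
# within the limit; the DROP rule that follows it here is what turns the
# limit into an enforced one. Port, rate, burst and table name below are
# assumed values. Prints the commands unless APPLY=1 is set in the environment.

# Print the two rules that make up the rate limit.
#   $1 port   $2 rate (e.g. 1/min)   $3 burst   $4 hashlimit table name
ratelimit_rules() {
    port=$1; rate=$2; burst=$3; name=$4
    # Rule 1: accept a NEW connection while this source is under the limit.
    # --hashlimit-upto is the current spelling of the page's --hashlimit;
    # --hashlimit-burst is how many connections a quiet source may open at
    # once before the average rate applies (the default is 5).
    r="iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW"
    r="$r -m hashlimit --hashlimit-upto $rate --hashlimit-burst $burst"
    r="$r --hashlimit-mode srcip --hashlimit-name $name -j ACCEPT"
    printf '%s\n' "$r"
    # Rule 2: a NEW connection that did not match rule 1 exceeded the limit.
    printf '%s\n' "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j DROP"
}

# Where the kernel exposes the per-source counters for a named table.
hashlimit_table_path() {
    printf '/proc/net/ipt_hashlimit/%s\n' "$1"
}

# Run each generated rule, or just print it in dry-run mode.
apply_rules() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            sh -c "$cmd"
        else
            printf '%s\n' "$cmd"
        fi
    done
}

main() {
    ratelimit_rules 23032 1/min 3 ssh | apply_rules
    # Once applied, the live table has one line per tracked source IP.
    table=$(hashlimit_table_path ssh)
    if [ -r "$table" ]; then
        cat "$table"
    fi
}

main "$@"
```

Running the script as-is prints the two rules; APPLY=1 ./script.sh applies them. The two rules must stay adjacent and in this order: a general DROP placed before the hashlimit ACCEPT would block everything, and a DROP placed nowhere leaves the limit unenforced.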
SBDavid

iptables/netfilter’s geoip match


Netfilter and iptables are building blocks of a framework inside the Linux 2.4.x and 2.6.x kernel. This framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the redesigned and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems. To learn more about iptables/netfilter you should visit www.netfilter.org.

This framework is modular and easily lets you extend its features. This is exactly what geoip is: an extension to iptables/netfilter that allows you to filter, NAT or mangle packets based on the country of a packet's destination or origin.

SBDavid

Block IP Addresses With IPtables


This command will simply drop any packet coming from the address 25.55.55.55:

iptables -I INPUT -s 25.55.55.55 -j DROP

To list the chains, use -L. The -n option sticks with just IP addresses rather than resolving names, which is useful if you have a lot of IP addresses, since resolving all of them can take a long time.

iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 25.55.55.55 0.0.0.0/0

If you later decide that you don’t want to drop packets from a particular host, use the -D option instead of -I:

iptables -D INPUT -s 25.55.55.55 -j DROP
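One thing the two commands above do not guard against: running the -I command twice stacks two copies of the rule, and -D then removes only one copy per call, so a host can stay blocked after it was "unblocked". The script below is an added example, not code from the original post: it checks with iptables -C before inserting, removes every copy when unblocking, and parses iptables -L -n output to list the sources currently dropped in INPUT. 25.55.55.55 is the page's address; the second address in the constructed sample listing and the function names are assumptions. Commands are printed rather than executed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the original post: block and unblock a host
# without stacking duplicate rules, and pull the blocked sources out of
# `iptables -L -n` output. 25.55.55.55 is the page's address; the second
# address in the constructed sample and all function names are assumptions.
# Prints the iptables commands unless APPLY=1 is set in the environment.

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Insert a DROP rule for $1 unless an identical one is already present.
# Blindly repeating `iptables -I` stacks copies of the rule, and `-D` later
# removes only one copy per call, so the host stays blocked after an "unblock".
block_ip() {
    if [ "${APPLY:-0}" = 1 ] && iptables -C INPUT -s "$1" -j DROP 2>/dev/null; then
        return 0    # already blocked
    fi
    run iptables -I INPUT -s "$1" -j DROP
}

# Remove every copy of the DROP rule for $1; -C reports whether one is left.
unblock_ip() {
    if [ "${APPLY:-0}" = 1 ]; then
        while iptables -C INPUT -s "$1" -j DROP 2>/dev/null; do
            iptables -D INPUT -s "$1" -j DROP
        done
    else
        run iptables -D INPUT -s "$1" -j DROP
    fi
}

# Read `iptables -L -n` output on stdin; print the source of every DROP rule
# in the INPUT chain, one per line (source is the 4th column).
dropped_sources() {
    awk '
        /^Chain /                          { chain = $2; next }
        chain == "INPUT" && $1 == "DROP"   { print $4 }
    '
}

# Constructed sample of `iptables -L -n` output (extends the page's listing).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  25.55.55.55          0.0.0.0/0
DROP       all  --  198.51.100.7         0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.1.0/24       0.0.0.0/0'

main() {
    block_ip 25.55.55.55
    unblock_ip 25.55.55.55
    printf 'blocked sources in the sample listing:\n'
    printf '%s\n' "$SAMPLE_LISTING" | dropped_sources
}

main "$@"
```

On a live system, feed the real listing instead of the sample: iptables -L INPUT -n | dropped_sources. The parser keys on the chain header so that DROP rules in FORWARD (such as the anti-spoofing rule further down this page) are not reported as blocked hosts.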
SBDavid

iptables and Connection Tracking

iptables includes a module that allows administrators to inspect and restrict connections to services available on an internal network using a method called connection tracking.

NEW - A packet requesting a new connection, such as an HTTP request.

ESTABLISHED - A packet that is part of an existing connection.

RELATED - A packet that is requesting a new connection but is part of an existing connection, such as passive FTP connections where the connection port is 20, but the transfer port can be any unused port 1024 or higher.

INVALID - A packet that is not part of any connections in the connection tracking table.

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

The above example shows a rule that uses connection tracking to forward only the packets that are associated with an established connection.

There are some trojans that scan networks for services on ports from 31337 to 31340.

Since there are no legitimate services that communicate via these non-standard ports, blocking them can effectively diminish the chances that potentially infected nodes on your network independently communicate with their remote master servers.

iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP

You can also block outside connections that attempt to spoof private IP address ranges to infiltrate your LAN. For example, if your LAN uses the 192.168.1.0/24 range, a rule can set the Internet facing network device (for example, eth0) to drop any packets to that device with an address in your LAN IP range. Because it is recommended to reject forwarded packets as a default policy, any other spoofed IP address to the external-facing device (eth0) is rejected automatically.

iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP

The REJECT target denies access and returns a connection refused error to users who attempt to connect to the service. The DROP target, as the name implies, drops the packet without any warning.
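The rules in this post are shown one at a time; in practice their order matters, because iptables evaluates a chain top to bottom and the ESTABLISHED,RELATED rule has to come first so that replies are not caught by the later DROP rules. The script below is an added example, not code from the original post, that assembles the forwarding policy described here in evaluation order: deny by default, accept established and related traffic, drop INVALID, drop spoofed LAN sources arriving on the external interface, and drop the trojan ports. It generalises the page's single-port rules to the whole 31337 to 31340 range the text mentions. eth0 and 192.168.1.0/24 are the page's values; the function names and the final LOG rule are assumptions. Commands are printed rather than executed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the original post: the forwarding policy the
# text describes, assembled in the order the rules must be evaluated. It
# generalises the page's single-port rules to the whole 31337-31340 range the
# text mentions. eth0 and 192.168.1.0/24 are the page's values; the function
# names and the LOG rule are assumptions. Prints the iptables commands unless
# APPLY=1 is set in the environment.

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# $1 Internet-facing interface, $2 LAN address range
forward_policy() {
    ext=$1; lan=$2
    # Deny by default: only packets matched by an ACCEPT rule below are forwarded.
    run iptables -P FORWARD DROP
    # Replies and related traffic for connections already in the conntrack
    # table (the page's -m state --state, in its current -m conntrack form).
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot associate with any connection.
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Anti-spoofing: traffic arriving from the Internet must not claim a LAN source.
    run iptables -A FORWARD -i "$ext" -s "$lan" -j DROP
    # The trojan port range, as one range match, for both forwarded and
    # locally generated traffic (the two chains the page uses).
    run iptables -A FORWARD -o "$ext" -p tcp --dport 31337:31340 -j DROP
    run iptables -A OUTPUT -o "$ext" -p tcp --dport 31337:31340 -j DROP
    # LAN hosts may open new connections to the Internet.
    run iptables -A FORWARD -s "$lan" -o "$ext" -m conntrack --ctstate NEW -j ACCEPT
    # Log (rate-limited) whatever is about to hit the DROP policy, so that
    # blocked traffic shows up in the kernel log instead of vanishing silently.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

main() {
    forward_policy eth0 192.168.1.0/24
}

main "$@"
```

The LOG rule at the end is what gives a defender visibility: with the page's default-deny policy alone, dropped packets leave no trace, whereas the prefixed log lines can be picked up from the kernel log and counted per source.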
