Limiting Spam and Attacks
Security – Training
You can use a bridge to limit spam and attacks effectively by managing the IP ranges per country. The thinking here is that these IP address ranges probably do not need access to your network in any way, unless you are an international business. By blocking these country ranges you may reduce spam and malware by up to 25%. In addition, in the event of a catastrophic virus outbreak, blocking these IP ranges may buy you a window of time to secure your server. The following websites keep track of the network subnets that belong to each country.
These websites provide the subnets for each country.
http://www.countryipblocks.net/country-blocks/cidr/
http://ip.ludost.net
Why limit IP subnets?
Some may say, "if you want a global business you need to allow access to your server from anywhere." If you have ever run a mail server and seen that 70-85% of all email is spam, you may reconsider that. If you have ever run a web server and seen scripting attacks from locations you cannot pronounce, let alone speak their language, you may reconsider. The fact is, there are a lot of attacks on your infrastructure, and if you do not take steps to protect it you will lose it. Blocking country subnets may not stop those who use proxies, and it will certainly not stop the guy down the street on your subnet, but it will make a difference and you will notice it within the hour.
Implementing these restrictions requires adding statements to your iptables rules that specifically drop subnets. The good thing about doing this on a bridge firewall is that you do it once for the whole network. From the command line you add a line naming the source subnet you want to drop. Here is an example that drops the subnet 201.0.0.0/8. Remember that traffic crossing the bridge only traverses the FORWARD chain, so your rules must be written against FORWARD.
iptables -A FORWARD -s 201.0.0.0/8 -j DROP
As an alternative you may want to limit a country's access to port 80 only. This line drops all attempts from the subnet 201.0.0.0/8 to reach any TCP port except port 80.
iptables -A FORWARD -s 201.0.0.0/8 -p tcp ! --dport 80 -j DROP
Add A Script
Once you see the number of subnets involved, you will realize that writing the rules by hand is a lot of work. Instead, create a file called banned in your /etc/ directory and add this script to your firewall script so that it reads the "banned" file.
##########################################
# BLOCK COUNTRY ATTACKS
# One address or CIDR subnet per line in $BADIP; lines starting with # are comments
BADIP=/etc/banned
BANNED=$( grep -v -E "^#" $BADIP )
for ip in $BANNED
do
    # -p tcp restricts the drop to TCP; omit it to drop every protocol from the range
    iptables -A INPUT -p tcp -s $ip -j DROP
    iptables -A FORWARD -p tcp -s $ip -j DROP
done
The /etc/banned file will look like this:
24.190.78.101
58.0.0.0/8
59.32.0.0/13
59.40.0.0/15
59.42.0.0/16
59.43.0.0/16
59.44.0.0/14
59.48.0.0/16
59.49.0.0/17
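The following is an added example, not the lesson's own script: a stricter loader for the /etc/banned file. It checks that every entry is an IPv4 address or CIDR subnet before handing it to iptables, skips comments and blank lines, reports how many entries were applied or rejected, and lets you set IPTABLES to another command (for instance IPTABLES=echo) to print the rules as a dry run before installing them. The IPTABLES and BANNED_FILE variables and the function names are choices made here, not part of the original.

```sh
#!/bin/sh
# Added example (not the page's own script): validate /etc/banned before
# turning it into iptables rules. IPTABLES may be overridden (IPTABLES=echo)
# for a dry run; BANNED_FILE defaults to the /etc/banned path used on the page.

IPTABLES="${IPTABLES:-iptables}"
BANNED_FILE="${BANNED_FILE:-/etc/banned}"

# is_ipv4_cidr ENTRY: succeed only for a.b.c.d or a.b.c.d/N with N in 0..32.
# A malformed line would otherwise make iptables abort part way through
# building the chain, leaving the rest of the list unblocked.
is_ipv4_cidr() {
    entry=$1
    addr=${entry%%/*}
    prefix=${entry#*/}
    [ "$prefix" = "$entry" ] && prefix=32     # no "/": a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] 2>/dev/null || return 1
    octets=0
    old_ifs=$IFS
    IFS=.
    for octet in $addr; do
        case "$octet" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$octet" -le 255 ] 2>/dev/null || { IFS=$old_ifs; return 1; }
        octets=$((octets + 1))
    done
    IFS=$old_ifs
    [ "$octets" -eq 4 ]
}

# apply_banned [FILE]: add INPUT and FORWARD DROP rules for each valid entry.
# Prints "applied=N rejected=M" and fails if any entry was rejected, so an
# init script or cron job notices a corrupted list instead of silently
# blocking less than intended.
apply_banned() {
    file=${1:-$BANNED_FILE}
    applied=0
    rejected=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop trailing comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        if is_ipv4_cidr "$line"; then
            # unlike the page's loop there is no -p tcp, so UDP and ICMP
            # from the banned range are dropped as well
            "$IPTABLES" -A INPUT -s "$line" -j DROP
            "$IPTABLES" -A FORWARD -s "$line" -j DROP
            applied=$((applied + 1))
        else
            printf 'banned: rejected malformed entry "%s"\n' "$line" >&2
            rejected=$((rejected + 1))
        fi
    done < "$file"
    printf 'applied=%d rejected=%d\n' "$applied" "$rejected"
    [ "$rejected" -eq 0 ]
}
```

Run it as `IPTABLES=echo apply_banned /etc/banned` to review the generated rules first, then without the override from your firewall script. The rules are added without -p tcp on purpose: a country block that only covers TCP still lets UDP floods and ICMP through from the same ranges.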
Prevent SYN packet flooding (SYN flood)
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
The same rule can also be written for the INPUT chain:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
--limit 1/s limits SYN packets to one per second; the rate can be adjusted to your needs. Note that these rate-limit rules only ACCEPT the packets within the limit: the excess is only stopped if a later rule, or a DROP default policy, drops the matching packets that the limit does not pass.
Prevent all forms of port scans
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping flood attacks (Ping of Death)
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
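The rate-limit rules above accept a trickle of SYNs but, on their own, drop nothing. The following is an added example, not code from the lesson, showing the complete shape a practitioner would use: a dedicated chain that lets SYNs through while they stay under a per-source limit, logs the excess at a capped rate, and drops the rest. It assumes the standard hashlimit match and LOG target are available; the chain name SYNFLOOD, the 20/s rate and the burst of 40 are values chosen here, and IPTABLES can be pointed at echo for a dry run.

```sh
#!/bin/sh
# Added example (not from the page). Builds a SYN-flood chain in which the
# excess is actually logged and dropped, and tracks the limit per source
# address with hashlimit instead of one global bucket that a single flooder
# could exhaust for everyone. IPTABLES=echo prints the rules instead.

IPTABLES="${IPTABLES:-iptables}"

# synflood_chain [CHAIN] [RATE] [BURST]
# Creates CHAIN (flushing it if it already exists) with three rules:
#   1. SYNs under RATE per source address (with BURST slack) return to the
#      calling chain so the normal port rules still apply to them
#   2. the remainder is logged, itself rate-limited so the log cannot be flooded
#   3. the remainder is dropped
synflood_chain() {
    chain=${1:-SYNFLOOD}
    rate=${2:-20/s}
    burst=${3:-40}
    "$IPTABLES" -N "$chain" 2>/dev/null || "$IPTABLES" -F "$chain"
    "$IPTABLES" -A "$chain" -p tcp --syn \
        -m hashlimit --hashlimit-upto "$rate" --hashlimit-burst "$burst" \
        --hashlimit-mode srcip --hashlimit-name "$chain" -j RETURN
    "$IPTABLES" -A "$chain" -m limit --limit 5/min \
        -j LOG --log-prefix "$chain: "
    "$IPTABLES" -A "$chain" -j DROP
}

# hook_synflood [CHAIN]: send every incoming SYN on INPUT and FORWARD through
# CHAIN. A bridge, as on this page, only needs the FORWARD hook.
hook_synflood() {
    chain=${1:-SYNFLOOD}
    for base in INPUT FORWARD; do
        "$IPTABLES" -A "$base" -p tcp --syn -j "$chain"
    done
}

# Usage from a firewall script: build the chain, then hook it in.
# synflood_chain SYNFLOOD 20/s 40
# hook_synflood SYNFLOOD
```

Returning rather than accepting the in-limit SYNs keeps this chain a pure rate limiter: whether a port is open at all is still decided by the rules that follow the hook. The LOG rule gives you a detection signal (a burst of "SYNFLOOD:" lines from one source in the kernel log) without letting the attacker fill your disk.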
Linux IPTables: Incoming and Outgoing Rule Examples (SSH and HTTP)
# Set default chain policies: drop everything that is not explicitly allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# The incoming SSH, HTTP and HTTPS rules can instead be combined into one pair using multiport (use either the individual rules above or this pair, not both)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
Load Balance Incoming Web Traffic with iptables
You can also load balance your incoming web traffic using iptables firewall rules.
This uses the iptables nth match extension. The following example load balances HTTPS traffic across three different IP addresses: with a shared counter (counter 0) and --every 3, each new connection is sent in turn to the server whose --packet value matches. DNAT lives in the nat table, so the rules must be added with -t nat. The nth match comes from patch-o-matic; current iptables releases offer similar round-robin matching through the statistic match (-m statistic --mode nth), whose counter is kept per rule rather than shared, so its --every and --packet values have to be chosen differently.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
Allow Ping from Outside to Inside
The following rules allow outside users to ping your servers.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
Allow Ping from Inside to Outside
The following rules allow you to ping any outside server from the inside.
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
Allow Loopback Access
You should allow full loopback access on your servers, i.e., access using 127.0.0.1.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Allow outbound DNS
The following rules allow outgoing DNS queries and their replies.
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
Allow Rsync From a Specific Network
The following rules allow rsync only from a specific network.
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
Allow MySQL connections only from a specific network
If you are running MySQL, you typically do not want to allow direct connections from outside. In most cases the web server runs on the same machine as the MySQL database.
However, DBAs and developers might need to log in to MySQL directly from their laptops and desktops using a MySQL client. In those cases, you might want to allow your internal network to talk to MySQL directly, as shown below.
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
Prevent DoS Attack
The following iptables rule helps protect your web server against a Denial of Service (DoS) attack by accepting at most 25 HTTP packets per minute once an initial burst of 100 has been used up; as with the SYN-flood rules above, the excess is only dropped by a later rule or by the chain's DROP policy.
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
Force SYN packets check
Make sure NEW incoming TCP connections start with a SYN packet; otherwise drop them:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Force Fragments packets check
Drop incoming fragmented packets. Fragment-based attacks can cause a Linux server to panic, with resulting data loss.
iptables -A INPUT -f -j DROP
XMAS packets
Drop incoming malformed XMAS packets (all TCP flags set):
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop all NULL packets
Drop incoming malformed NULL packets (no TCP flags set):
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP