{"id":1846,"date":"2013-01-30T12:55:12","date_gmt":"2013-01-30T04:55:12","guid":{"rendered":"http:\/\/rmohan.com\/?p=1846"},"modified":"2013-01-31T12:11:37","modified_gmt":"2013-01-31T04:11:37","slug":"iptables-rules-2","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=1846","title":{"rendered":"iptables Rules"},"content":{"rendered":"

Block IP traffic from an specific IP or Network.<\/strong><\/p>\n

Block from an IP<\/p>\n

iptables -A INPUT -s 11.22.33.44 -j DROP<\/code><\/pre>\n
If you want to block only on an specific NIC<\/p>\n
iptables -A INPUT -s 11.22.33.44 -i eth0 -j DROP<\/code><\/pre>\n
Or an specific port<\/p>\n
iptables -A INPUT -s 11.22.33.44 -p tcp -dport 22 -j DROP<\/code><\/pre>\n
Using a Network and not only one IP<\/p>\n
iptables -A INPUT -s 11.22.33.0\/24 -j DROP<\/code><\/pre>\n
Block traffic from a specific MAC address<\/strong><\/p>\n
Suppose you want to bloc traffic some a MAC address instead of an IP address. This is handy if a DHCP server is changing the IP of the maching you want to protect from.<\/p>\n
iptables -A INPUT -m mac --mac-source 00:11:2f:8f:f8:f8 -j DROP<\/code><\/pre>\n
Block a specific port<\/strong><\/p>\n
If all you want is to block a port, iptables<\/code> can still do it.<\/p>\n
And you can block incoming or outgoing traffic.<\/p>\n
Block incoming traffic to a port<\/em><\/p>\n
Suppose we need to block port 21 for incoming traffic:<\/p>\n
iptables -A INPUT -p tcp --destination-port 21 -j DROP<\/code><\/pre>\n
But if you have two-NIC server, with one NIC facing the Internet and the other facing your local private Network, and you only one to block FTP access from outside world.<\/p>\n
iptables -A INPUT -p tcp -i eth1 -p tcp --destination-port 21 -j DROP<\/code><\/pre>\n
In this case I\u2019m assuming eth1 is the one facing the Internet.<\/p>\n
You can also block a port from a specific IP address:<\/p>\n
iptables -A INPUT -p tcp -s 22.33.44.55 --destination-port 21 -j DROP<\/code><\/pre>\n
Or even block access to a port from everywhere but a specific IP range.<\/p>\n
iptables -A INPUT p tcp -s ! 22.33.44.0\/24 --destination-port 21 -j DROP<\/code><\/pre>\n
Block outgoing traffic to a port<\/em><\/p>\n
If you want to forbid outgoing traffic to port 25, this is useful, in the case you are running a Linux firewall for your office, and you want to stop virus from sending emails.<\/p>\n
iptables -A FORWARD -p tcp --dport 25 -j DROP<\/code><\/pre>\n
I\u2019m using FORWARD, as in this example the server is a firewall, but you can use OUTPUT too, to block also server self traffic.<\/p>\n
Log traffic, before taking action<\/strong><\/p>\n
If you want to log the traffic before blocking it, for example, there is a rule in an office, where all employees have been said not to log into a given server, and you want to be sure everybody obeys the rule by blocking access to ssh port. But, at the same time you want to find the one who tried it.<\/p>\n
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix \"dropped access to port 22\" iptables -A INPUT -p tcp --dport 22 -j DROP<\/code><\/pre>\n
You will be able to see which IP tried to access the server, but of course he couldn\u2019t.<\/p>\n
Tips and Tricks<\/h3>\n
Because iptables<\/code> executes the rules in order, if you want to change something you need to insert the rule in the specific position, or the desired effect is not going to be achieved.<\/p>\n
List rules with numbers<\/strong><\/p>\n
iptables -nL --line-numbers<\/code><\/pre>\n
This is going to list all your rules with numbers preceding the rules. Determine where you want the inserted rule and write:<\/p>\n
List specific chains<\/strong><\/p>\n
iptables -nL INPUT<\/code><\/pre>\n
Will list all INPUT rules.<\/p>\n
iptables -nL FORWARD<\/code><\/pre>\n
Will list all OUTPUT rules<\/p>\n
Insert rules<\/strong><\/p>\n
iptables -I INPUT 3 -s 10.0.0.0\/8 -j ACCEPT<\/code><\/pre>\n
That is going to add a rule in position 3 of the \u201carray\u201d<\/p>\n
Delete rules<\/strong><\/p>\n
iptables -D INPUT 3<\/code><\/pre>\n
That is going to remove the rule inserted above. You can also remove it, by matching it.<\/p>\n
iptables -D INPUT -s 10.0.0.0\/8 -j ACCEPT<\/code><\/pre>\n
Delete flush all rules and chains<\/strong><\/p>\n
This steps are very handy if you want to start with a completely empty and default tables:<\/p>\n
iptables --flush iptables --table nat --flush iptables --table mangle --flush iptables --delete-chain iptables --table nat --delete-chain iptables --table mangle --delete-chain<\/code><\/pre>\n
NOTE: do not execute this rules if you are connected via ssh or something similar, you may get locked out<\/em><\/p>\n
Simple scripts for specific needs<\/h3>\n
How to stop brute force attacks<\/strong><\/p>\n
You can also use iptables<\/code> to stop brute force attacks to your server, for example: Allow only three attempts to log through ssh before banning the IP for 15 minutes, this should let legitimate users to log to the servers, but bots will not be able. Remember to always use strong passwords<\/strong><\/p>\n
iptables -F iptables -A INPUT -i lo -p all -j ACCEPT iptables -A OUTPUT -o lo -p all -j ACCEPT iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport ssh -j ACCEPT iptables -A INPUT -p tcp --dport www -j ACCEPT iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 900 --hitcount 3 -j DROP iptables -P INPUT DROP<\/code><\/pre>\n
How to NAT with iptables<\/code><\/strong><\/p>\n
iptables<\/code> is also very useful to configure NAT routers, a Linux mashing can act as a router, and share its public IP with a private networks behind it. It is also useful to configure the DHCP in the same server.<\/p>\n
To configure a NAT router, you will be better with a server with two NICs, let\u2019s suppose you have:<\/p>\n
    \n
  • eth0: 12.13.14.15<\/li>\n
  • eth1: 10.1.1.1<\/li>\n<\/ul>\n
    Now configure NAT to forward all traffic from 10.1.1.0 network through eth0 IP. You may want to empty all tables and start with a fresh chains and tables (see how above).<\/p>\n
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE iptables --append FORWARD --in-interface eth1 -j ACCEPT<\/code><\/pre>\n
    That is it, you only have to enable kernel forwarding now:<\/p>\n
    echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
    Block IP traffic from an specific IP or Network.<\/p>\n
    Block from an IP<\/p>\n
     iptables -A INPUT -s 11.22.33.44 -j DROP <\/p>\n
    If you want to block only on an specific NIC<\/p>\n
     iptables -A INPUT -s 11.22.33.44 -i eth0 -j DROP <\/p>\n
    Or an specific port<\/p>\n
     iptables -A INPUT -s 11.22.33.44 -p tcp -dport 22 -j DROP <\/p>\n
    Using […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1846"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1846"}],"version-history":[{"count":9,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1846\/revisions"}],"predecessor-version":[{"id":1849,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1846\/revisions\/1849"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}