{"id":201,"date":"2012-06-11T08:10:06","date_gmt":"2012-06-11T08:10:06","guid":{"rendered":"http:\/\/rmohan.com\/?p=201"},"modified":"2012-06-11T08:10:06","modified_gmt":"2012-06-11T08:10:06","slug":"iptables-rules","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=201","title":{"rendered":"IPTABLES Rules"},"content":{"rendered":"<p><strong>Limiting Spam and Attacks<br \/>\nSecurity &#8211; Training<br \/>\n<\/strong><br \/>\nYou can use a bridge to effectively limit spam and attacks by managing the IP ranges per country. The basis behind the thought here is that these IP address ranges probably do not need access to your network in any way, unless you are an international business. By blocking these country ranges you may reduce spam and malware by up to 25%. In addition, in the event of a catastrophic virus outbreak you may create a window of time to secure your server by blocking these IP ranges. The following websites keep track of the network subnets that belong to each country.<\/p>\n<p>These websites provide the subnets for each country.<\/p>\n<p>http:\/\/www.countryipblocks.net\/country-blocks\/cidr\/<\/p>\n<p>http:\/\/ip.ludost.net<\/p>\n<p>Why limit IP subnets?<br \/>\nSome may say, &#8220;if you want a global business you need to allow access to your server from anywhere.&#8221; If you have ever run a mail server and seen that 70-85% of all email is spam you may reconsider that. If you have ever run a web server and seen scripting attacks from locations you cannot pronounce, let alone speak their language, you may reconsider. The fact is, there are a lot of attacks on your infrastructure and if you do not take steps to protect it you will lose it. 
Blocking country subnets may not stop those who use proxies and it will certainly not stop the guy down the street on your subnet&#8230; but it will make a difference and you will notice it within the hour.<\/p>\n<p>Implementing these restrictions will require you to add statements to your iptables rules in order to drop specific subnets. The good thing about doing this from a bridge firewall is that you do it once for the whole network. From the command line you will need to add a line that names the source subnet you want to drop in the INPUT chain. Here is an example that drops the subnet 201.0.0.0\/8. Remember that a bridge only passes traffic through the FORWARD chain, so this must be reflected in your rules.<\/p>\n<p>iptables -A FORWARD -s 201.0.0.0\/8 -j DROP<\/p>\n<p>As an alternative you may want to limit access from those countries to port 80 only. This line will drop all TCP attempts from the subnet 201.0.0.0\/8 to reach any port except port 80. Note that the negation goes before the option (&#8220;! --dport 80&#8221;); the older &#8220;--dport ! 80&#8221; form is rejected by current iptables versions. Non-TCP traffic from the subnet is not affected by this rule.<br \/>\niptables -A FORWARD -s 201.0.0.0\/8 -p tcp ! --dport 80 -j DROP<\/p>\n<p>Add A Script<\/p>\n<p>When you look at the number of subnets to work with you will realize that writing the rules one by one will be a lot of work. 
What you can do is create a file called banned, place it in your \/etc\/ directory, and then add this script to your firewall to read the &#8220;banned&#8221; file.<\/p>\n<p>##########################################<br \/>\n# BLOCK COUNTRY ATTACKS<br \/>\n# \/etc\/banned holds one address or CIDR block per line; lines starting with # are comments<br \/>\nBADIP=\/etc\/banned<br \/>\nBANNED=$( grep -v -E \"^#\" $BADIP )<br \/>\nfor ip in $BANNED<br \/>\ndo<br \/>\niptables -A INPUT -p tcp -s $ip -j DROP<br \/>\niptables -A FORWARD -p tcp -s $ip -j DROP<br \/>\ndone<\/p>\n<p>The \/etc\/banned file will look like this:<\/p>\n<p>24.190.78.101<br \/>\n58.0.0.0\/8<br \/>\n59.32.0.0\/13<br \/>\n59.40.0.0\/15<br \/>\n59.42.0.0\/16<br \/>\n59.43.0.0\/16<br \/>\n59.44.0.0\/14<br \/>\n59.48.0.0\/16<br \/>\n59.49.0.0\/17<\/p>\n<p>Prevent SYN packet flooding (SYN flood)<br \/>\niptables -A FORWARD -p tcp --syn -m limit --limit 1\/s -j ACCEPT<br \/>\nIt can also be written for the INPUT chain:<br \/>\niptables -A INPUT -p tcp --syn -m limit --limit 1\/s -j ACCEPT<br \/>\n--limit 1\/s limits SYN packets to one per second; the rate can be changed according to your needs. SYN packets above the limit are only dropped if a later rule or the chain's default policy drops them.<br \/>\nPrevent all forms of port scans<br \/>\niptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1\/s -j ACCEPT<br \/>\nPing flood attacks (Ping of Death)<br \/>\niptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1\/s -j ACCEPT<\/p>\n<p><strong>Linux IPTables: Incoming and Outgoing Rule Examples (SSH and HTTP)<\/strong><\/p>\n<p># 2. Set default chain policies<br \/>\niptables -P INPUT DROP<br \/>\niptables -P FORWARD DROP<br \/>\niptables -P OUTPUT DROP<\/p>\n<p># 3. Allow incoming SSH<br \/>\niptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT<br \/>\niptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT<\/p>\n<p># 4. 
Allow incoming HTTP<br \/>\niptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT<br \/>\niptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT<\/p>\n<p># 5. Allow outgoing SSH<br \/>\niptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT<br \/>\niptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT<\/p>\n<p># Allow incoming HTTPS<br \/>\niptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT<br \/>\niptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT<\/p>\n<p># Or allow SSH, HTTP and HTTPS in one rule using the multiport match<br \/>\niptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT<br \/>\niptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT<\/p>\n<p><strong>Load Balance Incoming Web Traffic with iptables<\/strong><\/p>\n<p>You can also load balance your incoming web traffic using iptables firewall rules.<br \/>\nThis uses the iptables nth extension. The following example load balances HTTPS traffic across three different IP addresses: every third new connection is sent to the next server in turn (using counter 0). DNAT is only valid in the nat table, so these rules must be added with -t nat. The nth match is a patch-o-matic extension; on current kernels the equivalent is the statistic match (-m statistic --mode nth --every 3 --packet N).<\/p>\n<p>iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443<br \/>\niptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443<br \/>\niptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443<\/p>\n<p>12. 
Allow Ping from Outside to Inside<br \/>\nThe following rules allow outside users to ping your servers.<\/p>\n<p>iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT<br \/>\niptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT<\/p>\n<p>13. Allow Ping from Inside to Outside<br \/>\nThe following rules allow you to ping any outside server from the inside.<\/p>\n<p>iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT<br \/>\niptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT<\/p>\n<p>14. Allow Loopback Access<br \/>\nYou should allow full loopback access on your servers, i.e. access via 127.0.0.1.<\/p>\n<p>iptables -A INPUT -i lo -j ACCEPT<br \/>\niptables -A OUTPUT -o lo -j ACCEPT<\/p>\n<p>16. Allow outbound DNS<br \/>\nThe following rules allow outgoing DNS queries and their replies.<\/p>\n<p>iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT<br \/>\niptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT<\/p>\n<p>Allow Rsync From a Specific Network<br \/>\nThe following rules allow rsync only from a specific network.<\/p>\n<p>iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0\/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT<br \/>\niptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT<\/p>\n<p>19. Allow MySQL connections only from a specific network<br \/>\nIf you are running MySQL, typically you don\u2019t want to allow direct connections from outside. In most cases, you might have a web server running on the same machine where the MySQL database runs.<br \/>\nHowever, DBAs and developers might need to log in to MySQL directly from their laptop or desktop using a MySQL client. 
In those cases, you might want to allow your internal network to talk to MySQL directly, as shown below.<\/p>\n<p>iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0\/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT<br \/>\niptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT<\/p>\n<p><strong>Prevent DoS Attack<\/strong><\/p>\n<p>The following iptables rule will help you limit a Denial of Service (DoS) attack on your web server: it accepts at most 25 new packets per minute on port 80, with a burst of 100, and relies on the DROP default policy for the rest.<\/p>\n<p>iptables -A INPUT -p tcp --dport 80 -m limit --limit 25\/minute --limit-burst 100 -j ACCEPT<\/p>\n<p><strong>Force SYN packets check<\/strong><\/p>\n<p>Make sure NEW incoming TCP connections are SYN packets; otherwise drop them:<\/p>\n<p>iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP<\/p>\n<p>Force fragmented packets check<\/p>\n<p>Drop incoming fragmented packets. Such an attack can cause a Linux server panic and data loss.<\/p>\n<p>iptables -A INPUT -f -j DROP<\/p>\n<p><strong>XMAS packets<\/strong><\/p>\n<p>Drop incoming malformed XMAS packets (all TCP flags set):<\/p>\n<p>iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP<\/p>\n<p>Drop all NULL packets<\/p>\n<p><strong>Drop incoming malformed NULL packets (no TCP flags set):<\/strong><\/p>\n<p>iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Limiting Spam and Attacks Security &#8211; Training You can use a bridge to effectively limit spam and attacks by managing the IP Ranges per Country. The basis behind the thought here is that these IP Address Ranges probably do not need access to your network in any way, unless you are an International business. 
By blocking [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/201"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=201"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/201\/revisions"}],"predecessor-version":[{"id":202,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/201\/revisions\/202"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=201"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=201"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=201"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}