====== Linux filtering / firewalling (netfilter/iptables stuff) ======

==== P2P blocking/limiting ====
== Links ==
  * [[http://ipp2p.org/]]
  * [[http://l7-filter.sourceforge.net/]]
  * [[http://iptables-tutorial.frozentux.net/iptables-tutorial.html]]
  * [[linux:iptables:l7patch|Debian ipp2p+l7 patch cookbook]]
  * [[http://brownian.org.ua/?page_id=17|py-htbstat]] - //a tool for collecting HTB kernel statistics; it lets you view graphs and perform basic analysis.//
  * [[http://dev.inversepath.com/trac/ftester|FTester -- Firewall and IDS Testing tool]]

==== Netfilter concept / network flow ====
Click on the picture below to see more.
{{ linux:24net.png?100 }}

==== Logging and limiting SSH bruteforce attacks ====

Logging is easy: just add the same rule but with ''-j LOG --log-prefix SSHBRUTE'' (or whatever prefix you want), e.g.:

   iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 22 --hashlimit \
             1/min --hashlimit-mode srcip --hashlimit-name ssh -m state \
             --state NEW -j LOG --log-prefix SSHBRUTE


As for permanently adding hosts: why? Polluting a firewall ruleset with a rule that isn't going to be hit frequently is a waste, which is why the hashlimit rule is perfect for this situation.

See also [[http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/|this]].
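As an added example (not part of the original wiki page), the shell snippet below summarises the kernel LOG lines the SSHBRUTE rule produces, so you can see which sources are hammering port 22 without adding per-host rules. The log lines are constructed samples and the function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original wiki page: count SSHBRUTE log hits per
# source address. The lines below are constructed samples in the netfilter LOG
# format. Note that a prefix given without a trailing space, as in the rule
# above, is glued to the "IN=" field; quoting it as "SSHBRUTE " keeps it
# separate. This parser keys off the SRC= field, so it copes with either form.

SAMPLE_LOG='Aug 10 00:23:01 gw kernel: SSHBRUTEIN=eth0 OUT= MAC=00:11:22:33:44:55:00:11:22:33:44:66:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 10 00:24:05 gw kernel: SSHBRUTEIN=eth0 OUT= MAC=00:11:22:33:44:55:00:11:22:33:44:66:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41023 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 10 00:24:40 gw kernel: SSHBRUTE IN=eth0 OUT= MAC=00:11:22:33:44:55:00:11:22:33:44:66:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=50210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 10 00:25:11 gw kernel: SSHBRUTEIN=eth0 OUT= MAC=00:11:22:33:44:55:00:11:22:33:44:66:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41024 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 10 00:25:30 gw kernel: Adaptive-FW SSH Prober: IN=ppp0 OUT=eth0 SRC=198.51.100.77 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=33333 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# sshbrute_top: read log lines on stdin, keep only those carrying the SSHBRUTE
# prefix, and print "count source-ip" per source, busiest first.
sshbrute_top() {
    grep 'SSHBRUTE' | awk '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^SRC=/) { n[substr($i, 5)]++; break } }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# sshbrute_hits IP: number of logged SSHBRUTE hits for one source (0 if none).
sshbrute_hits() {
    sshbrute_top | awk -v ip="$1" '
        $2 == ip { print $1; found = 1 }
        END { if (!found) print 0 }'
}

# On a real host: grep SSHBRUTE /var/log/kern.log | sshbrute_top
printf '%s\n' "$SAMPLE_LOG" | sshbrute_top
```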

==== A solution for blocking ssh probers/scanners ====

  ### Catch SSH probes
  iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0 \
         -m state --state NEW \
         -m recent --rcheck --hitcount 3 --seconds 60 --name SSH_PROBERS \
         -j LOG --log-prefix "Adaptive-FW SSH Prober: "

  iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0 \
         -m state --state NEW \
         -m recent --update --hitcount 3 --seconds 60 --name SSH_PROBERS \
         -j DROP

  iptables -A FORWARD -p tcp --dport 22 -d <local net> -o eth0 -s 0/0 -i ppp0 \
         -m state --state NEW \
         -m recent --set --name SSH_PROBERS \
         -j ACCEPT

So in the INPUT chain you wouldn't use -o, and -d would be the IP on your external link (ppp0 in this example).

What it does is use the ''ipt_recent'' module to track connections from a given IP: 3 incoming connections in 60 seconds will cause the remote host to be blocked. Of course, this affects normal logins too, so for known hosts it pays to insert a rule beforehand that does a ''-j ACCEPT''.


===== Strategy for penalising IPs with too many simultaneous sessions =====

Something like this (eth0 is the user's network):

   iptables -t mangle -A PREROUTING -p tcp -i eth0 --dport 1024: -m \
     connlimit --connlimit-above 5 -j SET --add-set p2p src

   iptables -t mangle -A FORWARD -o eth0 -p tcp -m multiport --sport \
     1024:65535 -m set --set p2p dst -j MARK --set-mark 60

   iptables -t mangle -A FORWARD -i eth0 -p tcp -m multiport --dport \
      1024:65535 -m set --set p2p src -j MARK --set-mark 60

//You'll have to compile your kernel with **''ipset''** and **''connlimit''** support.//


===== Conntrack table full =====
   > Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed.
   > Feb 23 14:26:19 gestor1 kernel: ip_conntrack: table full, dropping packet.

Not necessarily the answer you were looking for, but this is what connlimit was written for. Connlimit will limit the number of parallel TCP connections per host. Do something like:

  iptables -t mangle -A PREROUTING -p tcp -i eth0 --dport 1024: \
           -m connlimit --connlimit-above 30 -j DROP

connlimit is not in the vanilla kernel at the minute; you need to patch with pom. You can download pom from http://ipset.netfilter.org/install.html, but you may need to patch pom first! See http://lists.netfilter.org/pipermail/netfilter-devel/2006-July/025090.html
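As an added example (not part of the original wiki page), this shell snippet finds which hosts are holding the conntrack entries when the table fills, using the same per-source figure you would give ''--connlimit-above''. The conntrack entries are constructed samples and the function name is chosen here.

```shell
#!/bin/sh
# Added example, not from the original wiki page: when ip_conntrack reports
# "table full", find out who is holding the entries before reaching for a
# bigger table. Entries are read on stdin; the samples below are constructed
# in the /proc/net/nf_conntrack layout, plus one line in the older
# /proc/net/ip_conntrack layout (no leading "ipv4 2" columns) to show that
# the parser accepts both.

SAMPLE_CT='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.2 sport=40001 dport=443 src=198.51.100.2 dst=10.0.0.5 sport=443 dport=40001 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.2 sport=40002 dport=443 src=198.51.100.2 dst=10.0.0.5 sport=443 dport=40002 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=10.0.0.5 dst=203.0.113.40 sport=40003 dport=6881 [UNREPLIED] src=203.0.113.40 dst=10.0.0.5 sport=6881 dport=40003 mark=0 use=1
ipv4     2 tcp      6 118 SYN_SENT src=10.0.0.5 dst=203.0.113.41 sport=40004 dport=6881 [UNREPLIED] src=203.0.113.41 dst=10.0.0.5 sport=6881 dport=40004 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=198.51.100.2 sport=50001 dport=22 src=198.51.100.2 dst=10.0.0.9 sport=22 dport=50001 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=198.51.100.2 sport=50002 dport=80 src=198.51.100.2 dst=10.0.0.9 sport=80 dport=50002 [ASSURED] use=1
ipv4     2 udp      17 29 src=10.0.0.5 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=10.0.0.5 sport=53 dport=5353 mark=0 use=1'

# conntrack_hogs LIMIT: print "count source-ip" for every source holding more
# than LIMIT TCP entries, busiest first. Only TCP is counted, matching the
# "-p tcp" connlimit rule, and only the original-direction src= (the first on
# the line), so the reply tuple does not double-count the connection.
conntrack_hogs() {
    awk -v limit="$1" '
        $1 == "tcp" || $3 == "tcp" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { n[substr($i, 5)]++; break }
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }' | sort -rn
}

# On a real host: conntrack_hogs 30 < /proc/net/nf_conntrack
printf '%s\n' "$SAMPLE_CT" | conntrack_hogs 3
```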

===== Preventing webserver hackers from connecting to IRC servers =====

Sometimes when a user runs some picture-gallery or forum software, your server gets more or less hacked: an attacker starts an IRC bot under the user your webserver runs as ('www-run' for example). You can prevent this with:

   iptables -I OUTPUT -m owner -p tcp --destination-port 6660:6669 --uid-owner nobody -j REJECT

//This will not work if the hacker runs his/her IRC server on a different port number than the ones blocked.//

==== Firewall example (the good old TNT firewall) ====
Download {{linux:firewall.sh|here}}
linux/iptables.txt · Last modified: 2013/10/25 15:16 by a
CC Attribution-Share Alike 4.0 International