Setup Iptables
iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores.
There's is not really one iptables configuration you can use. IPTables can be set based on your preferences and your needs.
Here some examples you can look and update based on your needs. Please note, you will need sudo
in order to use IPTables.
Limit Incoming SSH Connections
The following example will drop incoming connections which make more than 5 connection attempts upon port 22 within 60 seconds:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
Rate-limit Incoming SSH Port Connections
Both netfilter and pf provides rate-limit option to perform simple throttling on incoming connections on port the ssh port, by default 22 unless you changed it.
The following example will drop any incoming connections which make more than 3 connection attempts on the ssh port within 15 seconds:
iptables -I INPUT -p tcp --dport ssh -i eth0 -m state --state NEW -m recent --set iptables -I INPUT -p tcp --dport ssh -i eth0 -m state --state NEW -m recent --update --seconds 15 --hitcount 3 -j DROP
Use Port Knocking
Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s).
iptables -N stage1 iptables -A stage1 -m recent --remove --name knock iptables -A stage1 -p tcp --dport 3456 -m recent --set --name knock2 iptables iptables -N stage2 iptables -A stage2 -m recent --remove --name knock2 iptables -A stage2 -p tcp --dport 2345 -m recent --set --name heaven iptables iptables -N door iptables -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2 iptables -A door -m recent --rcheck --seconds 5 --name knock -j stage1 iptables -A door -p tcp --dport 1234 -m recent --set --name knock iptables iptables -A INPUT -m --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name heaven -j ACCEPT iptables -A INPUT -p tcp --syn -j doo
Attempt to block portscans
Anyone who tried to portscan us is locked out for an entire day.
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
Once the day has passed, remove them from the portscan list.
iptables -A INPUT -m recent --name portscan --remove iptables -A FORWARD -m recent --name portscan --remove
These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:" iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:" iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
Force SYN packets check
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Drop all NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Drop ping
iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -i eth0 -j ACCEPT iptables -A INPUT -p icmp --icmp-type destination-unreachable -s 0/0 -i eth0 -j ACCEPT iptables -A INPUT -p icmp --icmp-type time-exceeded -s 0/0 -i eth0 -j ACCEPT iptables -A INPUT -p icmp -i eth0 -j DROP
To block an attackers ip address called 1.2.3.4, enter:
iptables -A INPUT -s 1.2.3.4 -j DROP iptables -A INPUT -s 192.168.0.0/24 -j DROP
Sample Configuration
# Accept traffic from internal interfaces iptables -A INPUT ! -i eth0 -j ACCEPT # Accept traffic with the ACK flag set iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT # Allow incoming data that is part of a connection we established iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT # Allow data that is related to existing connections iptables -A INPUT -m state --state RELATED -j ACCEPT # Accept responses to DNS queries iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT # Accept responses to our pings iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT # Accept notifications of unreachable hosts iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT # Accept notifications to reduce sending speed iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT # Accept notifications of lost packets iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT # Accept notifications of protocol problems iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT # Allow connections to our SSH server iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # Respond to pings iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT # Allow connections to webserver iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # Allow SSL connections to webserver iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT #Allow connections to SMTP server for mail delivery iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
Saving Rules
To save the IPTables rules, you need to use the iptables-save
command:
iptables-save > /root/my.active.firewall.rules
Restore Rules
To restore rules, simply use the iptables-restore
command:
iptables-restore < /root/my.active.firewall.rules
For more information about IPTables, please read : https://help.ubuntu.com/community/IptablesHowTo