Simple iptables
Problem: Forwarding external web requests through a corporate gateway to an internal web server.
Scenario: You have three computers. A) Web server on the internal corporate network (172.30.30.1); B) Gateway (100.10.10.2 on eth1, the interface facing the external network); C) User on an external network.
Solution: Two iptables rules that forward all Gateway port 80 TCP traffic to the internal web server, port 80.
echo -n 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 100.10.10.2 --dport 80 -j DNAT --to 172.30.30.1:80
# -d takes an address only; the port belongs to the tcp match
iptables -t nat -A POSTROUTING -d 172.30.30.1 -p tcp --dport 80 -j MASQUERADE
Problem: Allow only computers from a certain network to ping the machine.
Scenario: Allow only computers located on the 192.168.0.X network to ping the machine and receive a response.
Solution:
iptables -A INPUT -s 192.168.0.0/24 -p icmp --icmp-type echo-request -j ACCEPT
# The ACCEPT alone only adds permission; "only" needs a DROP for everyone else
# (or a DROP default policy on INPUT) after it
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
Problem: Deny access to a computer or a network
Solution:
# Deny access to a single IP address
iptables -A OUTPUT -d 172.16.23.23/32 -j DROP
# Deny access to a network
iptables -A OUTPUT -d 172.16.23.0/24 -j DROP
Problem: Block an IP address that tries to connect "too fast, too many times"
Solution: The first two rules check whether an IP address connecting to port 22 is on the 'sshdrop' list and has tried to connect three times in the last 30 seconds. If the IP address matches, the first rule logs the attempt and the second rule drops the connection. The third rule places the IP address onto the 'sshdrop' list. Rule order matters: the two check rules must come before the rule that adds to the list, and since the check rules are not limited to NEW connections, every packet to port 22 from a listed source is dropped until its three recorded attempts are older than 30 seconds.
iptables -A INPUT -m tcp -p tcp -m recent --dport 22 --rcheck --seconds 30 --hitcount 3 \
--name sshdrop --rsource -j LOG --log-prefix "SSH ATTACK: "
iptables -A INPUT -m tcp -p tcp -m recent --dport 22 --rcheck --seconds 30 --hitcount 3 \
--name sshdrop --rsource -j DROP
iptables -A INPUT -m state --state NEW -m tcp -p tcp -m recent --dport 22 \
--set --name sshdrop --rsource -j ACCEPT
In addition, sshd can be configured (/etc/sshd_config; on most distributions the file is /etc/ssh/sshd_config) with parameters that prune unauthenticated connections to the SSH daemon. The following example setting restricts the number of authentication attempts on the same connection to 8 (MaxAuthTries). With MaxStartups, sshd starts refusing new connections with a probability of 50% once the number of unauthenticated connections reaches 4. The probability of refusal increases linearly from 50% at 4 connections to 100% when the number of unauthenticated connections reaches 8. See the man page for sshd_config for additional information.
MaxAuthTries 8
MaxStartups 4:50:8
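To make the behaviour of the three 'recent' rules concrete, here is an added Python model (mine, not code from the original post) of the per-source timestamp table that xt_recent keeps, applied to a constructed trace of packets to port 22. The addresses, timestamps and the trace itself are made up; the verdicts show the third attempt still being accepted, the fourth being logged and dropped, an established-session packet from the listed source being dropped as well, and the source being accepted again once its attempts have aged out of the 30-second window.

```python
# Added example (not from the original post): a model of how the three xt_recent
# rules classify packets, run over a constructed packet trace. The addresses
# (RFC 5737 documentation ranges), timestamps and trace are made up.
from collections import defaultdict

SECONDS, HITCOUNT = 30, 3   # --seconds 30 --hitcount 3
PKT_LIST_TOT = 20           # stamps kept per address by xt_recent by default


class RecentList:
    """Per-source timestamp table, as kept by 'recent --name sshdrop --rsource'."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def rcheck(self, src, now):
        # --rcheck: match if the source is listed and has at least HITCOUNT stamps
        # within the last SECONDS. It never modifies the table.
        recent = [t for t in self.stamps.get(src, []) if now - t <= SECONDS]
        return len(recent) >= HITCOUNT

    def set(self, src, now):
        # --set: add the source (creating its entry) and record this packet's stamp.
        self.stamps[src].append(now)
        del self.stamps[src][:-PKT_LIST_TOT]


def classify(trace):
    """Apply the three rules in chain order; returns (time, src, verdict) per packet."""
    table = RecentList()
    out = []
    for now, src, new in trace:
        # Rules 1 and 2: same rcheck, applied to any packet to port 22, not only NEW.
        if table.rcheck(src, now):
            out.append((now, src, "LOG+DROP"))  # rule 1 logs (non-terminating), rule 2 drops
            continue
        # Rule 3: only a NEW connection is recorded and accepted.
        if new:
            table.set(src, now)
            out.append((now, src, "ACCEPT"))
        else:
            out.append((now, src, "CONTINUE"))  # falls through to whatever rules follow
    return out


# Constructed trace: (seconds, source address, is_new_connection)
TRACE = [
    (0, "203.0.113.7", True),
    (1, "198.51.100.3", True),
    (2, "198.51.100.3", False),  # packet of an established session, not a new connection
    (5, "203.0.113.7", True),
    (10, "203.0.113.7", True),   # third NEW within 30 s: still accepted, now 3 stamps
    (12, "203.0.113.7", True),   # fourth: rcheck sees 3 stamps -> logged and dropped
    (15, "203.0.113.7", False),  # non-NEW packets to port 22 are dropped while listed
    (45, "203.0.113.7", True),   # stamps 0, 5, 10 are older than 30 s: accepted again
]


def verdicts():
    return [v for _, _, v in classify(TRACE)]


if __name__ == "__main__":
    for t, src, v in classify(TRACE):
        print(f"t={t:>3}s {src:<14} {v}")
```

The CONTINUE verdict is the point to watch when deploying the rules: a non-NEW packet from a source that is not (yet) over the threshold matches none of the three rules, so whatever follows in INPUT (typically an ESTABLISHED,RELATED accept) decides its fate.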
Problem: Need to balance web requests between two mirrored web servers
Scenario: IP addresses of the web servers are 172.30.30.1 and 172.30.30.2. Connections can come in through any interface (eth+).
Solution:
echo -n 1 > /proc/sys/net/ipv4/ip_forward
# Rule 1 takes every other new connection (packets 0, 2, 4, ...)
iptables -t nat -A PREROUTING -i eth+ -p tcp --dport 80 -m state --state NEW \
-m statistic --mode nth --every 2 --packet 0 -j DNAT --to 172.30.30.1:80
# Rule 2 takes everything rule 1 declined. A second "--every 2" counter here would keep
# its own count of only those remaining connections and match just half of them,
# leaving a quarter of all requests without any DNAT.
iptables -t nat -A PREROUTING -i eth+ -p tcp --dport 80 -m state --state NEW \
-j DNAT --to 172.30.30.2:80
iptables -t nat -A POSTROUTING -d 172.30.30.1 -j MASQUERADE
iptables -t nat -A POSTROUTING -d 172.30.30.2 -j MASQUERADE
Problem: Probabilistically rotate between three mirrored web servers
Scenario: Three web servers (172.30.30.1, 172.30.30.2, 172.30.30.3) are mirrored. When a request on port 80 comes in through any ethernet interface (eth+), randomly select which server will service the request (probability 0.33 for each).
Solution:
echo -n 1 > /proc/sys/net/ipv4/ip_forward
# Each rule only sees the connections the rules above it declined, so the
# probabilities must rise down the chain: 1/3, then 1/2 of the remainder,
# then everything that is left. Three rules at 0.33 would give the servers
# 33%, 22% and the rest instead of a third each.
iptables -t nat -A PREROUTING -i eth+ -p tcp --dport 80 -m state --state NEW \
-m statistic --mode random --probability 0.33333 -j DNAT --to 172.30.30.1:80
iptables -t nat -A PREROUTING -i eth+ -p tcp --dport 80 -m state --state NEW \
-m statistic --mode random --probability 0.5 -j DNAT --to 172.30.30.2:80
iptables -t nat -A PREROUTING -i eth+ -p tcp --dport 80 -m state --state NEW \
-j DNAT --to 172.30.30.3:80
iptables -t nat -A POSTROUTING -d 172.30.30.1 -j MASQUERADE
iptables -t nat -A POSTROUTING -d 172.30.30.2 -j MASQUERADE
iptables -t nat -A POSTROUTING -d 172.30.30.3 -j MASQUERADE
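The two load-balancing recipes above (the nth split between two servers and the random split between three) share one pitfall: every statistic rule in the chain only sees the packets that earlier rules declined. The following Python model is an added example, not code from the original post; it simulates the nth counters packet by packet and works out the random shares exactly with fractions. The srv1/srv2/srv3 labels stand in for the 172.30.30.x DNAT targets and the packet count is constructed.

```python
# Added example, not from the original post: model the 'statistic' match to show
# how chained --mode nth and --mode random rules actually divide new connections.
# The srv1/srv2/srv3 labels stand in for the post's 172.30.30.x DNAT targets.
from collections import Counter
from fractions import Fraction


class NthMatch:
    """'-m statistic --mode nth --every N --packet P': every rule keeps its own
    counter, so it only counts the packets earlier rules let through to it."""

    def __init__(self, every, packet):
        self.every, self.packet, self.counter = every, packet, 0

    def matches(self):
        hit = self.counter == self.packet
        self.counter = (self.counter + 1) % self.every
        return hit


def nth_distribution(rules, packets):
    """rules: (target, matcher) pairs in chain order; matcher None = unconditional.
    Returns how many of 'packets' new connections each target received."""
    seen = Counter()
    for _ in range(packets):
        for target, matcher in rules:
            if matcher is None or matcher.matches():
                seen[target] += 1
                break
        else:
            seen["no-DNAT"] += 1  # no rule matched: the packet keeps its original destination
    return dict(seen)


def nth_two_counters(packets=100):
    # Two independent counters: '--every 2 --packet 0' followed by '--every 2 --packet 1'
    return nth_distribution([("srv1", NthMatch(2, 0)), ("srv2", NthMatch(2, 1))], packets)


def nth_catch_all(packets=100):
    # One counter on rule 1; rule 2 takes whatever is left
    return nth_distribution([("srv1", NthMatch(2, 0)), ("srv2", None)], packets)


def random_shares(probabilities):
    """Chained '--mode random --probability p_i' rules. Rule i only sees packets
    that every earlier rule declined, so its share is p_i * prod_{j<i}(1 - p_j).
    Returns (share per rule, fraction matched by no rule) as exact Fractions."""
    remaining = Fraction(1)
    shares = []
    for p in probabilities:
        p = Fraction(p)
        shares.append(remaining * p)
        remaining *= 1 - p
    return shares, remaining


if __name__ == "__main__":
    print("nth, two counters:", nth_two_counters())  # srv1 50, srv2 25, 25 without DNAT
    print("nth, catch-all   :", nth_catch_all())     # srv1 50, srv2 50
    # Two rules at 0.33: srv1 33%, srv2 only 22.11%, 44.89% left for the third rule.
    print("random 0.33, 0.33:", random_shares(["33/100", "33/100"]))
    # 1/3, then 1/2 of the rest, then all of the rest: exactly a third each.
    print("random 1/3,1/2,1 :", random_shares(["1/3", "1/2", "1"]))
```

The same arithmetic generalises to any number of mirrors: for N servers the i-th rule (1-based) needs --probability 1/(N-i+1), and the last rule needs no statistic match at all.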
Problem: Prevent access to an IP address during a certain time range
Scenario: Prevent access to a computer during "work hours". The IP address of the computer is 208.94.116.39.
Solution:
TSTART=07:00:00
TSTOP=17:00:00
# The time match compares against UTC unless --kerneltz is added; --weekdays Mon,Tue,Wed,Thu,Fri
# would additionally limit the rule to the work week
iptables -A OUTPUT -d 208.94.116.39/32 -m time --timestart $TSTART --timestop $TSTOP -j DROP