iptables

Simple Firewall for a single interface box running SSH on 50022, HTTP and FTP

# Generated by iptables-save v1.4.2 on Mon May 28 14:48:55 2012

*filter

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT ACCEPT [113711:279050685]

:LOGGING - [0:0]

-A INPUT -i lo -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -p tcp -m tcp --dport 50022 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 20:21 -j ACCEPT

-A INPUT -p udp -m udp --dport 20:21 -j ACCEPT

-A INPUT -p udp -m udp --sport 20:21 -j ACCEPT

-A INPUT -p udp -m udp --sport 53 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

-A INPUT -j LOGGING

-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name DEFAULT --rsource

-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --rsource -j DROP

-A LOGGING -j DROP

-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7

COMMIT

# Completed on Mon May 28 14:48:55 2012

http://www.cyberciti.biz/faq/iptables-connection-limits-howto/

Drop IP for PPP interface (must specify)

tcpdump -tnli ppp2 not port 50022

iptables -A INPUT -p tcp -i ppp2 -s 88.208.0.0/16 -j DROP

Rate limiting HTTP

iptables -A INPUT -p tcp --dport 80 -i ppp2 -m state --state NEW -m recent --set

iptables -A INPUT -p tcp --dport 80 -i ppp2 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

Rate Limiting SSH

-A RH-Firewall-1-INPUT -m state --state NEW -m recent -p tcp --dport 22 --set

-A RH-Firewall-1-INPUT -m state --state NEW -m recent -p tcp --dport 22 --update --seconds 60 --hitcount 4 -j DROP

Drop a single internal IP

iptables -A INPUT -s 192.168.20.163 -j DROP

Drop a range

iptables -A INPUT -p tcp --destination-port 22 -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP

Stop a range from accessing the internet

iptables -A FORWARD -p tcp --destination-port 80 -m iprange --src-range 192.168.0.100-192.168.0.223 -j DROP

A nice firewall to allow ssh from SA only

http://www.ipdeny.com/ipblocks/data/countries/za.zone (use whatsmyip.org from adsl lines)

It is running with fail2ban and rate limting where you need to use port 22 for some reason.

# Generated by iptables-save v1.4.7 on Mon Mar 19 15:01:10 2012

*filter

:INPUT DROP [1:44]

:FORWARD DROP [0:0]

:OUTPUT ACCEPT [43:7196]

:fail2ban-SSH - [0:0]

-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH

-A INPUT -i lo -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m tcp --dport 50022 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

-A INPUT -s 196.14.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -s 41.185.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m recent --set --name DEFAULT --rsource -m tcp --dport 22

-A INPUT -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -m tcp --dport 22 -j DROP

-A fail2ban-SSH -j RETURN

COMMIT

# Completed on Mon Mar 19 15:01:10 2012

Set up a simple firewall

# iptables -P INPUT ACCEPT # iptables -F

# iptables -A INPUT -i lo -j ACCEPT # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # iptables -A INPUT -p icmp -j ACCEPT

# iptables -A INPUT -p tcp --dport 50022 -j ACCEPT

# iptables -A INPUT -p udp --sport 53 -j ACCEPT (otherwise you will not be able to perform lookups)

# iptables -P INPUT DROP # iptables -P FORWARD DROP # iptables -P OUTPUT ACCEPT # iptables -L -v

# iptables-save > /etc/sysconfig/iptables

# Generated by iptables-save v1.4.7 on Tue Mar 13 11:36:16 2012

*filter

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT ACCEPT [3:348]

-A INPUT -i lo -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m tcp --dport 50022 -j ACCEPT

-A INPUT -p udp -m udp --sport 53 -j ACCEPT

COMMIT

# Completed on Tue Mar 13 11:36:16 2012

Simple NAT

Enable forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

vi /etc/sysctl.conf

grep forwa /etc/sysctl.conf

sysctl -p /etc/sysctl.conf

cat /proc/sys/net/ipv4/ip_forward

/etc/init.d/network restart

cat /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 32.64.128.200 --dport 8080 -j DNAT --to 216.239.59.105:80

iptables -t nat -A POSTROUTING -o eth0 -d 216.239.59.105 -j SNAT --to-source 32.64.128.200

iptabeles-save > /etc/sysconfig/iptables

The nat section should look something like this:

*nat

:PREROUTING ACCEPT [4987:342361]

:POSTROUTING ACCEPT [9154:582298]

:OUTPUT ACCEPT [15450:961745]

-A PREROUTING -d 77.67.63.213 -p tcp -m tcp --dport 5678 -j DNAT --to-destination 192.168.1.101:80

-A PREROUTING -d 77.67.63.213 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.1.101:3306

-A POSTROUTING -d 192.168.1.101 -o eth0 -j SNAT --to-source 77.67.63.213

-A POSTROUTING -d 192.168.1.101 -o eth0 -j SNAT --to-source 77.67.63.213

-A POSTROUTING -o eth1 -j MASQUERADE

COMMIT

Simple Gateway

cat /proc/sys/net/ipv4/ip_forward

1

To make permanent see above (Simple NAT)

Iptables:

-A FORWARD -i eth0 -j ACCEPT

where eth0 is internal nic

*nat

:PREROUTING ACCEPT [209:15828]

:POSTROUTING ACCEPT [47:3576]

:OUTPUT ACCEPT [53:4036]

-A POSTROUTING -o eth1 -j MASQUERADE

COMMIT

Or from cmd line

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A FORWARD -i eth1 -j ACCEPT