Docu review done: Mon 20 Feb 2023 11:05:57 CET
Table of contents
- Commands General
- Commands Add/Remove Incoming/Outgoing traffic allow/reject/drop
- Commands for VPNs
- Commands Forwarding
- Forward with IP rewrite
- Drop ssh connects if 3 connects in timeframe
- React on percentage of packets
 
Commands General
| Commands | Description |
|---|---|
| iptables -vxnL | detailed view of all chains (verbose, exact counters, numeric addresses) |
| iptables -t nat -L -n | shows the nat table |
| iptables --flush | flushes the whole iptables config (filter table) |
| iptables -t [table] --flush | flushes only [table], e.g. the nat table (INPUT/OUTPUT are chains, not tables) |
| iptables -A [chain] ... | appends a rule to the end of chain [chain] |
| iptables -I [chain] ... | inserts a rule at the top of chain [chain] (position 1 unless a rule number is given) |
Commands Add/Remove Incoming/Outgoing traffic allow/reject/drop
| Commands | Description |
|---|---|
| iptables -A INPUT -s [sourceip] -p [tcp/udp] -m [tcp/udp] --dport [destport] -j [ACCEPT/REJECT/DROP] | appends a rule to chain INPUT that allows/rejects/drops incoming traffic from [sourceip] to destination port [destport] with protocol [tcp/udp] |
| iptables -D INPUT -s [sourceip] -p [tcp/udp] -m [tcp/udp] --dport [destport] -j [ACCEPT/REJECT/DROP] | removes that rule from chain INPUT (the rule spec must match exactly) |
| iptables -I OUTPUT -d [destip] -p [tcp/udp] -m [tcp/udp] --dport [destport] -j [ACCEPT/REJECT/DROP] | inserts a rule at the top of chain OUTPUT that allows/rejects/drops outgoing traffic to [destip] on destination port [destport] with protocol [tcp/udp] |
| iptables -D OUTPUT -d [destip] -p [tcp/udp] -m [tcp/udp] --dport [destport] -j [ACCEPT/REJECT/DROP] | removes that rule from chain OUTPUT |
A rule does not need a port: run it without --dport and it allows/rejects/drops traffic on all ports of that protocol.
Commands for VPNs
| Commands | Description |
|---|---|
| iptables -I FORWARD -i tun0 -o eth0 -s vpn.ip.0/24 -d local.ip.0/24 -m conntrack --ctstate NEW -j ACCEPT | allows new connections from the VPN subnet (tun0) into the local network (eth0) |
| iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | allows the reply packets of established connections back into the VPN |
Commands Forwarding
| Commands | Description |
|---|---|
| iptables -t nat -A PREROUTING -s SOURCEIP -p tcp --dport PORT -j DNAT --to-destination DESTIP:PORT | rewrites the destination of tcp traffic from SOURCEIP to destination port PORT so that it is forwarded to DESTIP:PORT (needs IP forwarding and a matching FORWARD rule, see below) |
Forward with IP rewrite
Allows external sources to connect to 37.120.185.132:23, which forwards the traffic to internal 10.13.37.33:22 and back.
```shell
$ sysctl net.ipv4.conf.all.forwarding=1   # enable IPv4 forwarding at runtime
$ sysctl -p                               # reload the sysctl settings from /etc/sysctl.conf
# forward external port 23 to the internal destination 10.13.37.33:22
$ iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 23 -j DNAT --to-destination 10.13.37.33:22
# allow the connections to be forwarded to internal 10.13.37.33 on port 22
$ iptables -A FORWARD -p tcp -d 10.13.37.33 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# rewrite the source IP so the internal host answers through this gateway
$ iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 22 -d 10.13.37.33 -j SNAT --to-source 37.120.185.132
```
Drop ssh connects if 3 connects in timeframe
These two iptables commands drop connection attempts from IPs that connect more than 3 times within the timeframe (--seconds 10). The order matters: the --update/DROP rule must come before the --set/ACCEPT rule.
```shell
# count only new connection attempts: without --ctstate NEW every packet of an
# open SSH session would also count as a hit and the session would be dropped
$ iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 10 --hitcount 3 --name SSH --rsource -j DROP
$ iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH --rsource -j ACCEPT
```
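As an added check (example code written for this page, not taken from it), the following Python model of the recent match's --set/--update/--hitcount logic shows that the rule pair lets 3 connects through within 10 seconds and drops the 4th, and why both rules should also match only NEW connections: without that, every packet of an open session counts as a hit. The IP addresses and timings are constructed.

```python
# Added model of the iptables "recent" match behind the two SSH rules above
# (simplified from the kernel's xt_recent logic; not the page's own code).
# An --update rule adds a timestamp only when it matches; --set always adds one.

class RecentList:
    def __init__(self):
        self.stamps = {}  # source ip -> packet times in seconds (cf. /proc/net/xt_recent/SSH)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match if src is listed and at
        least N stamps lie within the last S seconds; refresh on match."""
        stamps = self.stamps.get(src)
        if stamps is None or sum(1 for t in stamps if now - t <= seconds) < hitcount:
            return False
        stamps.append(now)
        return True

    def set(self, src, now):
        """--set: add src (or another stamp for it) unconditionally."""
        self.stamps.setdefault(src, []).append(now)


def ssh_chain(packets, seconds=10, hitcount=3, new_only=True):
    """Verdict per (time, src, is_new) packet for the rule pair
    '--update ... -j DROP' followed by '--set -j ACCEPT'. new_only=True models
    '-m conntrack --ctstate NEW' on both rules: packets of an already open
    session skip them ('PASS') instead of counting as hits."""
    table, verdicts = RecentList(), []
    for now, src, is_new in packets:
        if new_only and not is_new:
            verdicts.append("PASS")
        elif table.update(src, now, seconds, hitcount):
            verdicts.append("DROP")
        else:
            table.set(src, now)
            verdicts.append("ACCEPT")
    return verdicts


# Constructed sample traffic (not captured data).
# Four SSH connection attempts within 3 s, then one more 20 s after the first.
BRUTE_FORCE = [(0, "10.0.0.5", True), (1, "10.0.0.5", True), (2, "10.0.0.5", True),
               (3, "10.0.0.5", True), (20, "10.0.0.5", True)]
# One legitimate session: the connection opener, then three data packets.
SESSION = [(0, "10.0.0.7", True), (0.5, "10.0.0.7", False),
           (1.0, "10.0.0.7", False), (1.5, "10.0.0.7", False)]
```

Running `ssh_chain(SESSION, new_only=False)` reproduces the session drop that the rules without a NEW match would cause; with `new_only=True` only the opener is counted.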
React on percentage of packets
With the statistic match you can use --mode random together with --probability to specify the share of packets to act on. The value is given as a fraction of 1.0 (1.0 is 100%), so 50% is --probability 0.5. The decision is made per packet, not per connection.
In the samples below, we drop 25% of the UDP packets and 35% of the TCP packets to and from one specific host.
```shell
$ iptables -A INPUT -p udp -m statistic -s 10.10.10.11 --mode random --probability 0.25 -j DROP
$ iptables -A OUTPUT -p udp -m statistic -d 10.10.10.11 --mode random --probability 0.25 -j DROP
$ iptables -A INPUT -p tcp -m statistic -s 10.10.10.11 --mode random --probability 0.35 -j DROP
$ iptables -A OUTPUT -p tcp -m statistic -d 10.10.10.11 --mode random --probability 0.35 -j DROP
```