
Using iptables




date: 2024-04-02 07:57:28


categories: linux


firstPublishDate: 2023-11-22 20:37:47


On this page, I list basic iptables and ipset commands.


Why set up a firewall? Security issues on an exposed host are found within seconds.


My server is getting scanned all the time


I have been using `iptables` for many years, and recently the legacy iptables backend in the Linux kernel has been replaced by nftables (`nf_tables`). I still use the `iptables` command, which now drives nftables; I only use IPv4, so for me it is the same as before.


iptables -V
iptables v1.8.9 (nf_tables)

Iptables


List the current rules:


iptables -L --line-numbers

Clear/flush out all the existing rules:


iptables -F

Append a rule at the end of the chain:


iptables -A

Insert a rule at the start of the chain:


iptables -I

Delete a rule:


iptables -D chain_name rule_number
iptables -D INPUT 1

Ipset


List sets:


ipset -L

Delete a set named `myset`:


ipset destroy myset
or
ipset -X myset

Delete all sets:


ipset destroy

Delete a member in an ipset:


ipset del myset 64.225.75.109

Rate limiter: Ban ip after N connections per minute


Rate limit new connections on port 22 (`--dport 22`): after 3 attempts (`--hitcount 3`) within 1 minute (`--seconds 60`) the source ip is added to the `too_many` set and its packets are logged and dropped. The ips are blocked for 10 minutes (`timeout 600`, the set's default entry timeout).


iptables -N LOG_DROP_TOO_MANY
iptables -A LOG_DROP_TOO_MANY -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "INPUT:DROP TOO MANY: " --log-level 6
iptables -A LOG_DROP_TOO_MANY -j DROP
ipset create too_many hash:ip family inet hashsize 32768 maxelem 65536 timeout 600
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j SET --add-set too_many src
iptables -A INPUT -p tcp --dport 22 -m set --match-set too_many src -j LOG_DROP_TOO_MANY

How to block or only allow a list of networks


Create a file `nets.txt` with the list of networks:


vi nets.txt
1.0.0.0/8
2.0.0.0/8
128.0.0.0/16

Create a script that adds the networks to a set:


vi add.sh
#!/bin/sh
# Create the set (hash:net stores CIDR networks) and add each line of nets.txt to it
ipset create nets hash:net
while read -r network ; do
    ipset add nets "$network"
done < nets.txt

Run the script:


chmod 755 add.sh
./add.sh

Block or allow the ip in the set:


# Only allow ips in the set (drop everything else):
iptables -A INPUT -m set ! --match-set nets src -j DROP
# or
# block ips in the set:
iptables -A INPUT -m set --match-set nets src -j DROP

How to log outbound tcp connections outside a subnet


I want to log outbound connections to have a list of ips my computer connects to. My local network is 192.168.1.0/24 and I don't want to log the connections inside my LAN.


iptables -I OUTPUT -p tcp -m state --state NEW ! -d 192.168.1.0/24 -m limit --limit 1/m --limit-burst 1 -j LOG --log-uid --log-prefix "Outbound Connection: "

The log messages are written to `/var/log/messages`. Note that `-m limit --limit 1/m --limit-burst 1` throttles the rule as a whole, not per destination, so at most one new outbound connection per minute is logged and the rest are silently skipped; raise the limit if you want a complete list.
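As an added example (not code from the original page), the Python script below parses the kernel LOG lines that the outbound-logging rule above and the `LOG_DROP_TOO_MANY` chain of the rate limiter write to `/var/log/messages`, and produces the list of destination ips (with port and uid) plus the sources that were banned. The sample lines are constructed in the format the LOG target emits (syslog header, then netfilter's own `KEY=VALUE` fields); the hostname `box` and the addresses are made up.

```python
"""Summarise the netfilter LOG lines produced by the rules on this page."""
import re
from collections import Counter

# Log prefixes of the two LOG rules: the outbound logger and the SSH rate limiter.
OUTBOUND_PREFIX = "Outbound Connection: "
BAN_PREFIX = "INPUT:DROP TOO MANY: "
# After the prefix the LOG target emits KEY=VALUE fields; flags like DF/SYN have no "=".
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample of /var/log/messages: syslog header, then the kernel message.
SAMPLE_LOG = """\
Nov 22 20:37:47 box kernel: [1234.567] Outbound Connection: IN= OUT=eth0 SRC=192.168.1.10 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Nov 22 20:38:02 box kernel: [1249.101] Outbound Connection: IN= OUT=eth0 SRC=192.168.1.10 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=51240 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Nov 22 20:39:15 box kernel: [1322.900] Outbound Connection: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4250 DF PROTO=TCP SPT=51300 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0 UID=0 GID=0
Nov 22 20:40:01 box kernel: [1368.004] INPUT:DROP TOO MANY: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 22 20:40:03 box kernel: [1370.222] INPUT:DROP TOO MANY: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 22 20:40:10 box sshd[123]: Accepted publickey for leo from 192.168.1.20 port 5000 ssh2
"""

def parse_log_line(line):
    """Return (prefix, fields) for a kernel LOG line, or None for any other line."""
    for prefix in (OUTBOUND_PREFIX, BAN_PREFIX):
        pos = line.find(prefix)
        # Require the syslog "kernel:" tag before the prefix so that a user process
        # printing the same words cannot forge a firewall log entry.
        if pos != -1 and "kernel:" in line[:pos]:
            return prefix, dict(FIELD_RE.findall(line[pos + len(prefix):]))
    return None

def summarise(lines):
    """Count outbound (DST, DPT, UID) triples and banned SRC addresses."""
    outbound, banned = Counter(), Counter()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        if prefix == OUTBOUND_PREFIX:
            outbound[(f["DST"], f.get("DPT", "-"), f.get("UID", "-"))] += 1
        else:
            banned[f["SRC"]] += 1
    return outbound, banned

def destinations(outbound):
    """The plain list of ips the machine connected to, which is what the page asks for."""
    return sorted({dst for dst, _, _ in outbound})

if __name__ == "__main__":
    out, ban = summarise(SAMPLE_LOG.splitlines())
    print(destinations(out), dict(ban))
```

Feed it the real file with `summarise(open("/var/log/messages"))`; the UID column tells you which local user opened each connection thanks to `--log-uid`.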


How to make ipset and iptables persistent in debian


sudo apt-get install ipset-persistent iptables-persistent

Installing the ipset-persistent and iptables-persistent packages saves the current configuration.


To save the current configuration again after changing the rules, run:


sudo dpkg-reconfigure ipset-persistent
sudo dpkg-reconfigure iptables-persistent

Related article from Cheapskate's Guide:

Building My Own Firewall/Router, Part 2


Related to persistent ipset iptables configurations:

Make ipset and iptables configurations persistent in Debian/Ubuntu


Hashtags: #networking


