Smokes your problems, coughs fresh air.

Tag: iptables

Iptables: limiting amount of connections per IP

Short and improved version of this.

To allow SSH TCP connections, but after more than 20 NEWs in 20s, drop:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m recent --rcheck --seconds 20 --hitcount 20 --name sshbadguys --rsource -j DROP
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name sshbadguys --rsource

To check current list (from the man page):

cat /proc/net/xt_recent/sshbadguys

Test with:

#!/bin/bash
ip="1.2.3.4"
port="22"
for i in {1..100}
do
  echo "attempt $i"
  # do nothing just connect and exit
  echo "exit" | nc ${ip} ${port};
done

Making a port forwarded machine available from within the LAN

When you forward a port to an internal machine on the network, you still can’t access that host using your WAN-IP from within the LAN. This article explains it well. In short, it’s because the reply the machine your connecting to makes, goes to the LAN IP directly, and not back through the router.

To fix it, we need to add a SNAT rule for that port forward as well. In the example that we want to forward port 80 to 10.50.0.4 on our 10.50.0.0/16 LAN and 10.50.0.1 is our router, these two rules are necessary:

iptables -t nat -A PREROUTING -d WANIP -p tcp --dport 80 -m comment --comment "Forward www to 10.50.0.4." -j DNAT --to-destination LANIP
iptables -t nat -A POSTROUTING -p tcp --source 10.50.0.0/16 --dest 10.50.0.4 --dport 80 -j SNAT --to-source 10.50.0.1 --match comment --comment "Allow our LAN to access port 80 from the WAN side as well."

Normally when forwarding, I would not use -d WANIP, but –in-interface eth0, but that won’t work here, because the LAN requests are not on eth0.

Also, the –source in the second rule is not strictly necessery, but if you don’t specify this rule, it will also match incoming requests for the internet, which is ugly, especially if you have logging rules.

Saving and loading iptables rules on Debian

For some reason, Debian can’t do “/etc/init.d/iptables save”. So, we have to fix something ourselves. I used this article as source, which also has some useful comments. Apparently, the iptables initscript used to exist…

To save, type:

iptables-save > /etc/iptables.rules

Make /etc/network/if-pre-up.d/iptables:

#!/bin/sh
iptables-restore < /etc/iptables.rules

Don’t forget to make it executable:

chmod +x /etc/network/if-pre-up.d/iptables

Convenient iptables rules

Here are some convenient iptables rules.

This first list is for not allowing anything in, accept packets that come back from outgoing connections, complicated related traffic like FTP, everything from the localhost, ICMP (ping and stuff) and SSH. It also sets the default policy to DROP. This you would use on a machine connected directly to the internet.

iptables -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT --match comment --comment "Accept traffic from outgoing connections and stuff like FTP."
iptables -A INPUT -p icmp -j ACCEPT --match comment --comment "Allow ICMP"
iptables -A INPUT -p tcp --dport 22 -j ACCEPT --match comment --comment "Allow SSH"
iptables -A INPUT --in-interface lo -j ACCEPT --match comment --comment "Allow everything on the localhost"
iptables -P INPUT DROP
Here are some rules to allow certain MAC addresses to access everything. Simplifies things on a LAN (even though it’s not attacker-proof, it keeps unwanted people out of my SMB and stuff):
iptables -A INPUT --match mac --mac-source xx:xx:xx:xx:xx:xx --match comment --comment "Allow everything from [computer]" -j ACCEPT

Besides computers you want to grant full access to a machine, don’t forget to include the MACs of the router and the machine’s own ethernet interface.

When the machine acts as a masquerading SNAT server, use this to forward ports to LAN hosts (be sure to have the –to after the -j):

iptables -t nat -A PREROUTING --in-interface eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.1:22 --match comment --comment "forwards incoming port 80 to port 22 on 10.0.0.1"

To allow everything for a samba server:

iptables -A INPUT -p tcp --dport 139 -m comment --comment "Allow Netbios-ssn" -j ACCEPT 
iptables -A INPUT -p tcp --dport 445 -m comment --comment "Allow microsoft-ds" -j ACCEPT 
iptables -A INPUT -p udp --dport 137 -m comment --comment "Allow netbios-ns" -j ACCEPT 
iptables -A INPUT -p udp --dport 138 -m comment --comment "Allow netbios-dgm" -j ACCEPT

© 2022 BigSmoke

Theme by Anders NorenUp ↑