Iptables

ip forwarding

Disable the forwarding:

echo 0 > /proc/sys/net/ipv4/ip_forward

Delete all existing rules:

/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD

Start with a full drop of all packets (default policy for every chain):

/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

Input rules:

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# note: this rule accepts every new incoming connection, so the interface
# and source rules below only see packets the state match did not classify
/sbin/iptables -A INPUT -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
# or, more strictly, accept only selected source addresses on eth0
/sbin/iptables -A INPUT -i eth0 -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 192.168.0.1 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 192.168.0.2 -j ACCEPT
# otherwise drop the packet
/sbin/iptables -A INPUT -j DROP

Output rules:

/sbin/iptables -A OUTPUT -j ACCEPT

Forward rules:

/sbin/iptables -A FORWARD -j DROP

The Recent Module

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop sources already in the recent list and refresh their timestamp;
# "--seconds 60" limits the match to entries seen within the last 60 seconds,
# which is the interval described below
iptables -A FORWARD -m recent --update --seconds 60 -j DROP
# fills the recent list with IP addresses that try to connect to port 135
# (most likely worms searching for victims of the Windows DCOM-RPC vulnerability)
iptables -A FORWARD -i externinterface -p tcp --dport 135 -m recent --set -j DROP
iptables -A FORWARD -j DROP

If the same host tries to connect again within an interval of 60 seconds, the firewall will block this host. Additionally, the timestamp is set again because of the option "--update". To use different lists, use the option "--name identifier". User tools can reach the lists at "/proc/net/ipt_recent/list".

A new entry is made by:

echo address > /proc/net/ipt_recent/DEFAULT

Delete an address:

echo -address > /proc/net/ipt_recent/DEFAULT

By default the list holds 100 entries. You can change that with:

modprobe ipt_recent ip_list_tot=1000

To prevent portscans you can set up two hosts with addresses at the beginning and the end of your address space. Every communication with these two hosts is illegal, so you can set rules for these two hosts and block each host that tries to connect to them. A useful sample that uses this module together with snort, syslog-ng and a Perl block script can be found in "Linux Magazin - 04/07 page 68 Hausverbot".
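As an added example that is not part of the original page, the recent-module trap described above (port 135 probes plus the two trap hosts at the edges of the address range) generated as a reviewable list of iptables commands; the list name "trap", the interface name, the 60-second window and the trap addresses are assumed placeholders:

```shell
#!/bin/sh
# Added example, not from the original page: emit the "recent" module trap
# from the text as iptables commands instead of running them directly.
# The list name "trap", the interface and the trap addresses are assumptions.

# recent_trap_rules EXT_IF WINDOW_SECONDS TRAP_HOST...
#   EXT_IF          external interface the probes arrive on
#   WINDOW_SECONDS  how long a listed source stays blocked after its last probe
#   TRAP_HOST...    unused addresses at the edges of the range; nobody should talk to them
recent_trap_rules() {
    ext_if=$1
    window=$2
    shift 2

    # Keep already established flows working.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Sources already in the list are dropped and their timestamp refreshed,
    # so a host that keeps probing stays blocked (sliding window).
    echo "iptables -A FORWARD -m recent --name trap --update --seconds $window -j DROP"

    # Probes against TCP/135 put the source address into the list.
    echo "iptables -A FORWARD -i $ext_if -p tcp --dport 135 -m recent --name trap --set -j DROP"

    # Any packet addressed to a trap host puts the source into the list as well.
    for host in "$@"; do
        echo "iptables -A FORWARD -i $ext_if -d $host -m recent --name trap --set -j DROP"
    done

    # Everything else that is not part of an existing flow is dropped.
    echo "iptables -A FORWARD -j DROP"
}

# Sanity check before applying: how many rules feed the list (port 135 + one per trap host).
count_set_rules() {
    recent_trap_rules "$@" | grep -c -- '-m recent --name trap --set'
}

# Review the output first; apply with: recent_trap_rules eth0 60 192.168.0.1 192.168.0.254 | sh
recent_trap_rules eth0 60 192.168.0.1 192.168.0.254
```

The generated rules only cover the FORWARD chain, as in the page's own listing; the INPUT chain of the firewall itself is unchanged.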