Difference between revisions of "IPTables"

From Bashlinux
Latest revision as of 03:59, 25 June 2015

Distro tools

  • firewalld - CentOS 7/Fedora 18 and newer
  • lokkit - CentOS 6/Fedora 17 and older
  • ufw - Ubuntu/Debian

Customizing the firewall

How to set up a gateway with 2 virtual NICs on Debian GNU/Linux

For any given host with 2 virtual NICs (IP aliases):

  • WAN = eth0 -> 10.11.12.10
  • LAN = eth0:1 -> 192.168.10.10

The steps to set up the host as a gateway are:

  • Add the proper nat rules to iptables so that SNAT traffic leaves through the "out to the world" NIC (eth0):
*nat
:PREROUTING ACCEPT [891:110412]
:POSTROUTING ACCEPT [92:11129]
:OUTPUT ACCEPT [241:27547]
# MASQUERADE is matched first; the SNAT rule below it is only reached if MASQUERADE is removed
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j SNAT --to-source 10.11.12.10
COMMIT
  • Because both networks sit on the same NIC, add to the filter section a FORWARD rule for each direction:
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
  • Ensure the kernel forwards IPv4 traffic by enabling it in /etc/sysctl:
net.ipv4.ip_forward = 1
  • Load the previous modification:
# sysctl -p

How to block an IP after 4 failed ssh login attempts

Set up a post-firewall script with:

# dedicated chain for new SSH connections
iptables -N SSH_CHECK
# send every new TCP connection to port 22 through SSH_CHECK
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j SSH_CHECK
# record the source address in the "SSH" recent list
iptables -A SSH_CHECK -m recent --set --name SSH
# drop the 4th (and any further) new connection from the same source within 60 seconds
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
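The SSH_CHECK chain counts new TCP connections to port 22 per source address, not authentication failures: the fourth new connection from one source within 60 seconds is dropped, and every further attempt inside the window keeps the block alive because --update refreshes the entry on a match. The following Python model of the recent match's --set/--update bookkeeping is an added example, not code from the original page or from the kernel's xt_recent module; the connection events and addresses are constructed, and the 20-timestamp ring mirrors the module's default ip_pkt_list_tot.

```python
"""Model of the xt_recent --set / --update logic behind the SSH_CHECK chain."""
from collections import defaultdict
from typing import Dict, List, Tuple

MAX_STAMPS = 20  # xt_recent default ip_pkt_list_tot: timestamps remembered per address


class RecentList:
    """One `-m recent --name SSH` list: a ring of hit timestamps per source address."""

    def __init__(self, max_stamps: int = MAX_STAMPS) -> None:
        self.stamps: Dict[str, List[float]] = defaultdict(list)
        self.max_stamps = max_stamps

    def record(self, src: str, now: float) -> None:
        """Append a hit timestamp, dropping the oldest once the ring is full."""
        ring = self.stamps[src]
        ring.append(now)
        if len(ring) > self.max_stamps:
            del ring[0]

    def set(self, src: str, now: float) -> None:
        """--set: add the source (or update an existing entry) with a fresh hit."""
        self.record(src, now)

    def update(self, src: str, now: float, seconds: int, hitcount: int) -> bool:
        """--update --seconds S --hitcount N: match when the source has at least N
        hits within the last S seconds; on a match the last-seen time is refreshed."""
        ring = self.stamps.get(src)
        if not ring:
            return False
        hits = sum(1 for t in ring if now - t <= seconds)
        matched = hits >= hitcount
        if matched:
            self.record(src, now)
        return matched


def ssh_check(events: List[Tuple[float, str]], seconds: int = 60, hitcount: int = 4) -> List[str]:
    """Run new-connection events (time, source) through SSH_CHECK; return one verdict each."""
    recent = RecentList()
    verdicts = []
    for now, src in events:
        recent.set(src, now)                            # -m recent --set --name SSH
        if recent.update(src, now, seconds, hitcount):  # --update --seconds 60 --hitcount 4 -j DROP
            verdicts.append("DROP")
        else:
            verdicts.append("RETURN")  # end of chain: back to INPUT, the connection proceeds
    return verdicts


# Constructed sample: one source bursting, another connecting at a normal pace.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7"),
    (5.0, "198.51.100.7"),
    (10.0, "198.51.100.7"),
    (12.0, "198.51.100.7"),   # 4th new connection within 60 s: dropped
    (30.0, "203.0.113.9"),    # unrelated source, first connection: allowed
    (40.0, "198.51.100.7"),   # still inside the 60 s window: dropped
    (200.0, "198.51.100.7"),  # window expired: allowed again
]

if __name__ == "__main__":
    for (when, src), verdict in zip(SAMPLE_EVENTS, ssh_check(SAMPLE_EVENTS)):
        print(f"t={when:6.1f} {src:14} {verdict}")
```

Because the match fires on connection count rather than on sshd's authentication result, a user who opens four successful sessions in a minute (scripted scp, a port scanner behind a shared NAT) is blocked just like a brute-forcer; failure-based blocking needs the sshd log, which is what tools such as fail2ban read.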

How to forward a port to another host

# iptables -t nat -A POSTROUTING -d RE.MO.TE.IP -p tcp --dport 80 -j SNAT --to LO.CA.L.IP
# iptables -t nat -A PREROUTING -d LO.CA.L.IP -p tcp --dport 80 -j DNAT --to RE.MO.TE.IP

where RE.MO.TE.IP is the IP of the host that will receive the traffic and LO.CA.L.IP is the IP on this host that clients connect to. As with the gateway above, the forwarded packets only move between hosts when net.ipv4.ip_forward is enabled.
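Both the gateway recipe and the port-forward recipe above depend on the same three things being in place at once: the nat rules, the FORWARD rules and ip_forward. The following Python audit, an added example that is not part of the original page, parses iptables-save output and the sysctl configuration and reports what is missing from either recipe; it also flags the case from the gateway section where a MASQUERADE rule sits in front of a SNAT rule on the same interface, so the SNAT rule can never match. The dump and the addresses in it are constructed (documentation ranges), and the function and parameter names are this example's own.

```python
"""Audit an iptables-save dump against the gateway and port-forward recipes above."""
import re
from typing import Dict, List, Optional

# Constructed sample in iptables-save format: the gateway rules from the page plus a
# port forward of TCP/80 from 192.0.2.10 (this host) to 198.51.100.20 (remote host).
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [891:110412]
:POSTROUTING ACCEPT [92:11129]
:OUTPUT ACCEPT [241:27547]
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 198.51.100.20
-A POSTROUTING -d 198.51.100.20/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.0.2.10
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j SNAT --to-source 10.11.12.10
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
COMMIT
"""
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1\n"  # constructed /etc/sysctl content


def parse_save(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {table: {chain: [rule, ...]}} from iptables-save output, in rule order."""
    tables: Dict[str, Dict[str, List[str]]] = {}
    table = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                       # table header, e.g. *nat
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):                     # chain header with policy and counters
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):                   # an appended rule
            tables[table].setdefault(line.split()[1], []).append(line)
        # blank lines, comments and COMMIT carry no rules
    return tables


def opt(rule: str, name: str) -> Optional[str]:
    """Value of a single-argument option (-d, --dport, --to-source ...), mask stripped."""
    m = re.search(rf"(?:^|\s){re.escape(name)}\s+(\S+)", rule)
    return m.group(1).split("/")[0] if m else None


def sysctl_value(text: str, key: str) -> Optional[str]:
    """Value of key in sysctl.conf-style text, or None when it is not set."""
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(\S+)", line)
        if m and m.group(1) == key:
            return m.group(2)
    return None


def audit_gateway(rules: str, sysctl: str, wan: str = "eth0") -> List[str]:
    """Findings for the 'gateway with 2 virtual NICs' recipe; empty means all checks pass."""
    t = parse_save(rules)
    post = t.get("nat", {}).get("POSTROUTING", [])
    fwd = t.get("filter", {}).get("FORWARD", [])
    findings: List[str] = []
    masq = [i for i, r in enumerate(post) if f"-o {wan}" in r and "-j MASQUERADE" in r]
    snat = [i for i, r in enumerate(post) if f"-o {wan}" in r and "-j SNAT" in r]
    if not masq and not snat:
        findings.append(f"no MASQUERADE/SNAT on {wan} in nat POSTROUTING")
    elif masq and snat and masq[0] < snat[0]:
        findings.append(f"MASQUERADE on {wan} precedes SNAT on {wan}: the SNAT rule is never reached")
    for flag, what in ((f"-i {wan}", "entering"), (f"-o {wan}", "leaving")):
        if not any(flag in r and "-j ACCEPT" in r for r in fwd):
            findings.append(f"no FORWARD ACCEPT for traffic {what} {wan}")
    if sysctl_value(sysctl, "net.ipv4.ip_forward") != "1":
        findings.append("net.ipv4.ip_forward is not 1")
    return findings


def audit_port_forward(rules: str, sysctl: str, local: str, remote: str, port: str) -> List[str]:
    """Findings for the 'forward a port to another host' recipe; empty means all checks pass."""
    nat = parse_save(rules).get("nat", {})
    findings: List[str] = []
    dnat = [r for r in nat.get("PREROUTING", []) if "-j DNAT" in r
            and opt(r, "-d") == local and opt(r, "--dport") == port]
    if not any(opt(r, "--to-destination") == remote for r in dnat):
        findings.append(f"no PREROUTING DNAT of {local}:{port} to {remote}")
    snat = [r for r in nat.get("POSTROUTING", []) if "-j SNAT" in r
            and opt(r, "-d") == remote and opt(r, "--dport") == port]
    if not any(opt(r, "--to-source") == local for r in snat):
        findings.append(f"no POSTROUTING SNAT of traffic to {remote}:{port} from {local}")
    if sysctl_value(sysctl, "net.ipv4.ip_forward") != "1":
        findings.append("net.ipv4.ip_forward is not 1")
    return findings


if __name__ == "__main__":
    print(audit_gateway(SAMPLE_RULES, SAMPLE_SYSCTL))
    print(audit_port_forward(SAMPLE_RULES, SAMPLE_SYSCTL, "192.0.2.10", "198.51.100.20", "80"))
```

On a real host feed it the output of `iptables-save` and the contents of the sysctl file instead of the constructed strings. One consequence of the port-forward SNAT that the audit deliberately does not flag: the remote host sees every forwarded connection as coming from LO.CA.L.IP, so its own logs no longer record the original client address, and incident reconstruction has to rely on connection-tracking or logging on the forwarding host.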