IPTables

From Bashlinux

Distro tools

  • firewalld - CentOS 7/Fedora 18 and newer
  • lokkit - CentOS 6/Fedora 17 and older
  • ufw - Ubuntu/Debian

Customizing the firewall

How to set up a gateway with 2 virtual NICs on Debian GNU/Linux

For a host with two virtual NICs (IP aliases on one physical interface):

  • WAN = eth0 -> 10.11.12.10
  • LAN = eth0:1 -> 192.168.10.10

The steps to set up the host as a gateway are:

  • Add the NAT rule that source-NATs LAN traffic leaving through the "out to the world" address. One rule is enough: SNAT when the WAN address is static (as here), MASQUERADE when it is assigned dynamically; if both are listed the first match wins and the second never fires. Restrict the rule to the LAN source network and exclude LAN destinations, otherwise forwarded LAN-to-LAN traffic is rewritten as well, since both addresses sit on eth0.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# static WAN address: SNAT to it
-A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -o eth0 -j SNAT --to-source 10.11.12.10
# dynamic WAN address: use MASQUERADE instead of the SNAT rule above
#-A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -o eth0 -j MASQUERADE
COMMIT
  • Because both addresses live on the same NIC, the FORWARD chain cannot tell the two sides apart by interface, so match on addresses instead. Add to the filter section one rule that lets the LAN open connections outward and one that lets only reply traffic back in, rather than accepting everything in both directions, and set the FORWARD chain policy to DROP:
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -s 192.168.10.0/24 -o eth0 -m state --state NEW -j ACCEPT
  • Ensure the kernel forwards IPv4 traffic by enabling it in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
  • Load the new setting:
# sysctl -p

How to block an IP after 4 SSH connection attempts within 60 seconds

Set up a post-firewall script (one that runs after the base rules are loaded) with:

# new connections to port 22 are diverted into a dedicated chain
iptables -N SSH_CHECK
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j SSH_CHECK
# record the source address in the "SSH" list, then drop the packet if this is
# the 4th or later new connection from that address within 60 seconds
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

The recent match counts new TCP connections per source address, not authentication failures: a legitimate user who opens four sessions within a minute is dropped too, while an attacker who keeps to three per minute is never caught. Every further attempt, accepted or dropped, adds a timestamp to the entry, so a blocked source stays blocked until it has been quiet long enough for fewer than four of its attempts to fall inside the 60 second window. The rules cover IPv4 only; repeat them with ip6tables for IPv6. To react to actual failed logins, use a tool that reads the sshd log, such as fail2ban.
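
To see which sources the SSH_CHECK rule is currently holding, read the kernel's state file for the list, /proc/net/xt_recent/SSH. The script below is an added example, not part of the original page: it parses that file, counts each source's timestamps that fall inside the rule's 60 second window, reports which sources are at or over the hit count, and shows how to release one. The sample lines are constructed in the file's format, not a real capture; the HZ value used to turn jiffies into seconds is the kernel's CONFIG_HZ, assumed to be 250 here and to be read from the running kernel's config in practice.

```shell
#!/bin/sh
# Added example (not from the original page): report what the SSH_CHECK rule's
# "recent" list currently holds. Reads /proc/net/xt_recent/SSH (or a file in the
# same format), counts per-source timestamps inside the rule's window and flags
# sources at or above --hitcount. Jiffies are converted with HZ, which is the
# kernel's CONFIG_HZ; the 250 below is an assumption for the constructed sample.

LIST="${LIST:-SSH}"          # --name used in the rule
WINDOW="${WINDOW:-60}"       # --seconds used in the rule
HITCOUNT="${HITCOUNT:-4}"    # --hitcount used in the rule
HZ="${HZ:-250}"              # assumption: check with  grep CONFIG_HZ= /boot/config-$(uname -r)

# Constructed sample of /proc/net/xt_recent/SSH (not a real capture). One line per source:
#   src=<ip> ttl: <n> last_seen: <jiffies> oldest_pkt: <index> <stamp>, <stamp>, ...
SAMPLE_RECENT='src=203.0.113.7 ttl: 52 last_seen: 4295012345 oldest_pkt: 1 4295001000, 4295003000, 4295007000, 4295009000, 4295012345
src=198.51.100.9 ttl: 64 last_seen: 4295010000 oldest_pkt: 0 4295010000
src=192.0.2.44 ttl: 61 last_seen: 4295011111 oldest_pkt: 2 4295004444, 4295008888, 4295011111
src=192.0.2.200 ttl: 55 last_seen: 4295020000 oldest_pkt: 0 4294900000, 4294900100, 4294900200, 4295020000'

# recent_status FILE WINDOW HZ HITCOUNT
# Prints "<ip> <hits-in-window> <DROP|pass>" per source. Hits are counted relative to
# the source's own last_seen stamp, i.e. the window the kernel evaluated for that
# source's most recent packet; older stamps are still listed but do not count.
recent_status() {
  awk -v window="$2" -v hz="$3" -v hit="$4" '
    {
      ip = substr($1, 5)                 # strip the "src=" prefix
      cutoff = $5 - window * hz          # oldest jiffies value still inside the window
      n = 0
      for (i = 8; i <= NF; i++) {        # fields 8.. are the timestamps (comma separated)
        s = $i; sub(/,$/, "", s)
        if (s + 0 >= cutoff) n++
      }
      print ip, n, (n >= hit ? "DROP" : "pass")
    }' "$1"
}

# recent_blocked FILE WINDOW HZ HITCOUNT: only the sources currently being dropped.
recent_blocked() {
  recent_status "$@" | awk '$3 == "DROP" { print $1 }'
}

# recent_unblock LIST IP: remove one source from the list (needs root). Writing "-addr"
# deletes an entry, "+addr" inserts one and "/" flushes the whole list.
recent_unblock() {
  f="/proc/net/xt_recent/$1"
  [ -w "$f" ] || { echo "cannot write $f (not root, or list not loaded)" >&2; return 1; }
  echo "-$2" > "$f"
}

# Stand-alone run: use the live list if it exists, otherwise the constructed sample.
if [ -r "/proc/net/xt_recent/$LIST" ]; then
  recent_status "/proc/net/xt_recent/$LIST" "$WINDOW" "$HZ" "$HITCOUNT"
else
  tmp="$(mktemp)"
  printf '%s\n' "$SAMPLE_RECENT" > "$tmp"
  recent_status "$tmp" "$WINDOW" "$HZ" "$HITCOUNT"
  rm -f "$tmp"
fi
```

In the sample, 203.0.113.7 has five stamps inside its window and is being dropped, while 192.0.2.200 has four stamps in total but only one inside the window, so its last attempt was allowed; that is the difference between the file's raw contents and what --hitcount actually evaluates. The list keeps at most ip_pkt_list_tot stamps per address (20 by default), so very old history is not visible here.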

How to forward a port to another host

# iptables -t nat -A PREROUTING -d LO.CA.L.IP -p tcp --dport 80 -j DNAT --to-destination RE.MO.TE.IP
# iptables -t nat -A POSTROUTING -d RE.MO.TE.IP -p tcp --dport 80 -j SNAT --to-source LO.CA.L.IP
# iptables -A FORWARD -d RE.MO.TE.IP -p tcp --dport 80 -j ACCEPT

Where RE.MO.TE.IP is the IP of the host that will receive the traffic and LO.CA.L.IP is the address on this host that clients connect to. The PREROUTING rule rewrites the destination of incoming connections to the remote host; the POSTROUTING rule rewrites their source to LO.CA.L.IP so that the remote host's replies come back through this host even when it does not use it as its default gateway. The cost is that the remote host sees every client as LO.CA.L.IP, so its logs and any source-based access control lose the real client address; omit the SNAT rule when the remote host already routes back through this host. Forwarding must be enabled in the kernel (net.ipv4.ip_forward = 1) and the FORWARD chain must accept the traffic, as the third rule does.
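
The two NAT procedures on this page, the SNAT gateway set up above and the port forward in this section, fit in one iptables-restore file, and generating that file from a script keeps the nat and filter pieces consistent and lets you test-parse it before committing. The script below is an added example, not code from the original page: it emits the complete nat and filter tables for the page's gateway (eth0, 10.11.12.10 and 192.168.10.0/24, all taken from the page) and, optionally, a DNAT/SNAT port forward to an internal host. The internal target 192.168.10.20 in the usage notes is a constructed value, and loading the ruleset only happens on an explicit --apply argument as root.

```shell
#!/bin/sh
# Added example (not from the original page): generate, test-parse and optionally load
# one iptables-restore file implementing the SNAT gateway and the port forward described
# on the page. Interface and addresses default to the page's example; the port-forward
# target is whatever internal host is given on the command line (the 192.168.10.20 in
# the usage notes is a constructed value).

WAN_IF="${WAN_IF:-eth0}"               # interface carrying the public address
WAN_IP="${WAN_IP:-10.11.12.10}"        # public address, used as SNAT source (LO.CA.L.IP on the page)
LAN_NET="${LAN_NET:-192.168.10.0/24}"  # network behind the gateway (the eth0:1 alias)

# gateway_rules [PORT TARGET]
# Prints a complete iptables-restore file. With PORT and TARGET, TCP connections to
# WAN_IP:PORT are published to TARGET:PORT (TARGET plays RE.MO.TE.IP on the page).
# "#" lines are comments to iptables-restore and are kept in the output on purpose.
gateway_rules() {
  port="$1"; target="$2"
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
  if [ -n "$port" ]; then
    cat <<EOF
# port forward: rewrite the destination of incoming connections to the internal host ...
-A PREROUTING -d $WAN_IP -p tcp --dport $port -j DNAT --to-destination $target:$port
# ... and their source, so the target answers via this host even if its default route
# differs (the target then sees $WAN_IP, not the client, as the source)
-A POSTROUTING -d $target -p tcp --dport $port -j SNAT --to-source $WAN_IP
EOF
  fi
  cat <<EOF
# only LAN traffic leaving for the outside is source-NATed; "! -d" keeps LAN-to-LAN
# traffic untouched, which matters because both addresses sit on the same interface
-A POSTROUTING -s $LAN_NET ! -d $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to anything already allowed, then new connections from the LAN outwards
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
EOF
  if [ -n "$port" ]; then
    printf '%s\n' "-A FORWARD -d $target -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  fi
  echo COMMIT
}

# rule_count RULESET: number of "-A" rules in a generated ruleset (sanity check).
rule_count() {
  printf '%s\n' "$1" | grep -c '^-A '
}

# apply_rules [PORT TARGET]: enable forwarding and load the ruleset atomically.
# Needs root. "iptables-restore --test" parses without committing, so a typo aborts
# before any rule changes (the flag exists from iptables 1.6 on).
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
  rules="$(gateway_rules "$@")"
  printf '%s\n' "$rules" | iptables-restore --test || return 1
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  printf '%s\n' "$rules" | iptables-restore
}

# Usage (a plain run only prints; nothing is loaded without --apply):
#   sh gateway.sh                            plain SNAT gateway
#   sh gateway.sh 80 192.168.10.20           plus port 80 published to 192.168.10.20 (constructed)
#   sh gateway.sh --apply 80 192.168.10.20   load it, as root
case "$1" in
  --apply) shift; apply_rules "$@" ;;
  *)       gateway_rules "$@" ;;
esac
```

The FORWARD policy is DROP and only two things are let through: reply traffic for tracked connections, and new connections that either come from the LAN or are the published port on the forward target. Because the SNAT rule for the forward hides the client address from the target, drop that single line if the target already routes back through this gateway and you want its logs to show real client addresses.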