Iptables

After a long time, I finally had some time to write again, and this time I intend to keep to a regular schedule. The reason for my absence? Well, now I have Dom

Without further ado, let's get to the point: what is iptables, what is it for, and where do I use it?

What is Iptables?

According to the one-line description from the project that maintains it (Netfilter), iptables is a tool for creating and administering the rules that filter network packets in the Linux kernel.

iptables can match on source and destination address, source and destination port, protocol and interface, among other things. It works by comparing each packet against an ordered list of rules: the first rule that matches decides whether the packet is accepted or dropped, and if no rule matches, the chain's default policy applies. In more restrictive firewalls the blocked packet is also logged, so the system administrator knows what is happening on the system.

What is it for?

With iptables you can redirect ports, forward traffic to other servers and services (NAT), block hosts or users on the network, and restrict a service to certain IPs, among many other things. It operates on IP headers and TCP/UDP ports, so it does not inspect or convert application protocols: a rule cannot turn SSLv3 into TLS 1.0, for example; that is the job of the application or a proxy in front of it.

Directions for use

The general form of the command is:

iptables [-t table] command chain [rule-specification] [-j target]

If -t is omitted, the filter table is used; the other tables are nat, mangle and raw.

among the commands you can use:

  • -P = Sets the default policy of a built-in chain (ACCEPT or DROP); it applies to packets that match no rule;
  • -A = Appends a new rule to the end of a chain. Rules are consulted before the policy, so a matching rule overrides -P;
  • -D = Deletes a rule (by specification or by number);
  • -L = Lists the existing rules;
  • -S = Prints the existing rules in the format iptables-save uses;
  • -E = Renames a user-defined chain;
  • -F = Flushes (deletes) all rules in a chain, or in all chains of the table if none is given;
  • -I = Inserts a new rule at a given position (at the top by default);
  • -h = Displays the help;
  • -R = Replaces the rule at a given position;
  • -C = Checks whether a rule exists in a chain (exit status 0 if it does);
  • -Z = Zeroes the packet and byte counters of all chains, or of one chain;
  • -N = Creates a new user-defined chain with the given name;
  • -X = Deletes a user-defined chain by name (it must be empty and unreferenced).

Each has its specific use, and a way to use. To see all just use:

man iptables

Common iptables commands

Delete all rules (flush)

iptables -F

This removes every rule from every chain of the filter table (add -t nat for the nat table, and so on) but leaves the default policies untouched. If the INPUT policy is DROP, flushing over SSH locks you out: set the policies back to ACCEPT first, or do it from the console. User-defined chains are removed with -X once they are empty.

Block an IP

iptables -A INPUT -s 192.168.254.10 -j DROP

If you want to block it on a specific interface only, add the -i parameter, like so:

iptables -A INPUT -i eth0 -s 192.168.254.10 -j DROP

Because -A appends, this rule has no effect on packets an earlier rule already accepted (for example a general ESTABLISHED accept); use -I to put a block at the top of the chain.

Open a port to specific IPs

In this example I used the SSH port, but any port could be used:

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

This accepts new and established TCP connections to port 22 from the 192.168.100.0/24 network. An ACCEPT rule restricts nothing by itself: hosts outside that range are refused only if the INPUT policy is DROP or a later rule drops them. Newer iptables versions spell the connection-tracking match -m conntrack --ctstate; -m state still works as an alias.

Balancing

Balancing port 443 between 3 different IPs:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.103:443

A few corrections to how these rules are often written. DNAT lives in the nat table, so -t nat is required; PREROUTING does not exist in the filter table. The original commands used the nth match from patch-o-matic (-m nth --counter 0 --every 3 --packet N), which is not in stock kernels; the in-tree equivalent is -m statistic --mode nth. The every 3, every 2, catch-all pattern is deliberate: each statistic rule keeps its own counter, which only advances when a packet reaches that rule, so three rules with --every 3 and --packet 0, 1, 2 do not split the traffic evenly and leave some connections unmatched. Only the first packet of a connection traverses the nat table (the rest follow the conntrack entry), so a -m state --state NEW match is redundant here. The host must also be on the path for the backends' replies, or the connection tracking that undoes the DNAT never sees them.
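To see why the three rules above use --every 3, --every 2 and a catch-all rather than --every 3 with --packet 0/1/2 on each rule, here is an added plain-shell model of how xt_statistic's per-rule counters distribute 30 new connections. It is not part of the original post and not the kernel's code; it only reproduces the documented nth semantics (a rule matches every n-th packet that reaches it, starting at --packet, and a DNAT match ends traversal).

```shell
#!/bin/sh
# Added example: a plain-shell model (not kernel code, not from the original
# post) of how a PREROUTING chain of "-m statistic --mode nth" rules with a
# terminating DNAT target splits new connections. Each rule has its own
# counter that advances only when a packet reaches that rule; the rule
# matches when its counter equals --packet, and the counter wraps at --every.

# distribute NPACKETS every:packet [every:packet ...]
# Prints, space separated, how many packets each rule DNATed, followed by
# how many fell through to the catch-all (unconditional) last rule.
distribute() {
    n=$1
    shift
    printf '%s\n' "$@" | awk -v n="$n" '
        {
            split($0, a, ":")
            every[NR] = a[1] + 0; want[NR] = a[2] + 0
            cnt[NR] = 0; hit[NR] = 0; rules = NR
        }
        END {
            fallthrough = 0
            for (p = 1; p <= n; p++) {
                matched = 0
                for (r = 1; r <= rules; r++) {
                    c = cnt[r]                      # counter value before this packet
                    cnt[r] = (c + 1) % every[r]     # advance only this rule, it saw the packet
                    if (c == want[r]) {             # nth match: DNAT, stop traversal
                        hit[r]++; matched = 1; break
                    }
                }
                if (!matched) fallthrough++
            }
            out = ""
            for (r = 1; r <= rules; r++) out = out hit[r] " "
            print out fallthrough
        }'
}

# Three backends, 30 new connections.
# Naive: the same --every 3 with --packet 0, 1, 2 on each rule.
echo "naive   (--every 3 --packet 0/1/2):        $(distribute 30 3:0 3:1 3:2)"
# Correct: --every 3 on the first, --every 2 on what is left, catch-all for the rest.
echo "correct (--every 3, --every 2, catch-all): $(distribute 30 3:0 2:0)"
```

The naive layout sends 10, 7 and 4 connections to the three rules and lets 9 fall through to whatever follows (in the original rules, nothing: those connections would hit the local host un-NATed). The corrected layout sends 10 to each backend.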

Allow access to MySQL from the local network

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

The second rule is only needed when the OUTPUT policy is DROP; it lets the server's replies out for connections that were already accepted on INPUT.

Rate limiting (often advertised as "blocking DDoS")

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

This rule ACCEPTs at most 25 packets per minute to port 80 after an initial burst of 100; by itself it blocks nothing. It only has an effect if the packets it does not match are dropped by a later rule (a -j DROP for port 80) or by a DROP policy. Three caveats: the limit is global, not per source, so one abusive client throttles everyone; it counts every packet to port 80, including those of established connections, so add --syn (or -m state --state NEW) if the intent is to limit new connections; and it cannot stop a volumetric DDoS, which saturates the link before iptables sees the packets. For a per-source limit, -m hashlimit --hashlimit-mode srcip is the better tool.

Redirecting a port

iptables -t nat -A PREROUTING -p tcp -d 192.168.254.136 --dport 422 -j DNAT --to-destination 192.168.254.136:22

Connections arriving at 192.168.254.136 on port 422 are rewritten to port 22, so SSH answers on both. The match (--dport 422) has to come before the target (-j DNAT ...); anything written after -j is parsed as an option of the target. Because the packet is rewritten before the filter table sees it, the INPUT rules must allow port 22, not 422. When the destination is the host itself, -j REDIRECT --to-ports 22 does the same without naming the address.
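The rules from this post (block an IP, SSH and MySQL from the admin subnet, the port-80 rate limit, the 422 to 22 redirect) collected into one ruleset that iptables-restore loads atomically, so a typo cannot leave the host half-configured and the SSH allow rule lands in the same step as the DROP policy. This is an added example, not code from the original post. The interface eth0, the admin subnet 192.168.100.0/24, the blocked host 192.168.254.10 and the server address 192.168.254.136 are taken from the post's examples; the LOGDROP chain, the -m conntrack matches and the per-source hashlimit rule are substitutions of mine for the post's silent policy drop, -m state and global -m limit.

```shell
#!/bin/sh
# Added example (not code from the original post): the rules discussed in this
# post, rewritten as one ruleset for iptables-restore. Loading a whole ruleset
# is atomic, so a typo cannot leave the host half-configured, and the SSH
# allow rule is installed in the same step as the DROP policy that would
# otherwise lock a remote admin out.
# Assumptions taken from the post's examples: interface eth0, admin subnet
# 192.168.100.0/24, blocked host 192.168.254.10, server address 192.168.254.136.
IFACE="${IFACE:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.168.100.0/24}"
BLOCKED_HOST="${BLOCKED_HOST:-192.168.254.10}"
SELF_IP="${SELF_IP:-192.168.254.136}"

# Print the ruleset in iptables-save format (the same format "iptables -S" shows).
gen_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port redirect: match (--dport) before target (-j DNAT); INPUT then sees port 22.
-A PREROUTING -i ${IFACE} -p tcp -d ${SELF_IP} --dport 422 -j DNAT --to-destination ${SELF_IP}:22
COMMIT
*filter
# Default policies (-P): anything no INPUT/FORWARD rule accepts is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chain (-N): log (rate-limited, so the log cannot be flooded) then drop.
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "iptables-drop: "
-A LOGDROP -j DROP
# Rules are checked top to bottom; the first terminating match (ACCEPT/DROP) wins.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Block one host (the post's "Block an IP"), with logging.
-A INPUT -i ${IFACE} -s ${BLOCKED_HOST} -j LOGDROP
# SSH and MySQL only from the admin subnet; -m conntrack replaces the older -m state.
-A INPUT -i ${IFACE} -p tcp -s ${ADMIN_NET} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${IFACE} -p tcp -s ${ADMIN_NET} --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
# HTTP: per-source limit on new connections (hashlimit), instead of one global -m limit.
-A INPUT -i ${IFACE} -p tcp --dport 80 --syn -m hashlimit --hashlimit-name http --hashlimit-mode srcip --hashlimit-above 25/minute --hashlimit-burst 100 -j LOGDROP
-A INPUT -i ${IFACE} -p tcp --dport 80 -j ACCEPT
# Everything else: log and drop (the policy alone would drop it silently).
-A INPUT -j LOGDROP
COMMIT
EOF
}

# Number of "-A <chain>" rules the generated ruleset contains for one chain.
count_rules() {
    gen_ruleset | grep -c -e "^-A $1 "
}

# Parse-check without touching the kernel (needs iptables-restore installed).
check_ruleset() {
    gen_ruleset | iptables-restore --test
}

# Load atomically; requires root. Keep a console session open the first time.
apply_ruleset() {
    gen_ruleset | iptables-restore
}

case "${1:-print}" in
    check) check_ruleset ;;
    apply) apply_ruleset ;;
    *)     gen_ruleset ;;
esac
```

Run it with no argument to review the generated ruleset, with check to have iptables-restore parse it without committing, and with apply to load it. Because the whole table is replaced in one COMMIT, there is no window in which the DROP policy is active without the SSH rule, which is the lock-out risk of issuing iptables -P and iptables -A one line at a time.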


Written by vinicius