Iptables

From LinuxReviews

Iptables is the standard go-to firewall tool on Linux servers and desktops alike. It lets you define rules based on IP address, port, source, destination, protocol, connection state and a broad range of other criteria. Most of the commonly used graphical and daemon-based firewall front ends on Linux generate iptables rules underneath.

Fedora ships the firewalld service and a graphical tool called firewall-config. They add zones and a friendlier interface on top of the kernel packet filter; on older releases that means iptables rules, while newer firewalld versions can use nftables as the backend instead.

The iptables manual page is very long, and whole books have been written about its configuration possibilities.

Tips and Tricks

Limiting the number of connections

If you run an SSH daemon facing the Internet you will see password-guessing attempts all day, every day.

You can use the iptables recent module to enforce a minimum time between new connections from the same IP address.

For this to work you need the usual rule that accepts packets belonging to connections that are already established (most firewalls have one). The version used here matches on the TCP SYN flag:

iptables -A INPUT -j ACCEPT -p tcp ! --syn -s 0/0 -d (outer ip/net)

Note that "! --syn" only looks at TCP flags, so it also accepts stray ACKs and RSTs that belong to no tracked connection. The stateful match -m state --state ESTABLISHED,RELATED (spelled -m conntrack --ctstate on newer iptables) is the usual modern equivalent and also covers related ICMP errors.

Now, to set the limit:

iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

These two rules make iptables require 15 seconds between new connections from the same IP address to port 22 (the SSH port). The first rule drops a new connection if the address was seen within the last 15 seconds; because --update also refreshes the timestamp, an address that keeps retrying stays blocked until it has been quiet for a full 15 seconds (use --rcheck instead of --update if you want the check without the refresh). The second rule records the address and accepts the connection. If your firewall already has its own rule accepting SSH, leave the -j ACCEPT off the second rule so that it only records the address and your existing rule decides. Newer iptables spell the state match -m conntrack --ctstate NEW; -m state still works.
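As an added example (not code from this page), here is the same idea written as a small script: a dedicated chain, a stateful established rule instead of "! --syn", and a --hitcount threshold so that one slow retry does not lock a source out. The chain name SSH_NEW, the list name SSH, the interface and the thresholds are assumed values for illustration; the rules are handed to whatever command IPT names, so they can be printed without root by setting IPT=echo.

```shell
#!/bin/sh
# Added example; not code from the LinuxReviews page. Per-source throttling of
# new SSH connections with the xt_recent module, kept in a dedicated chain.
# The chain name SSH_NEW, the list name SSH, the interface and the thresholds
# are assumptions for illustration.
#
# IPT names the command that receives the rules. It defaults to the real
# iptables binary (run as root); set IPT=echo to print the rules instead.

IPT="${IPT:-iptables}"

# ssh_throttle_rules IFACE SECONDS HITS
# A source that has HITS recorded new connections to port 22 within the last
# SECONDS is dropped; it is admitted again once those hits age out.
ssh_throttle_rules() {
    iface="$1"; secs="$2"; hits="$3"

    # Stateful accept for established flows and related traffic (ICMP
    # errors, FTP data). Stricter than "! --syn": a stray ACK or RST with
    # no tracked connection is not accepted here.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Dedicated chain so the throttle can be listed, flushed and re-tuned
    # without touching the rest of INPUT.
    "$IPT" -N SSH_NEW
    "$IPT" -A INPUT -i "$iface" -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_NEW

    # --rcheck only reads the list, so blocked attempts are not recorded and
    # the source gets back in once its recorded hits fall out of the window.
    # --update would record every blocked attempt as well: that keeps a
    # persistent attacker out for good, but a misconfigured retry loop on a
    # legitimate host would never get back in either.
    "$IPT" -A SSH_NEW -m recent --name SSH --rcheck --seconds "$secs" --hitcount "$hits" -j DROP

    # Below the threshold: record this hit and let the connection through.
    "$IPT" -A SSH_NEW -m recent --name SSH --set -j ACCEPT
}

# Usage:  IPT=echo sh ssh-throttle.sh eth0 60 4   (print the rules)
#         sudo sh ssh-throttle.sh eth0 60 4       (load them)
if [ "$#" -eq 3 ]; then
    ssh_throttle_rules "$@"
fi
```

With 60 seconds and 4 hits a source gets four quick connections, after which one more is admitted roughly every minute; the window and count are what you tune, and the list contents can be inspected at any time in /proc/net/xt_recent/SSH.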

Another way of limiting dictionary attacks is the limit module, -m limit --limit <rate>, like this:

iptables -A INPUT -p tcp --syn --dport ssh -m limit --limit 3/minute --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport ssh -j DROP

The limit match is a token bucket. --limit-burst 2 means the bucket starts with two tokens, so the first two connections pass immediately; after that one token is added every 20 seconds (3 per minute). The sustained rate is therefore 3 new connections per minute with bursts of at most 2, not 1 per minute as the burst value might suggest. Three caveats: the ACCEPT rule on its own does nothing to the excess packets, so a DROP rule for the same traffic (or a DROP policy) must follow it; matching on --syn keeps the limit to connection attempts, otherwise every packet of an established session would spend tokens too; and the bucket is global rather than per source, so one attacker running flat out can keep it empty and lock everybody else out. Use the recent module above if you want a per-address limit.
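To see what "--limit 3/minute --limit-burst 2" actually admits, the following added example (not from this page) replays constructed connection attempts through a simplified model of the xt_limit token bucket and also emits the matching ACCEPT and DROP rule pair. The timestamps, the interface name and the IPT indirection are assumptions for illustration; the real module keeps its credit in kernel ticks, but the arithmetic is the same.

```shell
#!/bin/sh
# Added example; not code from the LinuxReviews page. A simplified model of
# the xt_limit token bucket plus the two rules it corresponds to. The
# timestamps and names are constructed for illustration.

IPT="${IPT:-iptables}"

# limit_sim RATE_PER_MINUTE BURST "t1 t2 ..."
# Replays connection attempts at the given second offsets through a bucket
# that starts full (BURST tokens) and refills one token every 60/RATE
# seconds. Prints "t:accept" or "t:drop" for each attempt, space separated.
limit_sim() {
    rate="$1"; burst="$2"; stamps="$3"
    period=$((60 / rate))          # seconds per token: 3/minute -> 20
    max=$((burst * period))        # capacity, measured in seconds of credit
    credit=$max                    # the bucket starts full
    last=0
    out=""
    for t in $stamps; do
        credit=$((credit + t - last))          # refill for the elapsed time
        if [ "$credit" -gt "$max" ]; then credit=$max; fi
        last=$t
        if [ "$credit" -ge "$period" ]; then   # a whole token available?
            credit=$((credit - period)); verdict=accept
        else
            verdict=drop
        fi
        out="$out${out:+ }$t:$verdict"
    done
    printf '%s\n' "$out"
}

# ssh_limit_rules IFACE RATE_PER_MINUTE BURST
# The ACCEPT must be followed by an explicit DROP for the same traffic, or
# the excess SYNs fall through to whatever rule comes next. --syn keeps the
# bucket to connection attempts. The bucket is global, not per source.
ssh_limit_rules() {
    iface="$1"; rate="$2"; burst="$3"
    "$IPT" -A INPUT -i "$iface" -p tcp --syn --dport 22 -m limit --limit "${rate}/minute" --limit-burst "$burst" -j ACCEPT
    "$IPT" -A INPUT -i "$iface" -p tcp --syn --dport 22 -j DROP
}

# Usage:  sh ssh-limit.sh                       (replay the constructed attempts)
#         IPT=echo sh ssh-limit.sh eth0 3 2     (print the rules)
#         sudo sh ssh-limit.sh eth0 3 2         (load them)
if [ "$#" -eq 3 ]; then
    ssh_limit_rules "$@"
else
    # Attempts at 0, 1, 2, 20, 25, 40, 60 and 61 seconds: the two-token burst
    # admits the first two, the third is dropped, then one attempt passes
    # every 20 seconds, so 3 per minute rather than 1 per minute.
    limit_sim 3 2 "0 1 2 20 25 40 60 61"
fi
```

Replaying a tight burst of several attempts at the same second shows the other half of the picture: once the burst is spent, a flood from one address keeps the bucket at zero and every other address is dropped with it.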

Sad side-note: moving the SSH port from 22 to something like 8888 used to be enough to keep dictionary attacks to a minimum. That is no longer true; the port will be discovered and attacked constantly regardless of which one it is on.