Archived View for gmi.noulin.net › 2023-11-22-using-iptables.gmi captured on 2024-09-29 at 00:10:38.
date: 2024-04-02 07:57:28
categories: linux
firstPublishDate: 2023-11-22 20:37:47
On this page, I list basic iptables and ipset commands.
Why set up a firewall? Exposed security issues get found by scanners within seconds; my server is getting scanned all the time.
I have been using `iptables` for many years, and recently nf_tables has replaced the legacy iptables backend in the Linux kernel. I still use the iptables command on top of nf_tables; since I only use IPv4, for me it works the same as before.
```
iptables -V
iptables v1.8.9 (nf_tables)
```
List the current rules with their rule numbers:
```
iptables -L --line-numbers
```
Clear (flush) all the existing rules:
```
iptables -F
```
Append a rule at the end of a chain:
```
iptables -A
```
Insert a rule at the start of a chain:
```
iptables -I
```
Delete a rule by chain name and rule number, for example rule 1 of the INPUT chain:
```
iptables -D chain_name rule_number
iptables -D INPUT 1
```
Log TCP connections to a port:
```
iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix "PORT80: "
```
The logs are in `/var/log/messages` or `/var/log/syslog`:
```
less +G /var/log/messages
less +G /var/log/syslog
```
List sets:
```
ipset -L
```
Delete a set named “myset” (either form):
```
ipset destroy myset
ipset -X myset
```
Delete all sets:
```
ipset destroy
```
Delete a member from a set:
```
ipset del myset 64.225.75.109
```
Rate limit connections on port 22 (`--dport 22`) after 3 attempts (`--hitcount 3`) during a period of 1 minute (`--seconds 60`). The IPs are blocked for 10 minutes (`timeout 600`). The `SET` target is non-terminating, so the third attempt is added to the set and then dropped by the following `--match-set` rule.
```
iptables -N LOG_DROP_TOO_MANY
iptables -A LOG_DROP_TOO_MANY -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "INPUT:DROP TOO MANY: " --log-level 6
iptables -A LOG_DROP_TOO_MANY -j DROP
ipset create too_many hash:ip family inet hashsize 32768 maxelem 65536 timeout 600
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j SET --add-set too_many src
iptables -A INPUT -p tcp --dport 22 -m set --match-set too_many src -j LOG_DROP_TOO_MANY
```
Create a file `nets.txt` with the list of networks:
```
vi nets.txt
```
```
1.0.0.0/8
2.0.0.0/8
128.0.0.0/16
```
Create a script that adds the networks to a set:
```
vi add.sh
```
```
#!/bin/sh
# Create the set, then add every network listed in nets.txt
ipset create nets hash:net
while read -r network ; do ipset add nets "$network"; done < nets.txt
```
Run the script:
```
chmod 755 add.sh
./add.sh
```
Block or allow the IPs in the set:
```
# Allow only ips in the set:
iptables -A INPUT -m set ! --match-set nets src -j DROP
# or
# block ips in the set:
iptables -A INPUT -m set --match-set nets src -j DROP
```
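The `add.sh` loop above spawns one `ipset add` process per line and aborts on the first malformed entry. The script below is an added example (not from the original page) that validates each entry as an IPv4 network, skips blank lines and `#` comments, and writes the set in the format `ipset restore` reads, so the whole list is loaded in a single call. The set name `nets` matches the page; the sample `nets.txt` contents are constructed here.

```shell
#!/bin/sh
# Added example: validate a nets.txt file and turn it into input for "ipset restore".

# valid_cidr ADDR: succeed if ADDR is a well-formed IPv4 network (a.b.c.d or a.b.c.d/len).
valid_cidr() {
    addr=${1%/*}
    len=${1#*/}
    [ "$len" = "$1" ] && len=32          # no "/len": treat as a single host
    case "$len" in
        ''|*[!0-9]*) return 1 ;;         # prefix length must be all digits
    esac
    [ "$len" -le 32 ] || return 1
    # split the address on dots; a 5th octet would end up in $d and fail the digit check
    IFS=. read -r a b c d <<EOF
$addr
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_ipset_restore SETNAME FILE: print "ipset restore" commands for every valid
# network in FILE. Blank lines and "#" comments are skipped; invalid entries are
# reported on stderr and skipped instead of aborting the whole load.
# Returns 0 if every entry was valid, 1 if at least one was skipped.
gen_ipset_restore() {
    set_name=$1
    file=$2
    bad=0
    printf 'create %s hash:net family inet\n' "$set_name"
    while IFS= read -r line || [ -n "$line" ]; do
        net=${line%%#*}                             # strip trailing comments
        net=$(printf '%s' "$net" | tr -d ' \t')     # and surrounding whitespace
        [ -z "$net" ] && continue
        if valid_cidr "$net"; then
            printf 'add %s %s\n' "$set_name" "$net"
        else
            printf 'skipping invalid entry: %s\n' "$net" >&2
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Constructed sample input (not a real list): two bad entries mixed with good ones.
sample_nets=$(mktemp)
cat > "$sample_nets" <<'EOF'
# transit ranges to block
1.0.0.0/8
2.0.0.0/8

128.0.0.0/16   # trailing comment
10.0.0.0/33
300.1.1.1
EOF

gen_ipset_restore nets "$sample_nets" || echo "some entries were skipped" >&2
```

Redirect the output to a file and load it with `ipset restore -exist < nets.restore`; `-exist` makes a re-run idempotent when the set already exists. Because the file is generated and checked before anything touches the kernel, a typo in `nets.txt` no longer leaves a half-populated set.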
I want to log outbound connections to have a list of ips my computer connects to. My local network is 192.168.1.0/24 and I don't want to log the connections inside my LAN.
```
iptables -I OUTPUT -p tcp -m state --state NEW ! -d 192.168.1.0/24 -m limit --limit 1/m --limit-burst 1 -j LOG --log-uid --log-prefix "Outbound Connection: "
```
The log messages are written to `/var/log/messages`.
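Both the `PORT80:` rule earlier on the page and the `Outbound Connection:` rule above write kernel LOG lines of the form `PREFIX IN=... SRC=... DST=... DPT=... UID=...` to syslog. The functions below are an added example (not from the original page) for turning those lines into the list the rule was created for: top source addresses per prefix, and the distinct (UID, destination, port) triples of outbound connections. The log lines embedded at the end are constructed sample data with documentation addresses, not a real log.

```shell
#!/bin/sh
# Added example: summarise kernel LOG lines produced by iptables -j LOG rules.

# log_field FIELD: read LOG lines on stdin and print the value of FIELD
# (SRC, DST, DPT, UID, ...) for each line that carries it.
log_field() {
    sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# summarize PREFIX FIELD FILE: for lines tagged with PREFIX, count how often each
# value of FIELD appears and print "count value", most frequent first
# (ties are ordered by value so the output is stable).
summarize() {
    grep -F -- "$1" "$3" | log_field "$2" | sort | uniq -c |
        sort -k1,1nr -k2,2 | awk '{print $1, $2}'
}

# outbound_pairs FILE: list the distinct "uid destination port" triples seen in
# "Outbound Connection:" lines, one per line, sorted. Every KEY=VALUE token is
# parsed into an array so the fields can appear in any order.
outbound_pairs() {
    grep -F -- 'Outbound Connection: ' "$1" |
    awk '{
        split("", f)
        for (i = 1; i <= NF; i++) if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        print f["UID"], f["DST"], f["DPT"]
    }' | sort -u
}

# Constructed sample log (not a real capture); the format follows the kernel LOG target.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Nov 22 20:37:47 srv kernel: PORT80: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=80 SYN URGP=0
Nov 22 20:37:48 srv kernel: PORT80: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=80 SYN URGP=0
Nov 22 20:37:49 srv kernel: PORT80: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=4000 DPT=80 SYN URGP=0
Nov 22 20:38:01 srv kernel: Outbound Connection: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40000 DPT=443 SYN URGP=0 UID=1000 GID=1000
Nov 22 20:38:05 srv kernel: Outbound Connection: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40001 DPT=80 SYN URGP=0 UID=0 GID=0
EOF

echo "Top sources hitting port 80:"
summarize 'PORT80: ' SRC "$sample_log"
echo "Outbound connections (uid destination port):"
outbound_pairs "$sample_log"
```

Against the real file, run `summarize 'PORT80: ' SRC /var/log/messages` (or `/var/log/syslog`, whichever the page's `less +G` command showed to be in use). The `--log-uid` field makes `outbound_pairs` attribute each destination to the local user that opened the connection, which is what makes an unexpected entry easy to follow up.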
To keep the rules across reboots, install the persistence packages; the current ipset and iptables configuration is saved during installation:
```
sudo apt-get install ipset-persistent iptables-persistent
```
To update the saved configuration after changing the rules, run:
```
sudo dpkg-reconfigure ipset-persistent
sudo dpkg-reconfigure iptables-persistent
```
Related article from Cheapskate's Guide:
Building My Own Firewall/Router, Part 2
Related to persistent ipset/iptables configurations:
Make ipset and iptables configurations persistent in Debian/Ubuntu
Hashtags: #networking