Saturday, January 7, 2017

IPTables basic security



To list rules in iptables (numeric addresses, with packet and byte counters)
# iptables -L -n -v

Allow multiple ports from a network (multiport takes a comma-separated list; the option is --dports)
# iptables -A INPUT -s 123.176.0.0/255.255.0.0 -p tcp -m multiport --dports 22,1521,80 -j ACCEPT

To rate-limit new TCP connections arriving on eth0 (this rule matches TCP SYNs, not ping). Caution: within the limit it accepts a SYN to any port, so it must come after the port filters, or the limit belongs in a user chain that only the allowed ports jump to; a following rule must DROP the excess, otherwise the limit changes nothing:
# iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

To restrict ping (ICMP echo-request). The target is REJECT, DROP or ACCEPT as needed; DROP is shown.

Only one source address:
# iptables -A INPUT -s 192.168.1.80 -p icmp --icmp-type echo-request -j DROP

Any source (0.0.0.0/0.0.0.0 matches every address):
# iptables -A INPUT -s 0.0.0.0/0.0.0.0 -p icmp --icmp-type echo-request -j DROP

Only a specific network segment:
# iptables -A INPUT -s 192.168.0.0/255.255.0.0 -p icmp --icmp-type echo-request -j DROP

To test the rule from a client with a short burst of pings (intervals below 0.2 s require root):
# ping -c 3 -i .005 ipaddress

To flush rules (all chains of the filter table; name a chain, e.g. -F INPUT, to flush only that one). Flushing does not reset the chain policy, so with a DROP policy on INPUT a remote flush locks you out; set the policy to ACCEPT first or do it from the console:
# iptables -F

Allow or reject ports for specific addresses. Chain and target names are case-sensitive (INPUT, REJECT, DROP, ACCEPT), and rules are matched top to bottom with the first match winning, so a broad rule appended after a specific one never shadows it.
# iptables -A INPUT -s 192.168.1.80 -j DROP (or REJECT or ACCEPT: everything from that host)

# iptables -A INPUT -s 192.168.1.80 -p tcp --dport 80 -j REJECT

# iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j REJECT

# iptables -A INPUT -s 123.176.47.0/255.255.255.0 -p tcp --dport 22 -j ACCEPT



To delete a rule by its position in a chain (show the numbers with iptables -L INPUT --line-numbers)
# iptables -D INPUT 5


To block outbound traffic to a specific IP address. The destination option is lowercase -d; uppercase -D deletes a rule:
# iptables -A OUTPUT -d 67.215.241.234 -j DROP

Drop TCP packets that start a "new" connection without being a SYN (the -m state module still works but -m conntrack --ctstate is the current form):
# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Drop second and later fragments (rarely matches once connection tracking is loaded, because the kernel reassembles first) and the flag combinations used by XMAS and NULL scans (all flags set, no flags set). Put these hygiene rules near the top of INPUT, before any ACCEPT:
# iptables -A INPUT -f -j DROP
# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
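Tying the filter rules above together, as an added example that is not part of the original post: a POSIX shell script that prints the host firewall in iptables-restore format, so the whole ruleset is loaded atomically and in a deliberate order (established traffic first, then the hygiene drops, then rate-limited ping, then the services, with a DROP policy catching the rest). The admin network 192.168.1.0/24, the blocked host 192.168.1.80, and the port lists are assumed values; the SYN_LIMIT user chain is my addition so that the connection rate limit only ever admits SYNs to ports that are open.

```shell
#!/bin/sh
# Host firewall generator: prints an iptables-restore ruleset for the filter
# table. Review with "sh firewall.sh", validate with
# "sh firewall.sh | sudo iptables-restore --test", then apply without --test.
# Every value below is assumed for the example and can be overridden from the
# environment.
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"          # may reach ADMIN_TCP_PORTS
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 443}"    # open to everyone
ADMIN_TCP_PORTS="${ADMIN_TCP_PORTS:-22 1521}"     # open to ADMIN_NET only
BLOCKED_SRC="${BLOCKED_SRC:-192.168.1.80}"        # sources dropped outright

# Join a space-separated port list into the comma form -m multiport expects.
csv() { printf '%s' "$1" | tr ' ' ','; }

gen_filter_rules() {
    printf '%s\n' '*filter'
    # Default-deny inbound and forwarded, allow outbound; SYN_LIMIT is a user chain.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
                  ':OUTPUT ACCEPT [0:0]' ':SYN_LIMIT - [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to existing connections first: cheap, and keeps our sessions alive.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Sources we never want to hear from.
    for src in $BLOCKED_SRC; do
        printf '%s\n' "-A INPUT -s $src -j DROP"
    done
    # Hygiene rules from the post: fragments, XMAS and NULL scans, non-SYN "new" packets.
    printf '%s\n' '-A INPUT -f -j DROP' \
                  '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP' \
                  '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP' \
                  '-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'
    # Ping is allowed but rate-limited; the explicit DROP keeps the limit
    # meaningful even if someone later changes the chain policy to ACCEPT.
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT' \
                  '-A INPUT -p icmp --icmp-type echo-request -j DROP'
    # Services. New connections jump to SYN_LIMIT instead of a bare ACCEPT, so the
    # rate limit can never admit a SYN to a port that is not open.
    printf '%s\n' "-A INPUT -s $ADMIN_NET -p tcp -m multiport --dports $(csv "$ADMIN_TCP_PORTS") -m conntrack --ctstate NEW -j SYN_LIMIT"
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports $(csv "$PUBLIC_TCP_PORTS") -m conntrack --ctstate NEW -j SYN_LIMIT"
    # The limiter: a burst of 20, then 5 new connections per second, rest dropped.
    printf '%s\n' '-A SYN_LIMIT -m limit --limit 5/s --limit-burst 20 -j ACCEPT' \
                  '-A SYN_LIMIT -j DROP'
    printf '%s\n' 'COMMIT'
}

gen_filter_rules
```

Because only the first packet of a connection is NEW, the limiter counts SYNs and never throttles established sessions, and because the ACCEPT sits in a user chain reached only from the service rules, the pitfall of the bare `--syn -m limit ... -j ACCEPT` rule (admitting a SYN to any port) cannot occur.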


NAT rules (nat table). These need IP forwarding enabled (sysctl -w net.ipv4.ip_forward=1) and, if the FORWARD chain policy is DROP, matching ACCEPT rules in FORWARD; NAT only rewrites addresses, it does not let the packets through.

Source NAT: rewrite the source of packets leaving the LAN to the router's public address (POSTROUTING):
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 1.2.3.1

# iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -j SNAT --to-source 123.176.40.60

Same, but restrict the source ports used after translation to 1-1024:
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 1.2.3.1:1-1024

Destination NAT: rewrite the destination of packets arriving for a public address before routing (PREROUTING). Send everything for 1.2.4.1 to an internal host:
# iptables -t nat -A PREROUTING -d 1.2.4.1 -j DNAT --to-destination 192.168.1.50

Forward HTTP for 1.2.4.2, but only from one source address:
# iptables -t nat -A PREROUTING -s 1.2.5.17 -d 1.2.4.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100

Forward a non-standard public port to SSH on an internal host (the port changes in translation):
# iptables -t nat -A PREROUTING -d 1.2.4.2 -p tcp --dport 65521 -j DNAT --to-destination 192.168.1.100:22

# iptables -t nat -A PREROUTING -d 1.2.4.5 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.200


A transparent proxy forces users through a proxy server even when their browsers are configured not to use one. The benefits of a proxy are well known: bandwidth saved on cached pages, and access control (for example, denying downloads of files with dangerous extensions).
We can apply the transparent proxy to all users or only some, so that they cannot bypass the proxy whenever they want. This is useful for children's computers, for example, to deny access to sexually explicit sites.
On our Linux router we installed a Squid proxy server to cache some Web content, and we also want to deny users access to sex sites and malicious downloads. The users are not pleased about using the proxy and usually remove it from their browser configuration. We can force them through it anyway. If the proxy listens on port 3128, redirect the LAN's outbound HTTP to it in the nat PREROUTING chain. Squid must be configured to accept intercepted connections on that port, and only plain HTTP on port 80 can be handled this way; HTTPS cannot be redirected without TLS interception.

# iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128

To allow the manager (IP address 192.168.1.50) to bypass the proxy, insert the ACCEPT rule with -I rather than -A, so that it is evaluated before the REDIRECT:

# iptables -t nat -I PREROUTING -s 192.168.1.50 -p tcp --dport 80 -j ACCEPT

This rule matches in the PREROUTING chain, so her packets are not redirected; they are still SNATed in the POSTROUTING chain on the way out.
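The NAT rules and the transparent proxy above, combined into one router configuration as an added example (not code from the original post): a POSIX shell script that prints iptables-restore input for the nat table and for the FORWARD chain, which the NAT rules alone do not open. The interfaces eth0 (WAN) and eth1 (LAN), the public address 1.2.3.1, the internal hosts 192.168.1.100 and 192.168.1.50, and the ports are assumed values.

```shell
#!/bin/sh
# NAT, forwarding and transparent-proxy generator for a Linux router running
# Squid locally. Prints iptables-restore input for the nat table and for the
# FORWARD chain of the filter table. All addresses are assumed for the example.
WAN_IF="${WAN_IF:-eth0}"; WAN_IP="${WAN_IP:-1.2.3.1}"
LAN_IF="${LAN_IF:-eth1}"; LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.1.100}"     # receives public port 80
SSH_TARGET="${SSH_TARGET:-192.168.1.100}"     # receives public port 65521 as 22
PROXY_PORT="${PROXY_PORT:-3128}"              # Squid: http_port 3128 intercept
PROXY_BYPASS="${PROXY_BYPASS:-192.168.1.50}"  # hosts allowed to skip the proxy

gen_nat_rules() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
                  ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # Bypass rules first: the first match wins, so they must precede the REDIRECT.
    for h in $PROXY_BYPASS; do
        printf '%s\n' "-A PREROUTING -i $LAN_IF -s $h -p tcp --dport 80 -j ACCEPT"
    done
    # Intercept LAN HTTP bound for the Internet; LAN-to-LAN HTTP is left alone.
    printf '%s\n' "-A PREROUTING -i $LAN_IF -s $LAN_NET ! -d $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT"
    # Port forwards: destination rewritten before routing, bound to the WAN
    # interface so the rules cannot be triggered from the LAN side.
    printf '%s\n' "-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80"
    printf '%s\n' "-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 65521 -j DNAT --to-destination $SSH_TARGET:22"
    # Source NAT for the LAN on the way out (use MASQUERADE instead if WAN_IP is dynamic).
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP"
    printf '%s\n' 'COMMIT'
}

gen_forward_rules() {
    # NAT only rewrites addresses; with a DROP policy the FORWARD chain still has
    # to admit the traffic. DNATed packets are seen here with the internal address.
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $SSH_TARGET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Forwarding must be on, or nothing crosses the router regardless of the rules.
# The line is a comment to iptables-restore, so the output can be piped as-is.
printf '%s\n' '# before loading: sysctl -w net.ipv4.ip_forward=1'
gen_nat_rules
gen_forward_rules
```

Load the output with `iptables-restore --noflush` when the filter table already holds an INPUT ruleset; without `--noflush` the `*filter` block replaces every chain of that table, not only FORWARD.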
