iptables is the administration tool for the Linux kernel's packet-filter firewall (netfilter). The filtering modules live in the kernel itself; there is no separate daemon, which makes it a very fast and effective firewall. iptables rules control the traffic entering and leaving a network device. In this article we will discuss some common network attacks and how to block them using iptables: the SYN flood attack, the smurf attack, the LAND attack, attacks using malformed TCP and ICMP packets, and some other forms of DoS attack. Before going into the details of these attacks, let’s have an overview of iptables and how to use the command.
iptables has three filtering points in the default (filter) table: INPUT, OUTPUT and FORWARD. These are called chains. As their names suggest, they apply to packets destined for the system (INPUT), originating from it (OUTPUT) or routed through it to another node on the network (FORWARD). Each chain also has a default policy, which decides the fate of any packet that matches none of the chain's rules.

The rules in iptables are stored as an ordered list in each chain of a table. To list the rules, run “iptables -L”:
root@local:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Here, no rules are present in any chain, so every packet is handled by the chain policy (ACCEPT). Rules are read from top to bottom, and the first rule that matches decides the packet's fate; no further rules are checked. So a rule that is meant to take precedence over a more general one must be placed above that rule. In this article we will mostly append rules to the end of a chain, but when a rule must be evaluated before the existing ones, it can be inserted at a chosen position instead.
To insert a rule (above all other rules, or at a specified rule number) the -I option is used, and to append a rule at the end of the chain, -A. In both cases we specify the chain for which the rule is written. The -j option specifies the target, i.e. what to do with the packet when the rule matches. Some of the built-in targets are ACCEPT, DROP and RETURN. The target can also be another built-in or user-defined chain, but for the purposes of this article we will confine ourselves to the built-in chains and not go into further detail.
The general syntax of an iptables command is:

iptables [-t table] {-A|-I} CHAIN RULE_SPECIFICATION

where the rule specification consists of the match options (protocol, addresses, loaded modules) followed by the -j target. The table defaults to filter, so -t is omitted throughout this article.
Now let’s create a simple rule using options explained above.
root@local:~# iptables -A INPUT -j ACCEPT
This will accept all incoming packets. Because it matches every packet and is evaluated first, any rule appended to INPUT after it would never be reached; it is shown here only to illustrate the syntax, so delete it again (the same command with -D in place of -A) before adding the filtering rules in the rest of this article. The rule can be checked with “iptables -L”:

root@local:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
iptables provides many of its options through match modules: the options become available once the corresponding module is loaded into the rule. One such module that we will use in our discussion is the limit module. The details of this module are given later; for now, just note that a module is loaded with the -m option, so to use the limit module we write ‘-m limit’ in the rule. That is enough discussion of iptables; now let’s talk about the common attacks and how to block them.
Types of attacks and their protection
LAND attack

LAND stands for Local Area Network Denial. In this attack, a packet is spoofed so that its source address is the address of the target itself, i.e. the source and destination addresses are the same. A vulnerable target ends up replying to itself continuously. Linux and other modern systems are not vulnerable to this attack, and the Linux kernel by default discards packets that arrive from the network with one of the host's own addresses as source (unless net.ipv4.conf.*.accept_local is enabled), but you may still want to be sure.
Block all packets that arrive from the network with your own IP address as source (assuming 184.108.40.206 is the IP of the machine):

root@local:~# iptables -A INPUT ! -i lo -s 184.108.40.206/32 -j DROP

The -s option specifies the source address. The “! -i lo” part excludes the loopback interface: the machine's own connections to its own address travel over lo with that address as source and must not be dropped. Next, block packets arriving from the network with a loopback (127.0.0.0/8) source address, which is likewise only legitimate on lo:

root@local:~# iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
Christmas tree packet

A Christmas tree packet is a packet in which an unusual combination of header flags is set at once; for TCP, the FIN, URG and PSH bits are all set. It is called a Christmas tree packet because the header is “lit up” like a Christmas tree. No normal TCP stack sends such a packet: the combination is used by port scanners (nmap's Xmas scan) to probe how a host responds, and poorly implemented stacks have spent far more effort processing it than an ordinary packet, which is why it has also been used for DoS attacks on a server. These packets can be dropped with:
root@local:~# iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
Here, the -p option selects the protocol for which the rule applies. --tcp-flags specifies which TCP header flags to test; it takes two arguments. The first is the mask, the set of flags to examine (ALL); the second is comp, the flags among those that must be set. A packet matches when, of the examined flags, exactly the comp flags are set and the rest are clear. So the rule above examines all flags and matches only when FIN, PSH and URG are set and SYN, ACK and RST are clear; a packet with FIN, PSH, URG and ACK set would not match it.
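To make the mask/comp semantics concrete, here is an added example (my own script, not code from the original article) that reimplements the test iptables performs for --tcp-flags, (packet_flags & mask) == comp, in shell, using the flag bit values of the iptables tcp match, and runs the article's Christmas tree rule, a looser mask, the NULL-packet rule and --syn against a few constructed packets.

```bash
#!/bin/bash
# Added example: how "-m tcp --tcp-flags MASK COMP" is evaluated.
# iptables matches a packet when (packet_flags & MASK) == COMP, with the bit
# values FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20 (ALL=0x3F).

flag_bits() {
  # Turn a comma-separated flag list such as "FIN,PSH,URG" into a bitmask.
  local bits=0 f
  local IFS=,
  for f in $1; do
    case "$f" in
      FIN)  bits=$((bits | 0x01)) ;;
      SYN)  bits=$((bits | 0x02)) ;;
      RST)  bits=$((bits | 0x04)) ;;
      PSH)  bits=$((bits | 0x08)) ;;
      ACK)  bits=$((bits | 0x10)) ;;
      URG)  bits=$((bits | 0x20)) ;;
      ALL)  bits=$((bits | 0x3F)) ;;
      NONE) ;;
      *) echo "unknown flag: $f" >&2; return 1 ;;
    esac
  done
  echo "$bits"
}

tcp_flags_match() {
  # Usage: tcp_flags_match MASK COMP PACKET_FLAGS -> prints 1 (rule matches) or 0.
  local mask comp pkt
  mask=$(flag_bits "$1") || return 1
  comp=$(flag_bits "$2") || return 1
  pkt=$(flag_bits "$3") || return 1
  if [ $((pkt & mask)) -eq "$comp" ]; then echo 1; else echo 0; fi
}

# Constructed packets, run against four rules:
#   xmas  = --tcp-flags ALL FIN,PSH,URG          (the article's rule)
#   loose = --tcp-flags FIN,PSH,URG FIN,PSH,URG  (ignores the other flags)
#   null  = --tcp-flags ALL NONE                 (no flags at all)
#   syn   = --syn, i.e. --tcp-flags SYN,RST,ACK,FIN SYN
printf '%-18s xmas loose null syn\n' "packet flags"
for pkt in FIN,PSH,URG FIN,PSH,URG,ACK NONE SYN SYN,ACK; do
  printf '%-18s %-4s %-5s %-4s %s\n' "$pkt" \
    "$(tcp_flags_match ALL FIN,PSH,URG "$pkt")" \
    "$(tcp_flags_match FIN,PSH,URG FIN,PSH,URG "$pkt")" \
    "$(tcp_flags_match ALL NONE "$pkt")" \
    "$(tcp_flags_match SYN,RST,ACK,FIN SYN "$pkt")"
done
```

The table it prints shows that the article's rule (mask ALL) refuses a FIN,PSH,URG packet that also carries ACK, whereas the loose form matches it; the mask, not just the comp list, decides what the rule covers.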
Smurf attack

In this attack, the attacker sends a large number of ICMP echo requests to a network's broadcast address, with the source IP address spoofed to that of the target. Every machine on that network that answers the broadcast replies to the target with an echo reply, so each request is amplified into many replies. (The amplifying network itself is protected by not answering broadcast pings at all; on Linux this is the default, net.ipv4.icmp_echo_ignore_broadcasts = 1.) One way to protect the target is to block all ICMP packets, but if that cannot be done, a limit may be applied to the ICMP packets accepted.

To limit the number of ICMP packets:

root@local:~# iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT

To block all ICMP packets:

root@local:~# iptables -A INPUT -p icmp -j DROP

If both rules are used together, the limit rule must come first: packets within the limit are accepted by it, and those over the limit fall through to the DROP. On its own, the limit rule only accepts; packets over the limit are handled by whatever follows (here the chain policy, ACCEPT). Note also that dropping all ICMP breaks path MTU discovery and hides unreachable errors; a safer variant restricts both rules to the types involved in this attack, echo-request and echo-reply (--icmp-type), and leaves the other types alone.
Before proceeding any further, let’s talk about the limit module. The limit module puts a ceiling on how often a rule may match; it is implemented as a token bucket filter and is loaded with ‘-m limit’. It has two options, described in the iptables manual page as follows:

--limit rate[/second|/minute|/hour|/day]
Maximum average matching rate: specified as a number, with an optional ‘/second’, ‘/minute’, ‘/hour’ or ‘/day’ suffix; the default is 3/hour.

--limit-burst number
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
Don’t worry if this sounds confusing; here is an analogy. Imagine a bucket that holds tokens. --limit gives the rate at which new tokens drip into the bucket: with the default of 3/hour, one token arrives every 20 minutes. The bucket has a maximum capacity, given by the --limit-burst option (default 5). A packet matches the rule only if it can take a token out of the bucket; a packet that finds the bucket empty does not match and is simply handed on to the next rule in the chain (the limit match never drops anything by itself). The bucket starts full, so with the defaults the first 5 packets match. The 6th does not, because no token is left; according to the limit rate, the next token arrives 20 minutes later, so the 6th packet will only match once 20 minutes have passed. If no packets arrive during that interval, tokens accumulate, and after 100 minutes (5 × 20) the bucket is full again; tokens that arrive while it is full are discarded.

(Note that the limit in the ICMP command above is for example purposes only; the actual limit depends on the resources available on the server.)
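The token bucket described above, as an added example (my own simulation, not code from the original article): it keeps the bucket's credit in milliseconds of accrued time, exactly as a continuous-refill token bucket does, and replays the walk-through with the defaults (3/hour, burst 5) and with the rate used in the article's ICMP rule (2/second, burst 2). Arrival times are constructed inputs in seconds.

```bash
#!/bin/bash
# Added example: a simulation of the token bucket behind "-m limit".
# Credit is counted in milliseconds of accrued time: one token = PERIOD ms,
# so the bucket holds at most BURST*PERIOD and refills continuously.

rate_period_ms() {
  # "3/hour" -> 1200000 (ms between two tokens); "2/second" -> 500.
  local n=${1%%/*} unit=${1#*/}
  case "$unit" in
    second) echo $((1000 / n)) ;;
    minute) echo $((60000 / n)) ;;
    hour)   echo $((3600000 / n)) ;;
    day)    echo $((86400000 / n)) ;;
    *) echo "rate needs a /second, /minute, /hour or /day suffix: $1" >&2; return 1 ;;
  esac
}

limit_sim() {
  # Usage: limit_sim RATE BURST t1 t2 ...
  # t1 t2 ... are packet arrival times in seconds, in non-decreasing order.
  # Prints one letter per packet: P = the rule matched (a token was spent),
  # F = no token was left, so the packet does NOT match this rule and falls
  # through to the next rule in the chain (the limit match never drops).
  local period burst cap credit last out t now
  period=$(rate_period_ms "$1") || return 1
  burst=$2
  shift 2
  cap=$((burst * period))   # bucket capacity
  credit=$cap               # the bucket starts full
  last=0
  out=""
  for t in "$@"; do
    now=$((t * 1000))
    credit=$((credit + now - last))   # tokens accrue with elapsed time...
    if [ "$credit" -gt "$cap" ]; then
      credit=$cap                     # ...but never beyond the burst
    fi
    last=$now
    if [ "$credit" -ge "$period" ]; then
      credit=$((credit - period))
      out="${out}P"
    else
      out="${out}F"
    fi
  done
  echo "$out"
}

# The article's walk-through with the defaults: six packets at once, then one
# at 19:59 after the start, one at 20:00, and one right after it.
echo "3/hour   burst 5: $(limit_sim 3/hour 5 0 0 0 0 0 0 1199 1200 1200)"   # -> PPPPPFFPF
# The ICMP rule from the article: 2/second with a burst of 2.
echo "2/second burst 2: $(limit_sim 2/second 2 0 0 0 1 1 1)"                 # -> PPFPPF
```

The first line confirms the walk-through in the text: five packets pass at once, the sixth fails, a packet one second before the 20-minute mark still fails, the one at 20 minutes passes, and the bucket is empty again straight after.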
Blocking ICMP packets also protects the system from the ping of death attack (although current systems are not vulnerable to it).
SYN flood

SYN flood is a type of DoS (Denial of Service) attack. To understand SYN flooding, let’s have a look at the TCP three-way handshake:

TCP is a reliable, connection-oriented protocol. Before any data is exchanged between a client and a server over TCP, a connection is set up by the TCP handshake, a three-step process:

- The client asks the server for a connection by sending a SYN segment.
- The server receives the client's request and replies with SYN/ACK, acknowledging it. At this point the server allocates resources for the half-open connection and waits for the client's acknowledgement.
- The client completes the handshake by sending an ACK back to the server.

The attacker creates a large number of forged SYN requests with spoofed source IP addresses and sends them to the target. The target replies with SYN/ACK to each and allocates resources for the connection, but the final ACK never arrives, because the spoofed addresses do not answer. The target's pool of half-open connections is exhausted, and it stops serving further requests from legitimate clients.
This attack, and some other forms of DoS/DDoS attack, can be mitigated by limiting the rate of incoming TCP connection requests. Note that we must not limit packets belonging to established connections; only new connection requests need to be controlled. How many requests a server can handle depends on its resources, so the limit in the example below must be adjusted to the capability of the server. Bear in mind, too, that the limit module keeps a single global bucket: a flood of spoofed SYNs consumes the whole allowance, so legitimate clients are refused as well. The rule protects the server's resources rather than keeping the service reachable during the flood, and the kernel's own defence, SYN cookies (net.ipv4.tcp_syncookies = 1), should stay enabled alongside it:

root@local:~# iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT

In this command a new module, state, is loaded to match on the connection-tracking state of the packet. Don’t forget to drop the new connection requests that do not match the rule above, otherwise they are accepted by the chain's default policy. So, after the command above, issue the following as well:

root@local:~# iptables -A INPUT -p tcp -m state --state NEW -j DROP

Note that NEW is a connection-tracking state, not a flag check: a stray non-SYN packet for a connection the tracker has not seen can also be NEW. To confine both rules to genuine connection requests, add --syn (shorthand for --tcp-flags SYN,RST,ACK,FIN SYN) to them.
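The rules in this article are presented one at a time, but because a chain is evaluated top to bottom and the first match wins, their relative order (and the catch-all ACCEPT from the introduction) decides whether they work at all. Here is an added example (my own script, not part of the original article) that assembles them into one INPUT chain in a working order: the loopback exemption first, then the accept for established connections the text asks for, the LAND and Christmas tree drops, the ICMP limit restricted to the types involved, and the SYN limit with --syn in place of --state NEW, each limit immediately followed by the DROP that catches the excess. The host address 184.108.40.206 and the rates are the article's example values and are assumptions to adjust; the chain policy is left at ACCEPT as in the article.

```bash
#!/bin/bash
# Added example (not the article's own script): the article's INPUT rules
# assembled in an order where none of them is shadowed by an earlier one.
# Assumptions: SELF_IP is the host's own address (184.108.40.206 as in the
# article), the chain policy stays ACCEPT as in the article, and IPT names
# the iptables binary. Run without arguments to print the commands, or with
# "apply" (as root) to load them.
IPT="${IPT:-iptables}"
SELF_IP="${SELF_IP:-184.108.40.206}"

build_rules() {
  # One iptables argument list per line, in evaluation order.
  # Start from an empty chain: a leftover "-A INPUT -j ACCEPT" would
  # otherwise match everything and hide every rule appended after it.
  echo "-F INPUT"
  # Loopback and already-tracked traffic is accepted before any limit or drop,
  # so the LAND rules below cannot break local connections and the SYN limit
  # never touches established connections.
  echo "-A INPUT -i lo -j ACCEPT"
  echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # LAND: our own address or a loopback address as source, from the network.
  echo "-A INPUT -s $SELF_IP/32 -j DROP"
  echo "-A INPUT -s 127.0.0.0/8 -j DROP"
  # Christmas-tree and NULL packets never occur in legitimate traffic.
  echo "-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
  echo "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
  # Smurf: rate-limit echo requests and drop the excess; unsolicited echo
  # replies (those not matched as ESTABLISHED above) are dropped outright.
  # Other ICMP types (unreachable, fragmentation needed) are left alone so
  # path MTU discovery keeps working.
  echo "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/second --limit-burst 2 -j ACCEPT"
  echo "-A INPUT -p icmp --icmp-type echo-request -j DROP"
  echo "-A INPUT -p icmp --icmp-type echo-reply -j DROP"
  # SYN flood: only genuine connection requests (--syn) are rate-limited,
  # the limit rule is followed by the DROP that catches the excess, and a
  # NEW packet that is not a SYN is refused rather than accepted by policy.
  echo "-A INPUT -p tcp ! --syn -m state --state NEW -j DROP"
  echo "-A INPUT -p tcp --syn -m limit --limit 2/second --limit-burst 2 -j ACCEPT"
  echo "-A INPUT -p tcp --syn -j DROP"
}

apply_rules() {
  # $r is word-split on purpose: each line is a ready-made argument list.
  build_rules | while read -r r; do
    # shellcheck disable=SC2086
    "$IPT" $r || exit 1
  done
}

case "${1:-}" in
  apply) apply_rules ;;
  *)     build_rules | while read -r r; do echo "$IPT $r"; done ;;
esac
```

Run the script without arguments to review the exact commands it would issue, then with "apply" as root. Because it flushes INPUT first, rerunning it after changing a rate or address leaves no duplicate rules behind.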