Articles taggués ‘netfilter’

Advanced Features of netfilter/iptables

27/07/2021 Aucun commentaire



It is commonly known that netfilter/iptables is the firewall of the Linux operating system. What is not commonly known is that iptables has many hidden gems that can allow you do things with your firewall that you might never have even imagined. In this article I am going to introduce many of these features with some practical uses. If you are not au fait with the basics of iptables then you should read my previous article in the Gazette, “Firewalling with netfilter/iptables“.

The following features are discussed:

  1. Specifying multiple ports in one rule
  2. Load balancing
  3. Restricting the number of connections
  4. Maintaining a list of recent connections to match against
  5. Matching against a string in a packet’s data payload
  6. Time-based rules
  7. Setting transfer quotas
  8. Packet matching based on TTL values

All of the features discussed in this article are extensions to the packet matching modules of iptables. I used only two of these extensions in the previous article: the --state module which allowed us to filter packets based on whether they were NEW, ESTABLISHED, RELATED or INVALID connections; and the multiport extension, of which I will go into more detail on in this article.

Some of the modules introduced in this article (marked with an asterisk) have not made their way into the default Linux kernel yet but a netfilter utility called “patch-o-matic” can be used to add them to your own kernel and this will be discussed at the end of the article.

1. Specifying Multiple Ports with multiport

The multiport module allows one to specify a number of different ports in one rule. This allows for fewer rules and easier maintenance of iptables configuration files. For example, if we wanted to allow global access to the SMTP, HTTP, HTTPS and SSH ports on our server we would normally use something like the following:

-A INPUT -i eth0 -p tcp -m state --state NEW --dport ssh   -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport smtp  -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport http  -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport https -j ACCEPT

Using the multiport matching module, we can now write:

-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports ssh,smtp,http,https -j ACCEPT

It must be used in conjunction with either -p tcp or -p udp and only up to 15 ports may be specified. The supported options are:

--sports port[,port,port...]
matches source port(s)
--dports port[,port,port...]
matches destination port(s)
--ports port[,port,port...]
matches both source and destination port(s)

mport* is another similar extension that also allows you to specify port ranges, e.g. --dport 22,80,6000:6100.

Lire la suite…

iptables recent matching rule

26/07/2021 Aucun commentaire


Linux iptables now offers extended packet matching modules. The recent module tracks IP addresses and allows to match against them using other criteria.

We are going to use a combination of lists created by the recent module and a new chain to track attackers. The two problems we are trying to minimise are:

  • centralised port scans.
  • ssh attacks: somebody tries to log in through ssh from a unique ip address using different user IDs and passwords.

port scan

A port scan will try to talk to our machine on different ports. The idea here is to ban the offending ip address as soon as it touches a non-authorised port.

We accomplish this by creating two rules. The first one has to be the last rule in the INPUT chain, it replaces your rule that says that if a packet has not matched any rule it should be DROPped. Additionally to DROPping the packet, we add the source ip address to the “badguys” list:

iptables ...
iptables -A INPUT  -t filter -i $OUTS -j DROP -m recent --set --name badguys

The next rule will be the first rule of the INPUT chain and will block any packet from ip addresses that are present in the badguys list and for which we have received packet within the last hour. Note that we use the “–update” option rather than “–rcheck”, so that any new packet resets the clock ; offenders have to be completely silent for one hour in order to be able to communicate with us again:

iptables -A INPUT -i $OUTS -m recent --name badguys --update --seconds 3600 -j DROP
iptables ...
iptables -A INPUT  -t filter -i $OUTS -j DROP -m recent --set --name badguys

Lire la suite…

Use iptables to monitor network usage

26/07/2021 Aucun commentaire

Iptables is a powerful firewall/packet filtering framework inside Linux, and obviously used for firewalls on desktop, servers, and even embedded Linux devices such as most home internet routers. I was asked to write a script that could monitor and report network usage on one of our machines at work.

I took on the challenge and after searching package repositories and Google for cool Linux console apps that will report network usage, I came came across the idea of using iptables.. seeing as I love iptables, and it is installed by default on most machines it was the perfect solution for us.

The Idea
Iptables can be thought of a bunch of tables each containing some lists of rules called “chains”. There are some default chains which packets must progress through depending on the packets origin and destination. The main and default table that most people use is the ‘filter’ table, the default chains are:

  • INPUT – Packets coming to the machine from the network.
  • OUTPUT – Packets leaving your machine,
  • FORWARD – Packets passing through your machine, if your machine routes packets.

Each of these chains have a default policy, that is what should happen if there is no rules or no rules matching the packet, this is either:

  • ACCEPT – Allow the packet into the machine.
  • DROP – Drop the packet,

Now the default chains cannot be changed, the packets will work through one of those chains, we can add any rules we want to filter these packets. Netfilter/iptables tracks the amount of data running through chains. So if you want to track all your incoming network usage you can just use the INPUT chain, but if we want to track more specific traffic, we can create a custom chain, add a rule to pass the specific packets to this new chain, and thus monitor the specific traffic! Easy huh!

Before I go into the script and specific iptables configuration I’ll show you readers some useful itptables commands:

  • To see the manual page on iptables: man iptables
  • To list the rules on the default (filter) table: iptables -L
  • To list rules on other tables: iptables -t <tablename> -L

NOTE: If you add a -v you can see packet and byte counts.

Now we move onto what I did.

Lire la suite…

Troubleshooting iptables

25/07/2021 Aucun commentaire




To ensure that iptables has been correctly configured.


iptables is a component of the Linux kernel that allows IPv4 traffic to be manipulated as it traverses the network stack. Its two main uses are:

  • packet filtering (firewalling) and
  • network address translation (NAT).

The behaviour of iptables is controlled by rules, each of which specifies the action to be taken if a packet meets a particular set of conditions. The rules are organised into chains, and the chains into tables. Chains may be either built-in or user-defined.

For more information about the architecture and configuration of iptables see:


The most likely symptoms of an iptables configuration error are:

  • traffic being dropped or rejected,
  • traffic not being NATted when it should have been,
  • traffic being NATted when it shouldn’t have been, or
  • traffic being NATted to the wrong address.

A wide variety of other effects are possible, but unlikely unless the configuration is an unusual one.


Suppose that a machine has been configured to act as a boundary router between a local area network (connected to interface eth0 with the address and the public Internet (connected to interface ppp0 with the address The default gateway is Because the local area network uses a private address range, iptables on the boundary router has been configured to SNAT them to its public IP address.

In order to test this configuration you have attempted to ping a machine on the public Internet ( from a machine on the local area network (, but this has failed.

Lire la suite…

How to use netfilter and iptables to stop a DDoS Attack?

21/07/2021 Aucun commentaire

Source: Phil Chen

This how to article will go over stopping a DDoS attack when all you have access to is the targeted Linux host using netfilter and iptables. The two methods are either to simply drop packets from the offending IP/range or to only allow the offending IP/range X number of requests per second, if the range exceeds the requests per second rate traffic is dropped from the range.

*NOTE This method is for small attacks on services you are running on your Linux host. For large attacks using your gateway’s (firewall, load balancer, switch, or router) anti DDoS features maybe necessary or even having your ISP mitigating maybe the only option. I do often see attacks on HTTP from a hundred hosts or so and this article works on that scale.

Here is a example of a script for dropping packets from a offending IP/range lets say for our purposes the range is

/sbin/iptables -I INPUT 1 -s -j DROP
/sbin/iptables -I OUTPUT 1 -d -j DROP
/sbin/iptables -I FORWARD 1 -s -j DROP
/sbin/iptables -I FORWARD 1 -d -j DROP

Here is a example of a script for dropping packets from a offending IP/range if it exceeds 30 requests per second lets say for our purposes the range is

/sbin/iptables -I INPUT 1 -m limit --limit 30/sec -s -j ACCEPT
/sbin/iptables -I INPUT 2 -s -j DROP
/sbin/iptables -I OUTPUT 1 -m limit --limit 30/sec -d -j ACCEPT
/sbin/iptables -I OUTPUT 2 -d -j DROP
/sbin/iptables -I FORWARD 1 -m limit --limit 30/sec -s -j ACCEPT
/sbin/iptables -I FORWARD 2 -s -j DROP
/sbin/iptables -I FORWARD 1 -m limit --limit 30/sec -d -j ACCEPT
/sbin/iptables -I FORWARD 2 -d -j DROP

You can see your changes applied by running iptables -L command as seen below:

-bash-4.1# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --     anywhere            limit: avg 30/sec burst 5 
DROP       all  --     anywhere            
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere       limit: avg 30/sec burst 5 
DROP       all  --  anywhere       
ACCEPT     all  --     anywhere            limit: avg 30/sec burst 5 
DROP       all  --     anywhere            
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere       limit: avg 30/sec burst 5 
DROP       all  --  anywhere