Using iptables
On this page, I list basic iptables and ipset commands.
Why set up a firewall? A new server is found by scanners within seconds of going online, and any security issue in an exposed service is found just as quickly.
My server is getting scanned all the time.
I have been using iptables for many years. Recently nftables has replaced the legacy iptables backend in the Linux kernel (netfilter is the kernel framework that both of them program).
I still use the iptables command, which on current distributions is the iptables-nft front end to nftables. I only use IPv4, so for me it is the same as before:
iptables -V
iptables v1.8.9 (nf_tables)
Iptables
List the current rules (add -n to skip reverse DNS lookups and -v to see packet counters; -L shows only the filter table, use -t nat for the nat table):
iptables -L --line-numbers
Clear/flush all the rules in the filter table. This does not delete user-defined chains (iptables -X) and does not reset the chain policies, so if the INPUT policy is DROP, flushing over ssh locks you out; set iptables -P INPUT ACCEPT first:
iptables -F
Append a rule at the end of a chain:
iptables -A chain_name rule
Insert a rule at the start of a chain (or at position N with iptables -I chain_name N rule):
iptables -I chain_name rule
Delete a rule:
iptables -D chain_name rule_number
iptables -D INPUT 1
Log new TCP connections to a port (--syn matches only the first packet of a connection; without it every packet to the port is logged, so add -m limit on a busy port):
iptables -A INPUT -p tcp --dport 80 --syn -j LOG --log-prefix "PORT80: "
The logs are in one of the following files, depending on the distribution (on systems with journald, journalctl -k shows them too):
less +G /var/log/messages
or
less +G /var/log/syslog
Ipset
List sets (ipset list is the same command; add a set name to list only that set):
ipset -L
Delete a set named “myset”:
ipset destroy myset
or
ipset -X myset
Delete all sets (this fails while any set is still referenced by an iptables rule; delete those rules first):
ipset destroy
Delete a member from a set:
ipset del myset 64.225.75.109
Ban an IP after N connections per minute
Track new TCP connections to port 22 (--dport 22) with the recent module; when a source opens 3 or more of them (--hitcount 3) within 60 seconds (--seconds 60) it is added to the set too_many and all its further packets to the port are dropped.
Entries in the set expire after 10 minutes (timeout 600), so the ban lifts by itself. The set must exist before the rules that reference it are loaded, which is why it is created first, and the log rule in the drop chain is itself rate limited (-m limit) so a flood cannot fill the log.
iptables -N LOG_DROP_TOO_MANY
iptables -A LOG_DROP_TOO_MANY -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "INPUT:DROP TOO MANY: " --log-level 6
iptables -A LOG_DROP_TOO_MANY -j DROP
ipset create too_many hash:ip family inet hashsize 32768 maxelem 65536 timeout 600
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j SET --add-set too_many src
iptables -A INPUT -p tcp --dport 22 -m set --match-set too_many src -j LOG_DROP_TOO_MANY
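The same ban as a script that can be run again and again, added here as an example (it is not code from the original page). It wraps the commands above so that a second run does not append duplicate rules (iptables -C reports whether an identical rule exists, ipset -exist tolerates an existing set), gives the recent list a name so it does not share the module's DEFAULT list with other rules, and checks the ban set before counting so banned hosts are dropped without being counted again. -m conntrack --ctstate NEW is the current spelling of -m state --state NEW. The variable names, the APPLY switch and the function names are my own choices; by default the script only prints the commands, set APPLY=1 and run it as root to execute them.

```shell
#!/bin/sh
# Added example (not code from the original page): the ban above as a script that
# can be run repeatedly. Variable and function names are my own choices.
# By default it only prints the commands; APPLY=1 runs them (needs root).
set -eu

BAN_PORT="${BAN_PORT:-22}"
HITCOUNT="${HITCOUNT:-3}"            # this many new connections ...
WINDOW="${WINDOW:-60}"               # ... within this many seconds trigger the ban
BAN_TIME="${BAN_TIME:-600}"          # ipset entry timeout: how long the ban lasts
SETNAME="${SETNAME:-too_many}"
CHAIN="${CHAIN:-LOG_DROP_TOO_MANY}"
RECENT="${RECENT:-ssh_$BAN_PORT}"    # named recent list, not the shared DEFAULT one

applying() { [ "${APPLY:-0}" = 1 ]; }

# run CMD...: execute when applying, otherwise print (arguments are shown unquoted)
run() {
    if applying; then "$@"; else printf '%s\n' "$*"; fi
}

# rule CHAIN RULE...: append the rule unless an identical one already exists
# (iptables -C returns 0 when it does), so re-running does not duplicate rules
rule() {
    chain=$1; shift
    if applying && iptables -C "$chain" "$@" 2>/dev/null; then return 0; fi
    run iptables -A "$chain" "$@"
}

ban_setup() {
    # -exist: creating an already existing set with the same parameters is not an error
    run ipset -exist create "$SETNAME" hash:ip family inet hashsize 32768 maxelem 65536 timeout "$BAN_TIME"
    # the log-and-drop chain; -N fails if it already exists, which we ignore
    if applying; then iptables -N "$CHAIN" 2>/dev/null || true; else run iptables -N "$CHAIN"; fi
    rule "$CHAIN" -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "INPUT:DROP TOO MANY: " --log-level 6
    rule "$CHAIN" -j DROP
    # already banned sources go to the chain first, before they are counted again
    rule INPUT -p tcp --dport "$BAN_PORT" -m set --match-set "$SETNAME" src -j "$CHAIN"
    # count new connections per source; at the threshold add the source to the set
    rule INPUT -p tcp --dport "$BAN_PORT" -m conntrack --ctstate NEW -m recent --name "$RECENT" --set
    rule INPUT -p tcp --dport "$BAN_PORT" -m conntrack --ctstate NEW -m recent --name "$RECENT" \
        --update --seconds "$WINDOW" --hitcount "$HITCOUNT" -j SET --add-set "$SETNAME" src
}

# rule_count: how many commands a dry run issues (1 ipset, 1 chain, 2 chain rules, 3 INPUT rules)
rule_count() { (APPLY=0; ban_setup) | wc -l | tr -d ' '; }

ban_setup
```

Run it once without APPLY to read the seven commands it would issue, then with APPLY=1. Because the set is created with -exist and every rule is checked with -C first, the script is safe to put in a boot hook or to run after editing the thresholds.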
How to block or only allow a list of networks
Create a file nets.txt with the list of networks:
vi nets.txt
1.0.0.0/8
2.0.0.0/8
128.0.0.0/16
Create a script that adds the networks to a set (the set is created if it is missing, -exist makes both commands safe to run again, and read -r with the quotes keeps the shell from interpreting odd lines):
vi add.sh
#!/bin/sh
# create the set if it does not exist yet
ipset -exist create nets hash:net
# one network per line, blank lines skipped; -exist ignores entries already in the set
while read -r network ; do
    [ -n "$network" ] || continue
    ipset -exist add nets "$network"
done < nets.txt
Run the script:
chmod 755 add.sh
./add.sh
Block or allow the IPs in the set. The allow rule drops every source that is not in the set, including loopback and the replies to connections this machine opens, so accept -i lo and ESTABLISHED,RELATED traffic before it, and make sure your own address is in the set before adding the rule over ssh:
# Allow ips in the set:
iptables -A INPUT -m set ! --match-set nets src -j DROP
# or
# block ips in the set:
iptables -A INPUT -m set --match-set nets src -j DROP
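Reloading the set after editing nets.txt is where the allow list bites: flushing nets and re-adding the entries leaves a moment where the set is empty and the ! --match-set rule drops everything, including the ssh session doing the reload. The script below is an added example (not the page's add.sh): it validates every entry as an IPv4 network, refuses the whole file if any entry is bad, builds the new contents in a scratch set and uses ipset swap so the live set changes in one step. The helper names (is_cidr, filter_nets, load_nets) and the scratch set name nets_new are my own.

```shell
#!/bin/sh
# Added example (not the page's add.sh): validate nets.txt and load it into the
# set "nets" atomically. Function names and the scratch set name are my own.
set -eu

# is_cidr ADDR: true for a.b.c.d or a.b.c.d/len with octets 0-255 and len 0-32
is_cidr() {
    ip=${1%/*}                       # part before the slash (whole string if none)
    len=${1#*/}                      # part after the slash (whole string if none)
    [ "$len" != "$1" ] || len=32     # no prefix length given: a single host
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$ip" in
        *.*.*.*.*|*..*|.*|*.) return 1 ;;   # too many dots or an empty octet
        *.*.*.*) ;;
        *) return 1 ;;                      # too few dots
    esac
    a=${ip%%.*}; rest=${ip#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# filter_nets FILE: print the networks in FILE one per line (# comments, spaces
# and blank lines ignored); return 1 and print nothing if any entry is invalid,
# so a typo never results in a half-loaded set
filter_nets() {
    out='' bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -n "$line" ] || continue
        if is_cidr "$line"; then
            out="$out$line
"
        else
            printf 'invalid network: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ] || return 1
    printf '%s' "$out"
}

# load_nets FILE [SET]: rebuild SET (default nets) from FILE. The entries go into
# a scratch set first; ipset swap then exchanges the two sets in one operation,
# so rules that match on SET never see it empty. Needs root.
load_nets() {
    file=$1; name=${2:-nets}; scratch="${name}_new"
    entries=$(filter_nets "$file") || { echo "$file has invalid entries, $name left unchanged" >&2; return 1; }
    ipset -exist create "$name" hash:net
    ipset -exist create "$scratch" hash:net
    ipset flush "$scratch"
    printf '%s\n' "$entries" | while read -r net; do
        [ -n "$net" ] || continue
        ipset -exist add "$scratch" "$net"
    done
    ipset swap "$scratch" "$name"     # atomic: rules referencing "$name" see the new contents
    ipset destroy "$scratch"
}

# usage: sudo ./load_nets.sh nets.txt   (same file format as nets.txt above)
[ $# -eq 0 ] || load_nets "$1"
```

Validation runs before any ipset command, so a bad line fails the run with the old set still in place, and the swap keeps the window where the allow list is empty from ever existing.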
How to log outbound TCP connections outside a subnet
I want to log outbound connections to get a list of the IPs my computer connects to. My local network is 192.168.1.0/24 and I don't want to log the connections inside my LAN. --log-uid adds the UID of the process that opened the connection to the log line.
iptables -I OUTPUT -p tcp -m state --state NEW ! -d 192.168.1.0/24 -m limit --limit 1/m --limit-burst 1 -j LOG --log-uid --log-prefix "Outbound Connection: "
The log messages are written to /var/log/messages (or /var/log/syslog). Note that -m limit --limit 1/m counts across all destinations, so at most one outbound connection per minute is logged; raise the limit if you want a complete list rather than a sample.
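To turn either log (the PORT80 prefix from the first section or this outbound one) into a per-address count, the script below is an added example, not part of the original page: it reads kernel LOG lines from standard input, keeps those carrying the given prefix, and counts the distinct values of one field (SRC, DST, DPT, UID, ...). The lines in SAMPLE_LOG are constructed for the demonstration and use documentation addresses; the function name log_summary is mine.

```shell
#!/bin/sh
# Added example (not from the original page): count distinct field values in
# iptables LOG lines that carry a given --log-prefix. Function name is my own.
set -eu

# Constructed sample log lines (documentation addresses 203.0.113.0/24 and
# 198.51.100.0/24); the two prefixes are the ones used on this page, plus an
# unrelated sshd line that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Jan  5 10:00:01 host kernel: [ 120.5] Outbound Connection: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=43210 DPT=443 SYN URGP=0 UID=1000 GID=1000
Jan  5 10:00:02 host sshd[812]: Accepted publickey for alice from 192.168.1.20 port 50122 ssh2
Jan  5 10:01:07 host kernel: [ 186.1] Outbound Connection: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=43222 DPT=80 SYN URGP=0 UID=1000 GID=1000
Jan  5 10:02:30 host kernel: [ 269.3] PORT80: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=55840 DPT=80 SYN URGP=0
Jan  5 10:03:11 host kernel: [ 310.7] Outbound Connection: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=43300 DPT=443 SYN URGP=0 UID=0 GID=0
EOF
)

# log_summary PREFIX FIELD: read log lines on stdin, keep those containing PREFIX,
# and print "count value" for each distinct value of FIELD (SRC, DST, DPT, UID ...),
# most frequent first. Matching on "FIELD=" at the start of a token keeps GID=
# from being counted as UID= and SPT= from being counted as DPT=.
log_summary() {
    prefix=$1
    field="$2="
    grep -F -- "$prefix" | awk -v f="$field" '
        {
            for (i = 1; i <= NF; i++)
                if (index($i, f) == 1)          # token starts with "FIELD="
                    n[substr($i, length(f) + 1)]++
        }
        END { for (v in n) print n[v], v }
    ' | sort -k1,1rn -k2,2
}

# Which hosts does this machine connect to, and as which user?
printf '%s\n' "$SAMPLE_LOG" | log_summary 'Outbound Connection: ' DST
printf '%s\n' "$SAMPLE_LOG" | log_summary 'Outbound Connection: ' UID
# Who is hitting port 80?
printf '%s\n' "$SAMPLE_LOG" | log_summary 'PORT80: ' SRC
```

On a real system feed it the file, for example grep -F 'Outbound Connection: ' /var/log/syslog | log_summary 'Outbound Connection: ' DST; the same call with UID shows which local user (or daemon, UID 0) is making the connections.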
How to make ipset and iptables persistent in Debian
sudo apt-get install ipset-persistent iptables-persistent
The install prompts ask whether to save the current sets and rules; the iptables rules are stored in /etc/iptables/rules.v4 (and rules.v6) and restored at boot by the netfilter-persistent service. ipset-persistent restores the sets before iptables-persistent restores the rules, which is necessary because a rule that references a set that does not exist yet fails to load.
After changing sets or rules, save them again (sudo netfilter-persistent save does the same without the prompts):
sudo dpkg-reconfigure ipset-persistent
sudo dpkg-reconfigure iptables-persistent
Related article from Cheapskate's Guide: Building My Own Firewall/Router, Part 2
Related to persistent ipset iptables configurations: Make ipset and iptables configurations persistent in Debian/Ubuntu
Hashtags: #networking