IPTABLES

IPv6

Type 0 Routing Header

IPv6 type 0 routing header processing should be disabled by default.

1
2
3
iptables --insert INPUT 0 --match rt --rt-type 0 --jump DROP
iptables --insert OUTPUT 0 --match rt --rt-type 0 --jump DROP
iptables --insert FORWARD 0 --match rt --rt-type 0 --jump DROP

Hop Limit

This field sets the lifetime of the packet. Every time a router forwards a packet, it decrements the value of this field by 1. If the value reaches zero, the packet is discarded. The size of this field is 8 bits.

1
2
ip6tables --append icmpv6-in --protocol icmpv6 --icmpv6-type "router-advertisement" \
--match hl --hl-eq 255 --match limit --limit 10/m --jump ACCEPT

Echo-Reply

Multicast ping replies are part of the ok icmp codes for INPUT, but don’t have an associated connection and are otherwise be marked INVALID, so allow above INVALID rules.

1
2
linenum=$(ip6tables -v --line -L INPUT | grep INVALID | awk '{print $1}')
ip6tables --insert INPUT $linenum --protocol icmpv6 --icmp-type echo-reply --jump ACCEPT

command

eth+ means all of interfaces which the name start with eth , example:eth0,eth1,eth2,eth3….eth10

1
2
iptables --append INPUT --in-interface eth+ --proto icmp --icmp-type echo-request --jump ACCEPT
#iptables -A INPUT -i eth+ -p icmp --icmp-type echo-request -j ACCEPT

allow all ip protocol except tcp

1
2
iptables --append INPUT ! --protocol tcp --jump ACCEPT
#iptables -A INPUT ! -p tcp -j ACCEPT

all ip except 192.168.3.0/24 will be droped

1
2
iptables --append INPUT ! --source 192.168.3.0/24 --jump DROP
#:~$ iptables -A INPUT ! -s 192.168.3.0/24 -j DROP

only allow eth0 interface through, others will be droped

1
2
iptables --append INPUT ! --in-interface eth0 --jump DROP
#iptables -A INPUT ! -i eth0 -j DROP

每个网络接口都有一个MTU(最大传输单元),这个参数定义了可以通过的数据包的最大尺寸。如果一个数据包大于这个参数值时,系统会将其划分成更小的数据包(称为ip碎片)来传输
而接受方则对这些ip碎片再进行重组以还原整个包。这样会导致一个问题:当系统将大数据包划分成ip碎片传输时,第一个碎片含有完整的包头信息IP+TCP、UDP和ICMP)
但是后续的碎片只有包头的部分信息(如源地址、目的地址)。因此,检查后面的ip碎片的头部(象有TCP、UDP和ICMP一样)是不可能的。
这时的FORWARD的policy为DROP时,系统只会让第一个ip碎片通过,而余下的碎片因为包头信息不完整而无法通过。

1
iptables --append FORWARD --protocol tcp --source 192.168.1.0/24 --destination 192.168.2.100 --dport 80 --jump ACCEPT

可以通过—fragment/-f 选项来指定第二个及以后的ip碎片解决上述问题。

1
2
iptables --append FORWARD --fragment --source 192.168.1.0/24 --destination 192.168.2.100 --jump ACCEPT
#iptables -A FORWARD -f -s 192.168.1.0/24 -d 192.168.2.100 -j ACCEPT

匹配多端口

1
iptables --append INPUT --protocol tcp --match multiport --sports 22,53,80:1024 --jump DROP

state

检查 SYN、ACK、FIN 标志,只允许SYN为1。

1
:~$ iptables --append INPUT --protocol tcp --tcp-flags SYN,FIN,ACK SYN --jump ACCEPT

选项—syn相当于”–tcp-flags SYN,RST,ACK SYN”的简写

1
:~$ iptables --append INPUT --protocol tcp --syn --jump ACCEPT

检查 ALL(SYN,ACK,FIN,RST,URG,PSH)的标志,只允许SYN和ACK为1

1
:~$ iptables --append INPUT --protocol tcp --tcp-flags ALL SYN,ACK --jump ACCEPT

limit速率匹配扩展

每秒只允许30个data通过,多余的丢弃

1
:~$ iptables --append INPUT --match limit --limit 30/s --jump ACCEPT

当数据包个数为30/second时,将最高阙值调整为40/second,如果再次超过则将包丢弃

1
:~$ iptables --append INPUT --match limit --limit 30/s --limit-burst 40 --jump ACCEPT

limit

某IP同时发起TCP的SYN链接超过15个则丢弃

1
iptables --append INPUT --in-interface eth0 --protocol tcp --syn --match connlimit --connlimit-above 15 --jump DROP

某IP同时发起的SYN链接低于15个则接受否则丢弃

1
:~$ iptables --append INPUT --in-interface eth0 --protocol tcp --syn --match connlimit --connlimit-upto 15 --jump ACCEPT

time

单个IP最多连接3个会话,在保持3个会话的同时发起3次新的连接请求,则禁止SSH列表中的此IP 5分钟

1
2
:~$ iptables --append INPUT --protocol tcp --dport 22 --match state --state NEW --match recent --set --name SSH --jump ACCEPT
:~$ iptables --append INPUT --protocol tcp --dport 22 --match state --state NEW --match recent --update --seconds 300 --hitcount 3 --name SSH --jump DROP

add comment to the rule

1
:~$ iptables -A INPUT -i eth1 -m comment --comment "my local LAN" --jump ACCEPT

notrack, 使iptables不作跟踪链接,即kernel不对此数据做记录,加快数据处理速率,缓解ip_conntrack表的压力
/proc/net/ip_conntrack查看链接表

1
2
3
iptables --table raw --append PREROUTING --protocol tcp --dport 80 --jump NOTRACK
iptables --insert INPUT 1 --match state --state UNTRACKED --jump ACCEPT
iptables --insert OUTPUT 1 --protocol tcp --sport 80 --jump UNTRACKED

extension addrtype

Matches if the destination address is of given type
man iptables-extensions

  • LOCAL—127.0.0.1/8(only This Machine)
  • MULTICAST 224.0.0.1/8
  • BROADCAST 255.255.255.255
1
2
iptables --append INPUT --protocol igmp --match addrtype --dst-type MULTICAST --jump ACCEPT
iptables --append INPUT --in-interface eth0 --match addrtype --dst-type BROADCAST --jump ACCEPT

qos

QoS, There are five valid TOS values, which can be used with either numeric or descriptive values

  • Minimize-Delay 16 (0x10)
  • Maximize-Throughput 8 (0x08)
  • Maximize-Reliability 4 (0x04)
  • Minimize-Cost 2 (0x02)
  • Normal-Service 0 (0x00)
    Notice that we’re using the names of the service instead of a simple port number. This can be done with most common ports. Check /etc/services for a full list.
1
2
iptables --table mangle --append PREROUTING  --protocol TCP  --sport telnet  --jump TOS  --set-tos Minimize-Delay
iptables --table mangle --append OUTPUT --protocol TCP --sport domain --jump TOS --set-tos Minimize-delay

owner

This module attempts to match various characteristics of the packet creator, for locally generated packets.
This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket associ‐ated with them. Packets from kernel threads do have a socket, but usually no owner.

  • Matches if the packet socket’s file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.
  • --uid-owner username
  • --uid-owner userid[-userid]
  • Matches if the packet socket’s file structure is owned by the given group. You may also specify a nu‐merical GID, or a GID range.
  • --gid-owner groupname
  • --gid-owner groupid[-groupid]
1
2
iptables --append OUTPUT --protocol tcp --match owner --uid-owner debian-transmission --jump ACCEPT
iptables --append OUTPUT --protocol udp --match owner --gid-owner www-data --jump ACCEPT

iprange

  • --dst-range
  • --src-range
1
iptables --append OUTPUT --match iprange --dst-range 192.168.1.2-192.168.1.4 --jump ACCEPT