Netfilter (iptables) Tips & Tricks

What is Netfilter | iptables: other programs can augment your server's security, but Netfilter (configured through iptables) is what actually stops the traffic. As an example, PSAD can recognize attack patterns, but it is Netfilter that is then used to stop inbound connection attempts from getting any response. In other words, Netfilter can be told to ignore incoming requests, essentially making the server unreachable from that IP address.

Permanently Ban IPs using IPTables

Block IPs using DROP (replace XXX.XXX.XXX.XXX with the address; the OUTPUT rule also stops the server from sending anything to it)
sudo iptables -A INPUT -s XXX.XXX.XXX.XXX -j DROP
sudo iptables -A OUTPUT -d XXX.XXX.XXX.XXX -j DROP
Save and Restore iptables

When the server reboots, the Netfilter (iptables) rule set, including the blocked IPs and the blocking criteria, disappears unless you save it and restore it.

Save your iptables settings (-c includes the packet and byte counters)
sudo iptables-save -c > ~/iptables-save.txt
Restore iptables settings (-c restores the counters; -n appends the saved rules to the current ones instead of flushing them first)
sudo iptables-restore -cn < ~/iptables-save.txt
Drop w00tw00t scanner requests (matches the probe string within the first 70 bytes of the HTTP request)
sudo iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
Monitor iptables
sudo watch -d 'iptables -vnL --line-numbers'
sudo iptables -L -n
sudo watch 'iptables -vL'
sudo watch --interval 0 'iptables -nvL | grep -v "0     0"'
Extract IPs from the Apache logs (prints the client IP, field 2 of other_vhosts_access.log, for requests whose 13th field matches spinn; ~ is the awk match operator)
awk '$13 ~ /spinn/ {print $2}' /var/log/apache2/other_vhosts_access.log | sort -u
Create a list of attacker IPs from the fail2ban log (matching the exact word Ban skips the Unban lines; the output is sorted by number of bans)
awk '$(NF-1) == "Ban" {print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n
Compile a list of IPs, sorted and de-duplicated (takes the first space-separated field of each line)
cut -d' ' -f1 hackers.txt | sort -u > iptables-blocklist.txt
Delete log file lines that contain an IP address (replace 000.000.000.000 with the address; the dots are escaped so they match literally, and only .log files in the current directory are touched)
find . -maxdepth 1 -name '*.log' -type f -exec sed -i '/000\.000\.000\.000/d' {} +
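The fail2ban extraction above and the permanent DROP rules from the top of the page, combined as an added shell example (not code from the original page): it pulls the banned addresses out of constructed fail2ban.log lines, skipping Unban entries and anything that is not an IPv4 address, and writes them as a dedicated BLOCKLIST chain in iptables-restore format, so the result can be loaded next to the existing rules with the -n (no flush) option used in the save/restore section. The sample log lines, the chain name BLOCKLIST and the function names are assumptions.

```shell
#!/bin/bash
# Added example: build an iptables-restore blocklist from fail2ban "Ban" lines.

# Constructed sample of /var/log/fail2ban.log lines (assumed format, not real bans).
SAMPLE_FAIL2BAN_LOG='2024-05-01 10:00:01,123 fail2ban.actions [512]: NOTICE [sshd] Ban 203.0.113.7
2024-05-01 10:03:12,456 fail2ban.actions [512]: NOTICE [sshd] Ban 198.51.100.23
2024-05-01 10:05:00,789 fail2ban.actions [512]: NOTICE [apache-auth] Ban 203.0.113.7
2024-05-01 10:20:00,000 fail2ban.actions [512]: NOTICE [sshd] Unban 198.51.100.23
2024-05-01 10:25:00,000 fail2ban.actions [512]: NOTICE [sshd] Ban not-an-ip'

# Print the unique IPv4 addresses fail2ban banned, reading log lines from stdin.
# Comparing the second-to-last field with the literal word "Ban" skips Unban
# lines, the NF guard protects against empty lines, and the dotted-quad regex
# drops anything that is not an address.
banned_ips() {
  awk 'NF >= 2 && $(NF-1) == "Ban" && $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $NF }' | sort -u
}

# Emit an iptables-restore fragment: a BLOCKLIST chain (hypothetical name)
# holding one DROP per address, read from stdin, plus a jump at the top of
# INPUT so blocked hosts are dropped before any ACCEPT rule.
blocklist_rules() {
  printf '*filter\n'
  printf '%s\n' ':BLOCKLIST - [0:0]'
  while read -r ip; do
    printf '%s\n' "-A BLOCKLIST -s $ip -j DROP"
  done
  printf '%s\n' '-I INPUT 1 -j BLOCKLIST'
  printf 'COMMIT\n'
}

# Usage: feed the sample through both functions and print the fragment.
printf '%s\n' "$SAMPLE_FAIL2BAN_LOG" | banned_ips | blocklist_rules
```

Load the fragment with `sudo iptables-restore -n < blocklist.rules` (substituting the real log for the sample); because the fragment inserts a new jump into INPUT every time it is loaded, delete the old jump with `sudo iptables -D INPUT -j BLOCKLIST` before reloading an updated list.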
Clear IPTABLES CHAINS

Put these lines in a BASH script and run it. DO NOT enter them one at a time on the command line: if the INPUT policy is DROP, flushing the rules before resetting the policy cuts off your own SSH session.

#!/bin/bash
# Reset every chain's policy to ACCEPT first, so the flush below cannot lock you out
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
# Flush all rules in the filter and nat tables, then delete the user-defined chains
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -X

Find a blocked IP and its rule number (line numbers restart for each chain, so note which chain the rule is in; -F makes grep match the dots literally)
sudo iptables -L -n -v --line-numbers | grep -F 000.000.000.000
Delete a blocked IP by rule number (use the chain and number found above)
sudo iptables -D INPUT [line number]


BASH Script Example for Securing Server

#!/bin/bash
IPTABLES=/sbin/iptables
# backup the current rules, with their counters, before touching anything
/sbin/iptables-save -c > /home/username/iptables.bak
# flush all rules and delete user-defined chains
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
# default policies: drop inbound and forwarded traffic, allow outbound
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP
# allow replies to connections this host initiated
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS replies (already covered by the ESTABLISHED,RELATED rule; note that this accepts any UDP packet with source port 53)
$IPTABLES -A INPUT -p udp -m udp --sport 53 -j ACCEPT
## Accept incoming TCP connections on eth0 only, per port
# SSH
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# HTTP
$IPTABLES -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
# HTTPS
$IPTABLES -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
## loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# reject packets addressed to 127.0.0.0/8 that did not arrive on lo (spoofed loopback traffic)
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT
# drop w00tw00t scanner probes; -I puts this rule ahead of every other INPUT rule
$IPTABLES -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t' -j DROP
# rate-limited ping; anything over the limit falls through to the DROP policy
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j ACCEPT
# log packets that are about to be dropped, at most 5 lines per minute
$IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# restore the backup without losing the counters; -n appends its rules after the ones above instead of flushing
/sbin/iptables-restore -cn < /home/username/iptables.bak
# restart psad so it picks up the new rule set
psad -H
echo "I'm done refreshing the iptables firewall"
