This is part two in my IPtables series. You can read the first part here; it is a basic introduction to what a policy, a chain, and a rule are, and an overview of how to build your rules using system-config-firewall-tui. Today I intend to dive a bit deeper.
Creating a Custom Chain
You may want to create your own chain and append that chain to an existing chain. For example, let's say that at CompanyX you have a default INPUT chain configuration that is deployed to all your production and non-production servers. You might also need a few more rules for production, and instead of adding those to the default INPUT chain you create a custom chain and append that chain to the INPUT chain.
In this instance you might create your custom chain like so:
# iptables -N my_chain
And then append a jump to it onto the built-in INPUT chain. Note that -t filter is the default table and does not have to be specified:
# iptables -t filter -A INPUT -j my_chain
If you want to delete a custom chain you first need to detach it from the INPUT chain:
# iptables -t filter -D INPUT -j my_chain
And then delete it. Note that -X only succeeds when the chain is empty and no longer referenced, so flush it with -F my_chain first if it still holds rules:
# iptables -X my_chain
Logging Dropped Packets
So let's say you have been getting repeated hacking attempts from an IP address and you want to log this activity. Let's pretend the source IP is 192.168.0.99. The first line below will log this activity to the messages file and tag each entry with "Hack Attempt" as a line prefix (the trailing space keeps the prefix separate from the packet fields that follow it). LOG is a non-terminating target, so the packet carries on to the next rule, which is where the DROP goes:
# iptables -A INPUT -s 192.168.0.99 -j LOG --log-prefix "Hack Attempt "
# iptables -A INPUT -s 192.168.0.99 -j DROP
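Once those entries are in the messages file you will want to see what the source was actually touching. The following Python script is an added example, not part of the original post: it parses the kernel LOG lines carrying the "Hack Attempt" prefix, counts packets per source and per protocol/port, and reports sources above a threshold. The log lines, host name web01, addresses and ports are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample from /var/log/messages: four packets logged by the
# "Hack Attempt " rule plus one unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 kernel: Hack Attempt IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.99 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web01 kernel: Hack Attempt IN=eth0 OUT= SRC=192.168.0.99 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web01 kernel: Hack Attempt IN=eth0 OUT= SRC=192.168.0.99 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:04 web01 sshd[1234]: Accepted publickey for admin from 192.168.0.5 port 51000 ssh2
Mar  3 10:15:05 web01 kernel: Hack Attempt IN=eth0 OUT= SRC=192.168.0.99 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=40004 DPT=161 LEN=20
"""

# A LOG entry is "kernel: <prefix> IN=..."; the packet header is KEY=VALUE pairs.
LOG_RE = re.compile(r"kernel: (?P<prefix>.+?) IN=")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_log_line(line, prefix="Hack Attempt"):
    """Return the packet fields we care about if `line` is a LOG entry tagged
    with `prefix`, otherwise None (so non-firewall lines are skipped)."""
    m = LOG_RE.search(line)
    if not m or m.group("prefix").strip() != prefix:
        return None
    fields = dict(KV_RE.findall(line))
    return {"src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "dport": fields.get("DPT")}

def summarize(log_text, prefix="Hack Attempt"):
    """Count logged packets per source and per (source, proto, dport)."""
    per_src, per_port = Counter(), Counter()
    for line in log_text.splitlines():
        pkt = parse_log_line(line, prefix)
        if pkt is None:
            continue
        per_src[pkt["src"]] += 1
        per_port[(pkt["src"], pkt["proto"], pkt["dport"])] += 1
    return per_src, per_port

def noisy_sources(per_src, threshold=3):
    """Sources whose hit count reaches the threshold, most active first."""
    return [src for src, n in per_src.most_common() if n >= threshold]

if __name__ == "__main__":
    srcs, ports = summarize(SAMPLE_LOG)
    for src in noisy_sources(srcs):
        touched = sorted(f"{p}/{d}" for s, p, d in ports if s == src)
        print(f"{src}: {srcs[src]} logged packets, ports {touched}")
```

Point it at the real file with `summarize(open("/var/log/messages").read())` and raise the threshold to suit your traffic.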
Limiting Connections per Minute
In this example we are telling IPtables to use the "limit" extension, loaded with -m, where once a source has hit our burst limit of 100 connections per minute, it will be limited to 25 connections per minute. Packets over that rate simply do not match this rule and fall through to whatever follows it in the chain, so put the rule that should catch them (or rely on the chain policy) after it:
# iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
Block A Port Scan
So this one is kinda cool: it allows you to block someone attempting to scan your server for open ports. In this instance let's block them for an entire day, or 86400 seconds. The first two rules drop anything from a source that is on the "portscan" list and was seen within the last day; the third clears a source from the list once its entry is older than that. Note that these rules only check and clear the list: something still has to put a source on it with a "recent" --set rule (for example one matching a probe to a port you do not serve), which is not shown here.
# iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
# iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# iptables -A INPUT -m recent --name portscan --remove
Redirect Traffic to a Higher Port
Man, this is one that I wish was used more often, especially when a useful tool is running on a funny port and you cannot remember the port. Think HP SIM for example, which runs on port 500000 or something crazy like that. The rule below takes incoming TCP traffic for port 80 and redirects it to the service listening on 9001:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 9001