ManunEbo/Iptables
Iptables examples

Project introduction

This project looks at a few basic use cases for iptables in securing a Linux machine.
The iptables commands are organised into scripts that each perform a specific task.
These scripts can either be run at boot, or run once with their rules saved by iptables-persistent (recommended),
which reloads the saved rules into memory at boot.

Scripts:

  1. auto-block-ip.sh

    This server isn't running a web server, so no HTTP or HTTPS traffic is expected.
    The script therefore adds the source IP address of any packet arriving on TCP ports 80 or 443
    to an ipset, and a second rule drops all traffic from addresses in that set.

    iptables -I INPUT -p tcp -m multiport --dports 80,443 -j SET --add-set auto_blocked src
    iptables -I INPUT -m set --match-set auto_blocked src -j DROP
    

  2. filter-by-mac.sh

    This script allows communication within the local area network only if it is coming
    from desired MAC addresses.
    A default policy is used to ensure all other communication is dropped.

    iptables -A FORWARD -m mac --mac-source $MAC -j ACCEPT
    

  3. ipset-block-country.sh

    This script downloads a file containing a list of a country's network IP ranges,
    creates an ipset from it and then adds an iptables rule that blocks members of that set.
    In this instance we're blocking Israel.

    iptables -I INPUT -m set --match-set israel src -j DROP
    

  4. ipset-block-from-file.sh

    This script reads IP addresses from a file and creates an ipset.
    It then creates an iptables rule to block that set.

    iptables -I INPUT -m set --match-set bad_hosts src -j DROP
    
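The file-driven ipset of item 4 as an added example (a shell script written here, not one of the repository's scripts): it validates every entry before loading, since one malformed line makes `ipset restore` fail, and checks for the DROP rule before inserting it so the script can be re-run without duplicating rules. The blocklist path, the hash:net set type and the "#" comment syntax are assumptions.

```shell
#!/bin/sh
# Added example (not one of the repository's scripts): build the bad_hosts
# ipset from a blocklist file, validating each entry before it is loaded.
# Assumes one IPv4 address or CIDR range per line and "#" comments.
set -f   # entries are split on "." below; never glob-expand them

# valid_ipv4_cidr ENTRY: returns 0 if ENTRY is a.b.c.d or a.b.c.d/N (N 0-32)
valid_ipv4_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32            # no "/": single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in .*|*.|*..*) return 1 ;; esac # empty octet
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# emit_ipset_restore FILE SETNAME: print "ipset restore" input for the valid
# entries of FILE; invalid lines are reported on stderr and skipped.
emit_ipset_restore() {
    printf 'create %s hash:net family inet -exist\n' "$2"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -n "$line" ] || continue
        if valid_ipv4_cidr "$line"; then
            printf 'add %s %s -exist\n' "$2" "$line"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# apply_blocklist FILE SETNAME: load the set, then insert the DROP rule only
# if it is not already present (re-running "iptables -I" would duplicate it).
apply_blocklist() {
    emit_ipset_restore "$1" "$2" | ipset restore || return 1
    iptables -C INPUT -m set --match-set "$2" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$2" src -j DROP
}

# Usage (as root):  apply_blocklist /etc/iptables/bad_hosts.txt bad_hosts
```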

  5. limit-packets-per-second.sh

    This script limits ICMP echo requests (pings) to one packet per second.
    It also limits HTTPS connections to 5 per second; note that this is for
    demonstration only and is not a sensible approach for production.

    iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 3 -j ACCEPT
    

  6. load-balance-nat-ports.sh

    This script uses one interface for traffic destined to certain ports
    and another interface for all other traffic.

    iptables -t nat -A POSTROUTING -p tcp --dport $port -o eth1 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
    

  7. match-by-time-interval.sh

    This script permits SSH access only between 08:00 and 18:00.
    It also restricts HTTP access to a website to weekdays between 08:00 and 18:00.
    All traffic outside these time intervals is dropped.

    iptables -A INPUT -p tcp --dport 22 -m time --kerneltz --timestart 8:00 --timestop 18:00 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 80 -d www.ubuntu.com -m time --kerneltz --weekdays Mon,Tue,Wed,Thu,Fri --timestart 8:00 --timestop 18:00 -j ACCEPT
    

  8. max-quota.sh

    This script sets different max quotas for HTTP and HTTPS.

    iptables -A FORWARD -o $INT -p $PROTOCOL --sport $PORT -m quota --quota $QUOTA1 -j ACCEPT
    

  9. nat-masquerade.sh

    This script rewrites the source address of traffic from a given network to the known public IP
    of an interface (source NAT). Alternatives using MASQUERADE and SNAT are presented.

    # iptables has no "NAT" target; source rewriting is done by SNAT
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp0s3 -j SNAT --to-source 80.0.0.1
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp0s3 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -p tcp -o enp0s3 -j SNAT --to-source 80.0.0.1
    

  10. port-forward-DNAT-loadbalance.sh

    This script forwards all packets arriving at the public IP address of a router on a given port
    to a destination IP address.
    An alternative is presented where clients connect on one port and are then redirected to another port
    on the destination IP address.
    Lastly, the script demonstrates simple load balancing across a range of 5 IP addresses.

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.20
    iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.20:80
    iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.20-192.168.0.24
    

  11. stateful.sh

    This script allows new connections to be initiated from the system while accepting the
    corresponding return traffic based on connection-tracking state.

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    

  12. user-defined-chain-with-macs.sh

    This script restricts incoming traffic to specified MAC addresses while allowing outgoing
    traffic to any destination.
    A default policy then drops everything else.

    iptables -A ACCEPTED_MAC -m mac --mac-source $MAC -j ACCEPT
    
