Firewall functions: IPTABLES
In order to drop all TCP packets forwarded to host 10.10.1.1 the command is:
iptables -A FORWARD -p tcp -d 10.10.1.1 -j DROP
In order to mitigate an ICMP flooding attack the commands are the following (the limit match accepts at most 10 ICMP packets per second, after an initial burst of 5, which is the iptables default for --limit-burst; the second rule drops the excess):
iptables -A INPUT -p icmp -m limit --limit 10/s -j ACCEPT
iptables -A INPUT -p icmp -j DROP
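The following Python model is added here as an illustration and is not code from the original notes. It treats the limit match as a token bucket (refilled at the configured rate, capped at the burst size, one token spent per matching packet), which is how the kernel's limit extension behaves; the arrival times are constructed samples, and the default burst of 5 is the real iptables default for --limit-burst.

```python
"""Token-bucket model of the iptables 'limit' match, applied to constructed
ICMP arrival times. Added illustration, not code from the original notes."""


class LimitMatch:
    """Model of '-m limit --limit RATE --limit-burst BURST'.

    Tokens are refilled at RATE per second up to a ceiling of BURST
    (iptables defaults --limit-burst to 5) and each matching packet spends
    one token. Without a token the packet does not match, so with the two
    rules above it falls through to the DROP.
    Tokens are kept as integer milli-tokens so the arithmetic is exact.
    """

    SCALE = 1000

    def __init__(self, rate_per_s: int, burst: int = 5):
        self.rate = rate_per_s
        self.cap = burst * self.SCALE
        self.tokens = self.cap      # the bucket starts full
        self.last_ms = 0

    def allows(self, now_ms: int) -> bool:
        # rate tokens per second is exactly rate milli-tokens per millisecond
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= self.SCALE:
            self.tokens -= self.SCALE
            return True
        return False


def simulate(rate_per_s: int, burst: int, arrivals_ms):
    """Feed packet arrival times (milliseconds) to the match; return
    (accepted, dropped) as the ACCEPT/DROP rule pair would decide them."""
    match = LimitMatch(rate_per_s, burst)
    verdicts = [match.allows(t) for t in arrivals_ms]
    return verdicts.count(True), verdicts.count(False)


# Constructed traffic samples (not captured data):
FLOOD = list(range(0, 1000, 10))        # 100 echo requests in one second (100 pps)
NORMAL = list(range(0, 10000, 1000))    # one ping per second for ten seconds

if __name__ == "__main__":
    # With --limit 10/s and the default burst of 5, the flood gets its first
    # 5 packets through, then one every 100 ms: 14 accepted, 86 dropped.
    print("flood :", simulate(10, 5, FLOOD))
    print("normal:", simulate(10, 5, NORMAL))   # (10, 0): normal pings pass
```

The two samples show the practical point of the burst parameter: a host pinging once per second never runs the bucket dry, while a 100 pps flood is cut down to the configured 10 per second after the first five packets.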
In order to drop ICMP packets larger than 500 bytes addressed to 10.10.1.1 the command is (the match --length 500:1500 covers packet lengths from 500 up to 1500 bytes; the rule needs a target, otherwise it only counts the matching packets):
iptables -A FORWARD -p icmp -d 10.10.1.1 -m length --length 500:1500 -j DROP
In order to limit to 2 the number of simultaneous telnet connections to host 192.168.1.2 the command is (connlimit counts connections per source address by default, --connlimit-mask 32, so the limit applies to each client host separately):
iptables -A FORWARD -p tcp --dport 23 -d 192.168.1.2 -m connlimit --connlimit-above 2 -j REJECT
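The following Python model is added as an illustration of how the connlimit rule above counts connections; it is not code from the original notes. It groups open connections by source address under the --connlimit-mask prefix (32 by default) and, like the kernel extension, counts the connection being opened together with the existing ones; the hosts, ports and sequence of connection attempts are constructed sample data.

```python
"""Model of the iptables 'connlimit' match counting simultaneous TCP
connections per source. Added illustration, not code from the original notes."""
import ipaddress
from collections import defaultdict


class ConnLimit:
    """Model of '-m connlimit --connlimit-above N [--connlimit-mask BITS]'.

    Connections are grouped by source address masked to BITS (iptables
    default 32, i.e. one group per source host) and the match fires when the
    group, including the connection being opened, holds more than N.
    With '-j REJECT' the (N+1)th simultaneous connection from a group is
    refused while other groups are unaffected.
    """

    def __init__(self, above: int, mask_bits: int = 32):
        self.above = above
        self.mask_bits = mask_bits
        self.open = defaultdict(set)     # group -> set of (src, sport) known to conntrack

    def group(self, src: str):
        return ipaddress.ip_network(f"{src}/{self.mask_bits}", strict=False)

    def new_connection(self, src: str, sport: int) -> str:
        """Verdict for the SYN of a new connection from src:sport."""
        g = self.group(src)
        self.open[g].add((src, sport))           # the new connection is counted as well
        if len(self.open[g]) > self.above:
            self.open[g].discard((src, sport))   # refused, so it never becomes established
            return "REJECT"
        return "ACCEPT"

    def close(self, src: str, sport: int):
        """Connection torn down: conntrack forgets it and the slot is freed."""
        self.open[self.group(src)].discard((src, sport))


def run_scenario(mask_bits: int = 32):
    """Constructed sequence of telnet connection attempts to 192.168.1.2
    (sample data, not a capture); returns the list of verdicts."""
    cl = ConnLimit(above=2, mask_bits=mask_bits)
    verdicts = [
        cl.new_connection("192.168.5.10", 40001),   # 1st from host A
        cl.new_connection("192.168.5.10", 40002),   # 2nd from host A
        cl.new_connection("192.168.5.10", 40003),   # 3rd from host A: above 2
        cl.new_connection("192.168.5.11", 40001),   # host B, same /24 as A
    ]
    cl.close("192.168.5.10", 40001)                 # A closes one session
    verdicts.append(cl.new_connection("192.168.5.10", 40004))  # A gets the slot back
    return verdicts


if __name__ == "__main__":
    print("per host (/32):", run_scenario(32))
    print("per /24      :", run_scenario(24))
```

Running the same scenario with a /24 mask shows the difference the grouping makes: with the default /32 host B is unaffected by host A's two sessions, while with --connlimit-mask 24 the two hosts share one budget of two connections.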
In order to simulate a link with a 2% error rate to host 10.10.1.1 the command is (the random match comes from the older iptables patch-o-matic extensions; on current kernels the same effect is obtained with the statistic match in random mode with probability 0.02):
iptables -A FORWARD -d 10.10.1.1 -m random --average 2 -j DROP
Using the examples previously shown (access-list, dest-nat and source-nat), here follow
their respective iptables commands.
In order to accept only packets sent to a specific network, dropping everything else:
iptables -A FORWARD -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -j DROP
Traffic addressed to port 7 (echo service), from any IP address and addressed to Imola, redirected
to IP address 192.168.0.2.
iptables -t nat -A PREROUTING -p tcp --dport 7 -j DNAT --to-destination 192.168.0.2
Traffic addressed to port 7 (echo service) coming from any IP address and addressed to Imola,
redirected to port 13 (daytime service).
iptables -t nat -A PREROUTING -p tcp --dport 7 -j REDIRECT --to-ports 13
Traffic destined to port 7 (echo service), from any IP address and addressed to Imola, redirected to
IP address 192.168.0.2 port 34.
iptables -t nat -A PREROUTING -p tcp --dport 7 -j DNAT --to-destination 192.168.0.2:34
Traffic addressed to port 23 (Telnet service), coming from any IP address and addressed to IP address 10.10.2.9, redirected to IP address 10.10.10.22 port 7 (echo service); in addition these packets are logged with prefix REDIR. Since the nat table only sees the first packet of each connection, one log line is written per new connection rather than per packet.
iptables -t nat -A PREROUTING -p tcp -d 10.10.2.9 --dport 23 -j LOG --log-prefix REDIR --log-level notice
iptables -t nat -A PREROUTING -p tcp -d 10.10.2.9 --dport 23 -j DNAT --to-destination 10.10.10.22:7
In order to replace the source IP address of all packets addressed to network 10.10.0.0/255.255.0.0 with address 10.10.0.1, using source-nat:
set source-nat protocol any from any to 10.10.0.0/16 source-ip 10.10.0.1
The iptables equivalent masquerades all packets leaving the eth1 interface, i.e. rewrites their source address to the address of eth1:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE