Need help with iptables script


Brzina
Hi All

I need help with an iptables script.
I have found this script but I need to tweak it a little bit.
The adjustment I need is a restriction so that only a certain IP is able to connect,
so let's say the source IP is 87.87.87.7 and port 8000,
and the internal destination will be 10.10.10.10:8005.


#!/bin/sh

logger "firewall" "Applying nat-start rules"
iptables -N SSHVSBFP -t nat
iptables -A SSHVSBFP -t nat -m recent --set --name SSHVS --rsource
iptables -A SSHVSBFP -t nat -m recent --update --seconds 60 --hitcount 5 --name SSHVS --rsource -j RETURN
iptables -A SSHVSBFP -t nat -p tcp --dport 8005 -m state --state NEW -j DNAT --to-destination 10.10.10.10:8005
iptables -I VSERVER -t nat -i eth0 -p tcp --dport 8005 -m state --state NEW -j SSHVSBFP
 
Add a rule at the top of your SSHVSBFP chain that will -j DROP if the source IP is not 87.87.87.7.
 
Like this?

#!/bin/sh

logger "firewall" "Applying nat-start rules"
iptables -N SSHVSBFP -t nat -j DROP 87.87.87.7
iptables -A SSHVSBFP -t nat -m recent --set --name SSHVS --rsource
iptables -A SSHVSBFP -t nat -m recent --update --seconds 60 --hitcount 5 --name SSHVS --rsource -j RETURN
iptables -A SSHVSBFP -t nat -p tcp --dport 8005 -m state --state NEW -j DNAT --to-destination 10.10.10.10:8005
iptables -I VSERVER -t nat -i eth0 -p tcp --dport 8005 -m state --state NEW -j SSHVSBFP
 
No. Do not change the -N entry, as this is just for creating the chain. Underneath it, insert this new command:

Code:
iptables -A SSHVSBFP -t nat ! -s 87.87.87.87 -j DROP

The syntax might vary a bit however based on your iptables version (I've seen a few differences in older iptables when dealing with the "!" modifier).

You could also modify the DNAT entry to look for the source IP, but I like my method since it allows you to drop the traffic earlier, making it more efficient. Otherwise, it would then be something like this:

Code:
iptables -A SSHVSBFP -t nat -s 87.87.87.87 -p tcp --dport 8005 -m state --state NEW -j DNAT --to-destination 10.10.10.10:8005
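Putting the two answers together, here is an added example (my own script, not RMerlin's or the thread's code) of a nat-start that builds the whole chain from variables: the allowed-source DROP first, then the recent-based throttle, then the DNAT, hooked into VSERVER. The chain, list and interface names are the ones used in the thread; ALLOWED_SRC, WAN_PORT and LAN_DST default to the thread's sample values and are meant to be overridden. It prints the rules by default and only applies them when APPLY=1, so the output can be reviewed on a workstation before it ever touches the router, and it is written so that running nat-start a second time does not stack duplicate rules.

```shell
#!/bin/sh
# Added example: generate the nat-start rules for "only one WAN source may reach
# a DNAT'd service, and even that source is throttled". Not the thread's script.
# Defaults are the thread's sample values; override them from the environment.
ALLOWED_SRC="${ALLOWED_SRC:-87.87.87.7}"     # only WAN source allowed through
WAN_PORT="${WAN_PORT:-8005}"                  # port exposed on the WAN side
LAN_DST="${LAN_DST:-10.10.10.10:8005}"        # where the DNAT sends it
CHAIN="${CHAIN:-SSHVSBFP}"                    # custom chain in the nat table
LIST="${LIST:-SSHVS}"                         # xt_recent list name
WAN_IF="${WAN_IF:-eth0}"

# emit_rules CHAIN SRC PORT DST LIST WAN_IF prints one iptables command per
# line and changes nothing itself, so the output can be inspected or piped to sh.
emit_rules() {
    chain=$1; src=$2; port=$3; dst=$4; list=$5; wan=$6
    # Create the chain if it is missing, otherwise flush it: nat-start can run
    # more than once and plain -A/-I would stack duplicate rules.
    echo "iptables -t nat -N $chain 2>/dev/null || iptables -t nat -F $chain"
    # Drop every other source before the throttle rules see it.
    echo "iptables -t nat -A $chain ! -s $src -j DROP"
    # Brute-force throttle: record the source, then RETURN (skip the DNAT)
    # once it has opened 5 new connections within 60 s.
    echo "iptables -t nat -A $chain -m recent --set --name $list --rsource"
    echo "iptables -t nat -A $chain -m recent --update --seconds 60 --hitcount 5 --name $list --rsource -j RETURN"
    echo "iptables -t nat -A $chain -p tcp --dport $port -m state --state NEW -j DNAT --to-destination $dst"
    # Hook the chain into VSERVER only if an identical jump is not already there.
    hook="VSERVER -i $wan -p tcp --dport $port -m state --state NEW -j $chain"
    echo "iptables -t nat -C $hook 2>/dev/null || iptables -t nat -I $hook"
}

if [ "${APPLY:-0}" = 1 ]; then
    logger "firewall" "Applying nat-start rules"
    emit_rules "$CHAIN" "$ALLOWED_SRC" "$WAN_PORT" "$LAN_DST" "$LIST" "$WAN_IF" | sh
else
    emit_rules "$CHAIN" "$ALLOWED_SRC" "$WAN_PORT" "$LAN_DST" "$LIST" "$WAN_IF"
fi
```

Run it without arguments to see the six commands; on the router, `APPLY=1 sh nat-start` executes them. The `-C` check on the VSERVER jump and the `-N || -F` on the custom chain are what keep the script safe to re-run; the `! -s` DROP sits above the `recent` rules so that the SSHVS list only ever records the one source you actually allow.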
 
Hi All,

I have an AC68U with Merlin FW and for the last 3 days I have tried everything I could think of to make this work.

I'm a lower-than-novice Linux user, so please don't jump on me :)

I am trying to set a simple rule to forward WAN port 2010 to the 192.168.1.100:80 destination inside the LAN and allow only 1 connection in 5 minutes.

It should be easy with the above script, but unfortunately it doesn't work. I changed the ports and destination, but nothing.

Do I need to add anything else to the nat-start file besides this?

Thank you very much
 
AND @Merlin : Thank you very much for all the work on the FW :) You do a great thing for the community :)
 
Hi

I'm new to iptables as well, and I just tried to implement this script and it didn't block or do anything.
We are definitely missing something here.
 
What I managed to do is the following:


#!/bin/sh
logger "firewall" "Applying nat-start rules"
iptables -I INPUT -p tcp --dport 2010 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 2010 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 1 -j DROP
iptables -t nat -I VSERVER -p tcp -m tcp --dport 2010 -j DNAT --to 192.168.1.100:80

This forwards WAN port 2010 to 192.168.1.100:80 on the LAN, and it works.
But the limit set with hitcount doesn't seem to work, or I don't really understand what it should do. What I think it should do is the following: I connect from an external IP to my LAN and reach the server on 192.168.1.100:80. Hitcount 1 should mean that if I try within 60 seconds to establish another connection from another external IP, it should not work. That's how I understood it.

In my case it lets me connect from at least 3 different external IPs; I tried with 3 mobile phones within 60 seconds.

An iptables -nL -t nat gives me:
Chain VSERVER (2 references)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2010 to:192.168.1.100:80

Can someone shed some light please?
 
This should help you:

Code:
recent match options:
[!] --set                       Add source address to list, always matches.
[!] --rcheck                    Match if source address in list.
[!] --update                    Match if source address in list, also update last-seen time.
[!] --remove                    Match if source address in list, also removes that address from list.
    --seconds seconds           For check and update commands above.
                                Specifies that the match will only occur if source address last seen within
                                the last 'seconds' seconds.
    --reap                      Purge entries older then 'seconds'.
                                Can only be used in conjunction with the seconds option.
    --hitcount hits             For check and update commands above.
                                Specifies that the match will only occur if source address seen hits times.
                                May be used in conjunction with the seconds option.
    --rttl                      For check and update commands above.
                                Specifies that the match will only occur if the source address and the TTL
                                match between this packet and the one which was set.
                                Useful if you have problems with people spoofing their source address in order
                                to DoS you via this module.
    --name name                 Name of the recent list to be used.  DEFAULT used if none given.
    --rsource                   Match/Save the source address of each packet in the recent list table (default).
    --rdest                     Match/Save the destination address of each packet in the recent list table.
xt_recent by: Stephen Frost <sfrost@snowman.net>.  http://snowman.net/projects/ipt_recent/

My guess is, if you want multiple source IPs to be matched, you have to use --rdest.
 
Ty Merlin. I don't understand any of that :( I don't want multiple IPs to be matched, I just want a port forwarding rule with a check that allows only 1 connection in 60 seconds.
 

The match module works by keeping a list of IPs. By default, it will only count the number of connection attempts per individual IP. Since you want to throttle everyone globally and not on a per IP basis, you want to match against multiple source IPs. That's what the --rdest switch will do.
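To make the per-IP versus global distinction concrete, here is an added example (mine, not RMerlin's and not part of the thread) that models the two-rule `recent` pattern in plain shell and replays a constructed sequence of connection attempts through it, once keyed on the source address (`--rsource`, the default) and once on the destination (`--rdest`). `throttle_rules` prints the real FORWARD rules the model stands for; the list name WEBTHROTTLE, the 203.0.113.x client addresses and the timestamps are my own.

```shell
#!/bin/sh
# Added example: model xt_recent's "--update ... -j DROP" then "--set" pattern
# to show why per-source counting lets three phones through while --rdest
# throttles everyone hitting the same forwarded server.

# simulate_recent MODE ATTEMPTS [DST]
#   MODE     rsource (key = source IP, the default) or rdest (key = destination)
#   ATTEMPTS space-separated "seconds,srcIP" items in time order (constructed)
# Prints one verdict per attempt. Rules modelled, in the order FORWARD sees them:
#   -m recent --update --seconds 60 --hitcount 1 --name L -j DROP
#   -m recent --set --name L
simulate_recent() {
    mode=$1; attempts=$2; dst=${3:-192.168.1.100}
    seen=""      # in-memory stand-in for /proc/net/xt_recent/L: "key:last_ts" items
    out=""
    for a in $attempts; do
        ts=${a%%,*}; src=${a#*,}
        if [ "$mode" = rdest ]; then key=$dst; else key=$src; fi
        last=""
        for e in $seen; do
            [ "${e%%:*}" = "$key" ] && last=${e#*:}
        done
        if [ -n "$last" ] && [ $((ts - last)) -le 60 ]; then
            verdict=DROP       # --update matched: key seen within the window
        else
            verdict=ACCEPT     # no match: falls through to --set, then on to the server
        fi
        # Both --update (on a match) and --set refresh last-seen, so retrying
        # during the window keeps extending it.
        kept=""
        for e in $seen; do [ "${e%%:*}" = "$key" ] || kept="$kept $e"; done
        seen="$kept $key:$ts"
        out="$out$verdict "
    done
    printf '%s\n' "${out% }"
}

# throttle_rules MODE PORT prints the firewall-start (filter table) rules the
# model stands for. PORT is the LAN-side port: FORWARD sees post-DNAT packets.
throttle_rules() {
    mode=$1; port=$2; flag=""
    [ "$mode" = rdest ] && flag=" --rdest"
    # Both inserted at position 1, so the DROP check ends up above the --set.
    echo "iptables -I FORWARD -p tcp --dport $port -m state --state NEW -m recent --set --name WEBTHROTTLE$flag"
    echo "iptables -I FORWARD -p tcp --dport $port -m state --state NEW -m recent --update --seconds 60 --hitcount 1 --name WEBTHROTTLE$flag -j DROP"
}

# Three different phones within 60 s, then one of them again later (constructed).
ATTEMPTS="0,203.0.113.10 10,203.0.113.20 20,203.0.113.30 100,203.0.113.10 110,203.0.113.10"
echo "per-source (--rsource): $(simulate_recent rsource "$ATTEMPTS")"
echo "global (--rdest):       $(simulate_recent rdest "$ATTEMPTS")"
```

With `--rsource` the three phones each get their own list entry, so all three first attempts are accepted and only the repeat from the same phone 10 s later is dropped; with `--rdest` every attempt updates the single entry for 192.168.1.100, so the second and third phones are dropped and a later attempt only gets through once the 60 s window has gone quiet. Note that `--rdest` in FORWARD also counts LAN clients that reach the server through the router, and that because `--update` refreshes the timestamp on a drop, a client that keeps retrying keeps the window closed for everyone.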
 
I managed to get something going that actually works:

iptables -I FORWARD 1 -p tcp --dport 80 -m state --state NEW -m connlimit --connlimit-above 1 -j REJECT --reject-with tcp-reset
iptables -I FORWARD 2 -p tcp --dport 80 -m state --state NEW -m limit --limit 100/minute --limit-burst 150 -j ACCEPT
iptables -I FORWARD 3 -p tcp --dport 80 -m state --state NEW -j REJECT --reject-with tcp-reset

The first line limits the number of parallel connections from the same IP to 1.
The second and third limit the number of connections to 100 per minute with a burst of 150.
The port must be the port of the device inside the LAN, as these rules are executed after the VSERVER DNAT.

These rules are in the nat-start file in the jffs scripts folder. The same nat-start also contains the port forwarding rules for the VSERVER DNAT chain.

There is only one issue: after a reboot only the port forward rules from nat-start are loaded; the above rules are not. If I SSH in and add them manually it works again.

Would you have any idea why they are not persistent?
 
filter table rules go in firewall-start, nat/mangle rules go in nat-start.
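Because that misplacement is easy to make (a rule with no `-t` silently targets the filter table), here is an added example (not from the thread or the firmware) of a small POSIX shell check that reads a nat-start script on stdin and reports every iptables line that belongs in firewall-start instead. The sample script it is fed is constructed from the rules posted above.

```shell
#!/bin/sh
# Added example: flag iptables commands in a nat-start script that really belong
# in firewall-start (filter table), per the nat/mangle vs filter split above.

# table_of CMD -> the table an iptables command targets (filter when no -t given)
table_of() {
    set -- $1
    tbl=filter
    while [ $# -gt 0 ]; do
        case $1 in
            -t|--table) tbl=$2; shift ;;
            -t?*)       tbl=${1#-t} ;;      # "-tnat" form
        esac
        shift
    done
    echo "$tbl"
}

# script_for CMD -> the Merlin hook script the command belongs in
script_for() {
    case $(table_of "$1") in
        nat|mangle) echo nat-start ;;
        *)          echo firewall-start ;;
    esac
}

# lint_nat_start reads a script on stdin and prints every iptables/ip6tables
# line that should move to firewall-start; returns 1 if it found any.
lint_nat_start() {
    found=0
    while IFS= read -r line; do
        case $line in
            iptables\ *|ip6tables\ *) ;;
            *) continue ;;
        esac
        if [ "$(script_for "$line")" = firewall-start ]; then
            echo "move to firewall-start: $line"
            found=1
        fi
    done
    return $found
}

# Constructed sample nat-start mixing the thread's DNAT with filter-table rules.
SAMPLE='#!/bin/sh
logger "firewall" "Applying nat-start rules"
iptables -t nat -I VSERVER -p tcp -m tcp --dport 2010 -j DNAT --to 192.168.1.100:80
iptables -I FORWARD 1 -p tcp --dport 80 -m state --state NEW -m connlimit --connlimit-above 1 -j REJECT --reject-with tcp-reset
iptables -I FORWARD 2 -p tcp --dport 80 -m state --state NEW -m limit --limit 100/minute --limit-burst 150 -j ACCEPT'

printf '%s\n' "$SAMPLE" | lint_nat_start || echo "(move the lines above to firewall-start before rebooting)"
```

Feed it your real script with `lint_nat_start < /jffs/scripts/nat-start`; a non-zero exit means at least one rule will vanish from the filter table on the next reboot exactly as described in the post above.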
 
Ha, you nailed it :) That's why it didn't work. All good now. I have installed Nginx as well and it is running very well. I'm thinking about pairing it with fail2ban. Would the router handle that?

Thank you
 
If I remember correctly, fail2ban requires either Perl or Python, both of these are quite large.
 