diff --git a/README.md b/README.md index 1eae2ee..87ba2fd 100644 --- a/README.md +++ b/README.md @@ -39,8 +39,11 @@ Found on the Internet - All in One List. - [Tools to help you configure Iptables](#tools-to-help-you-configure-iptables) - [Manuals/Howtos/Tutorials](#manuals-howtos-tutorials) +- [How it works?](#how-it-works) - [Iptables Rules](#iptables-rules) * [Saving Rules](#saving-rules) + - [Debian Based](#debian-based) + - [RedHat Based](#redhat-based) * [List out all of the active iptables rules with verbose](#list-out-all-of-the-active-iptables-rules-with-verbose) * [List out all of the active iptables rules with numeric lines and verbose](#list-out-all-of-the-active-iptables-rules-with-numeric-lines-and-verbose) * [Print out all of the active iptables rules](#print-out-all-of-the-active-iptables-rules) @@ -87,6 +90,13 @@ Found on the Internet - All in One List. * [Log and Drop Packets with Limited Number of Log Entries](#log-and-drop-packets-with-limited-number-of-log-entries) * [Drop or Accept Traffic From Mac Address](#drop-or-accept-traffic-from-mac-address) * [Block or Allow ICMP Ping Request](#block-or-allow-icmp-ping-request) + * [Specifying Multiple Ports with `multiport`](#specifying-multiple-ports-with--multiport-) + * [Load Balancing with `random*` or `nth*`](#load-balancing-with--random---or--nth--) + * [Restricting the Number of Connections with `limit` and `iplimit*`](#restricting-the-number-of-connections-with--limit--and--iplimit--) + * [Maintaining a List of recent Connections to Match Against](#maintaining-a-list-of-recent-connections-to-match-against) + * [Matching Against a `string*` in a Packet's Data Payload](#matching-against-a--string---in-a-packet-s-data-payload) + * [Time-based Rules with `time*`](#time-based-rules-with--time--) + * [Packet Matching Based on TTL Values](#packet-matching-based-on-ttl-values) **** 
@@ -105,6 +115,14 @@ Found on the Internet - All in One List.   :small_orange_diamond: Best practices: iptables - by Major Hayden
  :small_orange_diamond: An In-Depth Guide to Iptables, the Linux Firewall
  :small_orange_diamond: Advanced Features of netfilter/iptables
+  :small_orange_diamond: Linux Firewalls Using iptables
+

+ +### How it works? + +

+ Master

### Iptables Rules 
@@ -450,3 +468,71 @@ iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:0 iptables -A INPUT -p icmp --icmp-type echo-request -j DROP iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP ``` + +#### Specifying Multiple Ports with `multiport` + +```bash +iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports ssh,smtp,http,https -j ACCEPT +``` + +#### Load Balancing with `random*` or `nth*` + +```bash +_ips=("172.31.250.10" "172.31.250.11" "172.31.250.12" "172.31.250.13") + +for ip in "${_ips[@]}" ; do +iptables -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 0 \ + -j DNAT --to-destination ${ip}:80 +done +``` + +or + +```bash +_ips=("172.31.250.10" "172.31.250.11" "172.31.250.12" "172.31.250.13") + +for ip in "${_ips[@]}" ; do +iptables -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m random --average 25 \ + -j DNAT --to-destination ${ip}:80 +done +``` + +#### Restricting the Number of Connections with `limit` and `iplimit*` + +```bash +iptables -A FORWARD -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -i eth1 \ + -m limit --limit 20/hour --limit-burst 5 -j ACCEPT +``` + +or + +```bash +iptables -A INPUT -p tcp -m state --state NEW --dport http -m iplimit --iplimit-above 5 -j DROP +``` + +#### Maintaining a List of recent Connections to Match Against + +```bash +iptables -A FORWARD -m recent --name portscan --rcheck --seconds 100 -j DROP +iptables -A FORWARD -p tcp -i eth0 --dport 443 -m recent --name portscan --set -j DROP +``` + +#### Matching Against a `string*` in a Packet's Data Payload + +```bash +iptables -A FORWARD -m string --string '.com' -j DROP +iptables -A FORWARD -m string --string '.exe' -j DROP +``` + +#### Time-based Rules with `time*` + +```bash +iptables -A FORWARD -p tcp -m multiport --dport http,https -o eth0 -i eth1 \ + -m time --timestart 21:30 --timestop 22:30 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT 
+``` + +#### Packet Matching Based on TTL Values + +```bash +iptables -A INPUT -s 1.2.3.4 -m ttl --ttl-lt 40 -j REJECT +```
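Review bot: The seven TOC anchors added in the first hunk (`@@ -39,8 +39,11 @@`) turn backticks and asterisks into extra hyphens, e.g. `#specifying-multiple-ports-with--multiport-` and `#matching-against-a--string---in-a-packet-s-data-payload`; GitHub's heading slugs drop those characters instead, so the headings render as `#specifying-multiple-ports-with-multiport` and `#matching-against-a-string-in-a-packets-data-payload` and the new links would not resolve. Regenerate these anchors with whatever produced the existing single-hyphen ones (`#how-it-works`, `#debian-based`, `#redhat-based` are fine) or check them in the rendered README before merging.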
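Review bot: The new `### How it works?` section in the second hunk (`@@ -105,6 +115,14 @@`) consists of a single image whose alt text is `Master` and no explanatory text, so a reader, and any screen reader, gets nothing from it; add at least one sentence saying what the figure shows (for example which netfilter tables and chains a packet traverses) and a descriptive alt text, and credit the source if the image is borrowed. The heading should also read `How it works` or `How does it work?`; `How it works?` is not a grammatical question.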
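Review bot: Both load-balancing loops in the third hunk (`@@ -450,3 +468,71 @@`) append to `PREROUTING` with `-j DNAT` but omit `-t nat`, so `iptables` will look for `PREROUTING` in the `filter` table and fail; add `-t nat`. The `nth` loop also passes `--packet 0` on every iteration, so the four rules do not spread traffic evenly; the packet index (or the `--every` divisor) has to change per backend. Likewise the `random --average 25` loop leaves about 32% of new connections (0.75^4) matching none of the four rules and therefore not DNATed at all; the last backend needs a catch-all rule, or the percentages have to be 25, 33, 50 and 100. Several matches used here only existed in the patch-o-matic/xtables-addons trees and are not in mainline iptables: `nth` and `random` are today `-m statistic --mode nth --every 4 --packet N` and `-m statistic --mode random --probability 0.25`, `iplimit --iplimit-above 5` is `connlimit --connlimit-above 5`, and `time --days` is `time --weekdays` (note that `xt_time` evaluates times in UTC unless `--kerneltz` is given). The `*` suffix on those headings presumably flags this, but nothing in the added text explains it; a footnote would help. The two `string` rules will be rejected as written because `--algo bm` (or `kmp`) is mandatory, and matching the literal `.com` anywhere in a payload drops ordinary HTTP and DNS traffic, so that example needs a narrower pattern or an explicit warning. In the `recent` example the second rule `--set`s and drops every new connection to port 443 on eth0, which blocks HTTPS outright rather than trapping scanners; the usual form uses an unused port as the trigger. Finally, `--dport http,https` under `-m multiport` should be `--dports`, as in the first new rule.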