Differences

inbox:firewall:netfilter_iptables:netfilter_examples [2018/09/05 23:39] dturvene
docs:guide-user:firewall:netfilter_iptables:netfilter_examples [2018/09/18 20:12] (current) dturvene
Line 2: Line 2:
 This section contains a collection of netfilter configuration examples that are This section contains a collection of netfilter configuration examples that are
 difficult or impossible to provision through the difficult or impossible to provision through the
-[[inbox:firewall:firewall3:overview|fw3 application]].+[[docs:guide-user:firewall:overview|fw3 application]].
  
 These rule sets will generally be added to ''/etc/firewall.user'' and will be These rule sets will generally be added to ''/etc/firewall.user'' and will be
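Review bot: the retargeted link drops the ''firewall3'' path component (''inbox:firewall:firewall3:overview'' becomes ''docs:guide-user:firewall:overview'') while the link text still reads "fw3 application"; confirm that the new target is the fw3 overview page rather than a general firewall overview, or adjust the label to match the destination.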
Line 11: Line 11:
  
 To reiterate an earlier point, the netfilter chains can get a tricky To reiterate an earlier point, the netfilter chains can get a tricky
-because the [[inbox:firewall:firewall3:overview|fw3 application]]+because the [[docs:guide-user:firewall:overview|fw3 application]]
 implicitly creates a number of them to organize rule sets. implicitly creates a number of them to organize rule sets.
-See [[inbox:firewall:netfilter_iptables|netfilter_management|netfilter +See [[docs:guide-user:firewall:netfilter_iptables:netfilter_management|netfilter management]]  
-management]] for tools to diagnose ''iptables'' commands.+for tools to diagnose ''iptables'' commands.
  
 The examples in this section explicitly use the ''iptables'' application and The examples in this section explicitly use the ''iptables'' application and
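Review bot: the replaced link ''[[inbox:firewall:netfilter_iptables|netfilter_management|netfilter management]]'' carried two ''|'' separators, which DokuWiki does not parse as a target plus label, so the single-pipe form ''[[docs:guide-user:firewall:netfilter_iptables:netfilter_management|netfilter management]]'' is the right fix. While this line is being edited, the unchanged context two lines above still reads "the netfilter chains can get a tricky"; drop the stray "a".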
Line 42: Line 42:
 iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
 </file> </file>
- 
-===== Use ipset to drop traffic from WAN-side networks ===== 
-[[http://ipset.netfilter.org/|ipset]] is a relative recent netfilter feature to 
-manage a group of stations/networks as a large set using a hash to match the 
-packet source or destination against the group.  It was created in response to 
-the need to combat rogue networks sending spam or vulnerability attacks. 
- 
-In order to use the [[http://ipset.netfilter.org/|ipset]] netfilter feature, 
-the kernel must be built with the netfilter kernel modules implementing 
-ipset. All the kmods start with ''ip_set''; confirm the following modules 
-are loaded. 
- 
-<file> 
-root# cat /proc/modules | grep ip_set 
-ip_set_list_set 6704 0 - Live 0x8301c000 
-ip_set_hash_netiface 23888 0 - Live 0x830f0000 
-ip_set_hash_netport 23856 0 - Live 0x830e8000 
-ip_set_hash_netnet 25584 0 - Live 0x830e0000 
-ip_set_hash_net 22480 1 - Live 0x830d8000 
-ip_set_hash_netportnet 26960 0 - Live 0x830d0000 
-ip_set_hash_mac 10000 0 - Live 0x830cc000 
-ip_set_hash_ipportnet 25520 0 - Live 0x83038000 
-ip_set_hash_ipportip 20848 0 - Live 0x830c0000 
-ip_set_hash_ipport 19792 0 - Live 0x83030000 
-ip_set_hash_ipmark 19056 0 - Live 0x83020000 
-ip_set_hash_ip 18768 0 - Live 0x83028000 
-ip_set_bitmap_port 5648 0 - Live 0x8301e000 
-ip_set_bitmap_ipmac 6544 0 - Live 0x8301a000 
-ip_set_bitmap_ip 6384 0 - Live 0x8300e000 
-ip_set 22250 16 xt_set,ip_set_list_set,ip_set_hash_netiface,ip_set_hash_netport,ip_set_hash_netnet,ip_set_hash_net,ip_set_hash_netportnet,ip_set_hash_mac,ip_set_hash_ipportnet,ip_set_hash_ipportip,ip_set_hash_ipport,ip_set_hash_ipmark,ip_set_hash_ip,ip_set_bitmap_port,ip_set_bitmap_ipmac,ip_set_bitmap_ip, Live 0x83010000 
-nfnetlink 4199 1 ip_set, Live 0x830b6000 
-</file> 
- 
-If not (and they are not be default), a new kernel needs to be created with  
-the ipset modules.  Using the OpenWrt ''make menuconfig'', follow 
-//Kernel Modules -> Netfilter Extensions -> kmod-ipt-ipset// 
-and set it to **built-in** (not a loadable module).  Then rebuild and install the 
-image. 
- 
-When the image is running and the ipset modules are confirmed, install the 
-user-space interface package ''ipset''. 
- 
-:!: The user-space package will fail to install if the kernel does not support 
-it.  DO NOT FORCE install or it will panic the router. 
- 
-Now create the ipset list of networks to be blocked: 
-<file> 
-ipset create dropcidr hash:net 
-ipset add dropcidr 42.56.0.0/16 
-ipset add dropcidr 180.178.160.0/20 
-ipset add dropcidr 79.133.43.0/24 
-ipset add dropcidr 27.44.0.0/15 
-ipset add dropcidr 192.168.3.0/24 
-... 
-ipset list dropcidr 
-</file> 
- 
-:!: ''192.168.3.0'' is a private network on the WAN-side used to test this feature. 
-The others are actual spam sources. 
- 
-Now create the chain and rule to DROP incoming WAN-side packets matching TCP port 25 (SMTP) and 
-a CIDR in the ipset. 
- 
-<file> 
-# create a new chain to handle the ipset 
-iptables -N wan_drop_cidr 
-# rule if incoming wan packet is TCP port=25 and src matches in dropcidr set 
-target is DROP (which is a final!) 
-iptables -A wan_drop_cidr -p tcp -m tcp --dport 25 -m set --match-set dropcidr src -m comment --comment "drop ipset cidr port=25" -j DROP 
-# insert as first chain in zone_wan_forward 
-iptables -I zone_wan_forward -j wan_drop_cidr 
-</file> 
- 
-To remove the ''wan_drop_cidr'' chain just created do: 
-<file> 
-# remove the chain from zone_wan_forward 
-iptables -D zone_wan_forward -j wan_drop_cidr 
-# flush all rules in the chain 
-iptables -F wan_drop_cidr 
-# delete the chain 
-iptables -X wan_drop_cidr 
-</file> 
- 
-After the rule is deleted, destroy the ipset: 
-<file> 
-ipset destroy dropcidr 
-</file> 
- 
-:!: The CIDRs can be dynamically added and deleted in the ''dropcidr'' table 
-while the netfilter rule is active but the ipset table cannot be destroyed 
-while being referenced by a netfilter rule.  For better maintenance, put the 
-ipset shell commands in seperate init or rc.local script rather than 
-''/etc/firewall.user''. 
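Review bot: this hunk removes the whole ipset section with no ''+'' line pointing to where it moved, so readers of this page lose both the worked example and its two safety caveats (do not force-install the ''ipset'' user-space package when the kernel lacks ''ip_set'' support, and an ipset referenced by an active rule cannot be destroyed). Either keep a one-line pointer to the new location or retain the section. If it is retained, fix these defects in the removed text: the line "target is DROP (which is a final!)" inside the second ''<file>'' block lacks the leading ''#'' and would run as a command if the block were pasted into a shell; "relative recent" should be "relatively recent", "are not be default" should be "are not by default", and "seperate" should be "separate". Also, because the chain is inserted with ''iptables -I zone_wan_forward -j wan_drop_cidr'', it only sees forwarded traffic; SMTP addressed to the router itself takes the input path and is not matched, so "DROP incoming WAN-side packets" overstates the rule's scope.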
  
  
  • Last modified: 2018/09/18 20:12
  • by dturvene