Differences
This shows you the differences between two versions of the page.
| inbox:firewall:netfilter_iptables:netfilter_examples [2018/09/05 23:39] – dturvene | docs:guide-user:firewall:netfilter_iptables:netfilter_examples [2018/09/18 20:12] (current) – dturvene | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| This section contains a collection of netfilter configuration examples that are | This section contains a collection of netfilter configuration examples that are | ||
| difficult or impossible to provision through the | difficult or impossible to provision through the | ||
| - | [[inbox:firewall:firewall3: | + | [[docs:guide-user:firewall: |
| These rule sets will generally be added to ''/ | These rule sets will generally be added to ''/ | ||
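Review bot: the renamed link on the `+` line of this hunk is cut off at `[[docs:guide-user:firewall:` in this view, so the trailing page name and closing `]]` that replace the old `[[inbox:firewall:firewall3:` target cannot be checked here; please confirm the full target resolves to the moved firewall3 page, since the surrounding sentence ("difficult or impossible to provision through the ...") depends on that link. The remaining lines of the hunk are unchanged context.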
| Line 11: | Line 11: | ||
| To reiterate an earlier point, the netfilter chains can get a tricky | To reiterate an earlier point, the netfilter chains can get a tricky | ||
| - | because the [[inbox:firewall:firewall3: | + | because the [[docs:guide-user:firewall: |
| implicitly creates a number of them to organize rule sets. | implicitly creates a number of them to organize rule sets. | ||
| - | See [[inbox: | + | See [[docs: |
| - | management]] for tools to diagnose '' | + | for tools to diagnose '' |
| The examples in this section explicitly use the '' | The examples in this section explicitly use the '' | ||
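Review bot: the "See [[docs:" link in this hunk may no longer close correctly: in the old revision the link's title ran onto the next line and closed with `management]]` before "for tools to diagnose", whereas in the new revision the next line begins directly with `for tools to diagnose`, so the title and `]]` must now be entirely on the first line or the link will swallow the rest of the sentence. The other rename in this hunk, `inbox:firewall:firewall3:` to `docs:guide-user:firewall:`, matches the one in the previous hunk.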
| Line 42: | Line 42: | ||
| iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN, | iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN, | ||
| </ | </ | ||
| - | |||
| - | ===== Use ipset to drop traffic from WAN-side networks ===== | ||
| - | [[http:// | ||
| - | manage a group of stations/ | ||
| - | packet source or destination against the group. | ||
| - | the need to combat rogue networks sending spam or vulnerability attacks. | ||
| - | |||
| - | In order to use the [[http:// | ||
| - | the kernel must be built with the netfilter kernel modules implementing | ||
| - | ipset. All the kmods start with '' | ||
| - | are loaded. | ||
| - | |||
| - | < | ||
| - | root# cat / | ||
| - | ip_set_list_set 6704 0 - Live 0x8301c000 | ||
| - | ip_set_hash_netiface 23888 0 - Live 0x830f0000 | ||
| - | ip_set_hash_netport 23856 0 - Live 0x830e8000 | ||
| - | ip_set_hash_netnet 25584 0 - Live 0x830e0000 | ||
| - | ip_set_hash_net 22480 1 - Live 0x830d8000 | ||
| - | ip_set_hash_netportnet 26960 0 - Live 0x830d0000 | ||
| - | ip_set_hash_mac 10000 0 - Live 0x830cc000 | ||
| - | ip_set_hash_ipportnet 25520 0 - Live 0x83038000 | ||
| - | ip_set_hash_ipportip 20848 0 - Live 0x830c0000 | ||
| - | ip_set_hash_ipport 19792 0 - Live 0x83030000 | ||
| - | ip_set_hash_ipmark 19056 0 - Live 0x83020000 | ||
| - | ip_set_hash_ip 18768 0 - Live 0x83028000 | ||
| - | ip_set_bitmap_port 5648 0 - Live 0x8301e000 | ||
| - | ip_set_bitmap_ipmac 6544 0 - Live 0x8301a000 | ||
| - | ip_set_bitmap_ip 6384 0 - Live 0x8300e000 | ||
| - | ip_set 22250 16 xt_set, | ||
| - | nfnetlink 4199 1 ip_set, Live 0x830b6000 | ||
| - | </ | ||
| - | |||
| - | If not (and they are not be default), a new kernel needs to be created with | ||
| - | the ipset modules. | ||
| - | //Kernel Modules -> Netfilter Extensions -> kmod-ipt-ipset// | ||
| - | and set it to **built-in** (not a loadable module). | ||
| - | image. | ||
| - | |||
| - | When the image is running and the ipset modules are confirmed, install the | ||
| - | user-space interface package '' | ||
| - | |||
| - | :!: The user-space package will fail to install if the kernel does not support | ||
| - | it. DO NOT FORCE install or it will panic the router. | ||
| - | |||
| - | Now create the ipset list of networks to be blocked: | ||
| - | < | ||
| - | ipset create dropcidr hash:net | ||
| - | ipset add dropcidr 42.56.0.0/ | ||
| - | ipset add dropcidr 180.178.160.0/ | ||
| - | ipset add dropcidr 79.133.43.0/ | ||
| - | ipset add dropcidr 27.44.0.0/ | ||
| - | ipset add dropcidr 192.168.3.0/ | ||
| - | ... | ||
| - | ipset list dropcidr | ||
| - | </ | ||
| - | |||
| - | :!: '' | ||
| - | The others are actual spam sources. | ||
| - | |||
| - | Now create the chain and rule to DROP incoming WAN-side packets matching TCP port 25 (SMTP) and | ||
| - | a CIDR in the ipset. | ||
| - | |||
| - | < | ||
| - | # create a new chain to handle the ipset | ||
| - | iptables -N wan_drop_cidr | ||
| - | # rule if incoming wan packet is TCP port=25 and src matches in dropcidr set | ||
| - | target is DROP (which is a final!) | ||
| - | iptables -A wan_drop_cidr -p tcp -m tcp --dport 25 -m set --match-set dropcidr src -m comment --comment "drop ipset cidr port=25" | ||
| - | # insert as first chain in zone_wan_forward | ||
| - | iptables -I zone_wan_forward -j wan_drop_cidr | ||
| - | </ | ||
| - | |||
| - | To remove the '' | ||
| - | < | ||
| - | # remove the chain from zone_wan_forward | ||
| - | iptables -D zone_wan_forward -j wan_drop_cidr | ||
| - | # flush all rules in the chain | ||
| - | iptables -F wan_drop_cidr | ||
| - | # delete the chain | ||
| - | iptables -X wan_drop_cidr | ||
| - | </ | ||
| - | |||
| - | After the rule is deleted, destroy the ipset: | ||
| - | < | ||
| - | ipset destroy dropcidr | ||
| - | </ | ||
| - | |||
| - | :!: The CIDRs can be dynamically added and deleted in the '' | ||
| - | while the netfilter rule is active but the ipset table cannot be destroyed | ||
| - | while being referenced by a netfilter rule. For better maintenance, | ||
| - | ipset shell commands in seperate init or rc.local script rather than | ||
| - | ''/ | ||
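Review bot: this hunk deletes the entire "Use ipset to drop traffic from WAN-side networks" section without leaving a pointer to a new location, so the page loses the two `:!:` warnings a reader most needs: that the `ipset` user-space package must not be force-installed on a kernel without the `ip_set` modules (the text says it panics the router), and that an ipset cannot be destroyed while a netfilter rule references it, which is why the `iptables -D` / `-F` / `-X` sequence precedes `ipset destroy dropcidr`. If the section is being moved rather than dropped, fix three defects on the way. First, the rule `iptables -A wan_drop_cidr -p tcp -m tcp --dport 25 -m set --match-set dropcidr src -m comment --comment "drop ipset cidr port=25"` has no `-j DROP` target even though the comment above it says "target is DROP", so as written it matches and drops nothing. Second, the continuation line `target is DROP (which is a final!)` lacks a leading `#`, so pasting that block as a script would try to execute it as a command. Third, the example set mixes the entries the `:!:` note calls "actual spam sources" with the `192.168.3.0/` entry it singles out, so the listing should say plainly that the latter is not to be copied into a production set. Minor: "not be default" should read "not by default" and "seperate" should read "separate".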