docs:guide-user:firewall:netfilter_iptables:netfilter_examples

docs:guide-user:firewall:netfilter_iptables:netfilter_examples [2018/09/16 12:49]
bobafetthotmail ↷ Page moved from inbox:firewall:netfilter_iptables:netfilter_examples to docs:guide-user:firewall:netfilter_iptables:netfilter_examples
docs:guide-user:firewall:netfilter_iptables:netfilter_examples [2018/09/18 20:12] (current)
dturvene
Line 2: Line 2:
 This section contains a collection of netfilter configuration examples that are This section contains a collection of netfilter configuration examples that are
 difficult or impossible to provision through the difficult or impossible to provision through the
-[[inbox:​firewall:​overview|fw3 application]].+[[docs:​guide-user:​firewall:​overview|fw3 application]].
  
 These rule sets will generally be added to ''/​etc/​firewall.user''​ and will be These rule sets will generally be added to ''/​etc/​firewall.user''​ and will be
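Review bot: the only change in this hunk is the link target moving from inbox:firewall:overview to docs:guide-user:firewall:overview, which matches the page move recorded in the revision summary; confirm that the target page actually exists under the new docs:guide-user: namespace, otherwise the rendered link becomes a dead "create page" link while the surrounding text still calls it the fw3 application.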
Line 11: Line 11:
  
 To reiterate an earlier point, the netfilter chains can get a tricky To reiterate an earlier point, the netfilter chains can get a tricky
-because the [[inbox:​firewall:​overview|fw3 application]]+because the [[docs:​guide-user:​firewall:​overview|fw3 application]]
 implicitly creates a number of them to organize rule sets. implicitly creates a number of them to organize rule sets.
-See [[inbox:​firewall:​netfilter_iptables:​netfilter_management|netfilter management]] ​+See [[docs:​guide-user:​firewall:​netfilter_iptables:​netfilter_management|netfilter management]] ​
 for tools to diagnose ''​iptables''​ commands. for tools to diagnose ''​iptables''​ commands.
  
Line 42: Line 42:
 iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,​SYN,​RST,​ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "​!fw3"​ -j RETURN iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,​SYN,​RST,​ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "​!fw3"​ -j RETURN
 </​file>​ </​file>​
- 
-===== Use ipset to drop traffic from WAN-side networks ===== 
-[[http://​ipset.netfilter.org/​|ipset]] is a relative recent netfilter feature to 
-manage a group of stations/​networks as a large set using a hash to match the 
-packet source or destination against the group. ​ It was created in response to 
-the need to combat rogue networks sending spam or vulnerability attacks. 
- 
-In order to use the [[http://​ipset.netfilter.org/​|ipset]] netfilter feature, 
-the kernel must be built with the netfilter kernel modules implementing 
-ipset. All the kmods start with ''​ip_set'';​ confirm the following modules 
-are loaded. 
- 
-<​file>​ 
-root# cat /​proc/​modules | grep ip_set 
-ip_set_list_set 6704 0 - Live 0x8301c000 
-ip_set_hash_netiface 23888 0 - Live 0x830f0000 
-ip_set_hash_netport 23856 0 - Live 0x830e8000 
-ip_set_hash_netnet 25584 0 - Live 0x830e0000 
-ip_set_hash_net 22480 1 - Live 0x830d8000 
-ip_set_hash_netportnet 26960 0 - Live 0x830d0000 
-ip_set_hash_mac 10000 0 - Live 0x830cc000 
-ip_set_hash_ipportnet 25520 0 - Live 0x83038000 
-ip_set_hash_ipportip 20848 0 - Live 0x830c0000 
-ip_set_hash_ipport 19792 0 - Live 0x83030000 
-ip_set_hash_ipmark 19056 0 - Live 0x83020000 
-ip_set_hash_ip 18768 0 - Live 0x83028000 
-ip_set_bitmap_port 5648 0 - Live 0x8301e000 
-ip_set_bitmap_ipmac 6544 0 - Live 0x8301a000 
-ip_set_bitmap_ip 6384 0 - Live 0x8300e000 
-ip_set 22250 16 xt_set,​ip_set_list_set,​ip_set_hash_netiface,​ip_set_hash_netport,​ip_set_hash_netnet,​ip_set_hash_net,​ip_set_hash_netportnet,​ip_set_hash_mac,​ip_set_hash_ipportnet,​ip_set_hash_ipportip,​ip_set_hash_ipport,​ip_set_hash_ipmark,​ip_set_hash_ip,​ip_set_bitmap_port,​ip_set_bitmap_ipmac,​ip_set_bitmap_ip,​ Live 0x83010000 
-nfnetlink 4199 1 ip_set, Live 0x830b6000 
-</​file>​ 
- 
-If not (and they are not be default), a new kernel needs to be created with  
-the ipset modules. ​ Using the OpenWrt ''​make menuconfig'',​ follow 
-//Kernel Modules -> Netfilter Extensions -> kmod-ipt-ipset//​ 
-and set it to **built-in** (not a loadable module). ​ Then rebuild and install the 
-image. 
- 
-When the image is running and the ipset modules are confirmed, install the 
-user-space interface package ''​ipset''​. 
- 
-:!: The user-space package will fail to install if the kernel does not support 
-it.  DO NOT FORCE install or it will panic the router. 
- 
-Now create the ipset list of networks to be blocked: 
-<​file>​ 
-ipset create dropcidr hash:net 
-ipset add dropcidr 42.56.0.0/​16 
-ipset add dropcidr 180.178.160.0/​20 
-ipset add dropcidr 79.133.43.0/​24 
-ipset add dropcidr 27.44.0.0/​15 
-ipset add dropcidr 192.168.3.0/​24 
-... 
-ipset list dropcidr 
-</​file>​ 
- 
-:!: ''​192.168.3.0''​ is a private network on the WAN-side used to test this feature. 
-The others are actual spam sources. 
- 
-Now create the chain and rule to DROP incoming WAN-side packets matching TCP port 25 (SMTP) and 
-a CIDR in the ipset. 
- 
-<​file>​ 
-# create a new chain to handle the ipset 
-iptables -N wan_drop_cidr 
-# rule if incoming wan packet is TCP port=25 and src matches in dropcidr set 
-target is DROP (which is a final!) 
-iptables -A wan_drop_cidr -p tcp -m tcp --dport 25 -m set --match-set dropcidr src -m comment --comment "drop ipset cidr port=25"​ -j DROP 
-# insert as first chain in zone_wan_forward 
-iptables -I zone_wan_forward -j wan_drop_cidr 
-</​file>​ 
- 
-To remove the ''​wan_drop_cidr''​ chain just created do: 
-<​file>​ 
-# remove the chain from zone_wan_forward 
-iptables -D zone_wan_forward -j wan_drop_cidr 
-# flush all rules in the chain 
-iptables -F wan_drop_cidr 
-# delete the chain 
-iptables -X wan_drop_cidr 
-</​file>​ 
- 
-After the rule is deleted, destroy the ipset: 
-<​file>​ 
-ipset destroy dropcidr 
-</​file>​ 
- 
-:!: The CIDRs can be dynamically added and deleted in the ''​dropcidr''​ table 
-while the netfilter rule is active but the ipset table cannot be destroyed 
-while being referenced by a netfilter rule.  For better maintenance,​ put the 
-ipset shell commands in seperate init or rc.local script rather than 
-''/​etc/​firewall.user''​. 
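Review bot: this hunk deletes the entire "Use ipset to drop traffic from WAN-side networks" section with no replacement and no pointer to where it went; if the material is being split into its own page, leave a link here, and carry these fixes into the moved copy. First, the shell block that creates the chain has a comment continuation, "target is DROP (which is a final!)", without a leading "#", so the block fails when pasted into a shell; prefix it with "#" or join it to the comment line above. Second, the text tells the reader to confirm the ip_set modules with "cat /proc/modules | grep ip_set" and then, if they are absent, to set kmod-ipt-ipset to built-in (not a loadable module); built-in code does not appear in /proc/modules, so the "confirm the following modules are loaded" step contradicts the build advice and needs rewording (either build ipset as modules, or check support by running "ipset list" instead). Third, "DROP incoming WAN-side packets" is only true for forwarded traffic, because the chain is inserted into zone_wan_forward; packets addressed to the router itself traverse zone_wan_input and are not covered, which is worth stating next to the rule. Fourth, the closing advice to keep the ipset commands in a separate init or rc.local script should add that the set must exist before the iptables rule that references it is loaded, since "-m set --match-set dropcidr src" fails if dropcidr has not been created yet. Minor: "relative recent", "are not be default" and "seperate" are typos in the removed text.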
  
  
docs/guide-user/firewall/netfilter_iptables/netfilter_examples.1537102147.txt.gz · Last modified: 2018/09/16 12:49 by bobafetthotmail