iptables
SYNOPSIS
iptables [-t table] {-A|-D} chain rule-specification [options...]
iptables [-t table] -I [rulenum] rule-specification [options...]
iptables [-t table] -R rulenum rule-specification [options...]
iptables [-t table] -D chain rulenum [options...]
iptables [-t table] -S [chain]
iptables [-t table] {-F|-L|-Z} [chain] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target [options...]
iptables [-t table] -E old-chain-name new-chain-name
Lister les règles définies avec leur id
serveur:~# iptables -L --line-numbers Chain INPUT (policy ACCEPT) num target prot opt source destination 1 DROP all -- sh15.ruskyhost.ru anywhere 2 DROP tcp -- host-41.234.161.207.tedata.net anywhere tcp dpt:www
Ou en précisant la chaîne INPUT
serveur:~# iptables -L INPUT --line-numbers
Supprimer la règle n°2
serveur:~# iptables -D INPUT 2 iptables: No chain/target/match by that name
Used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation. in is valid in the PREROUTING, INPUT and FORWARD chains, out is valid
in the POSTROUTING, OUTPUT and FORWARD chains.
Extrait du man d'iptables
-D, --delete chain rule-specification
-D, --delete chain rulenum
Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule
to match.
-X, --delete-chain [chain]
Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted.
The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.
-n, --numeric
Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services (whenever
applicable).
--line-numbers
When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.
Gestion des règles iptables par id (identifiant numérique : rulenum)
serveur:~# iptables --help |grep rulenum
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
--list-rules -S [chain [rulenum]]
serveur:~# iptables -t filter -L Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- sh15.ruskyhost.ru anywhere DROP udp -- host-41.234.161.207.tedata.net anywhere udp dpt:28960 DROP udp -- ctv-79-132-179-83.vinita.lt anywhere udp dpt:28960 DROP udp -- 83-156-229-36.rev.libertysurf.net anywhere udp dpt:28960 DROP udp -- lns-bzn-55-82-255-143-210.adsl.proxad.net anywhere udp dpt:28960 DROP tcp -- 95.84.16.113 anywhere tcp dpt:www DROP tcp -- server.globalcar.com anywhere tcp dpt:www DROP tcp -- mail.jackpine.net anywhere tcp dpt:www DROP tcp -- 209589-app1.barnstormers.com anywhere tcp dpt:www DROP tcp -- 234868-web1.barnstormers.com anywhere tcp dpt:www DROP tcp -- 223690-web1.wcwshost.com anywhere tcp dpt:www Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
serveur:~# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
iptables syn limiter : Syn-flood et Spoofing
- Question règles IPTables - Syn-flood et Spoofing ?
- Linux Iptables to block syn-flood attacks
- iptables: syn-flood rule for a busy webserver?
- Linux Iptables Limit the number of incoming tcp connection / syn-flood attacks
- Iptables Limits Connections Per IP : iptables -A INPUT -p tcp
syndport 22 -m connlimit --connlimit-above 3 -j REJECT - Debian Administration : Using iptables to rate-limit incoming connections
- Netfilter : Enregistrement : les logs : iptables -A INPUT
state NEW -p TCPtcp-flags ! ALL SYN -m limitlimit 3/s -j LOGlog-prefix "BAD INPUT "
Un SYN flood est une forme de déni de service attaque dans laquelle un attaquant envoyait une succession de requêtes SYN à un système cible. Il s'agit d'un type bien connu d'attaque et n'est généralement pas efficace contre les réseaux modernes. Cela fonctionne si un serveur alloue des ressources après avoir reçu un SYN, mais avant d'avoir reçu l'accusé de réception.
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
Toutes les connexions entrantes ne sont autorisés jusqu'à la limite est atteinte:
- --limit 1/s : moyenne du maximum des taux d'appariement en quelques secondes
- --limit-burst 3 : Nombre maximum de trames initiales de match
Exemple : Limiter les connexions HTTP par IP / Host
Only allow 20 http connections per IP (MaxClients is set to 60 in httpd.conf):
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
Comment tester que mon pare feux (firewall) fonctionne ?
#!/bin/bash ip="202.1.2.3" port="80" for i in {1..100} do # do nothing just connect and exit echo "exit" | nc ${ip} ${port}; done
Bloquer un sous réseau (masque)
- Les masques réseaux
- Help:Range blocks/fr Table d'exemples de plages
Masque Netmask Hexa Wildcard Nombre d'adresses possible 255.255.255.255 / 32 ffffffff 0.0.0.0 1 255.255.255.0 / 24 ffffff00 0.0.0.255 256 255.255.0.0 / 16 ffff0000 0.0.255.255 65 536
CIDR Début de plage Fin de plage Nombre d'adresses bloquées 69.208.0.0/16 69.208.0.0 69.208.255.255 65,536 69.208.0.0/24 69.208.0.0 69.208.0.255 256 69.208.0.0/32 69.208.0.0 69.208.0.0 1