Blocking social networks using iptables

Once on one of the NAT servers I needed to block some sites.

If a site is spread across several IP addresses, you first need to find out its address ranges, for example by looking up VKontakte on bgp.he.net; the list of prefixes for one of the AS belonging to VK is at “http://bgp.he.net/AS47541#_prefixes”.

When networks or hosts are known, add rules for them in iptables, for example:

/sbin/iptables -A FORWARD -s 87.240.128.0/18 -j DROP
/sbin/iptables -A FORWARD -s 95.142.192.0/20 -j DROP

This drops traffic from these networks that passes through the server (the -s match applies to the source address, so packets coming from those networks are dropped; to also drop packets sent to them, add the same rules with -d).

See also my articles:
Blocking social networks on Cisco
Blocking social networks on Mikrotik routers

The solution to the error “Another app is currently holding the xtables lock”

Recently I noticed on one server with the ABillS billing system that when the /etc/ppp/ip-up script is executed in bulk, an error occurs:

Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

Looking at the script code, I found two iptables commands among its rules that can slow it down, namely the search for ipoe interfaces:

IPTABLES="/sbin/iptables"
EXIST=`${IPTABLES} -t nat -L PREROUTING -v | grep "${IFNAME} ";  ${IPTABLES} -L -v | grep DROP | grep "${IFNAME} "`

Bringing up 3000 sessions took more than 30 minutes, and some rules were not added or deleted by the script at all.
By default, with the -L option iptables resolves IP addresses and tries to display DNS names instead of them, which takes a long time; to prevent this, add the -n option. Just in case, I also added the -w 20 switch, which makes iptables wait up to 20 seconds for the xtables lock if another iptables command is already running, instead of failing immediately:

IPTABLES="/sbin/iptables"
IPTABLES_WAIT="-w 20"
EXIST=`${IPTABLES} $IPTABLES_WAIT -t nat -n -L PREROUTING -v | grep "${IFNAME} ";  ${IPTABLES} $IPTABLES_WAIT -n -L -v | grep DROP | grep "${IFNAME} "`

After that, the script with the iptables rules began to run instantly.
Since not all of the old rules had been applied, I checked this by counting some of them with the command:

iptables -n -L -t nat -v | grep DNAT | wc -l

Comparing this with the number of sessions, there were clearly fewer rules, so I had to flush all the rules and restart the sessions so that the /etc/ppp/ip-up script would work correctly; this time, with 3000 sessions, it did its job in less than a minute.
Note that it is better not to use iptables rules in the /etc/ppp/ scripts at all.
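Putting the two points above together (the VK network list from the first post and the -n/-w lesson from the ip-up script), here is an added example that is not code from the original post: a POSIX shell script that applies a block list idempotently, using iptables -C to ask the kernel whether a rule already exists instead of grepping -L output, and -w so that concurrent runs wait for the xtables lock. The function names, the IPTABLES override variable and the --apply flag are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent network blocking for the FORWARD chain (not from the post).
# Assumed names: block_prefixes, ensure_rule, valid_cidr, the IPTABLES override, --apply.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # point at a stub to exercise the script without root
CHAIN="${CHAIN:-FORWARD}"
WAIT_SECONDS="${WAIT_SECONDS:-20}"       # -w: wait for the xtables lock instead of failing

# Constructed sample list: the two VK prefixes from the post, plus a comment and a
# blank line that the loop has to skip.
SAMPLE_PREFIXES='# VK networks (constructed sample)
87.240.128.0/18

95.142.192.0/20'

# Accept only dotted-quad/prefix-length strings, so a stray line never becomes a rule.
valid_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Ensure one DROP rule exists. -C asks the kernel whether the rule is already present
# (no -L listing, no DNS lookups); -A is only used when it is not.
ensure_rule() {   # $1 = -s or -d, $2 = network
  if "$IPTABLES" -w "$WAIT_SECONDS" -C "$CHAIN" "$1" "$2" -j DROP 2>/dev/null; then
    echo "exists: $CHAIN $1 $2"
  else
    "$IPTABLES" -w "$WAIT_SECONDS" -A "$CHAIN" "$1" "$2" -j DROP
    echo "added: $CHAIN $1 $2"
  fi
}

# Read networks from stdin and drop traffic both from (-s) and to (-d) each one.
# Prints one status line per rule; returns the number of malformed lines skipped.
block_prefixes() {
  bad=0
  while IFS= read -r line; do
    line=$(printf '%s' "${line%%#*}" | tr -d ' \t')   # strip comments and whitespace
    [ -z "$line" ] && continue
    if ! valid_cidr "$line"; then
      echo "skip: $line"
      bad=$((bad + 1))
      continue
    fi
    ensure_rule -s "$line"
    ensure_rule -d "$line"
  done
  return "$bad"
}

# Apply the constructed sample list when run as: sh block.sh --apply
if [ "${1:-}" = "--apply" ]; then printf '%s\n' "$SAMPLE_PREFIXES" | block_prefixes; fi
```

Running the script a second time only prints "exists:" lines, and a list with a typo is reported as "skip:" with a non-zero exit status instead of silently producing a bad rule.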

IPTables rules for the web server

To open the web server port in IPTables, execute the following command:

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

If HTTPS is used, then also:

iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

To open only a particular network, for example 192.168.0.0/24:

sudo iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT

You can also restrict access by IP in the web server's own configuration, for example as I described for Apache2 in this article – Access Control Apache2.

To rate-limit packets to port 80 (this rule accepts up to 50 packets per second; packets above that limit are not matched by it and fall through to the following rules or the chain policy, so a DROP rule or a DROP policy must follow it for the limit to have any effect):

iptables -A INPUT -p tcp --dport 80 -m limit --limit 50/second -j ACCEPT

To remove a rule, we’ll specify the same command, replacing -A with -D, for example:

sudo iptables -D INPUT -p tcp -m tcp --dport 80 -j ACCEPT

To view the list of rules, use the command:

sudo iptables -nvL

See also:
Configuring IPTables

IPTables rules for SSH

To enable access to the SSH server in IPTables, you must add a rule:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

To open only a particular network, for example 192.168.0.0/24:

sudo iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT

You can also restrict access by IP in the SSH server's own configuration.

To remove a rule, we’ll specify the same command, replacing -A with -D, for example:

sudo iptables -D INPUT -p tcp --dport 22 -j ACCEPT

To view the list of rules, use the command:

sudo iptables -nvL

See also:
Installing and Configuring SSH
Configuring IPTables

IPTables rules for ntopng

First of all, let’s look at the current IPTables rules:

iptables -nvL

To open the ntopng port, add the rule:

sudo iptables -A INPUT -m tcp -p tcp --dport 3000 -j ACCEPT

To open the ntopng port for a specific network or IP only:

sudo iptables -A INPUT -m tcp -p tcp --dport 3000 -s 10.0.0.0/24 -j ACCEPT

See also my articles:
Configuring IPTables
Install and configure ntopng

IPTables rules for nprobe

First of all, let’s look at the current IPTables rules:

iptables -nvL

In order for nprobe to accept NetFlow data, open the port for it:

sudo iptables -A INPUT -p udp --dport 2055 -j ACCEPT

In order for nprobe to accept NetFlow data only from a particular network or IP:

sudo iptables -A INPUT -s 10.0.0.0/24 -p udp --dport 2055 -j ACCEPT

See also my articles:
Configuring IPTables
Install and configure nprobe