linux
C_hard, 2019-07-19 13:28:14

How to put PREROUTING iptables through a filter?

Hello.
I need to drop packets at the PREROUTING stage. Here is the original script with the rules (using port 80 as an example; in reality there are many different ports).

# SSH on the host itself
iptables -A INPUT -i ${WAN} -d ${WAN_IP} -p tcp --dport 22 -j ACCEPT
# Ports for the two VMs
iptables -A INPUT -i ${WAN} -d ${WAN_IP} -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ${WAN} -d ${WAN_IP} -p tcp --dport 8080 -j ACCEPT
# DNAT happens in nat/PREROUTING, so these packets then traverse FORWARD, not INPUT
iptables -t nat -A PREROUTING -p tcp -i ${WAN} -d ${WAN_IP} --dport 80 -j DNAT --to-destination ${LOCAL_VM_1}:80
iptables -t nat -A PREROUTING -p tcp -i ${WAN} -d ${WAN_IP} --dport 8080 -j DNAT --to-destination ${LOCAL_VM_2}:80

Thus, traffic is distributed between two virtual machines with the local addresses LOCAL_VM_1 and LOCAL_VM_2, which share the single external IP address WAN_IP.
The problem is that in INPUT I cannot drop these packets when necessary (which means the line iptables -A INPUT -i ${WAN} -d ${WAN_IP} -p tcp --dport 80 -j ACCEPT is useless). I would also like to add filters against SYN flood attacks there.
Here is what I tried to do:
iptables -A INPUT -i ${WAN} -d ${WAN_IP} -p tcp --dport 22 -j ACCEPT
iptables -N Filters
# NOTE: this unconditional DROP is the first rule of the chain, so every packet
# that enters Filters is dropped here and none of the rules below is ever evaluated
iptables -A Filters -j DROP
iptables -A Filters -i lo -j ACCEPT
iptables -A Filters -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A Filters -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A Filters -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A Filters -p icmp --icmp-type echo-request -j ACCEPT
iptables -A Filters -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A Filters -m state --state INVALID -j DROP
# new TCP connections must start with a SYN
iptables -A Filters -p tcp ! --syn -m state --state NEW -j DROP

iptables -A Filters -i ${WAN} -d ${WAN_IP} -p tcp --dport 22 -j ACCEPT
iptables -A Filters -i ${WAN} -d ${WAN_IP} -p tcp --dport 80 -j ACCEPT
iptables -A Filters -i ${WAN} -d ${WAN_IP} -p tcp --dport 8080 -j ACCEPT

# per-source connection caps (the second one only counts SYN packets)
iptables -A Filters -p tcp -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP
iptables -A Filters -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP
# NOTE: the limit match matches packets that are *within* the rate, so this rule
# drops the first 200 packets/s and lets the excess through (the usual pattern is
# ACCEPT within the limit, followed by a DROP)
iptables -A Filters -m limit --limit 200/sec --limit-burst 500 -j DROP
# both locally delivered and forwarded (DNATed) traffic pass through Filters
iptables -A INPUT -j Filters
iptables -A FORWARD -j Filters

iptables -t nat -A PREROUTING -p tcp -i ${WAN} -d ${WAN_IP} --dport 80 -j DNAT --to-destination ${LOCAL_VM_1}:80
iptables -t nat -A PREROUTING -p tcp -i ${WAN} -d ${WAN_IP} --dport 8080 -j DNAT --to-destination ${LOCAL_VM_2}:80

With this setup I can connect to the main machine via ssh, but it does not let me in to the virtual machines' ports.
Since the machine is under a DDoS attack right now, I want to try closing all public ports and opening them for each user individually.
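An added example, not code from the original question: the same setup as an iptables-restore ruleset in which the filtering of the DNATed VM ports is done in FORWARD (after nat/PREROUTING the packets are forwarded and never reach INPUT) and the catch-all DROP is the chain policy instead of the first rule of Filters. The interface and addresses (eth0, 203.0.113.10, 192.168.1.10, 192.168.1.20) and the hashlimit/connlimit thresholds are assumed placeholders; the SYN flood rules use the hashlimit and connlimit matches, which are not part of the original script.

```shell
#!/bin/sh
# Added example (not from the original post). Emits an iptables-restore
# ruleset: DNATed VM traffic is filtered in FORWARD, where it actually
# travels, and dropping is the chain policy rather than the first rule.
# Interface, addresses and thresholds are assumed placeholders.
set -eu

gen_rules() {
    wan="$1"; wan_ip="$2"; vm1="$3"; vm2="$4"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Filters - [0:0]
# Checks shared by INPUT and FORWARD; the chain RETURNs, the caller decides what to ACCEPT
-A Filters -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A Filters -m conntrack --ctstate INVALID -j DROP
-A Filters -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# SYN flood protection on the WAN side only: per-source rate of new SYNs, then a per-source cap
-A Filters -i $wan -p tcp --syn -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-above 20/sec --hashlimit-burst 40 -j DROP
-A Filters -i $wan -p tcp --syn -m connlimit --connlimit-above 30 --connlimit-mask 32 -j DROP
-A Filters -j RETURN
-A INPUT -i lo -j ACCEPT
-A INPUT -j Filters
# echo-reply, destination-unreachable and time-exceeded arrive as RELATED/ESTABLISHED
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $wan -d $wan_ip -p tcp --dport 22 -j ACCEPT
-A FORWARD -j Filters
# DNAT already rewrote the destination, so match on the VM address here;
# an INPUT ACCEPT for ports 80/8080 is not needed at all
-A FORWARD -i $wan -d $vm1 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $wan -d $vm2 -p tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan -d $wan_ip -p tcp --dport 80 -j DNAT --to-destination $vm1:80
-A PREROUTING -i $wan -d $wan_ip -p tcp --dport 8080 -j DNAT --to-destination $vm2:80
COMMIT
EOF
}

# Assumed placeholder values; override them through the environment.
WAN="${WAN:-eth0}"
WAN_IP="${WAN_IP:-203.0.113.10}"
VM1="${VM1:-192.168.1.10}"
VM2="${VM2:-192.168.1.20}"

if [ "${1:-}" = "--apply" ]; then
    gen_rules "$WAN" "$WAN_IP" "$VM1" "$VM2" | iptables-restore
else
    gen_rules "$WAN" "$WAN_IP" "$VM1" "$VM2"
fi
```

Run it without arguments to print the ruleset, or with --apply (as root) to load it through iptables-restore, which replaces the filter and nat tables. Forwarding must be enabled (net.ipv4.ip_forward=1). net.ipv4.tcp_syncookies=1 protects the host's own listening sockets such as ssh independently of these rules, but it does nothing for the DNATed ports, which is why the per-source hashlimit sits in the path of FORWARD.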


3 answer(s)
hint000, 2019-07-19
@C_hard

I want to try to close all public ports and open them for each user individually.
This is called whitelisting access. Below is an example of how it can be done; only mine is not in the form of an executable shell script but in the form of a config loaded with the iptables-restore command.
# example

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# WhiteList (allowed external clients)
-N Wht
-A Wht -s 1.2.3.4      -j RETURN
-A Wht -s 2.3.4.5      -j RETURN
# allowed subnet
-A Wht -s 3.4.5.0/24 -j RETURN
# ...

# go to hell
-A Wht  -j DNAT --to-destination 192.168.99.99

-A PREROUTING ! -s 192.168.0.0/16 -p tcp --dport 22 -j Wht
-A PREROUTING ! -s 192.168.0.0/16 -p tcp --dport 22 -j ACCEPT

-A PREROUTING ! -s 192.168.0.0/16 -p tcp --dport 80 -j Wht
-A PREROUTING ! -s 192.168.0.0/16 -p tcp --dport 80 -j DNAT --to-destination 192.168.42.18:80

-A PREROUTING ! -s 192.168.0.0/16 -p tcp --dport 8080 -j Wht
-A PREROUTING ! -s 192.168.0.0/16 -p tcp --dport 8080 -j DNAT --to-destination 192.168.42.19:80

-A PREROUTING -s 192.168.0.0/16 -j ACCEPT

COMMIT

I will explain about 192.168.99.99: I chose this address (arbitrarily, you can use any other) as a "black hole" where unwanted packets can be sent without restriction. The "hole" is created with the command ip route add blackhole 192.168.99.99

Vladimir, 2019-07-19
@MechanID

Of course the line iptables -A INPUT -i ${WAN} -d ${LOCAL_IP} -p tcp --dport 80 -j ACCEPT is useless, since the ${WAN} interface is specified and the traffic there arrives for ${WAN_IP}; replace ${LOCAL_IP} with ${WAN_IP} and the rule will work.
Under a DDoS attack it is dangerous to rate-limit all traffic, as you do here:
-A Filters -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP
You rate-limit everything and everywhere; if your conntrack table overflows, packet loss will begin and the server may become unavailable. Always specify the incoming interface and port in such rules.

CityCat4, 2019-07-19
@CityCat4

Mark the traffic and drop it as soon as it reaches the filter table. No need to drive screws with a hammer; there is a screwdriver for that.
Here is how I, for example, drop packets arriving from "outside" with RFC1918 source addresses (iptables-restore format):

*mangle
# packets arriving on the WAN interface from a private (RFC1918) source address get mark 1
-A PREROUTING -i eth0 -m set --match-set rfc1918 src -j MARK --set-mark 1
COMMIT
*filter
-A INPUT -m mark --mark 1 -j DROP
COMMIT

The rfc1918 set is the table that ipset builds (ipset restore format):
create rfc1918 hash:net family inet hashsize 1024 maxelem 65536 
add rfc1918 10.0.0.0/8
add rfc1918 172.16.0.0/12
add rfc1918 192.168.0.0/16

With this it is easy, for example, to allow ssh access only from a certain list of addresses and drop everything else.
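As an added example, not code from either answer, hint000's per-client whitelist and CityCat4's ipset + MARK method combined into one script: a hash:net set holds the allowed clients, mangle/PREROUTING marks WAN packets for the public ports that come from any address not in the set, and the mark is dropped in both INPUT and FORWARD, so the same rule covers the host's own ssh port and the DNATed VM ports without a black-hole address. The interface (eth0), set name (allowed_clients), mark value (2) and port list are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the answers above: per-client whitelist for the
# public ports built from an ipset and a packet mark.
#   mangle/PREROUTING: WAN packets for the public ports from any address NOT
#                      in the set get a mark; this runs before nat/PREROUTING,
#                      so DNATed packets carry the mark into FORWARD
#   filter INPUT/FORWARD: marked packets are dropped, covering both the
#                      host's ssh and the forwarded VM ports
# Assumed placeholders: WAN=eth0, set name allowed_clients, mark value 2.
set -eu

WAN="${WAN:-eth0}"
SET="${SET:-allowed_clients}"
MARK=2
PORTS=22,80,8080
APPLY="${APPLY:-0}"   # APPLY=1 executes the commands; otherwise they are only printed (dry run)

run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Create the set (-exist makes this idempotent) and install the mark/drop rules.
# The DROP rules are inserted at position 1 so they run before any ESTABLISHED accept.
setup_whitelist() {
    run ipset -exist create "$SET" hash:net family inet hashsize 1024 maxelem 65536
    run iptables -t mangle -A PREROUTING -i "$WAN" -p tcp -m multiport --dports "$PORTS" \
        -m set ! --match-set "$SET" src -j MARK --set-mark "$MARK"
    run iptables -I INPUT 1 -m mark --mark "$MARK" -j DROP
    run iptables -I FORWARD 1 -m mark --mark "$MARK" -j DROP
}

# Open the public ports for one client: a single address or a CIDR subnet.
allow_client()  { run ipset -exist add "$SET" "$1"; }
# Close them again; -exist keeps this quiet if the entry is already gone.
revoke_client() { run ipset -exist del "$SET" "$1"; }

case "${1:-}" in
    setup)  setup_whitelist ;;
    allow)  allow_client "$2" ;;
    revoke) revoke_client "$2" ;;
    *)      printf 'usage: APPLY=1 %s setup | allow ADDR | revoke ADDR\n' "$0" >&2 ;;
esac
```

Without APPLY=1 the script only prints the commands it would run, which is a convenient way to review them before touching a box that is already under attack. Because the set is consulted by the kernel on every packet, adding or removing a client with allow/revoke takes effect immediately and does not require reloading the ruleset; the black-hole route from hint000's answer is not needed, since the packets are simply dropped in the filter table.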
