
Introduction:
In today’s connected world, the need for robust security measures for servers and networks is more important than ever. One of the most effective ways to secure your Linux server is by using a host-based firewall, and one of the most popular firewall utilities for Linux is Iptables.
Iptables is a built-in firewall utility for Linux operating systems that comes pre-installed on most Linux distributions. However, you can update or install Iptables with the command “sudo apt-get install iptables”. In this blog, we will discuss some basic Iptables commands that can help you protect your server from various types of attacks.
Filtering non-TCP packets:
- One of the most basic ways to secure your server is by filtering packets that do not belong to a properly initiated TCP connection. This can be done by using the following command: “iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP”. This command drops TCP packets that try to open a new connection without the SYN flag set; SYN is the flag a legitimate client uses to initiate a connection, so a new-connection packet without it is malformed or scan traffic.
Blocking XMAS scan attack:
- Another common type of attack is the XMAS scan attack. This type of attack is characterized by the use of all TCP flags, which can make it difficult to detect. To block this type of attack, you can use the following command: “iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP”. The --tcp-flags match takes two arguments, the mask of flags to examine and the flags that must be set within that mask, so “ALL ALL” matches packets with every TCP flag set, and this command drops them.
Drop any NULL packets:
- NULL packets are TCP packets with no flags set and no payload or data. These packets can be used to conduct reconnaissance and scan for open ports on your server. To drop any NULL packets, you can use the following command: “iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP”. Here the mask is every flag and the required set is none of them, so only flagless TCP packets match.
Drop any fragmented packets:
- Fragmented packets are packets that have been broken down into smaller pieces for transmission. These packets can be used to bypass firewalls and other security measures. To drop any fragmented packets, you can use the following command: “iptables -A INPUT -f -j DROP”. The -f option matches the second and subsequent fragments of a fragmented packet, which is where the transport-layer headers the other rules inspect are missing.
Block network flood on Apache port:
- If you have an Apache server running on your server, it is important to block network floods on the Apache port. You can do this by using the following command: “iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT”. This command accepts incoming packets on port 80 at a rate of up to 100 per minute, with a burst limit of 200. Note that the limit match only decides which packets this rule accepts; packets above the limit simply fall through to the rules that follow, so to actually block the flood this rule must be followed by a rule that drops the remaining traffic to port 80 (or the INPUT chain's default policy must be DROP).
Block incoming ping requests:
- Ping requests are used to check if a server is online. However, if your server is being flooded with ping requests, it can lead to a denial of service attack. To block incoming ping requests, you can use the following command: “iptables -A INPUT -p icmp -i eth0 -j DROP”. Be aware that this rule drops all ICMP traffic arriving on the eth0 interface, not only echo requests, which also silences error messages such as destination-unreachable and fragmentation-needed; replace eth0 with the name of your public interface.
Block access to a specific MAC address:
- If you want to block traffic from a specific MAC address, you can use the following command: “iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP”, replacing 00:00:00:00:00:00 with the address you want to block. This command drops packets whose source MAC address matches. Because MAC addresses are not carried across routers, this match only identifies hosts on the same network segment as your server.
Block connection on network interface:
If you want to block a specific IP address from connecting to your server, you can use the following command: “iptables -A INPUT -s [IP address] -j DROP”, where [IP address] is the IP you want to block. For example, to block the IP 10.10.10.55, you would use the command “iptables -A INPUT -s 10.10.10.55 -j DROP”.
To check the existing firewall rules on your system, use the command “sudo iptables -L -n -v”.
These are just a few examples of the many ways you can use Iptables to secure your Linux system. It’s important to note that firewall rules can be complex and potentially disruptive, so it’s always a good idea to test your rules on a non-production system before implementing them on your live server.
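To make that testing easier, here is an added example script (not from the original post) that assembles the commands above into one ordered ruleset: it uses the two-argument --tcp-flags syntax, pairs the port 80 rate limiter with the DROP rule it needs, runs as a dry run by default, and with the real binary only appends rules that are not already present. The interface name, the blocked address, and the variable and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the post's rules assembled into
# one ordered ruleset. IPT defaults to "echo iptables" (dry run, prints the
# commands); set IPT=iptables and run as root to apply them for real.
IPT="${IPT:-echo iptables}"
WEB_IFACE="${WEB_IFACE:-eth0}"          # assumed public interface name
BLOCKED_IP="${BLOCKED_IP:-10.10.10.55}"  # example address from the post

# Print one rule per line, in the order they must be evaluated.
hardening_rules() {
  # Scan-shaped TCP packets: new connection without SYN, all flags, no flags.
  echo "-A INPUT -p tcp ! --syn -m state --state NEW -j DROP"
  echo "-A INPUT -p tcp --tcp-flags ALL ALL -j DROP"
  echo "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
  # Second and later fragments (no transport header to inspect).
  echo "-A INPUT -f -j DROP"
  # Accept port 80 within the limit, then drop the excess; the ACCEPT rule
  # alone would let traffic above the limit fall through to later rules.
  echo "-A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT"
  echo "-A INPUT -p tcp --dport 80 -j DROP"
  # All ICMP on the public interface (this includes echo requests).
  echo "-A INPUT -p icmp -i $WEB_IFACE -j DROP"
  # Everything from one blocked source address.
  echo "-A INPUT -s $BLOCKED_IP -j DROP"
}

# Apply the rules. With a real iptables binary, -C checks whether an identical
# rule already exists, so re-running the script does not append duplicates.
apply_rules() {
  hardening_rules | while IFS= read -r rule; do
    case $IPT in
      echo*) ;;   # dry run: nothing to check, just print the command
      *) check=$(printf '%s' "$rule" | sed 's/^-A /-C /')
         # shellcheck disable=SC2086  # word splitting of $check is intended
         $IPT $check 2>/dev/null && continue ;;
    esac
    # shellcheck disable=SC2086
    $IPT $rule
  done
}

# Number of rules the script manages (quick sanity check before applying).
rule_count() { hardening_rules | wc -l | tr -d ' '; }
```

Run it once with the default dry run and compare the printed commands against “sudo iptables -L -n -v” before switching to IPT=iptables on the test system.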