EzDev.org

iptables interview questions

Top iptables frequently asked interview questions


How to Unban an IP properly with Fail2Ban

I'm using Fail2Ban on a server and I'm wondering how to unban an IP properly.

I know I can work with IPTables directly: iptables -D fail2ban-ssh <number>

But is there not a way to do it with the fail2ban-client?

In the manuals it states something like: fail2ban-client get ssh actionunban <IP>. But that doesn't work.

Also, I don't want to /etc/init.d/fail2ban restart as that would lose all the bans in the list.


Source: (StackOverflow)

How can I port forward with iptables?

I want connections coming in on ppp0 on port 8001 to be routed to 192.168.1.200 on eth0 on port 8080.

I've got these two rules

-A PREROUTING  -p tcp -m tcp --dport 8001 -j DNAT --to-destination 192.168.1.200:8080

-A FORWARD -m state -p tcp -d 192.168.1.200 --dport 8080 --state NEW,ESTABLISHED,RELATED -j ACCEPT

and it doesn't work. What am I missing?


Source: (StackOverflow)

How can I block all traffic *except* Tor?

On a Linux system, is there a way to block all in and outbound traffic unless it passes through the Tor network. This includes any form of IP communication, not just TCP connections. For example I want UDP to be completely blocked since it cannot pass through Tor. I want this systems Internet usage to be entirely anonymous, and I don't want any applications leaking.

I realize this might be complicated because Tor itself needs to communicate with relay nodes somehow.


Source: (StackOverflow)

Windows equivalent of iptables?

Dumb question:

Is there an equivalent of iptables on Windows? Could I install one via cygwin?

The real question: how can I accomplish on Windows what I can accomplish via iptables? Just looking for basic firewall functionality (e.g. blocking certain IP addresses)


Source: (StackOverflow)

Iptables, what's the difference between -m state and -m conntrack?

What's the practical difference between:

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

and

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Which one is best to use?

Thank you.


Source: (StackOverflow)

IPTABLES - Limit rate of a specific incoming IP

I do not wish to limit the rate of a specific service. My goals is to limit rate based solely on the incoming IP address. For example using a pseudo-rule:

john.domain.local (192.168.1.100) can only download from our httpd/ftp servers at "10KB/s" (instead of 1MB/s)

How could I rate limit using IPTables based on incoming IP addresses?


Source: (StackOverflow)

Why not block ICMP?

I think I almost have my iptables setup complete on my CentOS 5.3 system. Here is my script...

# Establish a clean slate
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F # Flush all rules
iptables -X # Delete all chains

# Disable routing. Drop packets if they reach the end of the chain.
iptables -P FORWARD DROP

# Drop all packets with a bad state
iptables -A INPUT -m state --state INVALID -j DROP
# Accept any packets that have something to do with ones we've sent on outbound
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept any packets coming or going on localhost (this can be very important)
iptables -A INPUT -i lo -j ACCEPT
# Accept ICMP
iptables -A INPUT -p icmp -j ACCEPT

# Allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow httpd
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow SSL
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Block all other traffic 
iptables -A INPUT -j DROP

For context, this machine is a Virtual Private Server Web app host.

In a previous question, Lee B said that I should "lock down ICMP a bit more." Why not just block it altogether? What would happen if I did that (what bad thing would happen)?

If I need to not block ICMP, how could I go about locking it down more?


Source: (StackOverflow)

iptables equivalent for mac os x

I want to forward requests from 192.168.99.100:80 to 127.0.0.1:8000. This is how I'd do it in linux using iptables:

iptables -t nat -A OUTPUT -p tcp --dport 80 -d 192.168.99.100 -j DNAT --to-destination 127.0.0.1:8000

How do I do the same thing in MacOS X? I tried out a combination of ipfw commands without much success:

ipfw add fwd 127.0.0.1,8000 tcp from any to 192.168.99.100 80

(Success for me is pointing a browser at http://192.168.99.100 and getting a response back from a development server that I have running on localhost:8000)


Source: (StackOverflow)

Hardware Firewall Vs. Software Firewall (IP Tables, RHEL)

TL;DR
My hosting company says IP Tables is useless and doesn't provide any protection. Is this BS?

I have two, co-located servers. Yesterday my DC company contacted me to tell me that because I'm using a software firewall my server is "Vulnerable to multiple, critical security threats" and my current solution offers "No protection from any form of attack".

They say I need to get a dedicated Cisco firewall ($1000 installation then $200/month EACH) to protect my servers. I was always under the impression that, while hardware firewalls are more secure, something like IPTables on RedHat offered enough protection for your average server.

Both servers are just web-servers, there's nothing critically important on them but I've used IPTables to lock down SSH to just my static IP address and block everything except the basic ports (HTTP(S), FTP and a few other standard services).

I'm not going to get the firewall, if ether of the servers were hacked it would be an inconvenience but all they run is a few Wordpress and Joomla sites so I definitely don't think it's worth the money.


Source: (StackOverflow)

Use IPtables or null route for blacklisting about 1 million IP addresses?

I've come across a situation where a client needs to blacklist a set of just under 1 million individual IP addresses (no subnets), and network performance is a concern. While I would conjecture that IPTables rules would have less of a performance impact than routes, that's just conjecture.

Does anyone have any solid evidence or other justification for favoring either IPTables or null routing as solution for blacklisting long lists of IP addresses? In this case everything is automated, so ease-of-use isn't really a concern.

EDIT 26-Nov-11

After some testing and development, it appears that none of these options are workable. It appears that both route lookups and iptables do linear searches through the ruleset, and take simply too long to process this many rules. On modern hardware, putting 1M items in an iptables blacklist slows the server down to about 2 dozen packets per second. So IPTables and null routes are out.

ipset, as recommended by Jimmy Hedman, would be great, except that it doesn't allow you to track more than 65536 addresses in a set, so I can't even try to use it unless someone has any ideas.

Apparently the only solution for blocking this many IPs is doing an indexed lookup in the application layer. Is that not so?


More Information:

The usage case in this instance is blocking a "known offenders" list of IP addresses from accessing static content on a web server. FWIW, doing blocking through Apache's Deny from is equally slow (if not more so) as it also does a linear scan.


FYI: Final working solution was to use apache's mod_rewrite in conjunction with a berkeley DB map to do lookups against the blacklist. The indexed nature of berkeley DBs allowed the list to scale with O(log N) performance.


Source: (StackOverflow)

I accidentaly forbid SSH connection to a remote server... What's next?

Let's say it again, we all make mistakes, and I have just made one.

A brief history: I was doing some stuff on a VPS (Debian) I'm renting, when I noticed some strange behaviour. Using the netstat command I saw an non-authorized connection through SSH. I didn't know what to do, so I decided to close his connection using iptables:

iptables -A INPUT -p tcp --dport ssh -s IP -j DROP

But I am tired, and I wrote

iptables -A INPUT -p tcp --dport ssh -j DROP

and I kicked myself (and everyone else) out...

How do I fix this?


Source: (StackOverflow)

How to start/stop iptables on Ubuntu?

How can I start/stop the iptables service on Ubuntu?

I have tried

 service iptables stop

but it is giving "unrecognized service".

Why is it doing so? Is there any other method?


Source: (StackOverflow)

Where does UFW (uncomplicated firewall) save command-line rules to?

You add a rule like this:

ufw allow 22/tcp

The rule is saved, and is applied even after reboot. But it's not written anywhere in /etc/ufw. Where is it saved to? (Ubuntu, using ufw as pre-installed.)


Source: (StackOverflow)

Why is tampering with the TTL of IP dangerous?

I've been reading the iptables man-page (light bedtime reading) and i came across the 'TTL' target, but it warns:

Setting or incrementing the TTL field can potentially be very dangerous

and

Don't ever set or increment the value on packets that leave your local network!

I can see how perhaps decrementing or setting the TTL lower could cause packets to be dropped before reaching the destination, but what effect could incrementing have?


Source: (StackOverflow)

Block range of IP Addresses

I am getting bombarded with attempted hacks from China all with similar IPs.

How would I block the IP range with something like 116.10.191.* etc.

I am running Ubuntu Server 13.10.

The current line I am using is:

sudo /sbin/iptables -A INPUT -s 116.10.191.207 -j DROP

This only lets me block each one at a time but the hackers are changing the IPs at every attempt.


Source: (StackOverflow)