How to regulate output traffic with iptables - linux

I'm hosting several websites, and some of them use scripts to DDoS external servers from my server.
Is there a way to control the outgoing traffic, for example by limiting the number of requests per second?

Here are some examples to prevent DoS; you can man iptables and search for the keywords 'limit', 'connlimit' and 'hitcount' for more information.
Allow 5 new connection packets per second
iptables -A OUTPUT -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
Allow 30 connections per IP during 60 seconds.
iptables -A OUTPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
50 max connections per IP to httpd
iptables -A OUTPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT
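An added example (not from the answer above) that turns the limit idea into a complete rule set aimed at the question's actual problem, new connections opened by site scripts: it diverts connection attempts from the web-server account into a dedicated chain and applies a per-destination rate with logging before the drop. The uid www-data, the chain name WEB_OUT and the hashlimit table name are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the answer above: emit an iptables-restore fragment
# that caps the rate of NEW outbound connections opened by the web-server
# account, so a hijacked site script cannot flood a remote host. Assumed
# names: the uid (www-data here), the WEB_OUT chain and the hashlimit table
# name are choices made in this script, not anything from the page.
# Usage: gen_web_out_rules www-data 10/second 30 [resolver-ip] | iptables-restore -n
gen_web_out_rules() {
    uid="$1"; rate="${2:-10/second}"; burst="${3:-30}"; resolver="$4"
    printf '%s\n' '*filter' ':WEB_OUT - [0:0]'
    # Only connection attempts (TCP SYN) and UDP datagrams from the uid are
    # diverted; already established TCP flows pass OUTPUT untouched.
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -p tcp --syn -j WEB_OUT" \
                  "-A OUTPUT -m owner --uid-owner $uid -p udp -j WEB_OUT"
    # Optional: the configured resolver is exempt so legitimate lookups never hit the cap.
    if [ -n "$resolver" ]; then
        printf '%s\n' "-A WEB_OUT -d $resolver -p udp --dport 53 -j RETURN"
    fi
    # Per-destination token bucket: within the rate, RETURN to OUTPUT (allowed);
    # above it, log (throttled so the log itself cannot be flooded) and drop.
    printf '%s\n' \
      "-A WEB_OUT -m hashlimit --hashlimit-name web_out --hashlimit-mode dstip --hashlimit-upto $rate --hashlimit-burst $burst -j RETURN" \
      '-A WEB_OUT -m limit --limit 5/min -j LOG --log-prefix "web-out-flood: " --log-level 4' \
      '-A WEB_OUT -j DROP' \
      'COMMIT'
}
```

Watch the kernel log for the web-out-flood: prefix after loading the rules; the uid that appears there tells you which site's scripts are misbehaving.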

Related

Can't Access Port number 80 and 443 after adding Iptables rules

On my CentOS 6 I added iptables rules that DROP everything by policy, like
iptables -P INPUT DROP
Then I allowed ports 22, 80 and 443 with these commands,
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
Now I can access SSH with PuTTY, but I can't access the Internet. I need to know the exact cause of this. Please help me.
Of course you cannot access the Internet. You just added a rule that drops all incoming traffic (except for traffic coming in to ports 22, 80 and 443).
When you try to access the internet (if you're using a browser), your machine establishes a connection from
<local IP>:<port1> <----> <remote IP>:80
When the remote server responds to you, it will respond back to the same port1 that you sent the request from (which will NOT be 22, or 80, or 443. It will be a number usually higher than 32768), so it will get dropped by iptables.
Try these rules instead:
iptables -P INPUT DROP
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
The second rule tells iptables to ACCEPT traffic that is coming to us if it's coming to a port that we used to send outgoing traffic. This will allow you to see the response from the server, which you were dropping.
However, there's still a problem with DNS traffic, since it uses UDP not TCP. You can work around that by changing the first rule to:
iptables -P INPUT -p tcp DROP
so it only drops TCP traffic but not UDP traffic. There may be other ways to work around the DNS problem, depending on what exactly you want to do.
So your final ruleset should look like this:
iptables -P INPUT -p tcp DROP
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

Block all traffic but on specific ports for VM

I would like to block traffic to a VM running on my machine except for certain ports. I added some rules to virtual bridge to accept traffic on port 80 in the filter table in the FORWARD chain, since the virtual bridge is set up to forward traffic from the VMs.
I wrote the following:
sudo iptables -F
sudo iptables -I FORWARD -o [bridge_iface] -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -i [bridge_iface] -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -o [bridge_iface] -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -i [bridge_iface] -p tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -P FORWARD DROP
When I connect to the VM on the bridge I can't connect to an external web site. If I remove the last line, of course, everything works, but everything is open too. So that's not quite right.
If you want to drop the traffic TO your VM, why are you also filtering the other direction? Do you really want to prevent your VM from accessing the internet?
iptables -I FORWARD -o [bridge_iface] -m state --state NEW,ESTABLISHED -j DROP
iptables -I FORWARD -o [bridge_iface] -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
iptables -I FORWARD -o [bridge_iface] -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
Please note: DNS is using mostly UDP, not TCP, so you should filter for UDP.
The whole idea about my setup: you should ALLOW your computer to forward anything, only DROP connections to a specific interface by default, and open the specific ports also on that device.
I suspect that you're using port forwarding on incoming connections on ports 80 and 53 to be served by the VM, am I correct?
If you want to deny your VM from accessing the internet, except for the 2 ports we just set up, you have to change -o to -i in the script.
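An added checker, not part of either answer, that reads a ruleset in iptables-save or typed-command form and flags the three mistakes discussed in this thread and the previous one: a policy line carrying match options (iptables -P accepts only a chain and a target, so a protocol-restricted default policy cannot be set that way), a denying INPUT policy without an ESTABLISHED,RELATED accept, and DNS allowed over TCP only. The E1..E3 labels are names chosen here.

```shell
#!/bin/sh
# Added example, not from either answer: lint a ruleset for the three mistakes
# in these two threads. Input on stdin is iptables-save / "iptables -S" style
# ("-P INPUT DROP", "-A INPUT ... -j ACCEPT"); typed commands with a leading
# "sudo iptables" are tolerated. Findings are printed one per line, prefixed
# E1..E3; no output means nothing was found.
# Usage: iptables -S | check_ruleset
check_ruleset() {
    awk '
    { sub(/^(sudo )?iptables +(-t +filter +)?/, "") }
    $1 == "-P" {
        # iptables -P takes exactly a chain and a target; "-P INPUT -p tcp DROP"
        # is rejected by iptables, so a protocol-restricted policy cannot exist.
        if (NF != 3) print "E1 policy line takes no match options: " $0
        if ($2 == "INPUT" && ($NF == "DROP" || $NF == "REJECT")) in_deny = 1
    }
    # A stateful accept in INPUT admits replies to this host'"'"'s own connections.
    ($1 == "-A" || $1 == "-I") && $2 == "INPUT" && /ESTABLISHED/ && /-j ACCEPT/ { has_state = 1 }
    # Track which transport protocols are allowed for port 53.
    /(--dport|--sport) 53($| )/ && /-j ACCEPT/ {
        if ($0 ~ /-p tcp/) dns_tcp = 1
        if ($0 ~ /-p udp/) dns_udp = 1
    }
    END {
        if (in_deny && !has_state)
            print "E2 INPUT policy denies but no ESTABLISHED,RELATED accept rule: replies to outbound connections from this host are dropped"
        if (dns_tcp && !dns_udp)
            print "E3 port 53 allowed over TCP only: DNS is mostly UDP, add a -p udp rule"
    }'
}
```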

Port forwarding with VPSGet

I bought a domain on GoDaddy but developed the website using Node.js. So, I bought a VPS on VPSGet and deployed the server. I managed to link the domain name to the VPS IP address. However, since my Node.js application is running on a particular port number, I needed to do port forwarding so that www.domain-name.com redirects to the process and port on the VPS. I tried to configure my firewall as follows:
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 7497
COMMIT
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbounds connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbounds traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere. Here, we use normal ports for http and ssl
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow http connections to node.js app
-A INPUT -p tcp --dport 7497 -j ACCEPT
-A INPUT -p tcp --dport 7525 -j ACCEPT
-A INPUT -p tcp --dport 2368 -j ACCEPT
# Allow forwarding to port 7497
-A FORWARD -p tcp -m tcp --dport 7497 -j ACCEPT
# Allow ports for testing
-A INPUT -p tcp --dport 8080:8099 -j ACCEPT
# Allow ports for mobile shell
-A INPUT -p tcp --dport 60000:61000 -j ACCEPT
# Allow ssh connections
-A INPUT -p tcp -m state --state NEW --dport 7112 -j ACCEPT
# Allow Ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7
# Reject all other outbounds
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
However, the redirection is not working. Could someone tell me what I am doing wrong? Please note that I am running Ubuntu 12.04 on the VPS.
Thanks,
José
Have you tried creating a support request with a detailed explanation at vpsget.com?
According to the wiki
http://wiki.vpsget.com/index.php/Forward_(redirect/nat)_traffic_with_iptables
you should use venet0 instead of eth0.

Confluence is very slow behind firewall

I've installed Confluence on Debian Linux 7.0. It runs on port 8081 (for the connector; 8091 is used as the Tomcat server port). I've configured Apache to act as a reverse proxy and serve on https://confluence.<mydomain>.com (SSL is configured on the Apache side).
The configuration worked perfectly until I set up firewall rules. It still works as expected but became extremely slow (memory and CPU utilisation are low). Switching the firewall off brings the performance back to normal. The set of firewall rules for IPv4 is:
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allows SSH connections
-A INPUT -p tcp --dport 22 -j ACCEPT
# Allow all HTTP and HTTPS connections
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
IPv6 traffic is completely disabled:
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
COMMIT
I'm using Oracle JVM (1.7), startup options are configured in the following way:
JAVA_OPTS="-Xms512m -Xmx2048m -XX:MaxPermSize=1024m $JAVA_OPTS -Djava.awt.headless=true"
Confluence version is "Confluence 5.4.2 - Standalone (TAR.GZ Archive)", license is Starter (10 users). Database is a locally installed PostgreSQL.
Does anyone have an idea what I'm doing wrong?

LINUX : How to LIMIT incoming (concurrent) connection COUNT?

I'm using RHEL or CentOS. I just want to know how to limit the concurrent/simultaneous connection count.
Lets say:
I have a Media Streaming Server
(According to the server performance) I want my server to strictly serve only 100 viewers at a time. (Only 100 viewers can be viewing/downloading from my server.)
Is it possible, and how do I do it, please?
Check out the iptables rate limiting feature:
http://codingfreak.blogspot.com/2010/01/iptables-rate-limit-incoming.html
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --hitcount 50 -j DROP
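An added example, not from the answer above: the recent/hitcount rule counts new connection attempts per interval, whereas "100 viewers at a time" is a cap on concurrent connections, which is what the connlimit match enforces; the script emits that rule and adds two helpers that count ESTABLISHED connections from ss output so the cap can be verified from the host. eth0, port 80 and the cap of 100 come from the question; the log prefix and the constructed ss sample are choices made here.

```shell
#!/bin/sh
# Added example, not from the answer above. connlimit_rules caps the number of
# concurrent client connections to a port; established_per_peer and
# established_total read "ss -Htn" output so the cap can be checked.
# eth0, port 80 and the cap of 100 are from the question; the log prefix is a
# choice made here.
# Usage: connlimit_rules 80 100 | sed 's/^/iptables /' | sh
connlimit_rules() {
    port="$1"; cap="$2"
    # --connlimit-mask 0 groups every source together, so the cap is global,
    # not per client. Overflow is logged (throttled) and answered with a reset
    # rather than silently dropped, so clients fail fast instead of hanging.
    m="-i eth0 -p tcp --syn --dport $port -m connlimit --connlimit-above $cap --connlimit-mask 0"
    printf '%s\n' \
      "-A INPUT $m -m limit --limit 3/min -j LOG --log-prefix \"conn-cap: \"" \
      "-A INPUT $m -j REJECT --reject-with tcp-reset"
}
# Input lines as printed by "ss -Htn": State Recv-Q Send-Q Local:Port Peer:Port.
# Prints "<count> <peer-address>" for the given local port, busiest peer first.
established_per_peer() {
    awk -v port="$1" '
      $1 == "ESTAB" && $4 ~ (":" port "$") { p = $5; sub(/:[0-9]+$/, "", p); n[p]++ }
      END { for (p in n) print n[p], p }' | sort -rn
}
# Total ESTABLISHED connections to the port; compare this against the cap.
established_total() {
    awk -v port="$1" '$1 == "ESTAB" && $4 ~ (":" port "$") { t++ } END { print t + 0 }'
}
# Constructed sample of "ss -Htn" output (documentation address ranges).
SAMPLE_SS='ESTAB 0 0 203.0.113.10:80 198.51.100.7:51234
ESTAB 0 0 203.0.113.10:80 198.51.100.7:51235
ESTAB 0 0 203.0.113.10:80 198.51.100.9:40001
ESTAB 0 0 203.0.113.10:22 198.51.100.9:40002
TIME-WAIT 0 0 203.0.113.10:80 198.51.100.11:5000'
```

On the live host replace the sample with `ss -Htn | established_total 80`; a value hovering at the cap while conn-cap: lines appear in the kernel log means the limit is engaging.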
