I'm using RHEL or CentOS. I just want to know how to limit the concurrent/simultaneous connection counts.
Lets say:
I have a Media Streaming Server
(According to the Server Performance) I want my Server to be strictly serving to only 100 Viewers at a time. (Only 100 Viewers can be Viewing/ Downloading from my Server)
Is it possible and how to do it please?
Check out the iptables rate limiting feature:
http://codingfreak.blogspot.com/2010/01/iptables-rate-limit-incoming.html
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --hitcount 50 -j DROP
Related
CONTEXT:
I wanted to have a shell script that would block all Inbound/Outbound traffic to my computer, UNLESS I decide I want to use the browser or some other application, in which case I would summon it and only those applications would run.
I have researched previous scripts made by smart individuals (links to sources at the end), as well as invested the time to learn to use iptables myself (still working on this front).
Here is the result of the work done:
RESULTS:
before the shell script is run, a group called internet is created:
sudo groupadd internet
Shell Script:
#!/bin/sh
#only allow apps run from "internet" group to run
# clear previous rules
sudo iptables -F
# accept packets for internet group
sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
sudo iptables -A OUTPUT -p udp -m owner --gid-owner internet -j ACCEPT
# also allow local connections
sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT
# reject packets for other users
sudo iptables -A OUTPUT -j REJECT
# same process for IPv6:
sudo ip6tables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
sudo ip6tables -A OUTPUT -p udp -m owner --gid-owner internet -j ACCEPT
sudo ip6tables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
sudo ip6tables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT
sudo ip6tables -A OUTPUT -j REJECT
this is the other part of the shell that I'm currently working on and not 100% confident with:
#DROPS ALL INPUT and FORWARD
sudo iptables -A INPUT -j DROP
sudo iptables -A FORWARD -j DROP
#ONLY ACCEPTS INPUT THAT WAS INITIATED BY SOME OUTPUT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#SAME REPEATED FOR IPv6
sudo ip6tables -A INPUT -j DROP
sudo ip6tables -A FORWARD -j DROP
sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
after the whole script above is executed, the following command would open a terminal that would be part of the internet group, and hence any application (like firefox for instance) that were open by that terminal would have internet access, while all other INPUT/OUTPUT would be stopped
sudo -g internet -s
QUESTION:
Is the previous logic in order? Currently I am working on testing out all the features, by installing network monitoring software (nethogs), testing each line of code and seeing if the result is as expected, BUT at the same time, I only started learning about iptables 2 days ago, so even though the sources of the original code is done by experienced coders, I am not 100% confident in my ability to put it all together to produced the desired result. Thanks to anyone who took the time to read all this and participate in the discussion !!!
sources:
https://plus.google.com/+TobyKurien/posts/YZhZJCZmGgm
https://serverfault.com/questions/429400/iptables-rule-to-allow-all-outbound-locally-originating-traffic
P.S.: Thanks to #dirkt for previously helping me understand a lot of the fundamental concepts of iptables as well as answering some of my questions regarding the source code.
UPDATE:
So after having run the code, there seems to be something wrong. What happens is as follows. I run the shell script:
bash myscript
I get 2 errors as follows:
ip6tables v1.6.0: host/network 127.0.0.1 not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.6.0: host/network 198.168.0.1 not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
but everything else ran well, and when doing sudo iptables -L I did confirm all the other rules are in place. AFTER that, I tried the following:
Run firefox by manually double-clicking the icon. The result was as expected, right away I got a Server not found error, which was a good sign
After that I ran the command sudo -g internet -s in the terminal, and then firefox. NOW... when I tried loading a website, it didn't show me Server not found, but it keep loading for a long period of time, very long. This leads me to believe that maybe the output response was sent, BUT the input was being blocked.
If anyone knows why this might be happening, I would love to know your feedback!
I only started learning about iptables 2 days ago, so even though the sources of the original code is done by experienced coders, I am not 100% confident in my ability to put it all together to produced the desired result.
Coincidentally, I'm looking for the same solution around the same time and saw your post. Just sign-up SO, hope this could help you and others. I'm still learning and open to suggestion and advice :)
A few change to the code. I need to open all port to local connections to make it work.
Also changed 192.168.0.1/24 to 192.168.0.0/16. This range allowed wifi/usb tether to be included.
# also allow local connections
#TODO. Use log to see which port are actually needed.
sudo iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
Is the previous logic in order?
Change the order for/to this code.
#ONLY ACCEPTS INPUT THAT WAS INITIATED BY SOME OUTPUT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#DROPS ALL INPUT and FORWARD
sudo iptables -A INPUT -j DROP
sudo iptables -A FORWARD -j DROP
Also add this code on top of previous code. These are taken from default firewall. Originally it contained specific interface.
sudo iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
I get 2 errors as follows:
ip6tables v1.6.0: host/network 127.0.0.1 not found Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.6.0: host/network 198.168.0.1 not found Try `ip6tables -h' or 'ip6tables --help' for more information.
Probably because you are using IP4 address.
Change 127.0.0.1 to ::1/128 and 198.168.0.1 to fe80::/10.
Can't help much about IPv6. I have no idea how it work and I don't think mine using IPv6 at all.
Complete Script:
#!/bin/sh
#only allow apps run from "internet" group to run
# clear previous rules
sudo iptables -F
# accept packets for internet group
sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
sudo iptables -A OUTPUT -p udp -m owner --gid-owner internet -j ACCEPT
#Some application need more port. Such as ping.
sudo iptables -A OUTPUT -p icmp -m owner --gid-owner internet -j ACCEPT
#Less secure. Open all port.
#sudo iptables -A OUTPUT -m owner --gid-owner internet -j ACCEPT
# also allow local connections
#TODO. Use log to see which port are actually needed.
sudo iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
# reject packets for other users
sudo iptables -A OUTPUT -j REJECT
#Taken from default rules.
sudo iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
#ONLY ACCEPTS INPUT THAT WAS INITIATED BY SOME OUTPUT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#DROPS ALL INPUT and FORWARD
sudo iptables -A INPUT -j DROP
sudo iptables -A FORWARD -j DROP
#IPv6 Section
# Flush ip6tables too
sudo ip6tables -F
# same process for IPv6:
sudo ip6tables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
sudo ip6tables -A OUTPUT -p udp -m owner --gid-owner internet -j ACCEPT
sudo ip6tables -A OUTPUT -d ::1/128 -j ACCEPT
sudo ip6tables -A OUTPUT -d fe80::/10 -j ACCEPT
sudo ip6tables -A OUTPUT -j REJECT
sudo ip6tables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
sudo ip6tables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
sudo ip6tables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
sudo ip6tables -A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo ip6tables -A INPUT -j DROP
sudo ip6tables -A FORWARD -j DROP
I would like to block traffic to a VM running on my machine except for certain ports. I added some rules to virtual bridge to accept traffic on port 80 in the filter table in the FORWARD chain, since the virtual bridge is set up to forward traffic from the VMs.
I wrote the following:
sudo iptables -F
sudo iptables -I FORWARD -o [bridge_iface] -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -i [bridge_iface] -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -o [bridge_iface] -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -i [bridge_iface] -p tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -P FORWARD DROP
When I connect tot he vm on the bridge i can't connect to an external web site. If i remove the last line, of course, everything works but everything is open too. So that's not quite right.
IF you want to drop the traffic TO your VM, why are you filtering also the other direction, do you really want to prevent your VM from accessing the internet?
iptables -I FORWARD -o [bridge_iface] -m state --state NEW,ESTABLISHED -j DROP
iptables -I FORWARD -o [bridge_iface] -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
iptables -I FORWARD -o [bridge_iface] -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
Please note: DNS is using mostly UDP, not TCP, so you should filter for UDP.
The whole idea about my setup: you should ALLOW your computer to forward anything, only DROP connections to a specific interface by default, and open the specific ports also on thad device.
I suspect that you're using port forwarding on incoming connections on port 80 and 53 to be served by the VM, am i correct ?
If you want to deny your VM from accessing the internet, except for the 2 ports we just set up, you have to change -o to -i in the script.
I'm hosting several websites, and some of them use scripts to ddos externals servers from my server.
There is a possibility to control the outgoing traffic by, for example, limiting the number of request per second or so ?
Here are some example to prevent DOS, you can man iptables to search the keyword 'limit, connlimit, hitcount' for more informations.
Allow 5 new connection packets per second
iptables -A OUTPUT -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
Allow 30 connections during 60 seconds each IP.
iptables -A OUTPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
50 max connections per IP to httpd
iptables -A OUTPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT
I've installed Confluence on Debian Linux 7.0. It runs on 8081 port (for connector, 8091 is used as TomCat server port). I've configured Apache to act as reverse proxy and serve on https://confluence.<mydomain>.com (SSL is configured on Apache side).
The configuration worked perfect unless I set up firewall rules. It still works as expected but became extremely slow (memory and CPU utilisations are low). Switching firewall off brings the performance back to normal. The set of firewall rules for IPv4 is:
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allows SSH connections
-A INPUT -p tcp --dport 22 -j ACCEPT
# Allow all HTTP and HTTPS connections
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
IPv6 traffic is completely disabled:
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
COMMIT
I'm using Oracle JVM (1.7), startup options are configured in the following way:
JAVA_OPTS="-Xms512m -Xmx2048m -XX:MaxPermSize=1024m $JAVA_OPTS -Djava.awt.headless=true"
Confluence version is "Confluence 5.4.2 - Standalone (TAR.GZ Archive)", license is Starter (10 users). Database is locally installed PostreSQL.
Anyone has an idea on what I'm doing wrong?
I was wondering if anybody can share some installation steps on Redhat Satellite server. I tried to look at Google but couldn't find relevant.
It would be really great help.
Thanks in advance,
Suman
Really? "redhat satellite server installation" query in Google yields a metric ton of results, including: Official RedHat Installation Guide
The command to register a RHEL system with RHN is:
rhn_register
• After the system is registered with RHN, you should fully update the system and reboot before attempting to install Satellite.
• To update a RHEL system with all current updates:
yum -y update
• Update HOSTNAME in /etc/sysconfig/network with the xxx.xxx.
• Configure IPTables to allow inbound TCP ports 80, 443, and 5222.
• Restart the IPTables service.
• Configure IPTables to allow inbound TCP ports 80, 443, and 5222.
o Add the following to /etc/sysconfig/iptables after the line with “dport 22”:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5222 -j ACCEPT
• Restart the IPTables service.
serviceiptables restart
• Mount the satellite ISO in root’s home directory to /mnt:
mount -o loop /setupfiles/satellite-5.5.0-20120911-rhel-6-x86_64.iso /mnt
cd /mnt
./install.pl --disconnected
rhn-satellite start
Done