Port load balance with IPTables - iptables

If my clients connect to my server on port 5000, how would I set IPTables, to split them evenly between 5001 and 5002?

All of this must be done with caution; make sure you have serial/terminal access, because there is a chance of losing your network connection.
First enable IPv4 forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 5000 -m statistic --mode nth --every 3 --packet 0 -j REDIRECT --to-port 5000
iptables -t nat -A PREROUTING -p tcp --dport 5000 -m statistic --mode nth --every 2 --packet 0 -j REDIRECT --to-port 5001
iptables -t nat -A PREROUTING -p tcp --dport 5000 -j REDIRECT --to-port 5002

Related

iptables DNAT does not work port forwarding between 2 interface

I have one interface which is visible to my network, and a loopback (127.0.0.1):
ens192 -> 192.168.22.100
lo -> 127.0.0.1
I have a service running on the lo interface on port 3333, and I want to reach that port via ens192 on port 4444:
192.168.22.100:4444 -> 127.0.0.1:3333
I have tried all available solutions on Stack Overflow; it doesn't work.
sysctl -w net.ipv4.conf.[IFNAME].route_localnet=1
iptables -t nat -A PREROUTING -p tcp -d 192.168.22.100 --dport 4444 -j DNAT --to 127.0.0.1:3333
iptables -A INPUT -i ens192 -p tcp --dport 4444 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ens192 -p tcp --sport 4444 -m state --state ESTABLISHED -j ACCEPT

Redirection using iptables

I have a server in the cloud with the following iptables rules:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 9200 -m state --state New,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j DROP
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2900 -j DNAT --to-destination 127.0.0.1:9200
What do I have to add in the other chains so that I can access my service on port 2900?
Rules apply from the top down.
6.2 Destination NAT
This is done in the PREROUTING chain, just as the packet comes in; this means that anything else on the Linux box itself (routing, packet filtering) will see the packet going to its 'real' destination.
https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html#ss6.2
So you want the PREROUTING line at the top, so the NAT happens first.
Then an INPUT entry allowing incoming connections on your destination port, after NAT.
Except, what's up with your INPUT rules not accepting RELATED and ESTABLISHED and your output rules setting specific source ports? Outbound traffic usually comes from random high ports.
From https://serverfault.com/a/578781/57144 and https://serverfault.com/a/578787/57144 you want to explicitly say NEW connections for incoming ports, and should prefer fewer rules for performance (if applicable).
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2900 -j DNAT --to-destination 127.0.0.1:9200
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 9200 -j ACCEPT
# or
# iptables -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,443,9200 -j ACCEPT
iptables -A INPUT -j DROP

Set up iptables to prevent ab -n 1000 -c 100

I would like to set up basic firewall rules with iptables.
The goal is to reject flood requests per IP, like "ab -n 100000 -c 1000".
There are only 2 rules:
iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m limit --limit 100/s --limit-burst 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i eth0 -j LOG --log-prefix "__test__"
But when I grep the iptables log with "sort" and "uniq -c" I see lots of IPs like:
1 SRC=173.252.77.112
1 SRC=173.252.114.116
1 SRC=173.252.114.114
1 SRC=173.252.114.113
Does "-m state --state NEW" affect only new connections? Then why do IPs with low request counts appear in the log?
Please advise.
Finally the solution is:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m hashlimit --hashlimit 1000/sec --hashlimit-burst 5000 --hashlimit-mode dstip --hashlimit-name hosts -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j REJECT
It does not block SE crawler packets and resists HTTP floods like: ab -n 1000 -c 100 http://{host}/

Load balancing with iptables in "nth" mode

Here is my iptables script; it does not work. Port 9000 is closed, the open ports are 9001-9003. I want to balance load between three services located at these ports on localhost. What am I doing wrong?
#!/bin/bash
start()
{
    echo -e "\e[32mStarting firewall ...\e[m"
    iptables -F
    iptables -t nat -A PREROUTING -p tcp --dport 9000 -j DNAT --to-destination 127.0.0.1:9001 -m statistic --mode nth --every 3 --packet 0
    iptables -t nat -A PREROUTING -p tcp --dport 9000 -j DNAT --to-destination 127.0.0.1:9002 -m statistic --mode nth --every 2 --packet 0
    iptables -t nat -A PREROUTING -p tcp --dport 9000 -j DNAT --to-destination 127.0.0.1:9003 -m statistic --mode nth --every 1 --packet 0
}
stop()
{
    echo -e "\e[31mStopping firewall ...\e[m"
    iptables -F
}
case "$1" in
    'start')
        start
        ;;
    'stop')
        stop
        ;;
    'restart')
        stop
        start
        ;;
    *)
        echo -e "\e[36mUsage:\e[m {start|stop|restart}"
esac
Thank you.
Here is the solution:
#!/bin/bash
start()
{
    echo -e "\e[32mStarting firewall ...\e[m"
    iptables -t nat -F
    iptables -t nat -A OUTPUT -p tcp --dport 9000 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination :9001
    iptables -t nat -A OUTPUT -p tcp --dport 9000 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination :9002
    iptables -t nat -A OUTPUT -p tcp --dport 9000 -m state --state NEW -m statistic --mode nth --every 1 --packet 0 -j DNAT --to-destination :9003
}
stop()
{
    echo -e "\e[31mStopping firewall ...\e[m"
    iptables -t nat -F
}
case "$1" in
    'start')
        start
        ;;
    'stop')
        stop
        ;;
    'restart')
        stop
        start
        ;;
    *)
        echo -e "\e[36mUsage:\e[m {start|stop|restart}"
esac
This will send one packet to 9001, the next to 9002 and so on...
iptables -t nat -A PREROUTING -p tcp --dport 9000 -j DNAT --to-destination 127.0.0.1:9001 -m nth --every 3 --packet 0
iptables -t nat -A PREROUTING -p tcp --dport 9000 -j DNAT --to-destination 127.0.0.1:9002 -m nth --every 3 --packet 1
iptables -t nat -A PREROUTING -p tcp --dport 9000 -j DNAT --to-destination 127.0.0.1:9003 -m nth --every 3 --packet 2
You specified the mode parameter twice, -m and --mode.

IPtables used for load balancing

I am trying to use iptables for load balancing.
The rules I have set are as follows; I want to route requests coming to my server with IP address 10.x.x.4 to the internal IPs 10.x.x.1:1010, 10.x.x.2:1010 and 10.x.x.3:1010:
iptables -t nat -A PREROUTING -p udp -d 10.x.x.4 --dport 1010 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 10.x.x.1:1010
iptables -t nat -A PREROUTING -p udp -d 10.x.x.4 --dport 1010 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 10.x.x.2:1010
iptables -t nat -A PREROUTING -p udp -d 10.x.x.4 --dport 1010 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 10.x.x.3:1010
When I execute this, the first 4 packets get routed to each IP address correctly.
The 5th packet doesn't get routed and is dropped.
How do I debug this issue? Should I increment the value given to --packet? What should be the correct rule?
You should increment --packet from 0 to n-1 in each command line, where n is the number given as the parameter to --every.
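As an added example (not from any of the answers above), the following POSIX shell function simulates the nth match so the behaviour in the "nth" mode question and in this last question can be reproduced offline. It assumes the kernel xt_statistic semantics, where each rule keeps its own counter of the packets that reach it and matches when that counter modulo --every equals --packet, and that the nat table only sees the first packet of each connection; the 12-connection input is constructed and the 9001-9003 targets are the ports from the "nth" mode question.

```shell
#!/bin/sh
# Added example: simulate how a chain of
#   -m statistic --mode nth --every N --packet P -j DNAT ...
# rules spreads new connections.  Assumed semantics (kernel xt_statistic):
# every rule keeps its own counter of the packets that reach it and matches
# when (counter mod N) == P.  The nat table is consulted only for the first
# packet of a connection, so "packet" below really means "new connection".
#
# nth_sim <connections> <every/packet/target>...
# prints "<target> <hits>" per rule, then how many connections matched no rule.
nth_sim() {
    n=$1; shift
    hit_fallthrough=0
    i=0
    for r in "$@"; do
        eval "cnt$i=0"              # per-rule packet counter
        eval "hit_${r##*/}=0"       # per-target hit counter
        i=$((i+1))
    done
    k=0
    while [ "$k" -lt "$n" ]; do
        i=0; matched=
        for r in "$@"; do
            every=${r%%/*}; rest=${r#*/}; packet=${rest%%/*}; tgt=${rest#*/}
            eval "c=\$cnt$i"
            eval "cnt$i=$((c + 1))"
            if [ $((c % every)) -eq "$packet" ]; then
                eval "hit_$tgt=\$((hit_$tgt + 1))"
                matched=1
                break               # DNAT is terminating: later rules never see it
            fi
            i=$((i+1))
        done
        [ -n "$matched" ] || hit_fallthrough=$((hit_fallthrough + 1))
        k=$((k+1))
    done
    for r in "$@"; do
        eval "echo \"${r##*/} \$hit_${r##*/}\""
    done
    echo "fallthrough $hit_fallthrough"
}

# Constructed comparison over 12 new connections:
echo "--every 3 --packet 0 on all three rules:"
nth_sim 12 3/0/9001 3/0/9002 3/0/9003     # the 5th connection matches no rule
echo "--every 3, --every 2, --every 1, all --packet 0:"
nth_sim 12 3/0/9001 2/0/9002 1/0/9003     # exact 4/4/4 rotation, nothing falls through
```

A connection that matches no nat rule is simply not translated and arrives at the closed original port, which is what the question describes as the 5th packet being dropped.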