How can I change the IP every X hours on CentOS 6.6? - iptables

So I have a server running CentOS 6, and have 5 IP addresses registered to the server. I'd like to rotate through the 5 IPs every 2 hours, using a different one each time. What would my best approach be to do this?
I found that it's possible with the iptables firewall but I don't know how to do it:
# iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 5 -j SNAT --to-source 202.XXX.XX.2
If there is any other way to change the IP I'll be thankful.

The statistic module is not what you're looking for. You should use iptables's time module, as follows:
iptables RULE -m time --timestart 00:00:00 --timestop 01:59:59 -j ACTION-1
iptables RULE -m time --timestart 02:00:00 --timestop 03:59:59 -j ACTION-2
iptables RULE -m time --timestart 04:00:00 --timestop 05:59:59 -j ACTION-3
iptables RULE -m time --timestart 06:00:00 --timestop 07:59:59 -j ACTION-4
iptables RULE -m time --timestart 08:00:00 --timestop 09:59:59 -j ACTION-5
iptables RULE -m time --timestart 10:00:00 --timestop 11:59:59 -j ACTION-1
... and so on ...
More information about the time module can be found in the iptables-extensions man page.
EDIT: For example, an appropriate rule could look like:
iptables -t nat -I POSTROUTING -p tcp --dport 25 -o eth0 -m state --state NEW -m time --timestart 00:00:00 --timestop 01:59:59 -j SNAT --to-source 202.XXX.XX.2
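The answer above shows the pattern for one slot; what the asker still has to do is write out twelve of them, two hours each, cycling through five addresses. This shell script, an added example that is not part of the original answer, computes the whole rota and prints the rules. It keeps the question's interface (eth0) and port (25); the five addresses in the demo call are constructed placeholders from the RFC 5737 documentation range, and the function refuses a slot size that does not divide 24 hours because the last slot would then end before midnight and connections opened after it would get no SNAT at all.

```shell
#!/bin/sh
# Added example (not from the original answer): emit the time-based SNAT rules
# for a rota of source addresses, one slot every SLOT_HOURS hours, covering the
# full 24-hour day and wrapping around when there are more slots than addresses.
# The addresses passed to the demo call are constructed placeholders, not real ones.

# gen_rotation_rules SLOT_HOURS IP... : prints one iptables rule per time slot.
# Returns 1 when SLOT_HOURS does not divide 24, because the final slot would
# otherwise stop short of 23:59:59 and leave a gap with no SNAT rule.
gen_rotation_rules() {
    slot_hours=$1; shift
    if [ "$slot_hours" -le 0 ] || [ $(( 24 % slot_hours )) -ne 0 ]; then
        echo "slot size must divide 24 hours evenly, got $slot_hours" >&2
        return 1
    fi
    slots=$(( 24 / slot_hours ))
    i=0
    while [ "$i" -lt "$slots" ]; do
        start_h=$(( i * slot_hours ))
        stop_h=$(( start_h + slot_hours - 1 ))
        ip=$1
        # -A is enough here: the time ranges never overlap, so rule order is irrelevant.
        printf 'iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -m state --state NEW -m time --timestart %02d:00:00 --timestop %02d:59:59 -j SNAT --to-source %s\n' \
            "$start_h" "$stop_h" "$ip"
        # rotate the address list so the next slot takes the next address
        set -- "$@" "$1"; shift
        i=$(( i + 1 ))
    done
}

# Stand-alone demo: five constructed addresses, two-hour slots (12 rules).
gen_rotation_rules 2 203.0.113.1 203.0.113.2 203.0.113.3 203.0.113.4 203.0.113.5
```

Two things to keep in mind when applying the output: the time match compares against UTC unless the iptables build in use supports and is given --kerneltz, so the slot boundaries fall at UTC hours by default; and because the rules only match --state NEW, an SMTP session that is already open keeps the source address it started with across a slot boundary (the NAT mapping is decided once per connection-tracking entry), which is what you want, since a mid-session address change would break the TCP connection.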

Related

Port load balance with IPTables

If my clients connect to my server on port 5000, how would I set IPTables, to split them evenly between 5001 and 5002?
All of this must be done with caution, and make sure you have serial/terminal access, because there is a chance of losing your network connection.
First enable IPv4 forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 5000 -m statistic --mode nth --every 3 --packet 0 -j REDIRECT --to-port 5000
iptables -t nat -A PREROUTING -p tcp --dport 5000 -m statistic --mode nth --every 2 --packet 0 -j REDIRECT --to-port 5001
iptables -t nat -A PREROUTING -p tcp --dport 5000 -j REDIRECT --to-port 5002

Setup iptable with preventing ab -n 1000 -c 100

I would like to setup basic firewall rules with iptables.
The goal is to reject flood requests per IP. Like "ab -n 100000 -c 1000 "
There are only 2 rules:
iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m limit --limit 100/s --limit-burst 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i eth0 -j LOG --log-prefix "__test__"
But when I grep the iptables log with "sort" and "uniq -c" I see lots of IPs like:
1 SRC=173.252.77.112
1 SRC=173.252.114.116
1 SRC=173.252.114.114
1 SRC=173.252.114.113
Does "-m state --state NEW" affect only new connections? Then why do IPs with low request counts appear in the log?
Please advise.
Finally, the solution is:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m hashlimit --hashlimit 1000/sec --hashlimit-burst 5000 --hashlimit-mode dstip --hashlimit-name hosts -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j REJECT
It does not block SE crawlers' packets and resists HTTP floods like: ab -n 1000 -c 100 http://{host}/
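Two details in this post are worth seeing in working form. The low-count addresses in the log are explained by the limit match being a single global bucket: once a burst exhausts it, every NEW packet from anyone falls through to the LOG rule, so a crawler that sent one request during the flood shows up alongside the flooder. And hashlimit only limits "per IP" when its bucket key is the client address: --hashlimit-mode srcip keys on the source, while dstip keys on the server's own address, so with dstip all clients share one bucket. The script below is an added example, not the poster's code: it counts sources in a constructed sample of LOG lines (the same grep/sort/uniq idea as the post, with a threshold) and emits the hashlimit pair keyed on srcip. The rate, burst and hashlimit name are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Two pieces: a per-source count of
# LOG lines like the ones the poster grepped, and the hashlimit pair keyed on
# the client address. The log lines below are constructed for this demo; only
# the fields that matter for the count are included.
SAMPLE_LOG='kernel: __test__IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
kernel: __test__IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=80
kernel: __test__IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
kernel: __test__IN=eth0 OUT= SRC=192.0.2.21 DST=192.0.2.10 PROTO=TCP DPT=80
kernel: __test__IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
kernel: __test__IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=80
kernel: __test__IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
kernel: __test__IN=eth0 OUT= SRC=192.0.2.22 DST=192.0.2.10 PROTO=TCP DPT=80
kernel: __test__IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=80
kernel: __test__IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80'

# flood_sources THRESHOLD : reads LOG lines on stdin and prints "count ip" for
# every source address seen at least THRESHOLD times, busiest first. Addresses
# below the threshold (the crawler-like one-offs) are left out of the report.
flood_sources() {
    awk -v t="$1" '
        { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ } }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# per_source_limit_rules PORT RATE BURST : hashlimit pair keyed on srcip so each
# client address gets its own token bucket; anything over its limit is rejected.
# --hashlimit is the spelling the post uses (CentOS 6 era iptables).
per_source_limit_rules() {
    port=$1; rate=$2; burst=$3
    printf '%s\n' \
      "iptables -A INPUT -i eth0 -p tcp --dport $port -m hashlimit --hashlimit $rate --hashlimit-burst $burst --hashlimit-mode srcip --hashlimit-name per_client -j ACCEPT" \
      "iptables -A INPUT -i eth0 -p tcp --dport $port -j REJECT"
}

# Stand-alone demo: report sources with 3 or more hits, then print the rules.
printf '%s\n' "$SAMPLE_LOG" | flood_sources 3
per_source_limit_rules 80 100/sec 500
```

Running the demo reports 198.51.100.7 (5 hits) and 203.0.113.9 (3 hits) and leaves out the two single-hit addresses; in production you would feed it the real kernel log filtered on the LOG prefix.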

iptables: How to configure a PREROUTING rule allowing port redirection from dedicated IP addresses?

I have the following rule in my iptables that redirects port 5060 to 5065.
-A PREROUTING -i eth0 -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5065
I'd like to apply this rule for several external IPs only, e.g. to 123.123.123.123 and 124.124.124.124 only.
I added the following rule instead of the above:
-A PREROUTING -s 123.123.123.123 -i eth0 -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5065
But then when I tried to add the next rule:
-A PREROUTING -s 124.124.124.124 -i eth0 -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5065
I got the following message:
iptables: No chain/target/match by that name
How do I put these rules properly?
Thank you in advance,
For PREROUTING and POSTROUTING you have to specify that you are working on the NAT chain, i.e.:
iptables -t nat -A PREROUTING -s 124.124.124.124 -i eth0 -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5065

IPtables used for load balancing

I am trying to use iptables for load balancing.
The rule I have set is as follows, wherein I want to route requests coming to my server with IP address 10.x.x.4 to the internal IPs of the server, 10.x.x.1:1010, 10.x.x.2:1010 and 10.x.x.3:1010:
iptables -t nat -A PREROUTING -p udp -d 10.x.x.4 --dport 1010 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 10.x.x.1:1010
iptables -t nat -A PREROUTING -p udp -d 10.x.x.4 --dport 1010 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 10.x.x.2:1010
iptables -t nat -A PREROUTING -p udp -d 10.x.x.4 --dport 1010 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 10.x.x.3:1010
When I execute this, the first 4 packets get routed to each IP address correctly.
The 5th packet doesn't get routed and is getting dropped.
How do I debug this issue? Should I increment the value given to --packet? What should be the correct rule?
You should increment --packet from 0 to n-1 in each command line, where n is the number given as the parameter to --every.
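Both the port-splitting answer earlier on this page (every 3, then every 2, then a catch-all) and this --packet question come down to how the statistic match counts. The shell simulator below is an added example, not from either post. The model it assumes is my reading of xt_statistic's nth mode, with the kernel source as the authority: every rule keeps its own counter of the packets that reach it, "--every n --packet p" matches the (p+1)th packet to reach that rule and every n-th one after that, and a terminating NAT target stops the chain walk so later rules never see a packet an earlier rule took. Run over six packets, it shows the every-3 / every-2 / catch-all ladder spreading packets evenly, and three identical "--every 3 --packet 0" rules routing the first four packets and leaving the fifth unmatched, which is exactly what the question reports.

```shell
#!/bin/sh
# Added example, not from either post: simulate how several
# "-m statistic --mode nth" rules in one chain share out packets.
#
# Model assumed here (my reading of xt_statistic; the kernel source is the
# authority): each rule has its own counter of packets that reached it, and
# "--every n --packet p" matches the (p+1)th such packet and every n-th after.
# A terminating target (DNAT, REDIRECT) ends the walk for that packet.

# simulate_nth NPACKETS RULE... : RULE is EVERY:PACKET:TARGET, or just TARGET
# for a catch-all rule without a statistic match. Prints "pkt K -> TARGET" for
# each packet, or "pkt K -> (no rule)" when it falls off the end of the chain.
simulate_nth() {
    npkts=$1; shift
    nrules=$#
    i=1
    for r in "$@"; do
        eval "rule_$i=\$r; seen_$i=0"
        i=$(( i + 1 ))
    done
    k=1
    while [ "$k" -le "$npkts" ]; do
        hit='(no rule)'
        i=1
        while [ "$i" -le "$nrules" ]; do
            eval "r=\$rule_$i; seen=\$seen_$i"
            seen=$(( seen + 1 ))          # this packet has now reached rule i
            eval "seen_$i=\$seen"
            case $r in
                *:*:*)
                    every=${r%%:*}; rest=${r#*:}
                    packet=${rest%%:*}; target=${rest#*:}
                    # matches on the (packet+1)th arrival, then every 'every' arrivals
                    if [ "$seen" -gt "$packet" ] && [ $(( (seen - 1 - packet) % every )) -eq 0 ]; then
                        hit=$target; break
                    fi ;;
                *)  hit=$r; break ;;
            esac
            i=$(( i + 1 ))
        done
        printf 'pkt %d -> %s\n' "$k" "$hit"
        k=$(( k + 1 ))
    done
}

# Stand-alone demo: the ladder from the port-splitting answer, then the three
# identical rules from the load-balancing question.
simulate_nth 6 3:0:5000 2:0:5001 5002
echo
simulate_nth 6 3:0:10.x.x.1 3:0:10.x.x.2 3:0:10.x.x.3
```

The ladder works because each rule only ever sees the packets the rules above it declined: the second rule takes every other one of the two thirds left over, and the catch-all takes the rest, so no packet is left without a target.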

How to allow mail through iptables?

I'm securing my server (with iptables) so that only the HTTP and SSH ports are open, and that is fine, although I use the mail command (server: CentOS 6.2) in some applications and it does not get through now, thanks to iptables blocking everything.
What ports do I allow it access to?
Mail usage: echo "{{message}}" | mail -s "{{subject}}" me#mail.com
I've tried the standard mail port 25, but I have had no success with that.
Here is the current setup:
iptables --flush
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# incoming ssh
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# outgoing ssh
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# mail (does not work)
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
(EDIT) ANSWER: The working iptables rules:
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
The OUTPUT commands should also refer to --dport, not --sport. You'll also want to allow NEW outgoing packets in order to initiate the connection to the SMTP server.
In general, however, since OUTPUT controls only those packets that your own system generates, you can set the OUTPUT policy to ACCEPT unless you need to prevent the generation of outgoing packets.
Two more comments:
1. Jay D's suggestion to "allow everything and then start blocking specific traffic" is insecure. Never configure iptables this way because you'd have to know in advance which ports an attacker might use and block them all individually. Always use a whitelist instead of a blacklist if you can.
2. A hint from the trenches: when you're debugging iptables, it's often helpful to -Insert and -Append log messages at the beginning and end of each chain, then clear the counters, and run an experiment. (In your case, issue the mail command.) Then check the counters and logs to understand how the packet(s) migrated through the chains and where they may have been dropped.
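The answer's two points, the --dport/NEW direction for a connection the host opens itself and the head-and-tail LOG bracketing for debugging, are put into a small script below. It is an added example, not the answer's own code. It assumes eth0 as in the question, applies rules through an IPT variable so that IPT=echo turns it into a dry run that only prints the commands (which is how the demo at the bottom is meant to be run), and uses a constructed log prefix; the cleanup function relies on -D accepting the same rule specification that -I and -A were given.

```shell
#!/bin/sh
# Added example, not from the original answer: the OUTPUT/INPUT pair for a TCP
# connection this host initiates (the mail command reaching an SMTP relay), plus
# the head/tail LOG bracketing from the answer's second hint.
# IPT names the iptables binary; set IPT=echo for a dry run that only prints
# what would be applied (the demo at the bottom only runs in that mode).
IPT=${IPT:-iptables}

# client_rules PORT : allow this host to open TCP connections to PORT on remote
# hosts. OUTPUT names the remote service with --dport and must admit NEW; INPUT
# only has to accept the ESTABLISHED replies, whose source port is PORT.
client_rules() {
    port=$1
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    "$IPT" -A OUTPUT -o eth0 -p tcp --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPT" -A INPUT -i eth0 -p tcp --sport "$port" -m state --state ESTABLISHED -j ACCEPT
}

# log_bracket CHAIN PREFIX : LOG rule at the head (-I CHAIN 1) and tail (-A) of
# CHAIN, then zero its counters so the next experiment starts clean. Afterwards
# run the experiment (e.g. the mail command), then read the counters with
# `iptables -L CHAIN -v -n` and the kernel log for lines tagged with PREFIX:
# a packet logged at the head but not at the tail was dropped in between.
log_bracket() {
    chain=$1; prefix=$2
    "$IPT" -I "$chain" 1 -j LOG --log-prefix "$prefix-$chain-head: "
    "$IPT" -A "$chain" -j LOG --log-prefix "$prefix-$chain-tail: "
    "$IPT" -Z "$chain"
}

# log_unbracket CHAIN PREFIX : remove the two LOG rules again once done.
log_unbracket() {
    chain=$1; prefix=$2
    "$IPT" -D "$chain" -j LOG --log-prefix "$prefix-$chain-head: "
    "$IPT" -D "$chain" -j LOG --log-prefix "$prefix-$chain-tail: "
}

# Dry-run demo (IPT=echo sh this_script.sh): outbound SMTP on port 25, then the
# OUTPUT chain bracketed and unbracketed with a constructed prefix.
if [ "$IPT" = echo ]; then
    client_rules 25
    log_bracket OUTPUT mailtest
    log_unbracket OUTPUT mailtest
fi
```

Keep the prefix short: the LOG target caps --log-prefix at 29 characters, and the chain name and ": " have to fit inside that too.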