<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font size="-1">I had someone today ask me about tracking DNAT
connections. I modified the iptables rules of the system to log
new connections and I'm hammering it using Perl. Now that I have
gone down the rabbit hole I'm interested in tweaking the standard
rules to protect against DoS attacks. The user has no control
over the rules until we get to the custom section, so I'm looking
to apply "best practices." <br>
<br>
I did find this info, so some things I do will need to be via
sysctl.<br>
<br>
<a class="moz-txt-link-freetext" href="https://forums.digitalpoint.com/threads/ddos-protection-script-for-iptables.1031456/">https://forums.digitalpoint.com/threads/ddos-protection-script-for-iptables.1031456/</a><br>
<br>
I'm not sure why my limit is not working for logging. I'm trying
to limit logging to 20/min so that we do not fill flash.
I'm seeing a limit of 5 in the log file.<br>
<br>
------------- [ cut here ] -------------------------------------------------------------------<br>
<font face="Courier New, Courier, monospace">#!/bin/sh<br>
######################################################################<br>
# Flush all rules<br>
######################################################################<br>
/sbin/iptables -P INPUT ACCEPT<br>
/sbin/iptables -P FORWARD ACCEPT<br>
/sbin/iptables -P OUTPUT ACCEPT<br>
/sbin/iptables -F<br>
/sbin/iptables -X<br>
/sbin/iptables -t nat -F<br>
/sbin/iptables -t nat -X<br>
/sbin/iptables -t mangle -F<br>
/sbin/iptables -t mangle -X<br>
<br>
######################################################################<br>
# Enable Masquerading on net 1<br>
######################################################################<br>
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br>
<br>
######################################################################<br>
# Create a target to log all new inbound connections<br>
######################################################################<br>
/sbin/iptables -N LOGP<br>
# Limit logging to 20/min to prevent filling up flash.<br>
/sbin/iptables -A LOGP -j LOG -m limit --limit 20/min --log-prefix ' INBOUND TCP ' --log-level 4<br>
/sbin/iptables -A LOGP -j ACCEPT<br>
/sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT<br>
/sbin/iptables -A INPUT -p tcp -i '!' lo -j LOGP<br>
<br>
######################################################################<br>
# Create DNAT rules per configuration and allow access<br>
# to them via PPP interfaces.<br>
######################################################################<br>
# DNAT: 10.0.6.201 -> 192.168.1.201<br>
/sbin/iptables -t nat -A PREROUTING -d 10.0.6.201 -j DNAT --to-destination 192.168.1.201<br>
/sbin/iptables -A INPUT -s 0/0 -i ppp+ -d 10.0.6.201 -j ACCEPT<br>
/sbin/iptables -A FORWARD -s 0/0 -i ppp+ -d 10.0.6.201 -j ACCEPT<br>
# DNAT: 10.0.6.254 -> 192.168.1.254<br>
/sbin/iptables -t nat -A PREROUTING -d 10.0.6.254 -j DNAT --to-destination 192.168.1.254<br>
/sbin/iptables -A INPUT -s 0/0 -i ppp+ -d 10.0.6.254 -j ACCEPT<br>
/sbin/iptables -A FORWARD -s 0/0 -i ppp+ -d 10.0.6.254 -j ACCEPT<br>
<br>
######################################################################<br>
# Apply any custom rules from iptables config (if any are enabled).<br>
######################################################################<br>
######################################################################<br>
# END<br>
######################################################################</font><br>
</font><font size="-1">------------- [ cut here ] -------------------------------------------------------------------<br>
<br>
Thanks,<br>
Chris<br>
</font>
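<font size="-1">Editor's added example, not part of Chris's post: the iptables <code>limit</code> match is a token bucket whose initial size is <code>--limit-burst</code>, which defaults to 5 when the option is not given, so a rule with only <code>--limit 20/min</code> logs 5 packets of a flood immediately and then one every 3 seconds. The Python model below reproduces that behaviour on a constructed packet timeline (100 connection attempts, 100 ms apart) and shows what <code>--limit-burst 20</code> changes; the kernel keeps its credit in jiffies rather than milliseconds, so real counts may differ by one at the edges.<br>
</font>

```python
# Model of the netfilter "limit" match as a token bucket (added example,
# not code from the original post). Time is integer milliseconds; the
# kernel uses jiffies, so edge counts can differ by one.

def limit_match(packet_times_ms, limit_per_min, burst=5):
    """Return the indices of packets matched by
    '-m limit --limit <limit_per_min>/min --limit-burst <burst>'.

    The bucket starts full with `burst` tokens, each match spends one,
    and tokens refill at limit_per_min per minute, never above `burst`.
    Credit is tracked in milliseconds: one token costs `cost` ms."""
    cost = 60_000 // limit_per_min          # 3000 ms per token for 20/min
    cap = burst * cost                      # credit of a full bucket
    credit = cap
    last = packet_times_ms[0] if packet_times_ms else 0
    matched = []
    for i, t in enumerate(packet_times_ms):
        credit = min(cap, credit + (t - last))   # refill for elapsed time
        last = t
        if credit >= cost:
            credit -= cost
            matched.append(i)
    return matched


def hammer(count, interval_ms):
    """Constructed timeline: `count` new connections `interval_ms` apart,
    the way a Perl loop opening sockets as fast as it can would look."""
    return [i * interval_ms for i in range(count)]


def logged_in_first_second(limit_per_min, burst=5, count=100, interval_ms=100):
    """Number of log lines the flood produces during its first second."""
    times = hammer(count, interval_ms)
    hits = limit_match(times, limit_per_min, burst)
    return sum(1 for i in hits if times[i] < 1000)


if __name__ == "__main__":
    times = hammer(100, 100)                  # 100 packets over 10 s
    for burst in (5, 20):
        hits = limit_match(times, 20, burst)
        print(f"--limit 20/min --limit-burst {burst}: {len(hits)} of "
              f"{len(times)} packets logged in 10 s, "
              f"{logged_in_first_second(20, burst)} in the first second")
```

With the default burst the flood yields 5 entries at once and then one every 3 s, which matches the "limit of 5" seen in the log; the rate is exactly the 20/min that was asked for, only the initial burst differs.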
</body>
</html>