...making Linux just a little more fun!
The following features are discussed:
All of the features discussed in this article are extensions to
the packet matching modules of iptables. I used only two of these
extensions in the previous article: the
which allowed us to filter packets based on whether they were
INVALID connections; and the
extension, of which I will go into more detail on in this
Some of the modules introduced in this article (marked with an asterisk) have not made their way into the default Linux kernel yet but a netfilter utility called "patch-o-matic" can be used to add them to your own kernel and this will be discussed at the end of the article.
multiportmodule allows one to specify a number of different ports in one rule. This allows for fewer rules and easier maintenance of iptables configuration files. For example, if we wanted to allow global access to the SMTP, HTTP, HTTPS and SSH ports on our server we would normally use something like the following:
-A INPUT -i eth0 -p tcp -m state --state NEW --dport ssh -j ACCEPT -A INPUT -i eth0 -p tcp -m state --state NEW --dport smtp -j ACCEPT -A INPUT -i eth0 -p tcp -m state --state NEW --dport http -j ACCEPT -A INPUT -i eth0 -p tcp -m state --state NEW --dport https -j ACCEPTUsing the
multiportmatching module, we can now write:
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports ssh,smtp,http,https -j ACCEPTIt must be used in conjunction with either
-p udpand only up to 15 ports may be specified. The supported options are:
- matches source port(s)
- matches destination port(s)
- matches both source and destination port(s)
mport* is another similar extension that
also allows you to specify port ranges, e.g.
nthextensions can be used for load balancing. If, for example, you wished to balance incoming web traffic between four mirrored web servers then you could add either of the following rule sets to your
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 0 \ -j DNAT --to-destination 192.168.0.5:80 -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 1 \ -j DNAT --to-destination 192.168.0.6:80 -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 2 \ -j DNAT --to-destination 192.168.0.7:80 -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 3 \ -j DNAT --to-destination 192.168.0.8:80or:
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m random --average 25 \ -j DNAT --to-destination 192.168.0.5:80 -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m random --average 25 \ -j DNAT --to-destination 192.168.0.6:80 -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m random --average 25 \ -j DNAT --to-destination 192.168.0.7:80 -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW \ -j DNAT --to-destination 192.168.0.8:80The
nthmatching extension allows you to match the nth packet received by the rule. There are up to 16 (0...15) counters for matching the nth packets. The above four (
nth) rules use counter 0 to count every 4th packet. Once the 4th packet is received, the counter is reset to zero. The first rule matches the 1st packet (
--packet 0) of every four counted, the second rule matches the 2nd packet (
--packet 0), and so on.
random matching extension allows you to match
packets based on a given probability. The first rule from the set
random rules above matches 25% (
25) of the TCP connections to port 80 and redirects these to
the first mirrored web server. Of the 75% of connections not
matching on the first rule, 25% will match the second and a further
25% will match the third. The remaining 25% will be caught by the
Another use of the
random extension would be to
simulate a faulty network connection to evaluate the performance of
networking hardware/software, etc.
limitmatching extension can be used to limit the number of times a rule matches in a given time period while the
iplimitextension can restrict the number of parallel TCP connections from a particular host or network. These extensions can be used for a variety of purposes:
-A FORWARD -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -i eth1 \ -m limit --limit 50/hour --limit-burst 5 -j ACCEPTThis rule assumes that we are acting as a proxy server where the external connection is via
eth1connects to our office network. The rule limits all of our internal computers to only 50 new HTTP or HTTPS connections per hour and the use of
--limit-burstprevents any one employee from using up all 50 in one go. Packets can be matched
--limit-burst parameter can be quite confusing
at first. In the above example, it will ensure that if all
employees are trying to access the Internet throughout the hour
then only 5 connections are made every 5 minutes. If 30 minutes
pass with no connections and then there is a sudden rush for the
remaining 30 minutes, only 5 connections will be permitted every
2.5 minutes. I once heard it explained as follows:
limitrule, there's a "bucket" containing "tokens". Whenever the rule matches, a token is removed and when the token count reaches zero, the rule doesn't match anymore.
--limitis the bucket refill rate.
--limit-burstis the bucket size (number of tokens that it can hold).
iplimit extension allows us to restrict the
number of parallel TCP connections from a particular host or
network. If, for example, we wanted to limit the number of HTTP
connections made by any single IP address to 5 we could use:
-A INPUT -p tcp -m state --state NEW --dport http -m iplimit --iplimit-above 5 -j DROP
recentConnections to Match Against
recentextension one can dynamically create a list of IP addresses that match a rule and then match against these IPs in different ways later. One possible use would be to create a "temporary" bad-guy list by detecting possible port scans and to then
DROPall other connections from the same source for a given period of time
Port 139 is one of the most dangerous ports for Microsoft
Windows® users as it is through this port that the Windows file
and print sharing service runs. This also makes this port one of
the first scanned by many port scanners or potential hackers and a
target for many of the worms around today. We can use the
recent matching extension to temporarily block any IP
from connecting with our machine that scans this port as
-A FORWARD -m recent --name portscan --rcheck --seconds 300 -j DROP -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name portscan --set -j DROPNow anyone trying to connect to port 139 on our firewall will have all of their packets dropped until 300 seconds has passed. The supported options include:
- The name of the list to store the IP in or check it against. If no name is given then
DEFAULTwill be used
- This will add the source address of the packet to the list. If the source address is already in the list, this will update the existing entry.
- This will check if the source address of the packet is currently in the list.
- This will check if the source address of the packet is currently in the list. If it is then that entry will be updated and the rule will return true.
- This will check if the source address of the packet is currently in the list and if so that address will be removed from the list and the rule will return true.
- This option must be used in conjunction with one of
--update. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds.
- This option must be used in conjunction with one of
--update. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. This option may be used along with `seconds' to create an even narrower match requiring a certain number of hits within a specific time frame.
string* in a Packet's Data Payload
stringextension allows one to match a string anywhere in a packet's data payload. Although this extension does have many valid uses, I would strongly advise caution. Let's say, for example, that our Linux firewall is protecting an internal network with some computers running Microsoft Windows® and we would like to block all executable files. We might try something like:
-A FORWARD -m string --string '.com' -j DROP -A FORWARD -m string --string '.exe' -j DROPThis has a number of problems:
.com' or '
.exe' is split across two packets it will not be matched
timemodule. This could be used to limit staff web usage to lunch-times, to take each of a set of mirrored web servers out of action for automated backups or system maintenance, etc. The following example allows web access during lunch hour:
-A FORWARD -p tcp -m multiport --dport http,https -o eth0 -i eth1 \ -m time --timestart 12:30 --timestop 13:30 --days Mon,Tue,Wed,Thu,Fri -j ACCEPTClearly the start and stop times are 24-hour with the format
HH:MM. The day is a comma-separated list that is case sensitive and made up of
-A INPUT -p tcp -m quota --quota 2147483648 -j ACCEPT -A INPUT -j DROPYou can then view your usage with the following command:
$ iptables -v -L
You would also need to reset the quota every month manually (by
restarting iptables) or with a cron job. Clearly your computer
would need to be 'always-on' for this example to be of any use, but
there are also any other situations where the
extension would be useful.
As an interesting aside: this is actually how the
traceroute command works. It sends a packet to the
destination with a TTL of 1 first and gets a reply from the first
intermediate host. It then sends a packet with a TTL of 2 and
receives a reply from the second intermediate host and so on until
it reaches its destination.
The usefulness of packet matching based on TTL value depends on your imagination. One possible use is to identify "man-in-the-middle" attacks. If you regularly connect from home to work you could monitor your TTL values and establish a reasonable maximum value at the receiving end. You can the use this to deny any packets that arrive with a higher TTL value as it may indicate a possible "man-in-the-middle" attack; someone intercepting your packets, reading/storing them and resending them onto the destination. There are of course "man-in-the-middle" methods that wouldn't alter the TTL value but, as always, security is never absolute, only incremental. TTL matching could also be used for network debugging or to find hosts with bad default TTL values.
As a simple example, let's reject all packets from a specific IP with a TTL of less than 40:
-A INPUT -s 220.127.116.11 -m ttl --ttl-lt 40 -j REJECTYou can also check for TTL values that are less than (
--ttl-gt) or equal to (
--ttl-eq) a particular value.
Patch-o-matic can be downloaded from the netfilter homepage,
You will also need the source code for your kernel (if you are
using a kernel supplied with your distribution, install the
kernel-source package or install a new kernel by
downloading the latest kernel source code from http://www.kernel.org/) and the source
code for iptables which you can also download from the netfilter
homepage. Once you have these, unpack them and execute the
runme script from patch-o-matic as follows:
$ KERNEL_DIR=<path to the kernel source code>
IPTABLES_DIR=<path to the iptables source code> ./runme
The script describes each new extension and asks whether or not to patch the kernel for it. Once that is finished you will need to recompile the kernel, the netfilter kernel modules and the iptables binaries. This is outside the scope of this article but you will find useful information on the following sites:
Barry O'Donovan graduated from the National University of Ireland, Galway
with a B.Sc. (Hons) in computer science and mathematics. He is currently
completing a Ph.D. in computer science with the Information Hiding Laboratory, University
College Dublin, Ireland in the area of audio watermarking.
Barry has been using Linux since 1997 and his current flavor of choice
is Fedora Core. He is a member of the Irish
Linux Users Group. Whenever he's not doing his Ph.D. he can usually be
found supporting his finances by doing some work for Open Hosting, in the pub with friends or running in the local
Barry has been using Linux since 1997 and his current flavor of choice is Fedora Core. He is a member of the Irish Linux Users Group. Whenever he's not doing his Ph.D. he can usually be found supporting his finances by doing some work for Open Hosting, in the pub with friends or running in the local park.