So far we have covered the most widely used function of iptables, packet filtering, and touched on connection tracking and logging. That leaves one more function: rate limiting.
Rate limiting can be a life saver: it limits the packets coming into the PC or network and so spares your services from a DoS SYN-flood attack.
For example: iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
This rule accepts forwarded TCP packets that have the SYN flag set, limited to 2 packets per second.
You can also set a threshold from which the rule should start limiting. This is done with the --limit-burst option.
iptables -A FORWARD -p tcp --syn -m limit --limit 2/s --limit-burst 8 -j ACCEPT
This example is the same as above, with the difference that after the firewall has received a burst of 8 TCP SYN packets,
it starts limiting them to 2/s.
If you don't set --limit-burst, iptables uses a default burst of 5.
That brings us to the end of this small iptables firewall tutorial; you should now be able to create your own firewall.
One last thing you should know: when you use the FORWARD chain you must first enable IP forwarding in the kernel:
echo "1" > /proc/sys/net/ipv4/ip_forward
If this file does not exist, you have not configured the right modules in your kernel.
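The following script is an added example, not part of the original tutorial. It builds the SYN rate-limit rules from the examples above with their correct long options, checks the ip_forward sysctl before anything is applied to FORWARD, and simulates the limit/limit-burst token bucket so the effect of the numbers can be checked without root. One caveat the tutorial does not spell out: a lone "-m limit ... -j ACCEPT" rule limits nothing by itself, because SYN packets above the rate simply fall through to the next rule, so the generator emits a matching DROP right after it. The per-second bucket model is a simplification of the kernel's credit arithmetic, and the function names, the IPT_APPLY switch and the sample packet counts are all this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Rule generation is a dry
# run unless IPT_APPLY=1 is set, so the script is safe to read and run as-is.

# Print the SYN limiter for a chain: an ACCEPT under the limit, then a DROP
# for the excess. Without the DROP the limit rule would have no effect.
#   $1 = chain (FORWARD or INPUT), $2 = rate (e.g. 2/s), $3 = burst (a count)
syn_limit_rules() {
    chain=$1; rate=$2; burst=$3
    printf '%s\n' \
        "iptables -A $chain -p tcp --syn -m limit --limit $rate --limit-burst $burst -j ACCEPT" \
        "iptables -A $chain -p tcp --syn -j DROP"
}

# Report the kernel's IPv4 forwarding state: "enabled", "disabled" or
# "missing" (the file is absent when the kernel has no IPv4 forwarding).
#   $1 = path of the sysctl file (default /proc/sys/net/ipv4/ip_forward;
#        overridable so it can be checked against a constructed file)
ip_forward_state() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    if [ ! -e "$f" ]; then
        echo missing
    elif [ "$(cat "$f")" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Whole-second model of the limit match's token bucket (a simplification of
# the kernel's continuous credit refill): the bucket starts full with `burst`
# tokens, every accepted packet costs one token, and `rate` tokens are added
# back each second, never exceeding `burst`. Prints packets accepted per second.
#   $1 = rate per second, $2 = burst, $3... = packets arriving in each second
simulate_limit() {
    rate=$1; burst=$2; shift 2
    credit=$burst; out=""
    for arriving in "$@"; do
        accepted=$arriving
        if [ "$accepted" -gt "$credit" ]; then
            accepted=$credit
        fi
        credit=$((credit - accepted + rate))
        if [ "$credit" -gt "$burst" ]; then
            credit=$burst
        fi
        out="$out${out:+ }$accepted"
    done
    echo "$out"
}

# Stand-alone use: dry run by default; IPT_APPLY=1 applies the FORWARD rules,
# but only after confirming the kernel will actually forward packets.
if [ "${IPT_APPLY:-0}" = 1 ]; then
    if [ "$(ip_forward_state)" != enabled ]; then
        echo "ip_forward is not enabled; FORWARD rules would never see traffic" >&2
        exit 1
    fi
    syn_limit_rules FORWARD 2/s 8 | while read -r cmd; do $cmd; done
else
    syn_limit_rules FORWARD 2/s 8
    echo "ip_forward: $(ip_forward_state)"
    # Constructed load: 10 SYN/s for three seconds against limit 2/s, burst 8.
    echo "accepted per second: $(simulate_limit 2 8 10 10 10)"
fi
```

Run without arguments to see the rules and the simulated acceptance pattern (the first second drains the burst of 8, every later second passes only the 2/s refill); run with IPT_APPLY=1 as root to install the rules.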
A few guidelines to set up your firewall:
– Set your firewall up to only allow traffic which has been initiated from the internal network.
– If you have lots of servers which should communicate with both the internal network and the internet, consider creating a demilitarized zone (DMZ) to create a boundary between the two.
– Be careful with forwarding ports. Forward only the ports you REALLY need. Every open port is another possible security breach because of bugs or poor application configuration.
– If you need to forward a port temporarily, leave a note in your (digital) agenda with a reminder, so you don't forget to take the rule(s) out again when the service no longer has to be forwarded.