This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
iptables [2014/11/24 01:14] 0.0.0.0 created |
iptables [2014/11/24 02:15] (current) ben |
||
---|---|---|---|
Line 3: | Line 3: | ||
===== Gateway Firewall Configuration ===== | ===== Gateway Firewall Configuration ===== | ||
The firewall configuration is held in subversion, at the url | The firewall configuration is held in subversion, at the url | ||
- | <tt>svn+ssh:// | + | '' |
- | To test rules while editing the rules file, the <tt>iptables-restore</ | + | To test rules while editing the rules file, the '' |
To add new holes for specific machines, scroll to the bottom of the file and copy an existing example. To add new machines is slightly more complex, but there are already examples for most scenarios in this file. | To add new holes for specific machines, scroll to the bottom of the file and copy an existing example. To add new machines is slightly more complex, but there are already examples for most scenarios in this file. | ||
To permanently affect the changes to the configuration, | To permanently affect the changes to the configuration, | ||
- | {{Command|< | + | {{Command|'' |
===== Host firewalls ===== | ===== Host firewalls ===== | ||
Line 23: | Line 23: | ||
Policy routing needs the following kernel options set: | Policy routing needs the following kernel options set: | ||
- | {{Kernel|2.6.28-gentoo-r1|< | + | {{Kernel|2.6.28-gentoo-r1|'' |
- | Create an alternate routing table by adding the following line to the end of <tt>rt_tables</tt>. | + | Create an alternate routing table by adding the following line to the end of '' |
- | {{File|/ | + | {{File|/ |
{{Note|The name " | {{Note|The name " | ||
The default gateway should be added to both routing tables, along with any other static routes if needed. | The default gateway should be added to both routing tables, along with any other static routes if needed. | ||
- | {{File|/ | + | {{File|/ |
- | Now we need to specify that certain connections will be sent according to the alternate routing table instead of the main one. These scripts are stored in subversion, under <tt>routing-rules</ | + | Now we need to specify that certain connections will be sent according to the alternate routing table instead of the main one. These scripts are stored in subversion, under '' |
- | {{File|/ | + | {{File|/ |
- | {{File|/ | + | {{File|/ |
The final bit of magic comes in the form of some iptables rules, which mark particular connections to use the alternate routing table: | The final bit of magic comes in the form of some iptables rules, which mark particular connections to use the alternate routing table: | ||
- | {{File|iptables-rules|< | + | {{File|iptables-rules|'' |
==== Traffic Shaping ==== | ==== Traffic Shaping ==== | ||
Line 52: | Line 52: | ||
In the mangle table | In the mangle table | ||
- | <source lang="bash"> | + | <code bash> |
- Mark packets depending on which vlan the arrived from | - Mark packets depending on which vlan the arrived from | ||
- use the lower 4 bits of the mark space to store this information | - use the lower 4 bits of the mark space to store this information | ||
Line 69: | Line 69: | ||
-A PREROUTING -m state --state NEW -m physdev --physdev-in vlan11 -j CONNMARK --set-mark 11/15 | -A PREROUTING -m state --state NEW -m physdev --physdev-in vlan11 -j CONNMARK --set-mark 11/15 | ||
-A PREROUTING -m state --state NEW -m physdev --physdev-in ath0 -j CONNMARK --set-mark 12/15 | -A PREROUTING -m state --state NEW -m physdev --physdev-in ath0 -j CONNMARK --set-mark 12/15 | ||
- | </source> | + | </code> |
==== Blocking too many rapid connection attempts ==== | ==== Blocking too many rapid connection attempts ==== | ||
The following iptables rules block rapid SSH connections from a single source. | The following iptables rules block rapid SSH connections from a single source. | ||
- | <source lang="bash"> | + | <code bash> |
- Ssh Whitelisting | - Ssh Whitelisting | ||
-N SSH_WHITELIST | -N SSH_WHITELIST | ||
Line 92: | Line 92: | ||
-A SSH_WHITELIST -s 152.78.0.0/ | -A SSH_WHITELIST -s 152.78.0.0/ | ||
-A SSH_WHITELIST -j RETURN | -A SSH_WHITELIST -j RETURN | ||
- | </source> | + | </code> |