Iptables Tcp Flags Scripts

I enter this command:
iptables -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp ! --syn -j DROP

And in sysconfig/iptables I get this:

-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

I don't understand exactly how to interpret this line. It seems, at a first glance, absurd to me, because it says to drop all packets that start a tcp connection which do NOT have flags FIN,SYN,RST,ACK SYN. It's quite the reverse of what am writing.

How come all these show up?

Dear all,

This is my current iptables (with default policy = Accept) and no rules.
Code:

[root@racnode1 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 77072 packets, 7890K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 70306 packets, 129M bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@racnode1 ~]#

I have decided to allow only incoming network connection from my own subnet and hence

Code:

[root@racnode1 ~]# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
[root@racnode1 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  178  9055 ACCEPT     all  --  any    any     192.168.0.0/24       anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 186 packets, 316K bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@racnode1 ~]#

Noted that my default policy is still ACCEPT, hence I

Code:

[root@racnode1 ~]# iptables --policy INPUT DROP

===============================================================

Upon this, I have 2 issues

a) my iptables -L -v command can't display fully, i am stuck at below

Quote:
[root@racnode1 ~]# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
b) my ssh login is very slow

Quote:
login as: root
-- waited quite sometime before prompting me for password
===============================================================

If i removed revert the INPUT policy to ACCEPT, then everything will be fine as normal.

Why ?

Thanks and look forward to your advises.

Regards,
Noob ;(

Hello! I hope this post get's in the right place, cause I'm a newbie @ Linux

I'm trying to set up a Webserver, apache. And I'm confused which chain to set in IPTables. I hope'd someone could answer me a little more in detail, I've tryed googeling, but the answers were quite confusing for me, anyway here are the statement;

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

and

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

A know that that -A INPUT is for incoming packaes, -p specifies protocol TCP. But I'm unsure what -m does? Cause in the first line it is just "-m tcp" and in the second it is "-m state --state". So if someone could explant the diffrence and which one to use, I would be grateful.

And another question while I'm at it; In the start of IPTables I have;
-A INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

What happens if I get a packet destined for some service, that isn't a chain in IPTables? Take port 80 for example, will IPTables accept the packet, but drop it at the end because there isn't any hit? If you understand what I mean. If -A INPUT would be DENY istead of ACCEPT, would the packet never ever get examined further then the first line?

Almost and the bottom of IPTables ther is a line;
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Is it the chain that will be matched if there is not hit prior to it? What would happen if this line wasn't there?

Thank you very much for your help, I'm just wanna be sure little how IPTables work.

Best Regards; Stefan

I recently changed from Debian 7 to 8 which now uses systemd as the default init.
I had a init file that worked fine (see below) and works fine when directly invoked
Code:

$ sudo /etc/init.d/iptables start

however fails when indirectly invoked
Code:

$ sudo service iptables start
Job for iptables.service failed. See 'systemctl status iptables.service' and 'journalctl -xn' for details.

Code:

$ systemctl status iptables.service
 iptables.service - LSB: Iptable setup
   Loaded: loaded (/etc/init.d/iptables)
   Active: failed (Result: exit-code) since Mon 2015-05-25 17:18:37 PDT; 5s ago
  Process: 4825 ExecStart=/etc/init.d/iptables start (code=exited, status=203/EXEC)

Code:

$ journalctl -xn
No journal files were found.

I don't understand the error except that it "failed" and is loaded.
I have disabled and re-enabled the service with these commands:

Code:

sudo systemctl disable iptables
sudo systemctl enable iptables

which completes successfully but did not fix the problem.


INIT file
Code:

### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Should-Start:      $portmap
# Should-Stop:       $portmap
# X-Start-Befo     nis
# X-Stop-After:      nis
# Default-Start:     2 
# Default-Stop:      1
# X-Interactive:     false
# Short-Description: Iptable setup
# Description:       Sets iptable rules
#                    
### END INIT INFO

ipt=/sbin/iptables

loadrules() {

if [ -e /etc/iptables_ruleset ]; then iptables-restore < /etc/iptables_ruleset && exit 0; fi

$ipt -F
$ipt -X

# Policies and Chains
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -N SSH
$ipt -N WEBSERVER

$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -i lo -j ACCEPT # Allow loopback

# Services
$ipt -A INPUT -p tcp -m multiport --dport 443,80 -j WEBSERVER # WEBSERVER chain 
$ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH # Jump to SSH chain
$ipt -A INPUT -p tcp -s 192.168.1.1/24 --dport 445 -j ACCEPT # samba

# Reject message for LAN
$ipt -A INPUT -s 192.168.1.1/24 -j REJECT

# WEBSERVER chain
$ipt -A WEBSERVER -p tcp -m multiport --dport 443,80 -m conntrack --ctstate NEW -j LOG
$ipt -A WEBSERVER -p tcp -m multiport --dport 443,80 -j ACCEPT

# SSH chain
$ipt -A SSH -p tcp --dport 22 -m recent --set --name SSH # Set SSH recent
$ipt -A SSH -p tcp --dport 22 -m recent --name SSH --update --seconds 10 --hitcount 2 --rttl -j LOG # Log if over counter
$ipt -A SSH -p tcp --dport 22 -s 192.168.1.1/24 -m recent --name SSH --update --seconds 10 --hitcount 10 --rttl -j REJECT # Reject from lan if over counter
$ipt -A SSH -p tcp --dport 22 ! -s 192.168.1.1/24 -m recent --name SSH --update --seconds 10 --hitcount 2 --rttl -j DROP # Drop if over counter
$ipt -A SSH -p tcp --dport 22 -j ACCEPT

iptables-save > /etc/iptables_ruleset
}

removerules() {
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -F
$ipt -X
}

restartrules() {
rm /etc/iptables_ruleset
loadrules
}

case "$1" in
	start)
		loadrules
		;;
	stop)
		removerules
		;;
        restart)
                restartrules
                ;;
    	*)
        	echo "Usage: $0 start|stop|restart" >&2
        	exit 3
        	;;
esac

Edit:
Checking /var/log/daemon.log gives me this info:
Code:

May 25 19:13:29 hostname systemd[6004]: Failed at step EXEC spawning /etc/init.d/iptables: Exec format error
May 25 19:13:29 hostname systemd[1]: iptables.service: control process exited, code=exited status=203
May 25 19:13:29 hostname systemd[1]: Failed to start LSB: Iptable setup.
May 25 19:13:29 hostname systemd[1]: Unit iptables.service entered failed state.

Hi Friends,

I have migrated from RHEL-5.9 to RHEL-6.5 on my server. But iptables rules are not working in RHEL-6.5 as it is working with RHEL-5.9 with the same rules. Please check my rules and details are below.

eth1 for incoming traffic
ppp0,ppp1,ppp2 and ppp3 are DSL connection and it using for outgoing traffic.

I am able to send the traffic through each line separately but could not load-balance with all ppp interfaces through iptables.

I am using iptable mangle rules to distribute the traffic.

/sbin/iptables -t mangle -A OUTPUT -p tcp -m statistic --mode nth --every 4 --packet 0 -m tcp --tcp-flags FIN,SYN,ACK SYN -j MARK --set-mark 1
/sbin/iptables -t mangle -A OUTPUT -p tcp -m statistic --mode nth --every 4 --packet 1 -m tcp --tcp-flags FIN,SYN,ACK SYN -j MARK --set-mark 2
/sbin/iptables -t mangle -A OUTPUT -p tcp -m statistic --mode nth --every 4 --packet 2 -m tcp --tcp-flags FIN,SYN,ACK SYN -j MARK --set-mark 3
/sbin/iptables -t mangle -A OUTPUT -p tcp -m statistic --mode nth --every 4 -m tcp --tcp-flags FIN,SYN,ACK SYN -j MARK --set-mark 4

/sbin/ip route add table ppp0 default dev ppp0
/sbin/ip route add table ppp1 default dev ppp1
/sbin/ip route add table ppp2 default dev ppp2
/sbin/ip route add table ppp3 default dev ppp3

/sbin/ip rule add fwmark 1 pref 200 table ppp1
/sbin/ip rule add fwmark 2 pref 200 table ppp2
/sbin/ip rule add fwmark 3 pref 200 table ppp3
/sbin/ip rule add fwmark 4 pref 200 table ppp0

/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ppp2 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ppp3 -j MASQUERADE

/sbin/ip route app default equalize nexthop dev ppp0 nexthop dev ppp1 nexthop dev ppp2 nexthop dev ppp3

It was not working completely and after read some article to change the kernel parameter I am able to send the traffic but it is working only for some time and dropping connections without any errors.

"echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
"echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter"
"net.ipv4.conf.default.rp_filter = 2"

The same rules were working perfectly in RHEL-5.9. Do i need to change any other kernel parameter get this done?

Please let me know what are the kernel parameters have to be changed to get this working as like RHEL-5.9 ?

Thanks,
Sekar

Hi everyone
I have a question about iptables

This line
Code:

iptables -A INPUT -p tcp  -m tcp --dport 80 -j ACCEPT

why there is a "-m tcp"? what does this mean? I checked some book and man, I did not find what does this mean.

Thank you very much for your help.

Good Morning! I am supporting the coffee and Doritos industry with my frustration with this problem. I have been battling it for two months. I have several Red Hat books, the official Red Hat study guide, and have searched the forums for weeks with no avail. I was wondering if you have ever had this?

I am trying to "telnet server.example.com 25" or telnet in general. Both servers are running on a KVM on the 192.168.122.0/24 network.


[root@server ~]# telnet server.example.com
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
Trying 192.168.122.191...
telnet: connect to address 192.168.122.191: Connection refused

I can ssh, run NFS, and also run internal postfix e-mails.

IPTABLES IS TURNED OFF ON BOTH CLIENTS

Postfix and Telnet is configured on both clients, with both listening:

[root@server ~]# netstat -tulpn |grep :25
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1802/

When I Telnet from client named 'Server' to client named 'ISCSI', tpcdump on client 'ISCSI' gives the following:

19:01:23.579330 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:2e:85:0e.8003, length 43
19:01:23.632750 IP server.57477 > iscsi.example.com.telnet: Flags [S], seq 2403459934, win 14600, options [mss 1460,sackOK,TS val 2679191 ecr 0,nop,wscale 6], length 0
19:01:23.632882 IP iscsi.example.com.telnet > server.57477: Flags [R.], seq 0, ack 2403459935, win 0, length 0
19:01:24.428091 IP server.57478 > iscsi.example.com.telnet: Flags [S], seq 942066757, win 14600, options [mss 1460,sackOK,TS val 2679990 ecr 0,nop,wscale 6], length 0
19:01:24.428163 IP iscsi.example.com.telnet > server.57478: Flags [R.], seq 0, ack 942066758, win 0, length 0
19:01:25.006222 IP server.57479 > iscsi.example.com.telnet: Flags [S], seq 2689610466, win 14600, options [mss 1460,sackOK,TS val 2680564 ecr 0,nop,wscale 6], length 0

I am trying to set up a "Proxy Server" in Linux, without using Squid (Part of my project). However I have beginner's knowledge of iptables. I am using the following script from "http://www.aboutdebian.com/proxy.

#!/bin/sh
INTIF="eth1"
EXTIF="eth0"
EXTIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Question is there is no packet forwarding from eth1 to eth0 (verified from wireshark, a windows is using eth1's ip address as its default gateway)

Any help would be highly appreciated!

Hello

I have problem with creating pptp connection on my centos vps.
VPS is under OpenVZ, so in customer panel i enabled TUN/TAP, PPP and IPSEC.

On my centos 6.5 vps i made changes based on this tutorial
http://www.zedt.eu/tech/linux/settin...os-openvz-vps/

and on windows 7 this
http://www.howtogeek.com/51237/setti...ver-on-debian/

And now, windows 7 is giving me 807 error.

Is this iptables rules are correct ?
Code:

iptables -A INPUT -i venet0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i venet0 -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -j SNAT --to-source [VPS's IP]
iptables -A FORWARD -i ppp0 -o venet0 -j ACCEPT
iptables -A FORWARD -i venet0 -o ppp0 -j ACCEPT

I have no ppp0 interface, and i have additionally vnet0:0 with external ip, and gre0 and gretap0 interfaces.

So ifconfig -a shows:
Code:

[root@vps ~]# ifconfig -a
gretap0   Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
          BROADCAST MULTICAST  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-FF-FF-80-4B-00-00-00-00-00-00-00-00  
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: 2602:ffc5::ffc5:6f61/128 Scope:Global
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:101201 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42319 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:131220862 (125.1 MiB)  TX bytes:4717867 (4.4 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:x.x.x.x  P-t-P:x.x.x.x  Bcast:x.x.x.x
Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

So is vnet0 should be vnet0:0 ?
And what should be instead of ppp0 interface ?

I'm trying to find out if Iptables supports creating jitter, like it does for packet loss. I'm using 'iptables -A INPUT -m statistic --mode random --probability 0.02 -j DROP' to simulate packet loss, but can I do something similar to create jitter? I think TC will do it, but our firmware does not support it. If there is an alternate solution, any advice would be greatly appreciated.