Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Nat and packet limits with iptables
Special Forums IP Networking Nat and packet limits with iptables Post 302835173 by ahmerin on Monday 22nd of July 2013 04:16:35 AM
Old 07-22-2013
Nat and packet limits with iptables
Hi all,

I have a following situation:

- I want certain source IPs to be natted to a different destination IP and Port. Following is how I am achieving it:

Code:
/usr/local/sbin/iptables -t nat -A PREROUTING -p tcp -s 192.168.10.12
  --dport 1500 -j DNAT --to-destination 192.168.10.20:2000

Above runs on 192.168.10.12 and is working perfectly fine.

- Now, I want that if there are more than, say 20 packets per minute from source IP then further packets should be dropped.

Above is what I am having difficulty to achieve.


I have done the following but is not working:
Code:
/usr/local/sbin/iptables -t nat -A PREROUTING -p tcp -s 192.168.10.12 
  --dport 1500 -m limit --limit 20/m --limit-burst 5 -j DNAT --to-destination 192.168.10.20:2000

/usr/local/sbin/iptables -t nat -A PREROUTING -p tcp -s 192.168.10.12
  --dport 1500 -j LOG --log-level 4 --log-prefix "192.168.10.12 Packet Limit exceeded: "

/usr/local/sbin/iptables -A INPUT -p tcp -s 192.168.10.12 --dport 1500 -j DROP

Can someone help me get the correct statement or confirm whether I can achieve the above requirement through IP tables.

Many thanks for your help.

Regards
Ahmerin

---------- Post updated at 08:16 AM ---------- Previous update was at 06:44 AM ----------

Sorry... My mistake... the following IPtables command runs perfectly fine on the server where source actualy goes to first. It is not running on 192.168.10.12:

Code:
/usr/local/sbin/iptables -t nat -A PREROUTING -p tcp -s 192.168.10.12
  --dport 1500 -j DNAT --to-destination 192.168.10.20:2000

Last edited by Scott; 07-25-2013 at 09:24 AM.. Reason: Code tags
 

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

iptables internal NAT with two public IP

Hello Guys, I have a debian machine that work as a firewall (iptables + squid 2.6) with two physical interfaces: eth0 (public interface) and eth1 (internal interface LAN). I have created an alias eth1:1 in order to have two subnets on same physical interface: cat/etc/network/interfaces auto... (0 Replies)
Discussion started by: sincity2006
0 Replies

2. IP Networking

How to configure Full Cone NAT using iptables ?

Hi Experts; I want to find the right iptables commands combination to address the following need: - NEs are NATed thru the linux box (using iptables) towards the WAN cloud, where the NTP servers are situated. - In order to achieve redundancy, the NTP Servers are in a load balancing cluster... (0 Replies)
Discussion started by: lvl1s7a
0 Replies

3. Debian

Iptables Nat forward port 29070

Hello, the Nat and the forward worked on my debian server up to the reboot of machines. The following rules*: /sbin/iptables -t nat -A PREROUTING -p tcp -i eth2 -d xxx.xxx.xxx.xxx --dport 29070 -j DNAT --to-destination 10.0.1.7:29070 /sbin/iptables -A FORWARD -p tcp -i eth2 -o eth0 -d... (0 Replies)
Discussion started by: titoms
0 Replies

4. IP Networking

iptables NAT prerouting & postrouting

Good morning, I'm a newbie of iptables and as far as I've seen on tutorials on the Internet it seems that both prerouting and postrouting NAT chains are undergone both by a packet that goes from an internal LAN to the Internet and of a one that goes in the opposite direction (from the Internet to... (0 Replies)
Discussion started by: giac85
0 Replies

5. Red Hat

NAT Loopback and iptables

Hello, please can you help and explain me. I have two servers. Both are RHEL6. I use the first one like router and the second one for apache. Router forwards 80 port on the second server and I can open that from the internet (mysite.com, for example). But I can not open mysite.com if i try to... (0 Replies)
Discussion started by: 6765656755
0 Replies

6. Cybersecurity

iptables in a NAT scenario

Hi, I am learning IPTables have this question. My server is behind a firewall that does a PAT & NAT to the LAN address. Internet IP: 68.1.1.23 Port: 10022 Server LAN IP: 10.1.1.23 port: 22 Allowed Internet IPs: 131.1.1.23, 132.1.1.23 I want to allow a set of IPs are to be able to... (1 Reply)
Discussion started by: capri_guy84
1 Replies

7. IP Networking

Debugging NAT / prerouting issues (iptables)

Hello, Recently I discovered an issue with packet routing in the latest Android releases (4.4+ KitKat & Lollipop). It seems that the problem Android specific, but essentially it comes from the Linux kernel. I already filed a bug report to Google. You can see the details by searching for... (0 Replies)
Discussion started by: Vladislav
0 Replies

8. IP Networking

NAT via iptables - Won't work!!

Hi guys I'm running on debian on a small embedded system. I have a ppp interface that is connected to the internet (and works). My unit also has wifi access point (which works and I can connect to it). I want to allow connections to the wifi to be able to use the internet from ppp0... (1 Reply)
Discussion started by: alirezan1
1 Replies

9. UNIX for Dummies Questions & Answers

Soft and hard limits for nproc value in /etc/security/limits.conf file (Linux )

OS version : RHEL 6.5 Below is an excerpt from /etc/security/limits.conf file for OS User named appusr in our server appusr soft nproc 2047 appusr hard nproc 16384 What will happen if appusr has already spawned 2047 processes and wants to spawn 2048th process ? I just want to know... (3 Replies)
Discussion started by: kraljic
3 Replies

10. Cybersecurity

Openvpn nat and iptables

good day good people hi first to tell that firewall and vpn is working as expected, but I notice something strange. I have host system 11.11.11.11(local ip) firewall is blocking everything except port to vpn. I have vpn on virtualized system 22.22.22.22 (CentOS both host and virtual). ... (0 Replies)
Discussion started by: end
0 Replies

LEARN ABOUT DEBIAN

mxallowd

mxallowd(1)							   User Manuals 						       mxallowd(1)

NAME

       mxallowd - dynamically whitelist your Mail eXchanger

SYNOPSIS

       mxallowd  [-d]  [-c  configfile]  [-t whitelist-time] [-p pflog-interface] [-l pcap-filter] [-F] [-s] [-q] [-p] -f fake-mailserver -r real-
       mailserver -n queue-num

DESCRIPTION

       mxallowd is a daemon which uses libnetfilter_queue (on Linux) or pf and pflog (on BSD) to allow (or deny) connections to a  mailserver  (or
       similar application) if the remote host hasn't connected to a fake daemon before.

       This  is  an improved version of the so-called nolisting (see http://www.nolisting.org/). The assumption is that spammers are not using RFC
       2821-compatible SMTP-clients and are sending fire-and-forget spam (directly to the first or second MX-entry  without  retrying  on  error).
       This direct access is blocked with mxallowd, you'll only get a connection if you retry.

       NOTE:  It  is  highly recommended to install nscd (nameserver caching daemon) or a similar software in order to speed-up DNS lookups. Since
       version 1.3, DNS lookups are done in a thread (so they don't block the main process), however,  on  very-high-traffic-sites,  mxallowd  may
       show significantly better overall performance in combination with nscd.

OPTIONS

       -b, --no-rdns-whitelist
	      Disable whitelisting all IP-addresses that have the same RDNS as the connecting one (necessary for google mail)

       -c, --config
	      Specifies an alternative configuration file (instead of /etc/mxallowd.conf)

       -t, --whitelist-time
	      Specify the amount of time (in seconds) until an IP-address will be removed from the whitelist

       -s, --stdout
	      Log to stdout, not to syslog

       -q, --quiet
	      Don't log anything but errors.

       -f, --fake-mailserver
	      Specify which IP-address the fake mailserver has (connecting to it will whitelist you for the real mailserver)

       -r, --real-mailserver
	      Specify which IP-address the real mailserver has

       -F, --foreground
	      Do not fork into background, stay on console

       -n, --queue-num (only available when compiled for netfilter_queue)
	      Specify  the  queue  number which will be used for the netfilter_queue-link. This has to be the same which is specified in the ipta-
	      bles-rule and it has to be specified, there is no default.

       -p, --pflog-interface (only available when compiled for pf)
	      Specify the pflog(4) interface which you configured in pf(4). The default is pflog0. Also see the pcap-filter-option if you  use	an
	      interface which does not only get smtp-traffic.

       -l, --pcap-filter (only available when compiled for pf)
	      Specify the filter for pcap. The default is "port 25". See tcpdump(8) for more information on the filters.

FILES

       /etc/mxallowd.conf
	      System-wide configuration file. Use the long options without the beginning two dashes. For example:

		   stdout
		   fake-mailserver 192.168.1.3
		   fake-mailserver 192.168.1.4
		   real-mailserver 192.168.1.5
		   queue-num 23

EXAMPLES FOR NETFILTER

       The  machine  has  two  IP-addresses.  The  mailserver  only  listens  on 192.168.1.4, the nameserver returns the mx-records mx1.domain.com
       (192.168.1.3) with priority 5 and mx2.domain.com (192.168.1.4) with priority 10.

       # modprobe nfnetlink_queue
       # iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j NFQUEUE --queue-num 23
       # mxallowd -s -F -f 192.168.1.3 -r 192.168.1.4 -n 23

       Then open a separate terminal and connect via telnet on your real mailserver. You'll see the connection attempt being dropped. Now  connect
       to the fake mailserver and watch mxallowd's output. Afterwards, connect to the real mailserver to verify your mailserver is still working.

EXAMPLES FOR PF

       The  machine  has  two  IP-addresses.  The  mailserver  only  listens  on 192.168.1.4, the nameserver returns the mx-records mx1.domain.com
       (192.168.1.3) with priority 5 and mx2.domain.com (192.168.1.4) with priority 10.

       Create a pf.conf like this:

	    table <mx-white> persist

	    real_mailserver="192.168.1.4"
	    fake_mailserver="192.168.1.3"

	    real_mailserver6="2001:dead:beef::1"
	    fake_mailserver6="2001:dead:beef::2"

	    pass in quick log on fxp0 proto tcp from <mx-white> to $real_mailserver port smtp
	    pass in quick log on fxp0 inet6 proto tcp from <mx-white> to $real_mailserver6 port smtp
	    block in log on fxp0 proto tcp to { $fake_mailserver $real_mailserver } port smtp
	    block in log on fxp0 inet6 proto tcp to { $fake_mailserver6 $real_mailserver6 } port smtp

       Afterwards, load it and start mxallowd using the following commands:

       # pfctl -f /etc/pf.conf
       # mxallowd -s -F -f 192.168.1.3 -r 192.168.1.4

       Then open a separate terminal and connect via telnet on your real mailserver. You'll see the connection attempt being dropped. Now  connect
       to the fake mailserver and watch mxallowd's output. Afterwards, connect to the real mailserver to verify your mailserver is still working.

       The ruleset for pf is actually longer because pf does more than netfilter on linux -- netfilter passes the packets and lets mxallowd decide
       whether to drop/accept whilst pf blocks/passes before even "passing" to mxallowd.

SEE ALSO

       iptables(8), pf(4), pflog(4), tcpdump(8)

AUTHOR

       Michael Stapelberg <michael+mxallowd at stapelberg dot de>

Linux								    MARCH 2012							       mxallowd(1)
All times are GMT -4. The time now is 08:37 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy