Cover V11, I01

New iptables Features

iptables not only supports stateful firewalling, it also is extensible. iptables has support for more sophisticated firewall features than ipchains. Some of these features require kernel support as described earlier in the section "Firewall Kernel Configuration".

You can use iptables to limit new inbound TCP packets to prevent a Denial of Service attack. This is accomplished with the following rules:

# Create syn-flood chain for detecting
# Denial of Service attacks
iptables -t nat -N syn-flood

# Limit 12 connections per second (burst to 24)
iptables -t nat -A syn-flood -m limit --limit 12/s \
  --limit-burst 24 -j RETURN
iptables -t nat -A syn-flood -j DROPLOG

# Check for DoS attack
iptables -t nat -A PREROUTING -i $EXT_IFACE \
  -d $IP -p tcp --syn -j syn-flood
These rules limit new inbound TCP connections (packets with SYN bit set) to 12 per second after 24 connections per second have been seen.

Using iptables, a transparent Squid proxy can be set up. This will transparently cache and log all outbound HTTP requests to the Internet. It requires no modification to the user's browser, and is useful for blocking unwanted content. This is accomplished with the following iptables rule at the top of the PREROUTING chain:

# Setup transparent Squid proxy for internal network
# For details on setting up Squid, see:
iptables -t nat -A PREROUTING -i $INT_IFACE \
  -p tcp --dport 80 -j REDIRECT --to-port 3128
Arbitrary TCP flags can now be matched, which means you can block XMAS-tree (all flags set) and NULL packets with the following rules:

# DROP XMAS & NULL TCP packets
iptables -t nat -A PREROUTING -p tcp \
  --tcp-flags ALL ALL -j DROPLOG
iptables -t nat -A PREROUTING -p tcp \
  --tcp-flags ALL NONE -j DROPLOG
Using the experimental netfilter psd patch, iptables can detect and block inbound port scans with the following rule:

# DROP inbound port scans
iptables -t nat -A PREROUTING -i $EXT_IFACE \
  -d $IP -m psd -j DROPLOG
Using the experimental netfilter iplimit patch, iptables can limit the number of connections received from a particular IP address with the following rule:

# DROP packets from hosts with more than 16
# active connections
iptables -t nat -A PREROUTING -i $EXT_IFACE -p tcp \
  --syn -d $IP -m iplimit --iplimit-above 16 \
One of the most powerful netfilter patches allows you to match packets based on their content. The experimental string-matching patch allows you to filter out packets that match a certain string. This is helpful to filter out the CodeRed or Nimda viruses before they hit your Web server. The following rules achieve this:

# DROP HTTP packets related to CodeRed and Nimda
# viruses silently
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
   -d $IP --dport http -m string \
   --string "/default.ida?" -j DROP
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
   -d $IP --dport http -m string \
   --string ".exe?/c+dir" -j DROP
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
   -d $IP --dport http -m string \
   --string ".exe?/c+tftp" -j DROP
Port forwarding is now built-in. The nat table uses a feature called "destination NAT" in the PREROUTING chain to accomplish this. The following rule can be used to port forward HTTP requests to a system on the internal network:

# Use DNAT to port forward http
iptables -t nat -A PREROUTING ! -i $INT_IFACE -p tcp \
  --destination-port 80 -j DNAT --to
You can also port forward UDP packets. If you port forward traffic for a particular port, you do not need to have a corresponding rule in the INPUT chain to accept inbound connections on that port.

If you port forward your HTTP requests to an internal host, you can filter out the CodeRed virus in the FORWARD chain with this rule:

iptables -t filter -A FORWARD -p tcp --dport http \
   -m string --string "/default.ida?" -j DROP
New iptables features are being released on a regular basis. One of the experimental modules is ip_nat_h323. This module will allow you to port forward inbound NetMeeting connections through a firewall. As of the time of this writing, it is still in development.