Advanced iptables Configurations
Beyond basic port filtering, iptables offers sophisticated capabilities for protecting web servers against a range of attacks. These advanced configurations require an understanding of both the attack patterns and the iptables match modules that can detect and mitigate them.
Implement connection rate limiting to slow down brute-force attacks:
# Track new SSH connections per source IP and drop a source that opens a 4th connection within 60 seconds (i.e. allow 3 per minute per IP)
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# Limit the rate of new HTTP/HTTPS connections to prevent DDoS. Note: -m limit is a global counter, not per-IP, and a match failure just falls through,
# so each ACCEPT needs a following DROP. This assumes an earlier rule already accepts ESTABLISHED,RELATED traffic.
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j DROP
Protect against common attack patterns:
# Drop packets that conntrack cannot associate with any known connection
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Drop new connections that do not begin with SYN, and packets with impossible flag combinations (typical of SYN-flood and scanner traffic)
sudo iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Rate-limit RST packets in a dedicated chain to slow port scanning. The chain only sees traffic once INPUT jumps to it (last rule below)
sudo iptables -N PORT_SCAN
sudo iptables -A PORT_SCAN -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
sudo iptables -A PORT_SCAN -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j PORT_SCAN
String matching for application-layer filtering (only meaningful for plaintext HTTP on port 80: TLS on port 443 hides the payload, and a pattern split across two TCP segments is not matched):
# Drop requests containing SQL injection or directory traversal patterns; --icase makes the match case-insensitive so "UNION SELECT" is caught too
sudo iptables -A INPUT -p tcp --dport 80 -m string --string "union select" --algo bm --icase -j DROP
sudo iptables -A INPUT -p tcp --dport 80 -m string --string "../../" --algo bm -j DROP
# Block user agents from known bad bots (the User-Agent header is trivially spoofed, so treat this as nuisance filtering rather than a security control)
sudo iptables -A INPUT -p tcp --dport 80 -m string --string "BadBot" --algo bm --icase -j DROP
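Two of the pitfalls above (a custom chain that nothing jumps to, and payload string matching on a TLS port) are easy to lint for in a saved ruleset. The following POSIX sh audit is an added example, not part of the original guide; the iptables-save snippet it inspects is constructed inline and deliberately reproduces a PORT_SCAN chain with no jump into it.

```shell
#!/bin/sh
# Constructed iptables-save sample (hypothetical): PORT_SCAN is defined but never
# referenced, and one -m string rule is applied to port 443 where TLS hides the payload.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PORT_SCAN - [0:0]
:SSH_GUARD - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j SSH_GUARD
-A INPUT -p tcp -m tcp --dport 80 -m string --string "union select" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 443 -m string --string "union select" --algo bm --to 65535 -j DROP
-A PORT_SCAN -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A PORT_SCAN -j DROP
-A SSH_GUARD -m recent --set --name SSH --mask 255.255.255.255 --rsource
COMMIT'

# Print user-defined chains (":NAME - [...]" lines) that no -j/-g ever targets.
# Such chains are dead: their rules never see a packet.
unreferenced_chains() {
    printf '%s\n' "$1" | awk '
        /^:/ && $2 == "-" { sub(/^:/, "", $1); defined[$1] = 1 }
        /^-A / { for (i = 1; i < NF; i++)
                     if ($i == "-j" || $i == "-g") referenced[$(i+1)] = 1 }
        END { for (c in defined) if (!(c in referenced)) print c }' | sort
}

# Print rules that combine -m string with --dport 443; the string match can never
# see inside a TLS record, so the rule silently does nothing.
string_match_on_tls() {
    printf '%s\n' "$1" | awk '/^-A / && /--dport 443/ && /-m string/'
}

# Stand-alone run over the constructed sample
echo "Unreferenced chains:"; unreferenced_chains "$SAMPLE_RULES"
echo "String matching on TLS port:"; string_match_on_tls "$SAMPLE_RULES"
```

Run it against a live box with `sudo iptables-save` output in place of `SAMPLE_RULES`; a non-empty result from either function is a rule that is not doing what its author intended.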