IPTables

IPTables is the first focus for demonstrating how to identify and block IP ranges in order to protect a server, protocol or port. Although there is much ado about firewalld, my preference is IPTables for this reason:
I can add, remove or modify firewall rules without ever having to restart nftables or iptables. This is the primary reason. From my perspective, the general purpose of firewalld is to let someone less knowledgeable about networking, TCP/IP and protocols perform basic firewall functions. That is just my perspective, but after having learned firewalld, IPTables and Windows Firewall with Advanced Security, IPTables is my preferred tool for firewall security. Rocky Linux is my preferred enterprise server operating system and became so shortly after IBM purchased CentOS. Debian-flavored operating systems were always the desktop version of Linux and were referred to as “the hackers' version of Linux” by my late mentor. Indeed, it has taken off through Ubuntu, which is (or was) based out of the UK, and to me it still lives up to the title “hackers' version of Linux”, as that is what Kali is built on, if anyone has heard of that. It is a pretty slick tool, though, and I run it on occasion as a VPS on my local network with VirtualBox.

IPTables is going to be deprecated in future versions of Rocky Linux 9.x according to the documentation at Rockylinux.org. However, IMHO iptables is still superior to firewalld for the simple fact that you can update the firewall dynamically without restarting it. To install IPTables:
1. ~]# dnf install iptables-services iptables-utils
2. ~]# systemctl disable firewalld
3. ~]# systemctl enable --now iptables

Appending a rule adds it to the end of the chain, whereas inserting a rule places it at the top of the chain. Rules are evaluated top to bottom and the first match decides, so the position matters.
Appending a simple rule:
~]# iptables -A INPUT -s 8.8.8.8 -p tcp -j ACCEPT # Allows all TCP traffic from 8.8.8.8
~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # Allows established connections
~]# iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT # Allows DNS traffic

Adding an ipset to a rule:
First you need to create the ipset. Here is an example to create an ipset for spoofed IP addresses:
~]# ipset -N spoof-ips hash:net -exist # Sets up ipset with name spoof-ips to use network addresses
~]# ipset -F spoof-ips # flushes spoof-ips data making set empty
~]# ipset -A spoof-ips 192.168.0.0/16 # Appends IP CIDR spoof range
~]# ipset -A spoof-ips 10.0.0.0/8 # Spoof range
~]# ipset -A spoof-ips 172.16.0.0/12 # Spoof range

Now add the IPSet block to your iptables chain with:
~]# iptables -A INPUT -m set --match-set spoof-ips src -j DROP

Inserting a rule places it at the top of the chain instead of appending it to the bottom. It is done like so (this whitelists the MXToolbox diagnostic IP addresses so they are matched before any DROP rule):

~]# iptables -I INPUT -p tcp -s 64.20.227.128/28 -j ACCEPT
~]# iptables -I INPUT -p tcp -s 208.123.79.32/27 -j ACCEPT
~]# iptables -I INPUT -p tcp -s 54.164.124.219 -j ACCEPT
~]# iptables -I INPUT -p tcp -s 54.88.4.135 -j ACCEPT
~]# iptables -I INPUT -p tcp -s 54.84.234.24 -j ACCEPT
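The append, ipset and insert steps above, as an added example script that is not part of the original page: it builds the same INPUT rules but checks each one with iptables -C first, so it can be re-run on a live firewall (the point of not having to restart anything) without piling up duplicate rules. The helper names ensure_rule, ensure_set and baseline_rules are my own; the IPT and IPSET variables are assumptions that let the functions be exercised with a stand-in command.

```shell
#!/bin/sh
# Added example (not from the original page): build the page's INPUT rules
# idempotently so the script can be re-run on a live firewall without
# duplicating rules. Hypothetical helper names: ensure_rule, ensure_set,
# baseline_rules. Run as root with:  sh firewall.sh apply
set -eu

IPT=${IPT:-iptables}      # overridable so the functions can be exercised with a stand-in
IPSET=${IPSET:-ipset}
SPOOF_SET=${SPOOF_SET:-spoof-ips}

# ensure_rule append|insert CHAIN RULE-SPEC...
# "iptables -C" returns 0 when an identical rule already exists, so the rule
# is only added when missing. insert uses position 1 (top of the chain).
ensure_rule() {
  er_mode=$1; er_chain=$2; shift 2
  if $IPT -C "$er_chain" "$@" 2>/dev/null; then
    echo "exists: $er_chain $*"
    return 0
  fi
  case $er_mode in
    append) $IPT -A "$er_chain" "$@" ;;
    insert) $IPT -I "$er_chain" 1 "$@" ;;
    *) echo "ensure_rule: bad mode '$er_mode'" >&2; return 2 ;;
  esac
  echo "added ($er_mode): $er_chain $*"
}

# ensure_set NAME CIDR...
# "-exist" makes create/add no-ops when already present, so the set keeps its
# members instead of being flushed and rebuilt on every run.
ensure_set() {
  es_name=$1; shift
  $IPSET create "$es_name" hash:net -exist
  for es_cidr in "$@"; do
    $IPSET add "$es_name" "$es_cidr" -exist
  done
}

# The page's ruleset, in evaluation order: the set must exist before a rule
# references it; accepts for established traffic and DNS are appended; the
# spoof-set DROP is appended after them; the MXToolbox whitelist is inserted
# at the top so it is matched before any DROP.
baseline_rules() {
  ensure_set "$SPOOF_SET" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  ensure_rule append INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  ensure_rule append INPUT -p udp -m udp --dport 53 -j ACCEPT
  ensure_rule append INPUT -m set --match-set "$SPOOF_SET" src -j DROP
  ensure_rule insert INPUT -p tcp -s 64.20.227.128/28 -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
  baseline_rules
fi
```

Running the script twice prints "exists:" for every rule the second time and leaves the chain unchanged, which you can confirm with iptables -S INPUT. One caveat on the spoof set: because it holds the RFC 1918 private ranges, the DROP rule belongs on an Internet-facing interface (add -i with the external interface name); on a host that also serves its LAN it would drop legitimate private-address traffic.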

To delete a rule in IPTables, do the following:
1. Find the full rule you want to delete with:
~]# iptables -S | grep Durango # For example this returns:
-A INPUT -m set --match-set US-CO.Durango src -j DROP
2. Replace the leading -A with iptables -D and run the rest of the rule you got from step 1 unchanged, as follows:
~]# iptables -D INPUT -m set --match-set US-CO.Durango src -j DROP

~]# ipset del set-name 127.0.0.1 # Deletes 127.0.0.1 from the ipset named set-name
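The two-step deletion above (find the rule with iptables -S, then re-run it with -D), as an added example script that is not part of the original page: it automates the -A to -D rewrite for every rule in a chain whose listing contains a pattern, so a set-based DROP such as the US-CO.Durango one can be removed without retyping the rule. The helper name delete_rules_matching is my own and the IPT variable is an assumption so the function can be exercised with a stand-in command.

```shell
#!/bin/sh
# Added example (not from the original page): delete every rule in a chain whose
# "iptables -S" line contains a pattern, by turning each "-A CHAIN ..." line into
# the matching "-D CHAIN ..." command. Hypothetical helper name: delete_rules_matching.
# Run as root with:  sh delete-rules.sh INPUT Durango
set -eu

IPT=${IPT:-iptables}

# delete_rules_matching CHAIN PATTERN
# Deletion is by exact rule specification, so it does not depend on the rule's
# position, and repeated runs are harmless once nothing matches any more.
delete_rules_matching() {
  drm_chain=$1; drm_pattern=$2; drm_count=0
  # "-S CHAIN" lists the chain's rules in order, one "-A CHAIN <spec>" per line.
  # The here-document keeps the loop in the current shell (no pipeline subshell),
  # and "|| true" keeps a no-match grep from aborting the script under set -e.
  while IFS= read -r drm_line; do
    case $drm_line in
      "-A $drm_chain "*) drm_spec=${drm_line#"-A $drm_chain "} ;;
      *) continue ;;
    esac
    echo "deleting: $drm_chain $drm_spec"
    # eval so that quoted arguments printed by -S (for example --comment "two words")
    # are passed back to iptables as single arguments.
    eval "$IPT -D $drm_chain $drm_spec"
    drm_count=$((drm_count + 1))
  done <<EOF
$($IPT -S "$drm_chain" | grep -F -- "$drm_pattern" || true)
EOF
  echo "deleted $drm_count rule(s) matching '$drm_pattern' from $drm_chain"
}

if [ $# -eq 2 ]; then
  delete_rules_matching "$1" "$2"
fi
```

Because the pattern is matched against the whole -S line, choose it carefully (for instance the full set name) so that a short string does not also match unrelated rules; running iptables -S CHAIN | grep -F PATTERN first shows exactly what would be deleted.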
