net-xtables.plugin.bash
xtables extended netfilter configurations.
Usage
net-xtables help|install|uninstall|download|disable|configgen|configapply|check|run|build|watch
$ net-xtables install - install xtables extended netfilter
$ net-xtables uninstall - uninstall xtables
$ net-xtables download - download xtables package files to pkg dir
$ net-xtables disable - disable xtables plugin
$ net-xtables configgen - generate xtables configuration files
$ net-xtables configapply - apply xtables configuration files
$ net-xtables check - check xtables plugin status
$ net-xtables run - run xtables rules
$ net-xtables build - build xtables rule files
$ net-xtables watch - watch xtables traffic
$ net-xtables help - show this help message
Description
Xtables provides extended netfilter configurations for advanced packet filtering.
Jangbi Configs
RUN_NET_XTABLES=1 # enable xtables extended netfilter
XTABLES_MODE="Gateway" # Gateway, Tunnelonly, Client
Check if running
$ iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
$ xtables-monitor
-A INPUT -s 192.168.1.0/24 -j ACCEPT
Current Configuration
The current configuration is stored in /etc/xtables/. It is generated by the net-xtables configgen command on install.
You can edit it manually; to keep your current configuration afterwards, do not run the install or configapply commands, which regenerate and apply the files.
-t mangle -A PREROUTING -p tcp -m connlimit --connlimit-above 100 --connlimit-mask 32 -m comment --comment xtmab_conlimitperip -j DROP
-t mangle -I PREROUTING -p all -m conntrack --ctstate INVALID -m comment --comment xtmab_dropinvalidstate -j DROP
-t mangle -I PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -m comment --comment xtmab_dropnonsyn -j DROP
-t mangle -I PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -m comment --comment xtmab_limitmss -j DROP
-t raw -A PREROUTING -p udp -m multiport --sports 19,53,123,111,123,137,389,1900,3702,5353 -m hashlimit --hashlimit-mode srcip,srcport --hashlimit-name xtrab_limitudppps --hashlimit-above 256/m -m comment --comment xtrab_limitudppps -j DROP
-t raw -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -m comment --comment xtrab_dropinvtcpflag1 -j DROP
-t raw -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -m comment --comment xtrab_dropinvtcpflag2 -j DROP
-t raw -A PREROUTING -p tcp --tcp-flags ACK,URG URG -m comment --comment xtrab_dropinvtcpflag3 -j DROP
-t raw -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -m comment --comment xtrab_dropinvtcpflag4 -j DROP
-t raw -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -m comment --comment xtrab_dropinvtcpflag5 -j DROP
-t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment xtrab_dropinvtcpflag6 -j DROP
-t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m comment --comment xtrab_dropinvtcpflag7 -j DROP
-A INPUT -m state --state INVALID -m comment --comment XTABLES_GUARD_PORT_SCANNER1 -j DROP
-A INPUT -m state --state NEW -m set ! --match-set XTABLES_GUARD_SCANNED_PORTS src,dst -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name XTABLES_GUARD_PORT_SCANNER --hashlimit-htable-expire 10000 -j SET --add-set XTABLES_GUARD_PORT_SCANNER src --exist
-A INPUT -m state --state NEW -m set --match-set XTABLES_GUARD_PORT_SCANNER src -j DROP
-A INPUT -m state --state NEW -j SET --add-set XTABLES_GUARD_SCANNED_PORTS src,dst
-A INPUT -p tcp --dport 22 -m comment --comment xtfab_chaos_22 -j CHAOS --tarpit
-A INPUT -p tcp --dport 23 -m comment --comment xtfab_chaos_23 -j CHAOS --tarpit
-A INPUT -p tcp --dport 80 -m comment --comment xtfab_chaos_80 -j CHAOS --tarpit
-A INPUT -p tcp --dport 443 -m comment --comment xtfab_chaos_443 -j CHAOS --tarpit
-A INPUT -p tcp --dport 21 -m comment --comment fab_delude_21 -j DELUDE
-A INPUT -p tcp --dport 25 -m comment --comment fab_delude_25 -j DELUDE
-A INPUT -p tcp --dport 53 -m comment --comment fab_delude_53 -j DELUDE
-A INPUT -p tcp --dport 110 -m comment --comment fab_delude_110 -j DELUDE
-A INPUT -p tcp --dport 143 -m comment --comment fab_delude_143 -j DELUDE
-A INPUT -p tcp --dport 993 -m comment --comment fab_delude_993 -j DELUDE
-A INPUT -p tcp --dport 995 -m comment --comment fab_delude_995 -j DELUDE
-A INPUT -p udp -m pknock --knockports 3001,3002,3003 --name fai_pknock_22,80,443 --opensecret foo --closesecret bar --autoclose 240 -m comment --comment fai_pknock_knock -j DROP
-A INPUT -p tcp -m pknock --checkip --name fai_pknock_22,80,443 --dport 22 -m comment --comment fai_pknock_22 -j ACCEPT
-A INPUT -p tcp -m pknock --checkip --name fai_pknock_22,80,443 --dport 80 -m comment --comment fai_pknock_80 -j ACCEPT
-A INPUT -p tcp -m pknock --checkip --name fai_pknock_22,80,443 --dport 443 -m comment --comment fai_pknock_443 -j ACCEPT
Mangle Prerouting : IP Connection Limit per IP
Limit concurrent TCP connections per source IP (connlimit-mask 32) in the mangle table PREROUTING chain; connections above the limit are dropped.
(config) XTABLES_CONNLIMIT_PER_IP=100
(command) iptables -t mangle -A PREROUTING -p tcp -m connlimit --connlimit-above ${conlimitperip} --connlimit-mask 32 -m comment --comment ${funcname} -j DROP
Mangle Prerouting : Drop Invalid State
Drop packets with an INVALID conntrack state in the mangle table PREROUTING chain.
(config) XTABLES_DROP_INVALID_STATE=1
(command) iptables -t mangle -I PREROUTING -p all -m conntrack --ctstate INVALID -m comment --comment ${funcname} -j DROP
Mangle Prerouting : Drop new non-SYN TCP Packets
Drop TCP packets that start a NEW connection without the SYN flag set, in the mangle table PREROUTING chain.
(config) XTABLES_DROP_NON_SYN=1
(command) iptables -t mangle -I PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -m comment --comment ${funcname} -j DROP
Mangle Prerouting : Limit MSS
Drop NEW TCP packets whose MSS is outside the allowed range, in the mangle table PREROUTING chain (the generated rule allows 536:65535).
(config) XTABLES_LIMIT_MSS=1
(command) iptables -t mangle -I PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss ${mss} -m comment --comment ${funcname} -j DROP
Raw Prerouting : Guard Overload Limit UDP PPS
Safeguard against CPU overload during amplified DDoS attacks by rate-limiting UDP packets whose source port is one of the configured amplifier service ports (${lusp}). The generated rule keys on source IP and source port and drops above 256 packets per minute (--hashlimit-above 256/m).
(config) XTABLES_GUARD_OVERLOAD=1
(command) iptables -t raw -A PREROUTING -p udp -m multiport --sports ${lusp} -m hashlimit --hashlimit-mode srcip,srcport --hashlimit-name ${funcname} --hashlimit-above 256/m -m comment --comment ${funcname} -j DROP
Raw Prerouting : Drop Invalid TCP Flag
Drop packets with invalid TCP flag combinations in the raw table PREROUTING chain. The command below is the first of seven generated rules (${funcname}1 to ${funcname}7), each dropping one impossible flag combination.
(config) XTABLES_INVALID_TCPFLAG=1
(command) iptables -t raw -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -m comment --comment ${funcname}1 -j DROP
Filter Input : Drop Port Scanner IP
Detect and block port scanning sources using ipset and hashlimit rules: NEW connections to ports a source has not touched before are counted per source IP, a source exceeding the burst of 5 is added to the XTABLES_GUARD_PORT_SCANNER set, and further NEW connections from set members are dropped.
(config) XTABLES_GUARD_PORT_SCANNER=1
(command) iptables -A INPUT -m state --state NEW -m set ! --match-set XTABLES_GUARD_SCANNED_PORTS src,dst -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name XTABLES_GUARD_PORT_SCANNER --hashlimit-htable-expire 10000 -j SET --add-set XTABLES_GUARD_PORT_SCANNER src --exist
Filter Input : CHAOS responses to confuse attackers
Apply the CHAOS target to the configured ports so that they answer scanners with random responses; one rule is generated per port.
(config) XTABLES_CHAOS_PORTS="22,23,80,443"
(command) iptables -A INPUT -p tcp --dport ${port} -m comment --comment ${funcname}_${port} -j CHAOS --tarpit
Filter Input : DELUDE responses to make closed ports appear open
Apply the DELUDE target to make closed ports appear open by replying with SYN-ACK to SYN packets; one rule is generated per port.
(config) XTABLES_DELUDE_PORTS="22,23,80,443,21,25,53,110,143,993,995"
(command) iptables -A INPUT -p tcp --dport ${port} -m comment --comment ${funcname}_${port} -j DELUDE
Filter Input : Port Knocking with Open/Close Secrets (Example2)
Implement port knocking for access control: a UDP knock sequence on the knock ports, validated with the open and close secrets, opens the target ports for the knocking source IP. The foo and bar values are placeholders; set your own secrets.
(config) XTABLES_PKNOCK_PORTS="3001,3002,3003" XTABLES_PKNOCK_OPENSECRET="foo" XTABLES_PKNOCK_CLOSESECRET="bar" XTABLES_PKNOCK_TARGET_PORTS="22,80,443"
(command) iptables -A INPUT -p udp -m pknock --knockports ${pknockports} --name ${pnockrulename} --opensecret ${opensecret} --closesecret ${closesecret} --autoclose 240 -m comment --comment ${funcname}_knock -j DROP
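As an added example (not code from the net-xtables plugin or the Jangbi project), the following shell snippet derives the comment tags that the generated filter INPUT rules carry from the CHAOS, DELUDE and port-knock config variables above, then checks an iptables-save listing for them, which is the check the Check if running section does by hand. The sample config values and the iptables-save excerpt are constructed; the tag formats, and the absence of DELUDE rules on the CHAOS ports, are taken from the generated rule file shown under Current Configuration.

```shell
# Constructed sample config (variable names from the page's (config) lines).
XTABLES_CHAOS_PORTS="22,23,80,443"
XTABLES_DELUDE_PORTS="22,23,80,443,21,25,53,110,143,993,995"
XTABLES_PKNOCK_TARGET_PORTS="22,80,443"
csv() { printf '%s' "$1" | tr ',' ' '; }

# Comment tags the generated rules carry (formats taken from the page's rule
# file). A DELUDE port that is also a CHAOS port gets no tag: the page's file
# has no DELUDE rule for those ports, and the first matching INPUT rule handles
# the packet, so a later DELUDE rule for the same port would never be reached.
expected_tags() {
  local p
  for p in $(csv "$XTABLES_CHAOS_PORTS"); do echo "xtfab_chaos_$p"; done
  for p in $(csv "$XTABLES_DELUDE_PORTS"); do
    case ",$XTABLES_CHAOS_PORTS," in *",$p,"*) ;; *) echo "fab_delude_$p" ;; esac
  done
  echo "fai_pknock_knock"
  for p in $(csv "$XTABLES_PKNOCK_TARGET_PORTS"); do echo "fai_pknock_$p"; done
}

# Every --comment value in iptables-save style text on stdin (quoted or not).
loaded_tags() { sed -n 's/.*--comment "\{0,1\}\([^ "]*\)"\{0,1\}.*/\1/p'; }
# Print expected tags absent from the ruleset on stdin; exit 1 if any are.
missing_tags() {
  local loaded t rc=0
  loaded=$(loaded_tags)
  for t in $(expected_tags); do
    printf '%s\n' "$loaded" | grep -qx "$t" || { echo "$t"; rc=1; }
  done
  return $rc
}

# Constructed iptables-save excerpt: all rules loaded except the port 995 DELUDE.
SAMPLE_RULES='-A INPUT -p tcp --dport 22 -m comment --comment xtfab_chaos_22 -j CHAOS --tarpit
-A INPUT -p tcp --dport 23 -m comment --comment xtfab_chaos_23 -j CHAOS --tarpit
-A INPUT -p tcp --dport 80 -m comment --comment xtfab_chaos_80 -j CHAOS --tarpit
-A INPUT -p tcp --dport 443 -m comment --comment xtfab_chaos_443 -j CHAOS --tarpit
-A INPUT -p tcp --dport 21 -m comment --comment "fab_delude_21" -j DELUDE
-A INPUT -p tcp --dport 25 -m comment --comment fab_delude_25 -j DELUDE
-A INPUT -p tcp --dport 53 -m comment --comment fab_delude_53 -j DELUDE
-A INPUT -p tcp --dport 110 -m comment --comment fab_delude_110 -j DELUDE
-A INPUT -p tcp --dport 143 -m comment --comment fab_delude_143 -j DELUDE
-A INPUT -p tcp --dport 993 -m comment --comment fab_delude_993 -j DELUDE
-A INPUT -p udp -m pknock --knockports 3001,3002,3003 --name fai_pknock_22,80,443 --opensecret foo --closesecret bar --autoclose 240 -m comment --comment fai_pknock_knock -j DROP
-A INPUT -p tcp -m pknock --checkip --name fai_pknock_22,80,443 --dport 22 -m comment --comment fai_pknock_22 -j ACCEPT
-A INPUT -p tcp -m pknock --checkip --name fai_pknock_22,80,443 --dport 80 -m comment --comment fai_pknock_80 -j ACCEPT
-A INPUT -p tcp -m pknock --checkip --name fai_pknock_22,80,443 --dport 443 -m comment --comment fai_pknock_443 -j ACCEPT'
# On a live host the same check is: iptables-save | missing_tags
printf '%s\n' "$SAMPLE_RULES" | missing_tags || echo "some xtables rules are not loaded"
```

A non-zero exit with tag names printed means those generated rules are not currently loaded, whatever the files under /etc/xtables/ say.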