Voxel Help needed with iptables rules

[agneev]

How do I delete rules after I've set them?

So for redirection purpose all you need is this

Without the SNAT rule, the redirection is not complete. E.g. dig says it expected an answer from x.x.x.x instead of 10.0.0.10.

 

[HELLO_wORLD]

How do I delete rules after I've set them?

Here is the help output for iptables… look at Commands -> --delete

root@HERMES:~$ iptables -h
iptables v1.8.7

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain		Append to chain
  --check   -C chain		Check for the existence of a rule
  --delete  -D chain		Delete matching rule from chain
  --delete  -D chain rulenum
				Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
				Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
				Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
				List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
				Print the rules in a chain or all chains
  --flush   -F [chain]		Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
				Zero counters in chain or all chains
  --new     -N chain		Create a new user-defined chain
  --delete-chain
            -X [chain]		Delete a user-defined chain
  --policy  -P chain target
				Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
				Change chain name, (moving any references)
Options:
    --ipv4	-4		Nothing (line is ignored by ip6tables-restore)
    --ipv6	-6		Error (line is ignored by iptables-restore)
[!] --protocol	-p proto	protocol: by number or name, eg. `tcp'
[!] --source	-s address[/mask][...]
				source specification
[!] --destination -d address[/mask][...]
				destination specification
[!] --in-interface -i input name[+]
				network interface name ([+] for wildcard)
 --jump	-j target
				target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match	-m match
				extended match (may load extension)
  --numeric	-n		numeric output of addresses and ports
[!] --out-interface -o output name[+]
				network interface name ([+] for wildcard)
  --table	-t table	table to manipulate (default: `filter')
  --verbose	-v		verbose mode
  --wait	-w [seconds]	maximum wait to acquire xtables lock before give up
  --wait-interval -W [usecs]	wait time to try to acquire xtables lock
				default is 1 second
  --line-numbers		print line numbers when listing
  --exact	-x		expand numbers (display exact values)
[!] --fragment	-f		match second or further fragments only
  --modprobe=<command>		try to insert modules using this command
  --set-counters PKTS BYTES	set the counter during insert/append
[!] --version	-V		print package version.

Without the SNAT rule, the redirection is not complete. E.g. dig says it expected an answer from x.x.x.x instead of 10.0.0.10.

Hence this at the end of my post :

And as you were told in the post you refer too, this rule is needed or not depending on your LAN subnet:

iptables -t nat -I POSTROUTING -d 10.0.0.10 -j SNAT --to 10.0.0.1

This rule is not for DNS redirection per say, but seems to be required for your specific network setup (LAN, subnet, etc.)

 

[R. Gerrits]

How do I delete rules after I've set them?

depends whether you added the rules to /opt/scripts/firewall-start.sh or not.

if you did, remove them from there and execute /usr/sbin/net-wall restart.

if you didn't, then easiest would be to again execute /usr/sbin/net-wall restart
and then re-run the iptables command that you wanted to keep.

or use iptables --delete command (with the correct syntax) to remove rules

(and not having the rules in firewall-start.sh is a bad idea, because the router periodically reloads the firewall, causing rules to disappear again.
so it should only be used during testing.)

 

[agneev]

All rules are in firewall-start.sh, yes

or use iptables --delete command (with the correct syntax)

As an example, to delete this rule, is the following syntax correct?

iptables -t nat -I POSTROUTING -d 10.0.0.10 -j SNAT --to 10.0.0.1

iptables --delete -t nat -I POSTROUTING -d 10.0.0.10 -j SNAT --to 10.0.0.1

 

[R. Gerrits]

As an example, to delete this rule, is the following syntax correct?

nope.
iptables -t nat -I POSTROUTING -d 10.0.0.10 -j SNAT --to 10.0.0.1 means:

iptables -t nat = use iptables on table nat
-I POSTROUTING = insert into chain POSTROUTING
And -d 10.0.0.10 -j SNAT --to 10.0.0.1 is then the actual rule

So to delete, simply replace the -I (or --insert) with -D (or --delete)

iptables -t nat -D POSTROUTING -d 10.0.0.10 -j SNAT --to 10.0.0.1

 

[agneev]

Can the DROP rules be changed to REJECT, so clients know that the port is not reachable, rather waiting for the timeout?

iptables -t mangle -I PREROUTING -p tcp --dport 853 ! -s 10.0.0.10 -d 8.8.8.8 -j DROP
iptables -t mangle -I PREROUTING -p tcp --dport 853 ! -s 10.0.0.10 -d 8.8.4.4 -j DROP

 

[HELLO_wORLD]

Can the DROP rules be changed to REJECT, so clients know that the port is not reachable, rather waiting for the timeout?

iptables -t mangle -I PREROUTING -p tcp --dport 853 ! -s 10.0.0.10 -d 8.8.8.8 -j DROP
iptables -t mangle -I PREROUTING -p tcp --dport 853 ! -s 10.0.0.10 -d 8.8.4.4 -j DROP

Absolutely, you can use -j REJECT --reject-with icmp-admin-prohibited
As a matter of habit, blocking inside your LAN, REJECT is a good idea as you prevent the timeout.
However, blocking anything from the WAN (not your case here), DROP is better, as it simulates the absence of a device answering.

 

[agneev]

I did try it, however it doesn't look like the mangle table supports that:

~# iptables -t mangle -I PREROUTING -p tcp -m multiport --dports 443,8
53 ! -s 10.0.0.10 -d 8.8.8.8 -j REJECT --reject-with icmp-admin-prohibited
iptables: Invalid argument. Run `dmesg' for more information.

x_tables: ip_tables: REJECT target: only valid in filter table, not mangle

 

[HELLO_wORLD]

I did try it, however it doesn't look like the mangle table supports that:

~# iptables -t mangle -I PREROUTING -p tcp -m multiport --dports 443,8
53 ! -s 10.0.0.10 -d 8.8.8.8 -j REJECT --reject-with icmp-admin-prohibited
iptables: Invalid argument. Run `dmesg' for more information.

x_tables: ip_tables: REJECT target: only valid in filter table, not mangle

Yes, mangle is limited compared to filter…
You would have to move your rules to the filter table to use REJECT, or continue to use DROP in mangle.

Other solution, but complicated for nothing would be to mark the packets, and then REJECT the marked packets in the filter table, but as I said… uselessly complicated as you could put your rules in the filter table for that purpose.

 

[HELLO_wORLD]

Here is a good article explaining iptables tables and chains, in which order they go, etc…:

A Deep Dive into Iptables and Netfilter Architecture | DigitalOcean

Firewalls are an important tool that can be configured to protect your servers and infrastructure. In the Linux ecosystem, iptables is a widely used firewall…

www.digitalocean.com

 

[agneev]

Thanks for the link but iptables is like math to me.

What if I were to move the rules to the filter table? What would the rules look like then?

 

[Tech Junky]

firewall-start.sh

I'd this is the file then just scp the file and edit in notepad++ and copy it back instead of messing around in the cli.

 

[HELLO_wORLD]

I'd this is the file then just scp the file and edit in notepad++ and copy it back instead of messing around in the cli.

I don't see the file, but you would just have to replace -t mangle by -t filter or just remove -t mangle as without -t information, the default table is filter.

EDIT: this answer was intended for @agneev , my mistake.

 

[Tech Junky]

Well, there's more than just a couple of sections in the iptables format.

# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*mangle
:PREROUTING ACCEPT [41:49134]
:INPUT ACCEPT [39:49020]
:FORWARD ACCEPT [2:114]
:OUTPUT ACCEPT [21:1544]
:POSTROUTING ACCEPT [22:1474]
COMMIT
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*security
:INPUT ACCEPT [24:32068]
:FORWARD ACCEPT [2:114]
:OUTPUT ACCEPT [20:1360]
COMMIT
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*raw
:PREROUTING ACCEPT [41:49134]
:OUTPUT ACCEPT [21:1544]
:FORWARD - [0:0]
COMMIT
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PERMIT-FWD - [0:0]
:PERMIT-IN - [0:0]
:PERMIT-OUT - [0:0]
-A INPUT -j PERMIT-IN
-A FORWARD -j PERMIT-FWD
-A OUTPUT -j PERMIT-OUT
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-FWD -j DROP
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -j DROP
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-OUT -j DROP
COMMIT
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o bo0 -j MASQUERADE
COMMIT
# Completed on Sun Jan 23 20:51:32 2022

*mangle
*security
*raw
*filter
*nat

They're processed from top down.

 

[HELLO_wORLD]

Well, there's more than just a couple of sections in the iptables format.

# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*mangle
:PREROUTING ACCEPT [41:49134]
:INPUT ACCEPT [39:49020]
:FORWARD ACCEPT [2:114]
:OUTPUT ACCEPT [21:1544]
:POSTROUTING ACCEPT [22:1474]
COMMIT
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*security
:INPUT ACCEPT [24:32068]
:FORWARD ACCEPT [2:114]
:OUTPUT ACCEPT [20:1360]
COMMIT
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*raw
:PREROUTING ACCEPT [41:49134]
:OUTPUT ACCEPT [21:1544]
:FORWARD - [0:0]
COMMIT
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PERMIT-FWD - [0:0]
:PERMIT-IN - [0:0]
:PERMIT-OUT - [0:0]
-A INPUT -j PERMIT-IN
-A FORWARD -j PERMIT-FWD
-A OUTPUT -j PERMIT-OUT
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-FWD -j DROP
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -j DROP
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-OUT -j DROP
COMMIT
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o bo0 -j MASQUERADE
COMMIT
# Completed on Sun Jan 23 20:51:32 2022

*mangle
*security
*raw
*filter
*nat

They're processed from top down.

There is no security table by default in R7800 iptables. But yes, there is a specific order in which tables and chains are read, and it is important to have that in mind when building rules (particularly more complex ones).

As for @agneev , here is what you need to do to go from mangle to filter:
Just replace -t mangle by -t filter or just remove -t mangle (as without -t information, the default table is filter).

 

[Tech Junky]

(particularly more complex ones).

Not necessarily more complex but more granular. The more specific the rule the tighter the match criteria and if you want to block or process something that's higher priority then move it to the top and when there's a hit it just moves to the next packet.

This is why when you create a ton of rules and they're not prioritized it slows down the connection due to excessive processing.

 

[HELLO_wORLD]

Not necessarily more complex but more granular. The more specific the rule the tighter the match criteria and if you want to block or process something that's higher priority then move it to the top and when there's a hit it just moves to the next packet.

This is why when you create a ton of rules and they're not prioritized it slows down the connection due to excessive processing.

Amen to that!

 

[agneev]

@HELLO_wORLD Here's the script I'm using currently:

iptables -t mangle -I PREROUTING -p tcp -m multiport --dports 443,853 ! -s 10.0.0.10 -d 8.8.8.8 -j REJECT
iptables -t mangle -I PREROUTING -p tcp -m multiport --dports 443,853 ! -s 10.0.0.10 -d 8.8.4.4 -j REJECT
iptables -t nat -I PREROUTING -p udp --dport 53 -d 111.111.111.111 -j DNAT --to 10.0.0.10:1053
iptables -t nat -I PREROUTING -p tcp --dport 53 ! -s 10.0.0.10 ! -d 10.0.0.10 -j DNAT --to 10.0.0.10
iptables -t nat -I PREROUTING -p udp --dport 53 ! -s 10.0.0.10 ! -d 10.0.0.10 -j DNAT --to 10.0.0.10
iptables -t nat -I POSTROUTING -d 10.0.0.10 -j SNAT --to 10.0.0.1

@Tech Junky yes, as you said in the beginning, I'm trying to prevent the possible loss of performance

 

[HELLO_wORLD]

@HELLO_wORLD Here's the script I'm using currently:

iptables -t mangle -I PREROUTING -p tcp -m multiport --dports 443,853 ! -s 10.0.0.10 -d 8.8.8.8 -j REJECT
iptables -t mangle -I PREROUTING -p tcp -m multiport --dports 443,853 ! -s 10.0.0.10 -d 8.8.4.4 -j REJECT
iptables -t nat -I PREROUTING -p udp --dport 53 -d 111.111.111.111 -j DNAT --to 10.0.0.10:1053
iptables -t nat -I PREROUTING -p tcp --dport 53 ! -s 10.0.0.10 ! -d 10.0.0.10 -j DNAT --to 10.0.0.10
iptables -t nat -I PREROUTING -p udp --dport 53 ! -s 10.0.0.10 ! -d 10.0.0.10 -j DNAT --to 10.0.0.10
iptables -t nat -I POSTROUTING -d 10.0.0.10 -j SNAT --to 10.0.0.1

@Tech Junky yes, as you said in the beginning, I'm trying to prevent the possible loss of performance

Here is what I suggest:

iptables -I INPUT -p tcp -m multiport --dports 443,853 ! -s 10.0.0.10 -d 8.8.8.8 -j REJECT --reject-with icmp-admin-prohibited
iptables -I INPUT -p tcp -m multiport --dports 443,853 ! -s 10.0.0.10 -d 8.8.4.4 -j REJECT --reject-with icmp-admin-prohibited
iptables -t nat -I PREROUTING -p udp --dport 53 -d 111.111.111.111 -j DNAT --to 10.0.0.10:1053
iptables -t nat -I PREROUTING -p tcp --dport 53 ! -s 10.0.0.10 ! -d 10.0.0.10 -j DNAT --to 10.0.0.10
iptables -t nat -I PREROUTING -p udp --dport 53 ! -s 10.0.0.10 ! -d 10.0.0.10 -j DNAT --to 10.0.0.10
iptables -t nat -I POSTROUTING -d 10.0.0.10 -j SNAT --to 10.0.0.1

Using the table filter, chain INPUT instead of the table mangle, chain PREROUTING, to be able to use REJECT.

 

[Jauger]

@HELLO_wORLD , not to highjack someone elses thread here, but can I get you to check my iptables? DNS forward to both my piholes ( 10.0.0.3 & 10.0.04)

iptables -t nat -A PREROUTING -i br0 -d 8.8.8.8/32 -p udp --dport 53 -j DNAT --to-destination 10.0.0.4
iptables -t nat -A PREROUTING -i br0 -d 8.8.4.4/32 -p udp --dport 53 -j DNAT --to-destination 10.0.0.4
iptables -t nat -A POSTROUTING -o br0 -s 10.0.0.4/32 -p udp --sport 53 -j SNAT --to-source 8.8.8.8
iptables -t nat -A POSTROUTING -o br0 -s 10.0.0.4/32 -p udp --sport 53 -j SNAT --to-source 8.8.4.4

iptables -t nat -A PREROUTING -i br0 -d 8.8.8.8/32 -p tcp --dport 53 -j DNAT --to-destination 10.0.0.3
iptables -t nat -A PREROUTING -i br0 -d 8.8.4.4/32 -p tcp --dport 53 -j DNAT --to-destination 10.0.0.3
iptables -t nat -A POSTROUTING -o br0 -s 10.0.0.3/32 -p tcp --sport 53 -j SNAT --to-source 8.8.8.8
iptables -t nat -A POSTROUTING -o br0 -s 10.0.0.3/32 -p tcp --sport 53 -j SNAT --to-source 8.8.4.4

iptables -t nat -A PREROUTING -i br-lan ! -s 10.0.0.3 -p tcp --dport 53 -j DNAT --to 10.0.0.3
iptables -t nat -A PREROUTING -i br-lan ! -s 10.0.0.4 -p udp --dport 53 -j DNAT --to 10.0.0.4
iptables -t nat -A POSTROUTING -j MASQUERADE

iptables -t nat -A PREROUTING -i br-lan ! -s 10.0.0.3 -p tcp --dport 853 -j DNAT --to 10.0.0.3
iptables -t nat -A PREROUTING -i br-lan ! -s 10.0.0.4 -p udp --dport 853 -j DNAT --to 10.0.0.4

iptables -t nat -A PREROUTING -i br0 -d 8.8.8.8/32 -p udp --dport 853 -j DNAT --to-destination 10.0.0.4
iptables -t nat -A PREROUTING -i br0 -d 8.8.4.4/32 -p udp --dport 853 -j DNAT --to-destination 10.0.0.4
iptables -t nat -A POSTROUTING -o br0 -s 10.0.0.4/32 -p udp --sport 853 -j SNAT --to-source 8.8.8.8
iptables -t nat -A POSTROUTING -o br0 -s 10.0.0.4/32 -p udp --sport 853 -j SNAT --to-source 8.8.4.4

iptables -t nat -A PREROUTING -i br0 -d 8.8.8.8/32 -p tcp --dport 853 -j DNAT --to-destination 10.0.0.3
iptables -t nat -A PREROUTING -i br0 -d 8.8.4.4/32 -p tcp --dport 853 -j DNAT --to-destination 10.0.0.3
iptables -t nat -A POSTROUTING -o br0 -s 10.0.0.3/32 -p tcp --sport 853 -j SNAT --to-source 8.8.8.8
iptables -t nat -A POSTROUTING -o br0 -s 10.0.0.3/32 -p tcp --sport 853 -j SNAT --to-source 8.8.4.4

iptables -t mangle -N bolemo_ddos
iptables -t mangle -A PREROUTING -i brwan -j bolemo_ddos
iptables -t mangle -A bolemo_ddos -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -A bolemo_ddos -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
iptables -t mangle -A bolemo_ddos -p icmp -m icmp --icmp-type 8 -m limit --limit 20/sec -j RETURN
iptables -t mangle -A bolemo_ddos -p icmp -m icmp --icmp-type 8 -j DROP
iptables -t mangle -A bolemo_ddos -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
iptables -t mangle -A bolemo_ddos -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
iptables -t mangle -A bolemo_ddos -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10000/sec --limit-burst 100 -j RETURN
iptables -t mangle -A bolemo_ddos -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP


Thanks