The Internet is becoming increasingly saturated, partly because of IPv4 address depletion and partly because of the growth of peer-to-peer (P2P) and streaming traffic, driven by improvements in access speed and in the number of access points. All of this aggravates the main problems administrators and users face: attacks, intrusions, unwanted traffic, spam and so on. Dynamic allocation of IP addresses, combined with P2P traffic, translates into a growing number of unwanted packets that, because of that dynamic allocation, reach destinations that were never the intended target of the traffic, causing numerous problems for administrators and users.
For this reason, iptables can be used to detect, control and contain all of that unnecessary traffic.
When working with an iptables configuration, it is important to pay particular attention to the logging (LOG) activity, such as the following information:
The above tells us that some incoming traffic has been dropped.
This type of traffic raises the risk of a covert intrusion or attack attempt camouflaged within the rest of the traffic, so after analysing each case the administrator, or the firewall and network security manager, has to modify the following set of chains and rules.
To understand this setup we must start at the end, because the chains are linked to one another and have to be created in reverse order; otherwise, if a chain refers to another that has not yet been defined, an error is generated.
When a packet arrives on eth0, it is captured by iptables, which checks whether any rule defines an action for it. If none matches, the packet is not welcome and is dropped (the default policy), but all of this traffic is first recorded by the LOG target using the following rule:
Now we have to analyse the traffic.
Once an incoming packet generates a log entry according to the defined rules, a typical message like the one shown above is produced. Unlike most implementations, however, the end of the chain is modified: instead of discarding the traffic, it is sent to the SCAN_ALL chain, which receives all of that traffic and decides what to do with the packet or packets:
Next, a table is created to store the IPs that, according to the defined rules, are marked as possible intrusion attempts, along with the number of packets (or hits) they have caused.
As you can see, the rule creates a table named SCAN_ALL (/proc/net/ipt_recent/SCAN_ALL) and marks an IP with a "hit" as a possible intrusion if it has sent 5 packets within 1 minute.
Subsequently, to assess whether an IP address is a repeat visitor, the following rule looks it up in the intrusion table and checks whether 5 "hits" have been reached within 1 minute. If so, that IP address is treated as a possible source of attacks and is sent to the BAN_ALL chain, which "bans" any packet from that same IP address for 24 hours (or whatever time is configured).
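The chain set described above, as an added example that is not taken from the article: a POSIX shell script that builds BAN_ALL, SCAN_ALL and the INPUT rules with the iptables "recent" match, in the reverse order the text calls for. It assumes eth0 as the interface and the 5-hits-per-minute and 24-hour values from the text, and by default only prints the commands (set IPT=iptables to apply them as root).

```shell
#!/bin/sh
# Added example (not the article's own rule set). Dry run by default:
# IPT="echo iptables" prints the commands; export IPT=iptables to apply them as root.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"       # assumed interface, as in the article
HITS=5                       # packets per window before a source is banned
WINDOW=60                    # window in seconds (1 minute)
BAN_SECONDS=86400            # ban length: 24 hours

build_chains() {
    # Chains are created last-to-first so every -j target already exists when referenced.

    # BAN_ALL: record the source in the BAN_ALL list, log once, drop.
    $IPT -N BAN_ALL
    $IPT -A BAN_ALL -m recent --name BAN_ALL --set
    $IPT -A BAN_ALL -j LOG --log-prefix "BAN_ALL: " --log-level 4
    $IPT -A BAN_ALL -j DROP

    # SCAN_ALL: every packet handed here gets a "hit" in the SCAN_ALL list
    # (exposed under /proc/net/xt_recent/ on current kernels, ipt_recent on older ones).
    $IPT -N SCAN_ALL
    $IPT -A SCAN_ALL -m recent --name SCAN_ALL --set
    # The source reached HITS hits within WINDOW seconds: hand it to BAN_ALL.
    $IPT -A SCAN_ALL -m recent --name SCAN_ALL --update --seconds "$WINDOW" \
        --hitcount "$HITS" -j BAN_ALL
    $IPT -A SCAN_ALL -j DROP

    # INPUT: banned sources are dropped silently for BAN_SECONDS after they were listed
    # (--rcheck does not refresh the timestamp, so the ban expires on its own).
    $IPT -A INPUT -i "$IFACE" -m recent --name BAN_ALL --rcheck \
        --seconds "$BAN_SECONDS" -j DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything not accepted above is logged and then scored by SCAN_ALL instead of a bare DROP.
    $IPT -A INPUT -i "$IFACE" -j LOG --log-prefix "IPTABLES DROP: " --log-level 4
    $IPT -A INPUT -i "$IFACE" -j SCAN_ALL
    # Default policy set last, so the accept rules are already in place when it takes effect.
    $IPT -P INPUT DROP
}

build_chains
```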
It is possible that this set of rules and chains will restrict any IP that sends 25 packets per minute. Such IPs should be considered possible intrusions, attacks or scans, and it is recommended that they be blocked.
This article has taken a generic route covering all protocols and all discards, without distinguishing whether the packets are malformed, invalid, ICMP, flood, etc. In addition to the rules above, similar statements could be added to separate the different kinds of visiting IPs into different tables.