How to Use “ipset” to Block IPs from Country

Previously we learned how we can restrict or allow a particular country using GeoIP but in this article, we’ll cover how we can block large IP ranges using ipset module with iptables. IPset is a command line based utility which is used to administer the framework called IP sets inside the Linux kernel. An IP set may store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them in a way, which ensures lightning speed when matching an entry against a set. It is an associative application for the iptables Linux firewall which allows us to setup rules quickly and easily to block a set of IP addresses. Here, we’ll see how we can use ipset module with iptables to block a large ranges of IP addresses in our linux based machine.

Source: How to Use “ipset” to Block IPs from Country (LinOxide)

How to Block IPs from Countries using Iptables Geoip Addons

We’ll learn how we can block traffic originated from specific country IPs using GeoIP database and linux iptables. Iptables is a command based utility program for configuring the linux kernel firewall which is implemented within the Netfilter project. Whereas GeoIP is a collection of IPs corresponding with the geographical locations where the geographical location is mapped with the IP addresses allocated at those specific organization, city, state and countries. The geographical co-ordinates in the GeoIP database are the often near the center of the population so it should not be used to identify a particular address or household. And with the help of a module called xt_geoip consisting in an iptables extension xtables-addon and the GeoIP database, we’ll perform country-based traffic filtering which helps us block or allow the traffic from a specific country.

Source: How to Block IPs from Countries using Iptables Geoip Addons (LinOxide)

Linux iptables Firewall Simplified Examples

In the previous post, we’ve talked about how to Secure Linux Server Using Hardening Best Practices and some people ask me about firewall section which was a brief introduction about iptables firewall. Today we will discuss in detail the Linux iptables firewall and how to secure our servers traffic using that awesome tool.

Source: Linux iptables Firewall Simplified Examples – Like Geeks

Simple IPTables Tricks – Idol Star Astronomer

Securing your linux system using iptables can be a daunting task. There are some utilities that can help, but when it comes to security a deep understanding is often very useful. Fundamentally, iptables are lists of rules, executed in order, to determine if a packet should be accepted, dropped, or forwarded along. It has some very powerful features which can help you defend your services, log potential attacks, and forward traffic between computers as well as between ports on the same computer. I will cover some of the basics below.

Source: Simple IPTables Tricks – Idol Star Astronomer

Install And Configure Arno Iptables On Ubuntu 14.04

Today, we will come to know how we can install and configure arno iptables on Ubuntu 14.04 LTS. This is related to security hardening of your server. A good System Administrator must secure his Linux driven servers. There are many ways we can secure our servers. Setting up a good solid firewall is an essential step to take in securing any modern operating system according to your needs. I will show you how to install & Configure arno iptables On Ubuntu 14.04 LTS for securing your servers.

Source: Install And Configure Arno Iptables On Ubuntu 14.04 (Unixmen)

How to set up an alternate SIP port (other than 5060) using Webmin

One problem that some VoIP users are experiencing these days is that they have trouble connecting to their home Asterisk, FreeSWITCH, YATE, or other software PBX server, but only when using certain ISP’s.  One suspicion is that certain ISP’s that offer their own VoIP or traditional landline service attempt to mess with packets using the common SIP port 5060, hoping customers will think that VoIP is unreliable and will subscribe to the company’s overpriced offering instead (see this thread at BroadbandReports.com).

There are various ways to enable an alternate SIP port on the server (in addition to the usual port 5060) but if you are using Webmin to manage your firewall, here’s an easy way, in just three steps:

Step 1:

If you use Webmin to manage your firewall, then you already know how to get to the Linux Firewall page.  So go there and select the Network Address Translation (nat) table in the dropdown at the top of the page.  Then when the page changes, click the topmost Add Rule button (in the Packets before routing (PREROUTING) section):

SIP Port Forwarding 1

Step 2:

Now you should see this page. The items you need to change are indicated by the red ovals.  The Destination TCP or UDP port is set to 7654 in this example, but don’t use that.  Pick your own unique port; just make sure that it’s not used by anything else on the server already.  And yes, you really do put the alternate SIP port you want to use in the Destination setting; it may not make intuitive sense but that’s just how it is.  Avoid using ports in the range 10000 through 20000 because those are used for RTP traffic, and avoid ports below 1024 because those are protected ports that are reserved by the system.  There are also other ports you should avoid (those used by other software on your system) but if you don’t know how to find ports in use on your system, a bit of time with a search engine will lead you to several pages that show you how to detect already active ports.  It can vary a bit depending on your operating system, and it’s beyond the scope of this article.

SIP traffic is UDP only, not TCP (there may be rare exceptions but most software PBX’s use UDP by default).  If by some very odd chance you are using TCP for SIP traffic (why?!?) then you will need to specify that under the Network Protocol item.  Also, note that the incoming interface is set to eth0 in this example – Webmin will usually show the correct one by default, but you want to select the interface used by incoming SIP traffic if you happen to have more than one.  Don’t forget to click Save when you’re finished.

SIP Port Forwarding 2

Step 3:

After you have saved the page you should be back at the page you came from, and it should now show your new forwarding rule.  If it does, just click Apply Configuration at the bottom of the page to make it active:

SIP Port Forwarding 3One other thing you might need to to is add a rule on the main Linux Firewall page allowing incoming traffic on your selected alternate port, if you have a restrictive firewall that blocks most traffic by default.  Try it first without doing that, but if your clients can’t connect on the alternate port, just be aware that you may need to do that before they will be able to connect.  For more security, you can enable access to your SIP ports only from specific IP addresses, if your remote clients are at fixed IP addresses.

Now you should be able to change the port number on your SIP endpoints from the default 5060 to your alternate port.  Of course I can’t guarantee it will always work, but if you try it and suddenly find that your SIP connections become far more reliable, you might want to leave a comment, and mention the ISP that you suspect might be messing with SIP traffic.

By the way, if you are NOT using Webmin to manage your firewall, and have iptables installed, then all you should need to do is enter these two lines from a command prompt (replace 7654 with your chosen alternate port).  But I strongly caution you NOT to do this if you are using Webmin to manage your firewall:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 7654 -j REDIRECT --to-ports 5060
/etc/init.d/iptables save

Link: 18 Examples to Learn Iptable Rules On CentOS

Iptable is the administration tool for IPv4 packet filtering and NAT. Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined.Each table contains a number of built-in chains and may also contain user-defined chains.Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target’,which may be a jump to a user-defined chain in the same table.

Full article here:
18 Examples to Learn Iptable Rules On CentOS (LinOxide)

Link: How to set up Internet connection sharing with iptables on Linux

In this tutorial, I’ll explain how to share a single Internet connection among multiple devices on Linux. While consumer-grade WiFi routers have become mainstream nowadays, making this problem a non-issue, suppose you don’t have one at home. However, say you have a Linux box already assembled with a modem and a LAN card. The modem is connected to the Internet with a dynamic public IP address, and the LAN card connected to your switch/hub. Other devices (Linux/Windows PC, laptop) are connected to the switch without having any Internet connection. To share the Internet connection of the Linux box, you have to turn the box into a gateway, so that it can relay traffic to and from other devices.

Full article here:
How to set up Internet connection sharing with iptables on Linux (Xmodulo)