Iptables tips

Eric Sauvageau edited this page Feb 15, 2015 · 5 revisions
Clone this wiki locally

Quite a few tricks can be done through the implementation of a few iptable rules either in the firewall-start scripts or the nat-start scripts.

These tricks will require first that you enable the JFFS partition, and then that you put your rules in one of the user scripts (either firewall-start or nat-start, depending on the case).

Allow port forwarding to a service (like RDesktop) only from a specific IP

Let's say you want to create a port forward that will only accept connections from a specific IP (for example, you want to only allow RDesktop connection coming from IP First, make sure you do NOT forward that port on the Virtual server page. Then, use a rule like this inside the nat-start script:

iptables -t nat -I VSERVER 3 -p tcp -m tcp -s --dport 3389 -j DNAT --to

This will forward connections coming from to your PC running RDesktop, on IP

The same method can be used to allow forwarding SSH, FTP, etc... Just adjust the --dport to match the service port you want to forward to.

Configure a port forward with brute force detection

The following nat-start script will create a port forward that will only forward connections if there is no more than a set number of attempts within a period if time. This example will forward SSH to an internal server sitting on, limiting connection attempts at 5 per period of 60 seconds:


logger "firewall" "Applying nat-start rules"
iptables -N SSHVSBFP -t nat
iptables -A SSHVSBFP -t nat -m recent --set --name SSHVS --rsource
iptables -A SSHVSBFP -t nat -m recent --update --seconds 60 --hitcount 5 --name SSHVS --rsource -j RETURN
iptables -A SSHVSBFP -t nat -p tcp --dport 22 -m state --state NEW -j DNAT --to-destination
iptables -I VSERVER -t nat -i eth0 -p tcp --dport 22 -m state --state NEW -j SSHVSBFP

Make sure to remove any existing port forward rule - this script will take care of creating the forward rule.