Monday, September 3, 2012

Linux: Iptables Examples For New SysAdmins Part -->2


Before reading this post, please read my previous post (Linux: Iptables Examples For New SysAdmins Part -->1).

#3: Delete Firewall Rules

To display line numbers along with the other information for existing rules, enter:

# iptables -L INPUT  -n --line-numbers
# iptables -L OUTPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers | less
# iptables -L OUTPUT -n --line-numbers | grep 192.0.43.10


You will get the list of rules with their IP addresses. Look at the number on the left, then use that number to delete the rule. For example, to delete rule number 4, enter:
# iptables -D INPUT 4

OR find the rule with source IP 192.0.43.10 and delete it by giving the exact rule specification:
# iptables -D INPUT -s 192.0.43.10 -j DROP

Where,
* -D : Delete one or more rules from the selected chain

#4: Insert Firewall Rules

To insert one or more rules in the selected chain at the given rule number, use the following syntax. First find out the line numbers, enter:


# iptables -L INPUT -n --line-numbers

Sample outputs:
Chain INPUT (policy DROP)
num  target     prot opt source          destination
1    DROP       all  --  192.0.43.10     0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0       0.0.0.0/0   state NEW,ESTABLISHED 

To insert a rule between 1 and 2, enter:
# iptables -I INPUT 2 -s 192.0.43.10 -j DROP

To view updated rules, enter:
# iptables -L INPUT -n --line-numbers

Sample outputs:
Chain INPUT (policy DROP)
num  target     prot opt source          destination
1    DROP       all  --  192.0.43.10     0.0.0.0/0
2    DROP       all  --  192.0.43.10     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0       0.0.0.0/0   state NEW,ESTABLISHED
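Deleting by rule number has a catch: once rule 1 is gone, the old rule 2 becomes rule 1, so removing several matches must go from the highest number down. The following is an added example, not part of the original post; it parses the "--line-numbers" listing above (embedded here as a constructed sample) and emits the delete commands in the safe order.

```shell
#!/bin/sh
# Added example (not from the original post): find every INPUT rule whose
# source column matches an address and delete them highest rule number first,
# so earlier deletions do not renumber the rules still waiting to be removed.

# Constructed sample: the listing shown under #4 after the duplicate insert.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source          destination
1    DROP       all  --  192.0.43.10     0.0.0.0/0
2    DROP       all  --  192.0.43.10     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0       0.0.0.0/0   state NEW,ESTABLISHED'

# Print the rule numbers (column 1) whose source column (5) equals $2,
# highest first.  $1 is the listing text; on a live box feed it the
# output of "iptables -L INPUT -n --line-numbers".
rule_numbers_for_source() {
    printf '%s\n' "$1" |
        awk -v ip="$2" '$1 ~ /^[0-9]+$/ && $5 == ip { print $1 }' |
        sort -rn
}

# Print (DRY_RUN=1, the default) or run the matching delete commands.
# $3 is the chain, INPUT unless given.
delete_rules_for_source() {
    listing=$1; ip=$2; chain=${3:-INPUT}
    for n in $(rule_numbers_for_source "$listing" "$ip"); do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "iptables -D $chain $n"
        else
            iptables -D "$chain" "$n"
        fi
    done
}

# Usage against a live listing (as root, DRY_RUN=0 to really delete):
#   delete_rules_for_source "$(iptables -L INPUT -n --line-numbers)" 192.0.43.10
delete_rules_for_source "$SAMPLE_LISTING" 192.0.43.10
```

With the sample listing this prints "iptables -D INPUT 2" before "iptables -D INPUT 1"; run it as root with DRY_RUN=0 to apply.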

#5: Save Firewall Rules

To save firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables save

In this example, drop an IP and save firewall rules:
# iptables -A INPUT -s 192.0.43.10 -j DROP
# service iptables save

For all other distros use the iptables-save command:
# iptables-save > /root/my.active.firewall.rules
# cat /root/my.active.firewall.rules

#6: Restore Firewall Rules

To restore firewall rules from a file called /root/my.active.firewall.rules, enter:
# iptables-restore < /root/my.active.firewall.rules

To restore firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables restart

#7: Set the Default Firewall Policies

To drop all traffic:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -L -v -n

#### you will not be able to connect anywhere as all traffic is dropped ###

# ping example.org
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

#7.1: Only Block Incoming Traffic

To drop all new incoming / forwarded connections, but allow outgoing traffic and the replies to it, enter:
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -L -v -n

### *** now ping and wget should work *** ###

# ping example.org
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

#8: Drop Private Network Address On Public Interface

Anti-spoofing here simply means dropping packets that arrive on your public interface with a source address in the IPv4 ranges reserved for private networks, since no legitimate packet from the Internet can carry such a source. Packets with non-routable source addresses should be rejected using the following syntax:

# iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

#8.1: IPv4 Address Ranges for Private Networks (make sure you block them on public interface)

* 10.0.0.0/8 (A)
* 172.16.0.0/12 (B)
* 192.168.0.0/16 (C)
* 224.0.0.0/4 (MULTICAST D)
* 240.0.0.0/5 (E)
* 127.0.0.0/8 (LOOPBACK)
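Rather than typing one "iptables -A" per range, the whole list can be loaded in one atomic step with iptables-restore and kept in the same file you save with iptables-save (#5, #6). This is an added example, not from the original post; it assumes the public interface is eth1 as in the post and uses the ranges exactly as listed above.

```shell
#!/bin/sh
# Added example (not from the original post): build the anti-spoofing rules
# for the private ranges listed in #8.1 as an iptables-restore fragment, so
# they are loaded atomically instead of via six separate "iptables -A" calls.

# Ranges from #8.1, as given in the post.
PRIVATE_RANGES='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5 127.0.0.0/8'

# Print a filter-table fragment that drops packets arriving on the public
# interface $1 (eth1 if not given) with a source in any of the ranges.
# The rules use -A, so they land after anything already in INPUT; if an
# earlier rule already ACCEPTs such traffic (e.g. the state rule in #7.1),
# put these first with -I instead or they will never be reached.
antispoof_rules() {
    iface=${1:-eth1}
    echo '*filter'
    for net in $PRIVATE_RANGES; do
        echo "-A INPUT -i $iface -s $net -j DROP"
    done
    echo 'COMMIT'
}

# Sanity check: number of DROP rules in the generated fragment.
count_drop_rules() {
    antispoof_rules "$1" | grep -c -- '-j DROP'
}

# To apply as root without flushing the rules already loaded:
#   antispoof_rules eth1 | iptables-restore --noflush
antispoof_rules eth1
```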

#9: Blocking an IP Address (BLOCK IP)

To block an attacker's IP address, 1.2.3.4, enter:
# iptables -A INPUT -s 1.2.3.4 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -j DROP

#10: Block Incoming Port Requests (BLOCK PORT)

To block all service requests on port 80, enter:
# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

To block port 80 only for the IP address 1.2.3.4, enter:
# iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

#11: Block Outgoing IP Address

To block outgoing traffic to a particular host or domain such as example.org, enter:
# host -t a example.org

Sample outputs:
example.org has address 192.0.43.10

Note down its IP address and type the following to block all outgoing traffic to 192.0.43.10:

# iptables -A OUTPUT -d 192.0.43.10 -j DROP

You can use a subnet as follows:
# iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
# iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP

#11.1: Example - Block Facebook.com Domain

First, find out all IP addresses of facebook.com, enter:

# host -t a www.facebook.com

Sample outputs:
www.facebook.com has address 69.171.228.70

Find the CIDR block for 69.171.228.70, enter:

# whois 69.171.228.70 | grep CIDR

Sample outputs:
CIDR:           69.171.224.0/19

To prevent outgoing access to www.facebook.com, enter:

# iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP

You can also use a domain name, enter:
# iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP

# iptables -A OUTPUT -p tcp -d facebook.com -j DROP

From the iptables man page:
... specifying any name to be resolved with a remote query such as DNS (e.g., facebook.com is a really bad idea), a network IP address (with /mask), or a plain IP address ...
