Monday, September 3, 2012

Linux: Iptables Examples For New SysAdmins Part -->3


Before reading this post, please read my previous post (Linux: Iptables Examples For New SysAdmins Part -->2).


#12: Log and Drop Packets

 

Type the following to log and then drop packets with spoofed private source addresses (10.0.0.0/8) arriving on the public interface called eth1. The LOG rule must come before the DROP rule, because DROP ends rule processing for the packet:

# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "

# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP


By default everything is logged to the /var/log/messages file, and the entries carry the prefix given to --log-prefix:

# tail -f /var/log/messages

# grep --color 'IP_SPOOF' /var/log/messages

 

#13: Log and Drop Packets with Limited Number of Log Entries

 

The -m limit module caps the number of log entries created per unit of time, which prevents an attacker from flooding your log file. To log spoofed packets at a rate of 5 per minute (--limit 5/m), allowing an initial burst of at most 7 entries (--limit-burst 7), and then drop them:

# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "

# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
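The LOG rules in #12 and #13 only pay off if somebody reads what they produce. The following script is an added example and not part of the original post: it summarises kernel LOG lines that carry the "IP_SPOOF A: " prefix, counting logged packets per source address and per protocol/destination port. The log lines it parses are constructed to look like real netfilter LOG output; on a server you would feed it /var/log/messages (or `journalctl -k`) instead. With the -m limit rule from #13 in place, the counts are a lower bound, since entries beyond the rate limit are never written.

```shell
#!/bin/sh
# Added example (not from the original post): summarise netfilter LOG entries
# written by the "IP_SPOOF A: " rules. The SAMPLE_LOG lines are constructed;
# on a real host pass /var/log/messages as the file argument instead.

SAMPLE_LOG='Sep  3 10:01:02 fw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:52:54:00:12:34:56:08:00 SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep  3 10:01:03 fw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:52:54:00:12:34:56:08:00 SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep  3 10:01:05 fw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:52:54:00:12:34:56:08:00 SRC=10.9.8.7 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=777 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Sep  3 10:01:06 fw sshd[2211]: Accepted publickey for admin from 198.51.100.5 port 51000 ssh2'

# spoof_summary PREFIX [FILE]: logged packets per source address for entries
# that carry PREFIX; reads stdin when no file is given.
# Output: one "count src" line per source, highest count first.
spoof_summary() {
    prefix=$1
    shift
    grep -F -- "$prefix" "$@" \
    | awk '{ for (i = 1; i <= NF; i++)
                 if (substr($i, 1, 4) == "SRC=") n[substr($i, 5)]++ }
           END { for (s in n) print n[s], s }' \
    | sort -rn
}

# spoof_ports PREFIX [FILE]: logged packets per protocol and destination port
# ("-" for protocols without ports, such as ICMP), highest count first.
spoof_ports() {
    prefix=$1
    shift
    grep -F -- "$prefix" "$@" \
    | awk '{ proto = "?"; dpt = "-"
             for (i = 1; i <= NF; i++) {
                 if (substr($i, 1, 6) == "PROTO=") proto = substr($i, 7)
                 if (substr($i, 1, 4) == "DPT=") dpt = substr($i, 5)
             }
             n[proto " " dpt]++ }
           END { for (k in n) print n[k], k }' \
    | sort -rn
}

# Demo on the constructed sample; the sshd line is ignored because it lacks the prefix
printf '%s\n' "$SAMPLE_LOG" | spoof_summary "IP_SPOOF A:"
printf '%s\n' "$SAMPLE_LOG" | spoof_ports "IP_SPOOF A:"
```

Pass the prefix exactly as configured in the LOG rule (with the underscore); the grep in the functions is a fixed-string match, so a typo such as 'IP SPOOF' silently matches nothing.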

 

#14: Drop or Accept Traffic From Mac Address

Use the following syntax:

# iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

## only accept traffic for TCP port 22 from mac 00:0F:EA:91:04:07 ##

# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

 

#15: Block or Allow ICMP Ping Request

 

Type the following command to block ICMP ping requests:

# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

Ping replies can also be limited to certain networks or hosts (with a default DROP policy, only the listed sources get an answer):

# iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT

The following accepts only a limited set of ICMP types:

### ** assumed that default INPUT policy set to DROP ** #############

iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

## ** allow our server to respond to pings ** ##

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

 

#16: Open Range of Ports

 

Use the following syntax to open a range of ports:

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

 

#17: Open Range of IP Addresses

 

Use the following syntax to open a range of IP addresses:

## only accept connections to tcp port 80 (Apache) if the source ip is between 192.168.1.100 and 192.168.1.200 ##

iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

## nat example ##

iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25

 

#18: Established Connections and Restarting The Firewall

 

When you restart the iptables service under RHEL / Fedora / CentOS Linux, it drops established connections because it unloads the netfilter modules from the kernel. Edit /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows:

IPTABLES_MODULES_UNLOAD="no"

 

#19: Help Iptables Flooding My Server Screen

 

Use the crit log level so that messages go to a log file instead of the console (which priorities also reach the console depends on the kernel console log level and your syslog configuration):

iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit

 

#20: Block or Open Common Ports

 

The following shows the syntax for opening and closing common TCP and UDP ports. Replace ACCEPT with DROP to block a port:

## open ssh tcp port 22 ##
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

## open cups (printing service) udp/tcp port 631 for LAN users ##
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

## allow time sync via NTP for lan users (open udp port 123) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

## open tcp port 25 (smtp) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

## open dns server ports for all ##
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

## open http/https (Apache) server ports to all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

## open tcp port 110 (pop3) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

## open access to Samba file server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

## open access to proxy server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT

## open access to mysql server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT

 

#21: Restrict the Number of Parallel Connections To a Server Per Client IP

 

You can use the connlimit module to impose such restrictions. To allow at most 3 ssh connections per client host, enter:

# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

To limit HTTP connections to 20 per /24 network:

# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP

Where,
  1. --connlimit-above 3 : Match if the number of existing connections is above 3.
  2. --connlimit-mask 24 : Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32.
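What "group hosts using the prefix length" means in practice is easier to see with numbers. The script below is an added example, not code from the original post: it takes a constructed list of client addresses (one line per open connection), masks each address to the requested prefix length the way --connlimit-mask does, counts connections per resulting group, and reports the groups that --connlimit-above would match. The function names (prefix_of, connections_per_group, over_limit) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): illustrate --connlimit-mask by
# grouping client addresses by prefix length and counting connections per
# group, which is the number connlimit compares against --connlimit-above.
# CLIENTS is a constructed snapshot: one line per open connection.

CLIENTS='203.0.113.5
203.0.113.6
203.0.113.200
198.51.100.1
198.51.100.1
203.0.113.5'

# ip4_to_int A.B.C.D: print the address as a 32-bit integer
ip4_to_int() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 N: inverse of ip4_to_int
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_of ADDR LEN: the network address ADDR falls into for a /LEN grouping
# (LEN 32 counts every host alone, LEN 0 puts everyone in one group)
prefix_of() {
    len=$2
    if [ "$len" -lt 0 ] || [ "$len" -gt 32 ]; then
        echo "prefix length must be 0..32, got $len" >&2
        return 1
    fi
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    fi
    int_to_ip4 $(( $(ip4_to_int "$1") & mask ))
}

# connections_per_group LEN [FILE]: "count prefix" per group, largest first;
# addresses are read one per line from FILE or from stdin
connections_per_group() {
    len=$1
    shift
    cat "$@" | while read -r ip; do
        [ -n "$ip" ] && prefix_of "$ip" "$len"
    done | awk '{ n[$1]++ } END { for (p in n) print n[p], p }' | sort -rn
}

# over_limit LEN ABOVE [FILE]: the groups a rule with --connlimit-mask LEN
# --connlimit-above ABOVE would match
over_limit() {
    len=$1
    above=$2
    shift 2
    connections_per_group "$len" "$@" | awk -v above="$above" '$1 > above { print $2 }'
}

# Demo: with mask 24 and limit 3, the 203.0.113.0/24 group (4 connections) is over
printf '%s\n' "$CLIENTS" | over_limit 24 3
```

With mask 32 the same list has no host above 3 connections, so the /24 rule from the text blocks a whole office NAT or a hosting block as one client, which is the trade-off to keep in mind when choosing the mask.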

 

#22: How To: Use iptables Like a Pro

 

For more information about iptables, please see the manual page by typing man iptables from the command line:

$ man iptables

You can see the help using the following syntax too:

# iptables -h

To see help with specific commands and targets, enter:

# iptables -j DROP -h

 

#22.1: Testing Your Firewall


To find out which ports are open, enter:

# netstat -tulpn

To find out whether tcp port 80 is open, enter:

# netstat -tulpn | grep :80

If port 80 is not open, start Apache:

# service httpd start

Make sure iptables is allowing access to port 80:

# iptables -L INPUT -v -n | grep 80

Otherwise, open port 80 for all users with iptables:

# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# service iptables save

Use the telnet command to see whether the firewall allows connections to port 80:

$ telnet www.example.org 80

Sample outputs:

Trying 75.126.153.206...
Connected to www.example.org.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

You can use nmap to probe your own server using the following syntax:

$ nmap -sS -p 80 www.example.org

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-13 13:19 IST
Interesting ports on www.example.org (75.126.153.206):
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds

I also recommend that you install and use a sniffer such as tcpdump or ngrep to test your firewall settings.
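The `iptables -L INPUT -v -n | grep 80` check above is a loose one: the bare number also matches packet and byte counters and ports such as 8080, so a rule for the wrong port (or no rule at all) can look like a hit. The script below is an added example, not part of the original post: it parses the columns of the -L -v -n listing, walks the rules in order as the kernel would, and reports the target of the first rule whose protocol and destination port (single dpt: or a dpts: range, as in #16) match, or the chain policy when nothing matches. The listing it reads is constructed to look like that command's output; on a real host pipe the live listing in (needs root). The function names port_verdict and naive_matches are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether the INPUT chain
# accepts a given TCP/UDP destination port by parsing "iptables -L INPUT -v -n"
# output column by column instead of grepping for the bare port number.
# SAMPLE_LISTING is constructed to mimic that command's output.

SAMPLE_LISTING='Chain INPUT (policy DROP 15 packets, 1080 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2880 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            state NEW tcp dpt:22
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
  100 80000 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    5   300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:7000:7010
   80  4800 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80'

# port_verdict PROTO PORT [FILE]: print "TARGET SOURCE" for the first rule
# whose protocol (or "all") and destination port match; rules are evaluated
# top to bottom, so the first match decides. With no match, print
# "POLICY <chain policy>". Reads the listing from FILE or stdin.
port_verdict() {
    proto=$1
    port=$2
    shift 2
    cat "$@" | awk -v proto="$proto" -v port="$port" '
        /^Chain / { policy = $4 }
        # rule rows start with a packet counter (iptables abbreviates large ones as 12K, 3M, ...)
        $1 ~ /^[0-9]+[KMG]?$/ && ($4 == proto || $4 == "all") {
            hit = 1                      # no port restriction seen yet
            for (i = 10; i <= NF; i++) {
                if (substr($i, 1, 4) == "dpt:") {
                    hit = ($i == ("dpt:" port))
                } else if (substr($i, 1, 5) == "dpts:") {
                    split(substr($i, 6), r, ":")
                    hit = (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0)
                }
            }
            if (hit) { print $3, $8; found = 1; exit }
        }
        END { if (!found) print "POLICY", policy }'
}

# naive_matches PORT [FILE]: how many listing lines the bare grep from the text hits
naive_matches() {
    port=$1
    shift
    cat "$@" | grep -c -- "$port"
}

# Demo on the constructed listing
printf '%s\n' "$SAMPLE_LISTING" | port_verdict tcp 80
printf '%s\n' "$SAMPLE_LISTING" | port_verdict tcp 443
printf '%s\n' "$SAMPLE_LISTING" | naive_matches 80
```

On the sample, `grep 80` reports five lines (counters, the 8080 rule and the real one), while port_verdict returns the single rule that applies. The source column it prints matters: an ACCEPT restricted to 192.168.1.0/24 does not make the port reachable from the Internet. Other match extensions on a rule (state, mac, iprange) are not evaluated, so read the printed rule rather than trusting the verdict blindly.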
