#7: Set the Default Firewall Policies
To drop all traffic:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -L -v -n
### you will not be able to connect anywhere as all traffic is dropped ###
# ping cyberciti.biz
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2
Do this from the console, not over SSH: the DROP policy applies to the session you are logged in on the moment it is set, unless an ACCEPT rule that matches that session already exists in the INPUT chain.
#7.1: Only Block Incoming Traffic
To drop all incoming / forwarded packets, but allow outgoing traffic and the replies to it, enter:
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -L -v -n
### *** now ping and wget should work *** ###
# ping cyberciti.biz
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2
The state rule must match ESTABLISHED,RELATED only. A rule written with --state NEW,ESTABLISHED accepts every new inbound connection as well, which silently cancels the INPUT DROP policy.
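A complete default-deny baseline in the order the two sections above build it, as an added example that is not from the original article. It assumes the public interface is eth1 and that the administrator arrives over SSH on tcp/22 (both hypothetical), and it only prints the iptables commands unless IPT=iptables is set, so the rule set can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: public interface
# eth1, admin access over SSH tcp/22. Prints commands unless IPT=iptables.
IPT="${IPT:-echo iptables}"
PUBIF="${PUBIF:-eth1}"

baseline_rules() {
    # Start from a clean chain so the script can be re-run safely.
    $IPT -F INPUT
    $IPT -X
    # 1. Loopback: local services (resolvers, databases, monitoring) talk
    #    over lo and must not be caught by the DROP policy.
    $IPT -A INPUT -i lo -j ACCEPT
    # 2. Replies to our own outbound traffic plus related packets (ICMP
    #    errors, FTP data). ESTABLISHED,RELATED only: NEW here would accept
    #    every inbound connection attempt and cancel the DROP policy below.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Keep the admin's door open before the policy is tightened.
    $IPT -A INPUT -i "$PUBIF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # 4. ICMP that path MTU discovery and traceroute depend on; echo-request
    #    is rate-limited so the box still answers ping but not an unlimited flood.
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # 5. Policies last, after the ACCEPT rules exist, so there is no window
    #    in which the SSH session is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# How many rules admit NEW inbound connections? After the baseline it should
# be exactly one (SSH); every extra service is a deliberate addition.
count_new_accepts() {
    baseline_rules | grep -c -- '--state NEW.*-j ACCEPT'
}

baseline_rules
```

Run it as IPT=iptables PUBIF=eth1 sh baseline.sh from the console, and while testing keep a second terminal running sleep 120; iptables -P INPUT ACCEPT as a rollback in case a rule is wrong.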
#8: Drop Private Network Address On Public Interface
Anti-spoofing here means dropping packets that arrive on your public interface with a source address from a private or otherwise non-routable IPv4 range: no legitimate Internet host has such an address, so the packet is forged or misrouted. Drop them with the following syntax (eth1 is the public interface):
# iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
#8.1: IPv4 Address Ranges For Private Networks (make sure you block them on public interface)
- 10.0.0.0/8 (A)
- 172.16.0.0/12 (B)
- 192.168.0.0/16 (C)
- 224.0.0.0/4 (MULTICAST D)
- 240.0.0.0/4 (E, reserved)
- 127.0.0.0/8 (LOOPBACK)
Do not put these rules on an interface that legitimately carries one of these ranges (a LAN interface, a VPN tunnel, or a cloud instance whose own address is an RFC 1918 one); they belong on the public side only.
#9: Blocking an IP Address (BLOCK IP)
To block an attacker's IP address such as 1.2.3.4, enter:
# iptables -A INPUT -s 1.2.3.4 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -j DROP
-A appends the rule at the end of the chain. If an earlier rule already accepts the traffic (for example the ESTABLISHED,RELATED rule from #7.1, which keeps the attacker's existing connections alive), the DROP is never reached; use -I INPUT instead to put it at the top.
#10: Block Incoming Port Requests (BLOCK PORT)
To block all service requests on port 80, enter:
# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
To block port 80 only for an IP address 1.2.3.4, enter:
# iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP
#11: Block Outgoing IP Address
To block outgoing traffic to a particular host or domain such as cyberciti.biz, first resolve it:
# host -t a cyberciti.biz
Sample outputs:
cyberciti.biz has address 75.126.153.206
Note down its IP address and type the following to block all outgoing traffic to 75.126.153.206:
# iptables -A OUTPUT -d 75.126.153.206 -j DROP
You can use a subnet as follows:
# iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
# iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP
#11.1: Example - Block Facebook.com Domain
First, find out all IP addresses of facebook.com, enter:
# host -t a www.facebook.com
Sample outputs:
www.facebook.com has address 69.171.228.40
Find the CIDR block for 69.171.228.40, enter:
# whois 69.171.228.40 | grep CIDR
Sample outputs:
CIDR: 69.171.224.0/19
To prevent outgoing access to www.facebook.com, enter:
# iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP
You can also use a domain name, but iptables resolves it only once, when the rule is added, and installs one rule per address returned at that moment; addresses handed out later or by a different resolver are not covered, and loading the ruleset fails while DNS is unavailable:
# iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
# iptables -A OUTPUT -p tcp -d facebook.com -j DROP
From the iptables man page:
... specifying any name to be resolved with a remote query such as DNS (e.g., facebook.com is a really bad idea), a network IP address (with /mask), or a plain IP address ...
Blocking the whois CIDR is the more reliable of the two. Note that -p tcp leaves UDP and ICMP to that network unblocked.
#12: Log and Drop Packets
Type the following to log and block IP spoofing on the public interface called eth1:
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
The LOG target does not terminate rule processing, so the DROP rule with the same match must follow it. On RHEL / CentOS the kernel messages land in /var/log/messages (on Debian / Ubuntu in /var/log/kern.log; on journald systems read them with journalctl -k):
# tail -f /var/log/messages
# grep --color 'IP_SPOOF' /var/log/messages
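Grepping for the prefix shows that something matched; to see who and what, the log lines have to be parsed. The following is an added example, not from the original article: it uses constructed sample lines in the format the kernel emits for the LOG target (KEY=VALUE fields after the prefix) and an awk pass that counts hits per source address and destination port. The hostname srv and the addresses in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the original article. SAMPLE_LOG is constructed
# test data in netfilter LOG / syslog format; real input comes from
# /var/log/messages, /var/log/kern.log or journalctl -k.
SAMPLE_LOG='Dec 13 13:19:01 srv kernel: IP_SPOOF A: IN=eth1 OUT= SRC=10.1.2.3 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=43210 DPT=22 SYN
Dec 13 13:19:02 srv kernel: IP_SPOOF A: IN=eth1 OUT= SRC=10.1.2.3 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=43211 DPT=22 SYN
Dec 13 13:19:05 srv kernel: IP_SPOOF C: IN=eth1 OUT= SRC=192.168.77.9 DST=203.0.113.10 LEN=44 PROTO=UDP SPT=5000 DPT=53
Dec 13 13:19:06 srv sshd[2211]: Accepted publickey for admin from 203.0.113.42 port 55122 ssh2
Dec 13 13:19:09 srv kernel: IP_SPOOF A: IN=eth1 OUT= SRC=10.9.9.9 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=1025 DPT=80 SYN'

# spoof_summary: read log lines on stdin, keep only the IP_SPOOF entries and
# print "count src proto:dport", most frequent first. The KEY=VALUE fields are
# picked up by name so column positions (MAC= present or not) do not matter.
spoof_summary() {
    awk '
    /kernel: IP_SPOOF/ {
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") n[src " " proto ":" dpt]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

# top_spoofer: the single most frequently seen forged source address,
# a candidate for a permanent DROP rule or a firewall ticket.
top_spoofer() {
    spoof_summary | head -n 1 | awk '{print $2}'
}

printf '%s\n' "$SAMPLE_LOG" | spoof_summary
```

On a live system run spoof_summary < /var/log/messages; because the LOG rule in #13 is rate-limited, the counts are a lower bound on the number of packets actually dropped.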
#13: Log and Drop Packets with Limited Number of Log Entries
The -m limit module can limit the number of log entries created per unit of time. This is used to stop an attacker from flooding your log file (and your disk) with one line per spoofed packet. To log at most 5 entries per minute, allowing an initial burst of 7, and drop every matching packet:
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
Only the LOG rule is rate-limited; the DROP rule has no limit, so packets beyond the logging budget are still dropped.
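The following added example (not from the original article) generates the rate-limited LOG-then-DROP pair from #12 and #13 for every range listed in #8.1, plus the link-local range 169.254.0.0/16, with the range letter carried in the log prefix so the log shows which range matched. It assumes eth1 is the public interface and prints the commands unless IPT=iptables is set; in the dry run the shell quoting around the prefix is not shown.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the public interface
# is eth1; prints the commands unless IPT=iptables is set.
IPT="${IPT:-echo iptables}"
PUBIF="${PUBIF:-eth1}"

# Non-routable source ranges that must never arrive on a public interface.
# The label ends up in the log prefix ("IP_SPOOF A: ").
BOGONS='10.0.0.0/8 A
172.16.0.0/12 B
192.168.0.0/16 C
224.0.0.0/4 D
240.0.0.0/4 E
127.0.0.0/8 LOOPBACK
169.254.0.0/16 LINKLOCAL'

# antispoof_rules: for every range emit a rate-limited LOG rule followed by
# an unlimited DROP rule. 5 entries/minute with a burst of 7 per range keeps
# a spoofed flood from filling the disk while still recording that it happened.
antispoof_rules() {
    printf '%s\n' "$BOGONS" | while read -r net label; do
        [ -n "$net" ] || continue
        $IPT -A INPUT -i "$PUBIF" -s "$net" -m limit --limit 5/m --limit-burst 7 \
            -j LOG --log-prefix "IP_SPOOF $label: "
        $IPT -A INPUT -i "$PUBIF" -s "$net" -j DROP
    done
}

antispoof_rules
```

Insert these rules before any ACCEPT rule for the public interface, and consider also enabling the kernel's reverse-path filter (sysctl net.ipv4.conf.all.rp_filter=1), which drops packets whose source address would not be routed back out the interface they came in on.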
#14: Drop or Accept Traffic From Mac Address
Use the following syntax:
# iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
## * only accept traffic for TCP port 22 from mac 00:0F:EA:91:04:07 * ##
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
The mac match sees only the source MAC of the last hop on the local segment, so it says nothing about traffic that has crossed a router, and a sender can change its MAC address at will; treat it as a convenience, not as authentication.
#15: Block or Allow ICMP Ping Request
Type the following command to block ICMP ping requests:
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
Ping responses can also be limited to certain networks or hosts:
# iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
The following only accepts a limited set of ICMP types; destination-unreachable and time-exceeded are needed for path MTU discovery and traceroute to keep working:
### ** assumed that default INPUT policy set to DROP ** ###
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
## ** allow our server to respond to pings ** ##
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
#16: Open Range of Ports
Use the following syntax to open a range of ports:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT
#17: Open Range of IP Addresses
Use the following syntax to open a range of IP addresses:
## only accept connection to tcp port 80 (Apache) if ip is between 192.168.1.100 and 192.168.1.200 ##
iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
## nat example ##
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25
#18: Established Connections and Restarting The Firewall
When you restart the iptables service on RHEL / Fedora / CentOS Linux it unloads the netfilter modules, which throws away the connection-tracking table, so every established connection (your SSH session included) has to pass the fresh rules as NEW. Edit /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows (no spaces around the equals sign; the file is sourced by the shell):
IPTABLES_MODULES_UNLOAD=no
#19: Help! Iptables Is Flooding My Server Screen
The --log-level option of the LOG target sets the syslog priority of the message, for example:
iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit
Whether kernel messages are also printed on the console is decided by the kernel's console log level, not by the LOG target: lower it with dmesg -n 1 (or the kernel.printk sysctl) so the messages go only to syslog and its log file. Combine this with the -m limit rate limiting from #13, otherwise the log file fills up instead of the screen.
#20: Block or Open Common Ports
The following shows syntax for opening and closing common TCP and UDP ports. Replace ACCEPT with DROP to block a port:
## open ssh tcp port 22 ##
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
## open cups (printing service) udp/tcp port 631 for LAN users ##
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
## allow time sync via NTP for LAN users (open udp port 123) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT
## open tcp port 25 (smtp) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
## open dns server ports for all ##
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
## open http/https (Apache) server ports to all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
## open tcp port 110 (pop3) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
## open access to Samba file server for LAN users only (NetBIOS name and datagram services on 137/138 are UDP) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
## open access to proxy server for LAN users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT
## open access to mysql server for LAN users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT
These rules only work together with the ESTABLISHED,RELATED rule from #7.1, which lets the rest of each accepted connection through.
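A table-driven version of the list above, as an added example that is not part of the original article: each service is one line of name, protocol, port and allowed source, and every entry is validated before a rule is emitted so a typo in the table cannot open the wrong port or fail silently. The table, the LAN 192.168.1.0/24 and the dry-run default are assumptions; set IPT=iptables to apply.

```shell
#!/bin/sh
# Added example, not from the original article. The service table and the
# LAN range are assumptions; prints the commands unless IPT=iptables is set.
IPT="${IPT:-echo iptables}"
LAN="${LAN:-192.168.1.0/24}"

# Constructed table: name protocol port allowed-source ("any" = everyone).
SERVICES="ssh tcp 22 any
cups udp 631 $LAN
cups tcp 631 $LAN
ntp udp 123 $LAN
smtp tcp 25 any
dns udp 53 any
dns tcp 53 any
http tcp 80 any
https tcp 443 any
nbname udp 137 $LAN
nbdgram udp 138 $LAN
nbsession tcp 139 $LAN
smb tcp 445 $LAN
squid tcp 3128 $LAN
mysql tcp 3306 $LAN"

# service_rule NAME PROTO PORT SOURCE: print one ACCEPT rule for NEW
# connections, or complain on stderr and return 1 for a malformed entry.
service_rule() {
    name=$1 proto=$2 port=$3 src=$4
    case $proto in
        tcp|udp) ;;
        *) echo "bad protocol for $name: '$proto'" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port for $name: '$port'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range for $name: $port" >&2; return 1; }
    [ -n "$src" ] || { echo "missing source for $name" >&2; return 1; }
    if [ "$src" = any ]; then
        $IPT -A INPUT -m state --state NEW -p "$proto" --dport "$port" -j ACCEPT
    else
        $IPT -A INPUT -s "$src" -m state --state NEW -p "$proto" --dport "$port" -j ACCEPT
    fi
}

# service_rules: emit the whole table. Uses a here-document rather than a
# pipe so the failure flag survives (a piped while loop runs in a subshell).
service_rules() {
    rc=0
    while read -r name proto port src; do
        [ -n "$name" ] || continue
        service_rule "$name" "$proto" "$port" "$src" || rc=1
    done <<EOF
$SERVICES
EOF
    return $rc
}

service_rules
```

Because -A appends, load these after the loopback and ESTABLISHED,RELATED rules and after the anti-spoofing DROPs, so a forged packet is never accepted by a service rule first.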
#21: Restrict the Number of Parallel Connections To a Server Per Client IP
You can use the connlimit module to put such restrictions in place. To allow at most 3 ssh connections per client host (the 4th connection attempt is rejected), enter:
# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
Set HTTP connections to 20 per /24 network:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
Where,
- --connlimit-above 3 : Match if the number of existing connections is above 3.
- --connlimit-mask 24 : Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. Without it every source address is counted on its own (mask 32).
Because --syn matches only the first packet of a TCP connection, these rules must come before any rule that accepts NEW connections to the port, or they never see the packet.
#22: HowTO: Use iptables Like a Pro
For more information about iptables, please see the manual page by typing man iptables from the command line:
$ man iptables
You can see the help using the following syntax too:
# iptables -h
To see help with specific commands and targets, enter:
# iptables -j DROP -h
#22.1: Testing Your Firewall
Find out which ports are listening, enter:
# netstat -tulpn
Find out if tcp port 80 is open or not, enter:
# netstat -tulpn | grep :80
(On current distributions ss -tulpn prints the same information; netstat belongs to the deprecated net-tools package. Note that grep :80 also matches :8080 and :800.)
If port 80 is not open, start Apache, enter:
# service httpd start
Make sure iptables is allowing access to port 80:
# iptables -L INPUT -v -n | grep 80
Otherwise open port 80 using iptables for all users:
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# service iptables save
Use the telnet command to see if the firewall allows a connection to port 80. Do this from another host: packets sent to the server's own public address are delivered over the loopback interface, so rules qualified with -i eth1 are not exercised by a test run on the server itself.
$ telnet www.cyberciti.biz 80
Sample outputs:
Trying 75.126.153.206...
Connected to www.cyberciti.biz.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
You can use nmap to probe your own server using the following syntax:
$ nmap -sS -p 80 www.cyberciti.biz
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-13 13:19 IST
Interesting ports on www.cyberciti.biz (75.126.153.206):
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds
I also recommend you install and use a sniffer such as tcpdump and ngrep to test your firewall settings.
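An added example (not from the original article) of the listening-port check without the grep :80 false positives: it parses netstat -tulpn output (a constructed sample here, with made-up PIDs) and matches the port number exactly, so :8080 and :800 no longer count as port 80. Feed it real output with netstat -tulpn | listening tcp 80.

```shell
#!/bin/sh
# Added example, not from the original article. NETSTAT_SAMPLE is constructed
# test data in `netstat -tulpn` format.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1187/mysqld
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2044/java
udp        0      0 0.0.0.0:123             0.0.0.0:*                           655/ntpd'

# listening PROTO PORT: read netstat output on stdin and print
# "local-address program" for every socket bound to exactly PORT.
# The regex is anchored at the end of the address field, so ":80$" does not
# match 0.0.0.0:8080. tcp6/udp6 lines (":::80") are matched as well.
listening() {
    awk -v proto="$1" -v port="$2" '
        ($1 == proto || $1 == proto "6") && $4 ~ (":" port "$") { print $4, $NF }'
}

# port_is_open PROTO PORT: succeed (exit 0) if something listens on PORT.
port_is_open() {
    [ -n "$(listening "$1" "$2")" ]
}

# A listening socket and a firewall rule are independent: a service can be
# up while iptables drops its port. Check both, e.g. for tcp/80:
#   netstat -tulpn | listening tcp 80
#   iptables -S INPUT | grep -- '--dport 80'
printf '%s\n' "$NETSTAT_SAMPLE" | listening tcp 22
```

The 127.0.0.1:3306 line in the sample shows the other thing worth reading off this output: a service bound to loopback only is unreachable from outside regardless of the firewall, which is the cheapest way to keep a database off the network.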