Page 6 of 7 FirstFirst ... 4567 LastLast
Results 51 to 60 of 69

Thread: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

  1. #51
    Join Date
    Apr 2010
    Location
    sudan
    Beans
    25
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    And another question ... I wrote the script and made it executable but nothing changed ... the firewall wasn't working successfully ... so I need your help ... another thing: I replaced eth0 with my USB data card path, which is /dev/ttyUSB0 ...
    Can that make any difference ...

  2. #52
    Join Date
    Jul 2012
    Beans
    30

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Dear Frodon.

    Thank you very much for your tutorial!!!
    It is hard to find a detailed "howto" like yours, nearly impossible!!!

    I do have one question, and therefore one proposal.
    Why are we dropping all other packets? In order to prevent some bad guys from brute-forcing, I found this: http://http://blog.zioup.org/2008/iptables_recent/

    Take a look at it, it's very interesting. I would like to hear your opinion on this one.

    thanks

  3. #53
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,343
    Distro
    Xubuntu 16.04 Xenial Xerus

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    That link does not work. Attempting to correct it takes me to Google...

    Here's the correct one: http://blog.zioup.org/2008/iptables_recent/
    Last edited by JKyleOKC; July 21st, 2012 at 07:37 PM. Reason: To provide corrected link
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  4. #54
    Join Date
    Jul 2012
    Beans
    30

    Exclamation Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Good morning.

    Thanks.
    It seems that I was in a hurry.

  5. #55
    Join Date
    Jul 2012
    Beans
    30

    Question Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Dear frodon.

    I am trying to run your script on a small server.
    I need the following services:
    FTP 20/21
    SSH 22
    HTTP 80
    HTTPS 443

    If I run your script, I cannot connect to the server, nor is the HTTP service reachable. Would you be so kind as to help me with this?

    Please find the script below.

    cat /etc/firewall.bash
    #!/bin/bash

    # ftp.service
    # No spoofing !!!
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
    echo 1 > $filtre
    done
    fi

    # No icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp
    modprobe iptable_filter
    modprobe iptable_nat

    # Remove all rules
    iptables -F
    iptables -X

    # first set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # New chains
    iptables -N FIREWALL
    iptables -N TRUSTED

    # Log chain
    iptables -N LOG_DROP
    iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
    iptables -A LOG_DROP -j DROP

    # Allow ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow self communication
    iptables -A FIREWALL -i lo -j ACCEPT
    iptables -A FIREWALL -o lo -j ACCEPT
    # Send all package to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    # DROP all other packets
    iptables -A FIREWALL -j DROP

    # Send all through the FIREWALL chain
    iptables -A INPUT -j FIREWALL
    iptables -A FORWARD -j DROP
    iptables -A OUTPUT -j FIREWALL

    # Allow ssh
    iptables -A TRUSTED -i eth0 -p udp -m udp --sport 22 -j ACCEPT
    iptables -A TRUSTED -o eth0 -p udp -m udp --dport 22 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT

    # Allow dns
    iptables -A TRUSTED -o eth0 -p udp -m udp --dport 53 -j ACCEPT
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT

    # Allow http
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

    # Allow https
    iptables -A TRUSTED -i eth0 -p udp -m udp --sport 443 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 443 -j ACCEPT
    iptables -A TRUSTED -o eth0 -p udp -m udp --dport 443 -j ACCEPT
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT

    # Allow FTP
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # End message
    echo " [End iptables rules setting]"


    I got a connection to my server only with the following configuration:
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 20:65535 -j ACCEPT
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 20:65535 -j ACCEPT

    Can you please explain to me why a specific port/service configuration does not work?

    Kind regards
    Last edited by duesentriebchen; July 28th, 2012 at 07:28 PM. Reason: Got the CONNECTION

  6. #56
    Join Date
    Jul 2012
    Beans
    30

    Lightbulb Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Dear Frodon

    I got my iptables working on an Ubuntu 12.04 LTS server.
    Thank you very much for your inspiration on this topic.

    I finally have some kind of understanding of basic iptables configuration.
    I want to share this knowledge in the script down below.

    My server is running the following services:
    FTP 20/21
    SSH 22
    DNS 53
    HTTP 80
    HTTPS 443

    For the port scan and SSH brute force defense I added the module
    Code:
    ipt_recent
    I did not restrict the outbound traffic, because the server acts as a relay for TOR and i2p.

    Code:
    #!/bin/bash
    
    # ftp.service.1
    # No spoofing !!!
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
    echo 1 > $filtre
    done
    fi 
    
    # No icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp
    modprobe iptable_filter
    modprobe iptable_nat
    modprobe ipt_recent
    
    # Remove all rules
    iptables -F
    iptables -X
    
    # first set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    # New chains
    iptables -N FIREWALL
    iptables -N TRUSTED
    iptables -N BADGUY
    
    # Log chain
    iptables -N LOG_DROP
    iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
    iptables -A LOG_DROP -j DROP
    
    # Block any packet from IP-addresses that are present in the badguys list for one hour - port scan
    #iptables -A FIREWALL -i $OUTS -m recent --name badguys --update --seconds 3600 -j LOG_DROP
    # Allow NEW, ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow self communication
    iptables -A FIREWALL -i lo -j ACCEPT
    iptables -A FIREWALL -o lo -j ACCEPT
    # Send all package to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    # Send all DROP package from FIREWALL chain to the badguys list - port scan
    #iptables -A FIREWALL -t filter -i $OUTS -j LOG_DROP -m recent --set --name badguys
    # DROP all other packets
    iptables -A FIREWALL -j LOG_DROP
    
    # Send all through the FIREWALL chain
    iptables -A INPUT -j FIREWALL
    iptables -A FORWARD -j LOG_DROP
    iptables -A OUTPUT -j FIREWALL
    
    # SSH brute force attacks - verify in /proc/net/ipt_recent files badguys and ssh
    #iptables -t filter -I BADGUY -m recent --set --name badguys
    #iptables -A FIREWALL -i $OUTS -p tcp --syn --dport 22 -m recent --name ssh --set
    #iptables -A FIREWALL -i $OUTS -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 300 --hitcount 6 -j BADGUY
    #iptables -A FIREWALL -i $OUTS -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 30 --hitcount 2 -j LOG_DROP
    
    # Block inbound and outbound icmp traffic
    iptables -A TRUSTED -i eth0 -p icmp -j LOG_DROP
    iptables -A TRUSTED -o eth0 -p icmp -j LOG_DROP
    
    # Allow inbound ssh traffic
    iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # Allow ftp inbound and outbound traffic
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 1024:65535 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    
    # Allow inbound http,https traffic
    iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # Allow outbound tcp and udp traffic
    iptables -A TRUSTED -o eth0 -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
    iptables -A TRUSTED -o eth0 -p udp -m udp -m state --state ESTABLISHED -j ACCEPT
    
    # End message
    echo " [End iptables rules setting]"
    Last edited by duesentriebchen; July 30th, 2012 at 08:32 PM. Reason: i have to patch ipt_recent first

  7. #57
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,343
    Distro
    Xubuntu 16.04 Xenial Xerus

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Your ssh rules for the FIREWALL chain won't have any effect, because you're adding them after the unconditional jump to DROP that's seven lines above them. You need to move them to come before that "-j DROP" line. Better yet would be to just remove that "drop all other packets" rule, and set the policy for INPUT to DROP instead of ACCEPT, by means of another line that could be made the final line of the script.

    Keep in mind that the "-A" action adds the rule after all that are already in the table, and they are executed in strict first-to-last sequence. Having an unconditional "-j DROP" makes any rules added after it unreachable.

    Other than that it looks pretty doggone good!
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  8. #58
    Join Date
    Jul 2012
    Beans
    30

    Question Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Hi JKyleOKC

    Thanks, I'm flattered.

    On the ssh lines:
    In my pimped script I use

    Code:
    # Allow inbound ssh traffic 
    iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    If I change it to
    Code:
    # Allow inbound ssh traffic 
    iptables -A TRUSTED -i eth0 -p tcp -m multiport --dport 22 -m state --state ESTABLISHED -j ACCEPT 
    iptables -A TRUSTED -i eth0 -p udp -m multiport --dport 22 -m state --state ESTABLISHED -j ACCEPT
    I am locked out of my server with any connection I try to make.
    So in some way it has to work...

  9. #59
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,343
    Distro
    Xubuntu 16.04 Xenial Xerus

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    When you removed "NEW," from the two rules, that told it to prohibit any new connections. Thus it's doing exactly what you told it to.

    If you know the IP address from which you will be initiating the ssh connection, you can add "-s x.x.x.x" (where the "x"s are replaced by that IP address) to the original two lines. This will accept only connections from the specified address, leaving all other addresses rejected. The "NEW," though, is essential.

    Unfortunately this won't work if your IP address varies from time to time. That's when hardening the ssh server itself, to use RSA authentication instead of passwords, comes in handy.
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads
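    A worked model of the two points JKyleOKC makes in #57 and #59 (a rule appended after an unconditional terminating jump is never reached, and removing NEW from the state match refuses every fresh connection), as an added example that is not part of this thread and not either poster's script. It is a small Python model of filter-table traversal, not real iptables: it understands only the options used in this thread (-i, -p, --dport, -s, -m state --state, -j, with LOG non-terminating and user chains returning when nothing matched) and ignores everything else. The chain layout mirrors the script in #56; the addresses 203.0.113.5 and 198.51.100.7 are constructed, and FilterTable, build_thread_layout and the packet constants are names invented for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Targets that end traversal of the whole built-in chain (model of iptables, not iptables itself).
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dport: int
    src: str
    state: str  # conntrack state as "-m state" sees it: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    target: str                            # -j
    iface: Optional[str] = None            # -i
    proto: Optional[str] = None            # -p
    dport: Optional[int] = None            # --dport
    src: Optional[str] = None              # -s
    states: FrozenSet[str] = frozenset()   # -m state --state

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.src is None or self.src == pkt.src)
                and (not self.states or pkt.state in self.states))

    def unconditional(self) -> bool:
        """A rule with no match at all fires for every packet that reaches it."""
        return (self.iface, self.proto, self.dport, self.src) == (None,) * 4 and not self.states


class FilterTable:
    def __init__(self, policies: Dict[str, str]):
        self.policy = dict(policies)                                  # -P on built-in chains
        self.chains: Dict[str, List[Rule]] = {n: [] for n in policies}

    def new_chain(self, name: str) -> None:                           # -N
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:                 # -A: goes to the end
        self.chains[chain].append(rule)

    def walk(self, chain: str, pkt: Packet) -> Optional[str]:
        """First match wins; a user chain falls through (RETURN) if nothing matched."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINATING:
                return rule.target
            if rule.target == "LOG":          # LOG only records; traversal continues
                continue
            verdict = self.walk(rule.target, pkt)
            if verdict is not None:
                return verdict
        return None

    def decide(self, builtin: str, pkt: Packet) -> str:
        verdict = self.walk(builtin, pkt)
        return verdict if verdict is not None else self.policy[builtin]

    def always_terminates(self, target: str) -> bool:
        if target in TERMINATING:
            return True
        return any(r.unconditional() and self.always_terminates(r.target)
                   for r in self.chains.get(target, []))

    def unreachable(self, chain: str) -> List[int]:
        """Indices of rules appended after an unconditional, always-terminating rule."""
        dead, found = False, []
        for idx, rule in enumerate(self.chains[chain]):
            if dead:
                found.append(idx)
            elif rule.unconditional() and self.always_terminates(rule.target):
                dead = True
        return found


def build_thread_layout(ssh_states, ssh_src: Optional[str] = None) -> FilterTable:
    """INPUT -> FIREWALL -> TRUSTED -> LOG_DROP, as laid out in the #56 script."""
    fw = FilterTable({"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"})
    for name in ("FIREWALL", "TRUSTED", "LOG_DROP"):
        fw.new_chain(name)
    fw.append("LOG_DROP", Rule("LOG"))
    fw.append("LOG_DROP", Rule("DROP"))
    fw.append("FIREWALL", Rule("ACCEPT", iface="eth0", states=frozenset({"ESTABLISHED", "RELATED"})))
    fw.append("FIREWALL", Rule("ACCEPT", iface="lo"))
    fw.append("FIREWALL", Rule("TRUSTED"))
    fw.append("FIREWALL", Rule("LOG_DROP"))   # unconditional: nothing appended below can fire
    fw.append("FIREWALL", Rule("ACCEPT", iface="eth0", proto="tcp", dport=22))  # dead, as in #57
    fw.append("INPUT", Rule("FIREWALL"))
    fw.append("TRUSTED", Rule("ACCEPT", iface="eth0", proto="tcp", dport=22,
                              src=ssh_src, states=frozenset(ssh_states)))
    return fw


# Constructed packets (RFC 5737 documentation addresses, not real hosts).
NEW_SSH = Packet("eth0", "tcp", 22, "203.0.113.5", "NEW")
REPLY_SSH = Packet("eth0", "tcp", 22, "203.0.113.5", "ESTABLISHED")

if __name__ == "__main__":
    print("NEW,ESTABLISHED ->", build_thread_layout({"NEW", "ESTABLISHED"}).decide("INPUT", NEW_SSH))
    print("ESTABLISHED only ->", build_thread_layout({"ESTABLISHED"}).decide("INPUT", NEW_SSH))
    print("dead FIREWALL rules:", build_thread_layout({"NEW"}).unreachable("FIREWALL"))
```

    Run it as a script: the first line prints ACCEPT, the second DROP (the #58 lock-out, because the only rule that could accept a NEW connection no longer matches and the packet falls through to LOG_DROP), and the last shows the index of the ssh rule that sits below the unconditional LOG_DROP jump. Passing ssh_src="198.51.100.7" models the "-s x.x.x.x" restriction from #59: a NEW connection from any other address is dropped while established replies are still accepted by the first FIREWALL rule.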

  10. #60
    Join Date
    Jul 2012
    Beans
    30

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Hi JKyleOKC
    1. Yes, due to the DHCP protocol it is rather difficult for me to define the access via an IP address. But as you pointed out, I am using authentication via RSA, so the direct issue of brute-forcing or the need for a defence should be stable.
    2. Now I understand what you meant with the ssh rules for the FIREWALL chain!!!
      Sorry for my misunderstanding!!!
      So if I change it to this, the rules should work, what do you think?

      Code:
      # Block any packet from IP-addresses that are present in the badguys list for one hour - port scan
      #iptables -A FIREWALL -i $OUTS -m recent --name badguys --update --seconds 3600 -j LOG_DROP
      # Allow NEW, ESTABLISHED and RELATED incoming connection
      iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
      # Allow self communication
      iptables -A FIREWALL -i lo -j ACCEPT
      iptables -A FIREWALL -o lo -j ACCEPT
      # Send all package to the TRUSTED chain
      iptables -A FIREWALL -j TRUSTED
      # Send all DROP package from FIREWALL chain to the badguys list - port scan
      #iptables -A FIREWALL -t filter -i $OUTS -j LOG_DROP -m recent --set --name badguys
      
      # SSH brute force attacks - verify in /proc/net/ipt_recent files badguys and ssh
      #iptables -t filter -I BADGUY -m recent --set --name badguys
      #iptables -A FIREWALL -i $OUTS -p tcp --syn --dport 22 -m recent --name ssh --set
      #iptables -A FIREWALL -i $OUTS -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 300 --hitcount 6 -j BADGUY
      #iptables -A FIREWALL -i $OUTS -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 30 --hitcount 2 -j LOG_DROP
      
      # DROP all other packets
      iptables -A FIREWALL -j LOG_DROP
      
      # Send all through the FIREWALL chain
      iptables -A INPUT -j FIREWALL
      iptables -A FORWARD -j LOG_DROP
      iptables -A OUTPUT -j FIREWALL
    3. Could you be so kind as to explain two things to me?
      Firstly: I cannot find, or am not able to define the search key for, how to patch iptables with the ipt_recent patch on the command line without using a GUI. Could you give me a link or point out an explanation of how to do this? I do not want to mess up anything that touches the KERNEL!!!

      Secondly: What is the meaning of
      Code:
      $OUTS
      in these lines?
      Code:
      iptables -A FIREWALL -i $OUTS -m recent --name badguys --update --seconds 3600 -j LOG_DROP
      iptables -A FIREWALL -t filter -i $OUTS -j LOG_DROP -m recent --set --name badguys
      iptables -A FIREWALL -i $OUTS -p tcp --syn --dport 22 -m recent --name ssh --set
      iptables -A FIREWALL -i $OUTS -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 300 --hitcount 6 -j BADGUY
      iptables -A FIREWALL -i $OUTS -p tcp --syn --dport 22 -m recent --name ssh --rcheck --seconds 30 --hitcount 2 -j LOG_DROP
      As far as I could check in some other scripts, the
      Code:
      $
      is used for symlinks to directories or scripts.
      Can I use
      Code:
      eth0
      without the
      Code:
      $
      instead?


    Thank you very much in advance!!!
    Last edited by duesentriebchen; July 31st, 2012 at 09:56 AM.
