Archive for May, 2009

SBDavid

APF - Advanced Policy Firewall

Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today's Internet-deployed servers and the unique needs of custom-deployed Linux installations.

The official home page for APF is located at:

http://www.rfxnetworks.com/apf.php

If you are configuring iptables in your own custom kernel then you
should be sure that the following modules are compiled with the kernel for
modular support:

ip_tables
iptable_filter
iptable_mangle
ip_conntrack
ip_conntrack_irc
ip_conntrack_ftp
ipt_state
ipt_multiport
ipt_limit
ipt_recent
ipt_LOG
ipt_REJECT
ipt_ecn
ipt_length
ipt_mac
ipt_owner
ipt_ttl
ipt_TOS
ipt_TCPMSS
ipt_ULOG

If you would like to make sure you support these modules, take a look inside the /lib/modules/kernelver/kernel/net/ipv4/netfilter/ directory (where kernelver is your running kernel version, as reported by uname -r).
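The check described above, written out as a small shell script. This is an added example and is not part of APF or the original post; the module list is the one quoted above with duplicates removed, and the function, its arguments and the directory layout it assumes (a module root such as /lib/modules/$(uname -r) with kernel/net/ underneath) are the example's own. It also looks in modules.builtin, since a module compiled into the kernel has no .ko file and would otherwise show up as missing.

```shell
#!/bin/sh
# Added example (not part of APF or the original post): check that the netfilter
# modules APF expects are available for a given kernel, either as loadable .ko
# files under <module root>/kernel/net/ (compressed .ko.gz/.ko.xz/.ko.zst
# included) or compiled into the kernel and therefore listed in
# <module root>/modules.builtin.
# Usage: check_netfilter_modules MODULE_ROOT [module ...]
#   MODULE_ROOT is normally /lib/modules/$(uname -r); with no module names the
#   list from the APF documentation is used. Exit status is the number missing.

# Module list from the APF README (duplicates removed).
APF_REQUIRED_MODULES="ip_tables iptable_filter iptable_mangle ip_conntrack
ip_conntrack_irc ip_conntrack_ftp ipt_state ipt_multiport ipt_limit ipt_recent
ipt_LOG ipt_REJECT ipt_ecn ipt_length ipt_mac ipt_owner ipt_ttl ipt_TOS
ipt_TCPMSS ipt_ULOG"

# Returns 0 if the module exists as a loadable file or is built in, 1 otherwise.
module_available() {
  root="$1"; mod="$2"
  if find "$root/kernel/net" -name "$mod.ko*" 2>/dev/null | grep -q .; then
    return 0
  fi
  if [ -r "$root/modules.builtin" ] && grep -q "/$mod\.ko\$" "$root/modules.builtin"; then
    return 0
  fi
  return 1
}

# Prints one line per module and returns the number of missing modules.
check_netfilter_modules() {
  root="$1"; shift
  # Deliberately unquoted: split the default list on whitespace.
  [ $# -gt 0 ] || set -- $APF_REQUIRED_MODULES
  missing=0
  for mod in "$@"; do
    if module_available "$root" "$mod"; then
      echo "ok:      $mod"
    else
      echo "MISSING: $mod"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Stand-alone use: sh check-modules.sh /lib/modules/$(uname -r) [module ...]
if [ $# -gt 0 ]; then
  check_netfilter_modules "$@"
fi
```

On kernels newer than the ones this list was written for, several of these modules were renamed (ip_conntrack to nf_conntrack, ipt_state to xt_state, ipt_limit to xt_limit, ipt_multiport to xt_multiport) and ipt_ULOG was removed in favour of NFLOG, so a MISSING line for one of those may simply mean the renamed module is present instead.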

Installation

The installation setup of APF is very straight forward, there is an included
install.sh script that will perform all the tasks of installing APF for you.

Install

# sh install.sh

If desired, the APF setup can be customized by editing the variables inside the install.sh script and then the path variables in the conf.apf and internals.conf files. This is not recommended, however; the default paths should meet all user needs. They are:

Install Path: /etc/apf
Bin Path: /usr/local/sbin/apf

The first step after installation is to set APF up in the init system with chkconfig (done by default during install), as detailed below:

chkconfig --add apf
chkconfig --level 345 apf on

General Usage:

The /usr/local/sbin/apf command has a number of options that will ease the
day-to-day use of your firewall. Here is a quick snapshot of the options:

usage /usr/local/sbin/apf [OPTION]
-s|--start ............................ load the firewall rules
-r|--restart .......................... stop (flush) & reload firewall rules
-f|--stop ............................. stop (flush) all firewall rules
-l|--list ............................. list chain rules
-t|--status ........................... firewall status
-e|--refresh .......................... refresh & resolve dns names in trust rules
-a HOST CMT|--allow HOST COMMENT ...... add host (IP/FQDN) to allow_hosts.rules and
                                        immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT ....... add host (IP/FQDN) to deny_hosts.rules and
                                        immediately load new rule into firewall
-u|--remove HOST ...................... remove host from [glob_]deny_hosts.rules
                                        and immediately remove rule from firewall
-o|--ovars ............................ output all configuration options

Trust an address:
apf -a ryanm.dynip.org "my home dynamic-ip"
Deny an address:
apf -d 192.168.3.111 "keeps trying to bruteforce"
Remove an address:
apf -u ryanm.dynip.org

Restrict the number of parallel connections to a server

connlimit

Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).

[!] --connlimit-above n
Match if the number of existing connections is (not) above n.

--connlimit-mask prefix_length
Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128.

Examples:

# allow 2 telnet connections per client host
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the number of parallel HTTP requests to 16 per class C sized network (24 bit netmask)
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

# limit the number of parallel HTTP requests to 16 for the link local network (ipv6)
ip6tables -A INPUT -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT

SBDavid

Adding comments to iptables.

comment

Allows you to add comments (up to 256 characters) to any rule.

--comment comment

Example:

iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block"

Using iptables to block incoming traffic without affecting outgoing traffic.

Solution:

iptables -F INPUT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT

The following command permits incoming packets only if they are part of established outgoing connections.

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

SBDavid

Using iptables to reject spoofing

Suppose you have a Linux machine acting as a firewall for the internal network 192.168.0.* with two network interfaces. Packets arriving on the external interface with a source address from the internal network are spoofed and should be refused.

Solution:

iptables -A INPUT -i external_interface -s 192.168.0.0/24 -j REJECT

*The Linux firewall can refuse packets in two ways; iptables calls them DROP and REJECT.
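The posts above each show a single rule in isolation: the connlimit examples, the comment match, the ESTABLISHED-only INPUT chain, and the anti-spoofing rule. The script below, an added example that is not code from the original posts, puts them together into one INPUT policy in the order they must appear, and applies it idempotently with iptables -C so that re-running it does not duplicate rules. The interface name eth0, the internal network 192.168.0.0/24, the SSH connection limit and the function names are assumptions constructed for this example; the IPTABLES variable exists so the script can be exercised against a stand-in without root.

```shell
#!/bin/sh
# Added example, not code from the original posts: one INPUT policy that puts
# the rules discussed on this page together (rule comments, accepting only
# replies to our own connections, refusing spoofed LAN addresses on the external
# interface, connlimit on SSH) and applies them idempotently.
# Assumptions, constructed for this example: the external interface is eth0 and
# the internal network is 192.168.0.0/24. IPTABLES can be pointed at a wrapper
# (a recording stub, for instance) so the logic can be exercised without root.
IPTABLES="${IPTABLES:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Append a rule only if an identical one is not already present: "iptables -C"
# exits 0 when the rule exists, so re-running the script never duplicates rules.
add_rule() {
  "$IPTABLES" -C "$@" 2>/dev/null || "$IPTABLES" -A "$@"
}

apply_input_policy() {
  add_rule INPUT -i lo -m comment --comment "loopback" -j ACCEPT
  # Spoof check first: a packet arriving on the external interface cannot
  # legitimately carry an internal source address. DROP rather than REJECT,
  # because a rejection would be sent to the forged (internal) address.
  add_rule INPUT -i "$EXT_IF" -s "$LAN_NET" \
    -m comment --comment "anti-spoof: LAN source on $EXT_IF" -j DROP
  # Replies to connections this host opened. RELATED (not in the original
  # post) additionally admits ICMP errors and helper-tracked connections such
  # as FTP data channels.
  add_rule INPUT -m state --state ESTABLISHED,RELATED \
    -m comment --comment "replies to our own connections" -j ACCEPT
  # New SSH sessions: more than 3 concurrent connections from one /24 are
  # rejected with a TCP reset; the rest are accepted.
  add_rule INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 --connlimit-mask 24 \
    -m comment --comment "ssh: connlimit per /24" -j REJECT --reject-with tcp-reset
  add_rule INPUT -p tcp --syn --dport 22 -m state --state NEW \
    -m comment --comment "ssh" -j ACCEPT
  # Everything else is refused; REJECT answers the sender, DROP would not.
  add_rule INPUT -m comment --comment "default deny" -j REJECT
}

# Stand-alone use (as root): sh input-policy.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_input_policy
fi
```

Because rules are appended, any rule added to apply_input_policy later would land after the final REJECT and never match; flushing INPUT first, as the post above does, avoids that at the cost of a brief window in which only the chain's default policy applies.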
