Archive for the 'Security' Category

SBDavid

iptables and Connection Tracking

iptables includes a module that allows administrators to inspect and restrict connections to services available on an internal network using a method called connection tracking.

NEW - A packet requesting a new connection, such as an HTTP request.

ESTABLISHED - A packet that is part of an existing connection.

RELATED - A packet that is requesting a new connection but is part of an existing connection, such as passive FTP connections where the connection port is 20, but the transfer port can be any unused port 1024 or higher.

INVALID - A packet that is not part of any connections in the connection tracking table.

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

The above example shows a rule that uses connection tracking to forward only those packets that belong to an established connection or are related to one.

There are some trojans that scan networks for services on ports from 31337 to 31340.

Since there are no legitimate services that communicate via these non-standard ports, blocking them can effectively diminish the chances that potentially infected nodes on your network independently communicate with their remote master servers.

iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP

You can also block outside connections that attempt to spoof private IP address ranges to infiltrate your LAN. For example, if your LAN uses the 192.168.1.0/24 range, a rule can set the Internet facing network device (for example, eth0) to drop any packets to that device with an address in your LAN IP range. Because it is recommended to reject forwarded packets as a default policy, any other spoofed IP address to the external-facing device (eth0) is rejected automatically.

iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP

The REJECT target denies access and returns a connection refused error to users who attempt to connect to the service. The DROP target, as the name implies, drops the packet without any warning.
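The rules above (connection tracking, the trojan-port drop and the anti-spoofing drop) are each shown in isolation. The script below is an added example written for this page, not code from the original post, that puts them into one FORWARD chain in the order a gateway would need. It assumes eth0 is the Internet-facing interface and 192.168.1.0/24 is the LAN (both overridable from the environment), widens the single port 31337 to the 31337-31340 range the text names, and adds a final rule so that only the internal side may open new connections. It prints the commands by default so it can be reviewed without root.

```sh
#!/bin/sh
# Added example (not from the original post): a FORWARD chain built from the
# connection-tracking, anti-spoofing and trojan-port rules on this page.
# Assumed values, overridable from the environment: eth0 is the Internet-facing
# interface and 192.168.1.0/24 is the LAN.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands (no root needed); 0 = apply them

# Wrapper so the same rule list can be reviewed first and applied later.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# iptables evaluates a chain top to bottom and stops at the first match, so the
# specific drops are placed before the broad ESTABLISHED,RELATED accept.
forward_rules() {
    ipt -P FORWARD DROP                                   # default: forward nothing
    ipt -A FORWARD -m state --state INVALID -j DROP       # not in the conntrack table
    # Anti-spoofing: a packet arriving on the WAN side cannot legitimately carry a LAN source.
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Trojan control ports in either direction; 31337:31340 is the range named
    # in the text, widened from the single port 31337 used in its rules.
    ipt -A FORWARD -p tcp --dport 31337:31340 -j DROP
    ipt -A FORWARD -p tcp --sport 31337:31340 -j DROP
    # Replies and related flows (e.g. passive FTP data) of permitted conversations.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only hosts on the internal side may open new connections through the gateway.
    ipt -A FORWARD ! -i "$WAN_IF" -m state --state NEW -j ACCEPT
}

# Line number of the first rule matching a pattern, used to check ordering.
rule_position() {
    forward_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Print the rule set for review; run as root with DRY_RUN=0 to apply it.
forward_rules
```

Review the printed list, then apply it with `DRY_RUN=0 sh forward.sh` as root. The dry-run wrapper is deliberate: a mistaken FORWARD policy on a remote gateway is easiest to catch before it is loaded.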

iptables rule for routing outside the range of the LAN.

LAN range - 192.168.1.0/24
Outside LAN IP - 10.0.4.2

To route incoming HTTP requests to a dedicated HTTP server at 10.0.4.2 (outside the 192.168.1.0/24 range of the LAN), add a DNAT rule to the PREROUTING chain of the nat table; it rewrites the destination address so the packets are forwarded to the server:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.2:80

iptables rules can be set to route traffic to certain machines, such as a dedicated HTTP or FTP server, in a demilitarized zone (DMZ) — a special local subnetwork dedicated to providing services on a public carrier such as the Internet.

With this command, all HTTP connections to port 80 arriving from outside the LAN are routed to the HTTP server, which sits on a separate network from the rest of the internal network. This form of network segmentation can prove safer than allowing HTTP connections to a machine on the internal network. If the HTTP server is configured to accept secure connections, then port 443 must be forwarded as well.

FORWARD and NAT Rules for nodes behind the firewall/gateway.

iptables provides routing and forwarding policies. The FORWARD policy allows an administrator to control where packets can be routed within a LAN. For example, to allow forwarding for the entire LAN (assuming the firewall/gateway is assigned an internal IP address on eth1), the following rules can be set:

iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT

These rules give systems behind the firewall/gateway access to the internal network. The gateway routes packets from one LAN node to its intended destination node, passing all packets through its eth1 device.

To enable IP forwarding, run the following command:

sysctl -w net.ipv4.ip_forward=1

You can make forwarding permanent by editing /etc/sysctl.conf:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Execute the following command to enable the change to the sysctl.conf file:

sysctl -p /etc/sysctl.conf

To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for IP masquerading, which masks requests from LAN nodes with the IP address of the firewall’s external device (in this case, eth0):

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The rule uses the NAT packet matching table (-t nat) and specifies the built-in POSTROUTING chain for NAT (-A POSTROUTING) on the firewall’s external networking device (-o eth0).

POSTROUTING allows packets to be altered as they are leaving the firewall’s external device. The -j MASQUERADE target is specified to mask the private IP address of a node with the external IP address of the firewall/gateway.

To forward incoming HTTP requests to a dedicated Apache HTTP Server system at 192.168.0.10, run the following command:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.10:80

This rule specifies that the NAT table use the built-in PREROUTING chain to forward incoming HTTP requests exclusively to the listed destination IP address of 192.168.0.10.

The following rule then allows the FORWARD chain to pass those incoming HTTP requests from the firewall on to their intended destination, the Apache HTTP Server system behind the firewall:

iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.0.10 -j ACCEPT
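The gateway steps above (enable IP forwarding, masquerade outbound LAN traffic, DNAT inbound HTTP to the web server, and accept the rewritten packets in FORWARD) are collected below into one reviewable script. This is an added example written for this page, not code from the original post. It assumes eth0 is external, eth1 is internal and the web server is at 192.168.0.10 (the address used above), all overridable from the environment; it forwards 443 alongside 80 because the text notes that port must be forwarded when the server accepts secure connections, and it narrows the blanket `-i eth1`/`-o eth1` accepts to LAN-initiated traffic plus connection-tracked replies.

```sh
#!/bin/sh
# Added example (not from the original post): the gateway steps on this page
# (IP forwarding, masquerading, DNAT to a dedicated web server, matching
# FORWARD rules) collected into one reviewable script.
# Assumed values, overridable from the environment: eth0 external, eth1
# internal, web server at 192.168.0.10 (the address used in the text).
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WEB_SERVER="${WEB_SERVER:-192.168.0.10}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands (no root needed); 0 = apply them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

# Step 1: the kernel must route between interfaces at all.
enable_ip_forward() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Current value of the forwarding flag: "1", "0", or "unknown" when /proc is
# not readable (for example inside a restricted container).
ip_forward_state() {
    f=/proc/sys/net/ipv4/ip_forward
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

gateway_rules() {
    # Step 2: LAN nodes leave through the external address (POSTROUTING, nat table).
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # Step 3: rewrite inbound HTTP and HTTPS destinations to the web server
    # (PREROUTING, nat table). 443 is included because the text notes it must
    # be forwarded too when the server accepts secure connections.
    for port in 80 443; do
        ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$WEB_SERVER:$port"
        # Step 4: DNAT only changes the destination; the filter FORWARD chain
        # still has to accept the rewritten packet, and only that packet.
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport "$port" -j ACCEPT
    done
    # Step 5: internal hosts may open connections outward; their replies return
    # via connection tracking instead of a blanket "-o eth1 ACCEPT".
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

enable_ip_forward
gateway_rules
```

Note that the DNAT rule alone is not enough on a gateway whose FORWARD policy is DROP: the packet is rewritten in PREROUTING and then dropped in FORWARD unless step 4 is present. Checking `ip_forward_state` after applying is the quickest way to confirm the sysctl took effect.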
SBDavid

Common iptables Filtering

With the default policy set to block all incoming, outgoing, and forwarded packets, it is impossible for the firewall/gateway and internal LAN users to communicate with each other or with external resources. To allow users to perform network-related functions and use networking applications, administrators must open certain ports for communication.

To allow access to port 80 on the firewall, append the following rule:

iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT

This allows regular Web browsing from websites that communicate via port 80. To allow access to secure websites (such as https://www.serverbuddies.com/), you must open port 443, as well.

iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT

Set the allow rules first, and then the drop rule for the subnet: iptables stops at the first matching rule, so an allow rule placed after the drop would never be reached.

To arbitrarily insert a rule in an existing chain of rules, use -I, followed by the chain in which to insert the rule, and a rule number (1,2,3,…,n) for where the rule should reside. For example:

iptables -I INPUT 1 -i lo -p all -j ACCEPT

The rule is inserted as the first rule in the INPUT chain to allow local loopback device traffic.

$ sudo iptables -L -n -v

Chain INPUT (policy ACCEPT 235 packets, 45229 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   158 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  169 36782 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80

To allow remote SSH access, the following rules may be used:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
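The rules in this post are given one at a time; the script below, an added example written for this page rather than code from the original post, assembles an INPUT and OUTPUT chain for a single host that follows the ordering advice above (allow before drop, loopback inserted at position 1 with `-I`). It replaces the stateless `--sport 80`/`--sport 443` accepts with a connection-tracking match: a bare `--sport 80` rule accepts any unsolicited packet that happens to carry source port 80, whereas `ESTABLISHED,RELATED` only admits replies to connections this host actually opened. It assumes the host offers SSH on TCP 22 and HTTP on TCP 80, browses out over 80/443 and resolves names over UDP 53; all of these are example values.

```sh
#!/bin/sh
# Added example (not from the original post): INPUT and OUTPUT chains for one
# host, following the ordering advice on this page (allow before drop, loopback
# first via -I) and using connection tracking instead of bare --sport accepts.
# Assumptions: SSH on TCP 22 and HTTP on TCP 80 are offered; outbound browsing
# on 80/443 and DNS on UDP 53 are allowed. All are example values.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands (no root needed); 0 = apply them

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

host_rules() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    # Loopback first. "-I INPUT 1" puts it at the top regardless of what was appended before.
    ipt -I INPUT 1 -i lo -j ACCEPT
    ipt -I OUTPUT 1 -o lo -j ACCEPT
    # Replies to conversations this host started. This covers web browsing
    # without "--sport 80": a stateless --sport rule also admits any unsolicited
    # packet that merely carries source port 80, which an ESTABLISHED match does not.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # Services offered: only NEW connections, so the reply path is handled by state.
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Outbound: what the host itself may initiate, plus replies to inbound sessions.
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    # Explicit final drop so "iptables -L -n -v" shows a counter for refused traffic.
    ipt -A INPUT -j DROP
}

# Line number of the first rule matching a pattern, used to check ordering.
rule_position() {
    host_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

host_rules
```

After applying with `DRY_RUN=0`, `iptables -L -n -v` should list the loopback rule first and show the packet counter on the final DROP climbing as unsolicited traffic is refused.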
