Archive for the tag 'iptables'

SBDavid

How to redirect port using IPTABLES

You can redirect a port with iptables using the PREROUTING chain of the nat table together with the REDIRECT target.

The following command redirects TCP traffic arriving on port 587 to port 25, where the SMTP server is listening. This is useful when a client's ISP blocks outbound port 25: the client connects to port 587 instead and the server hands the connection to the MTA on port 25. Keep in mind that 587 is the standard mail submission port; if your MTA already listens there (for example a Postfix submission service with its own authentication and TLS settings), this redirect rewrites the packets before that listener ever sees them, so only use it when nothing else is bound to 587.

iptables -t nat -I PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 25

REDIRECT in PREROUTING only applies to packets coming from other hosts; connections made from the server itself pass through the nat OUTPUT chain instead. The rule takes effect immediately, but it is lost at reboot unless you save the rule set (on Red Hat-style systems the init script writes it to /etc/sysconfig/iptables):

/etc/init.d/iptables save

Restarting iptables flushes the live rules and reloads the saved file, which confirms that the rule survives a reload:

/etc/init.d/iptables restart
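The following script is an added example, not code from the original post. It applies the same 587 to 25 redirect in a form you can re-run safely: it scopes the rule to the public interface, adds the matching nat OUTPUT rule so clients on the server itself are redirected too, and uses iptables -C to skip a rule that already exists instead of inserting a duplicate every run. Assumptions not in the post: the public interface is eth0 (WAN_IF), and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Idempotent 587 -> 25 redirect.  Assumptions (not from the post): the public
# interface is eth0; set DRY_RUN=1 to print commands instead of running them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"

# Rule spec (chain first, as -C/-I expect it) for one of the two chains that
# can carry a redirect.  PREROUTING sees packets arriving from other hosts;
# OUTPUT sees connections made on this host, which never traverse PREROUTING.
redirect_spec() {
    case "$1" in
        PREROUTING) echo "PREROUTING -i $WAN_IF -p tcp --dport 587 -j REDIRECT --to-ports 25" ;;
        OUTPUT)     echo "OUTPUT -o lo -p tcp --dport 587 -j REDIRECT --to-ports 25" ;;
        *)          echo "unknown chain: $1" >&2; return 1 ;;
    esac
}

# Run iptables, or in dry-run mode print the command instead.  A dry run has
# no live rule set, so every -C (check) is reported as "not present".
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ $IPT $*"
        case " $* " in *" -C "*) return 1 ;; esac
        return 0
    fi
    "$IPT" "$@"
}

# Insert the rule only if it is absent: -C exits 0 when an identical rule
# already exists, so re-running this script never stacks duplicates.
ensure_redirect() {
    spec=$(redirect_spec "$1") || return 1
    # shellcheck disable=SC2086  # $spec is meant to split into arguments
    if ipt -t nat -C $spec 2>/dev/null; then
        echo "present: $spec"
    else
        ipt -t nat -I $spec && echo "added: $spec"
    fi
}

# Usage (as root):  sh redirect.sh apply
# Preview only:     DRY_RUN=1 sh redirect.sh apply
if [ "${1:-}" = apply ]; then
    ensure_redirect PREROUTING
    ensure_redirect OUTPUT
fi
```

Because the rule is inserted with -I it lands at the top of the chain, ahead of anything the distribution's saved rule set already has there; run the save step afterwards exactly as in the post so the rule persists.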

How to enable IPTABLES support in Linux Kernel

Distribution kernels ship iptables support (usually as modules), so you only need to recompile the kernel if you run a custom kernel that was built without it. If that is the case, enable it as follows.

Get into the kernel source directory (download the source from kernel.org), copy your current running kernel's configuration into the tree as .config so you start from a known-good configuration, then open the configuration menu:

# cd /usr/local/src/kernel
# make menuconfig

Networking >> Networking options >> Network packet filtering (replaces ipchains) >> IP: Netfilter Configuration >> IP Tables support

Those menu labels come from the 2.4/2.6 kernel series; on current kernels the same option (CONFIG_IP_NF_IPTABLES) lives under Networking support >> Networking options >> Network packet filtering framework (Netfilter) >> IP: Netfilter Configuration >> IP tables support. Select it as a module (M) or built in (*), then compile and install the kernel and its modules:

# make
# make modules
# make modules_install
# make install

Then update the GRUB configuration under /boot/grub so the new kernel is the default entry, and reboot into it.

SBDavid

Iptables Command Switch

Each rule in an iptables script not only has a jump target but also a number of command-line options that append the rule to a chain and match the packet characteristics you define, such as the source IP address and TCP port. Rules in a chain are evaluated top to bottom and the first match wins, so the order in which you append them matters.

-t 'table'
Operate on the named table. If you don't specify one, the filter table is assumed. The built-in tables are filter, nat, mangle and raw.

-j 'target'
Jump to the specified target when the packet matches the current rule: a built-in verdict such as ACCEPT, DROP, REJECT or LOG, or a user-defined chain.

-A 'chain'
Append the rule to the end of the chain (-I inserts it at the top instead).

-F ['chain']
Flush: delete all the rules in the named chain, or in every chain of the selected table if no chain is given.

-p 'protocol-type'
Match protocol. Types include icmp, tcp, udp and all. Port matches such as --dport require -p tcp or -p udp.

-s 'ip-address'
Match the source IP address or network (for example 192.168.0.0/24). Write "! -s" to negate the match.

-d 'ip-address'
Match the destination IP address or network.

-i 'interface-name'
Match the "input" interface on which the packet enters (valid in the INPUT, FORWARD and PREROUTING chains).

-o 'interface-name'
Match the "output" interface on which the packet exits (valid in the OUTPUT, FORWARD and POSTROUTING chains).

SBDavid

Protect portmap With iptables

The portmap service is a dynamic port assignment daemon for RPC services such as NIS and NFS. It has weak authentication mechanisms and has the ability to assign a wide range of ports for the services it controls. For these reasons, it is difficult to secure.

Securing portmap only affects NFSv2 and NFSv3 implementations, since NFSv4 no longer requires it. If you plan to implement an NFSv2 or NFSv3 server, then portmap is required, and the following section applies.

Below are example iptables rules for port 111 (used by the portmap service). The ACCEPT rule lets the localhost reach the port; the DROP rule then discards TCP connections to the port from any source other than the 192.168.0.0/24 network, so hosts on that network fall through to the chain's default policy. Note that negation is written "! -s", not "-s!", and that the ACCEPT for localhost must come before the DROP: iptables stops at the first matching rule, and 127.0.0.1 is not in 192.168.0.0/24, so a DROP placed first would discard the local traffic too.

Example:

iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 111 -j DROP

To similarly limit UDP traffic, use the following commands, in the same order.

iptables -A INPUT -p udp -s 127.0.0.1 --dport 111 -j ACCEPT
iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 111 -j DROP

These rules only cover the portmapper itself; the RPC services it registers (nfsd on 2049, and mountd, lockd and statd on ports of their own) need rules of their own.

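The following script is an added example, not code from the original post. It turns the portmap rules above into an iptables-restore file and lints the rule order, and it exercises the switches listed in the "Iptables Command Switch" post (-A, -p, -s with negation, -i, -j, and the table chosen by the *filter header). Assumptions not in the post: the trusted network is 192.168.0.0/24 (override with LAN), and localhost is admitted by interface (-i lo), which covers all of 127.0.0.0/8 rather than only 127.0.0.1.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset that protects the portmapper the way the
# post intends: loopback may reach port 111, the trusted LAN falls through to
# the default policy, everything else is dropped.
# Assumption (not from the post): the trusted network is 192.168.0.0/24.
LAN="${LAN:-192.168.0.0/24}"

# Rules for port 111 in one protocol, in the order they must appear: the
# loopback ACCEPT first, then the DROP for everything outside the LAN.
# Negation is spelled "! -s" (the post's "-s!" is not valid), and -p must
# precede --dport because the port match belongs to the protocol module.
portmap_rules() {
    proto=$1
    echo "-A INPUT -i lo -p $proto --dport 111 -j ACCEPT"
    echo "-A INPUT -p $proto ! -s $LAN --dport 111 -j DROP"
}

# Whole filter table in iptables-restore format.  Loading it with
# iptables-restore replaces the table atomically, so no separate -F is needed
# and there is never a window with a half-built chain.  The default policies
# stay ACCEPT, as the post assumes, so LAN hosts fall through to them.
ruleset() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    portmap_rules tcp
    portmap_rules udp
    echo 'COMMIT'
}

# Lint for the ordering mistake in the original example: read a ruleset on
# stdin and fail if a DROP for port 111 appears before any ACCEPT for it.
check_order() {
    awk '
        /--dport 111 -j ACCEPT/ { seen_accept = 1 }
        /--dport 111 -j DROP/ && !seen_accept { bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Usage (as root):  sh portmap-rules.sh print | iptables-restore
if [ "${1:-}" = print ]; then
    ruleset
fi
```

Pipe the output through check_order before loading it; the lint only looks at port 111, so extend the patterns if you add further accept-before-drop pairs.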
SBDavid

APF - Advanced Policy Firewall

Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today’s Internet deployed servers and the unique needs of custom deployed Linux installations.

The official home page for APF is located at:

http://www.rfxnetworks.com/apf.php

If you are configuring iptables in your own custom kernel then you should be sure that the following modules are compiled with the kernel for modular support:

ip_tables
iptable_filter
iptable_mangle
ip_conntrack
ip_conntrack_irc
ip_conntrack_ftp
ipt_state
ipt_multiport
ipt_limit
ipt_recent
ipt_LOG
ipt_REJECT
ipt_ecn
ipt_length
ipt_mac
ipt_owner
ipt_ttl
ipt_TOS
ipt_TCPMSS
ipt_ULOG

To verify that these modules are available, look inside /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/. The list dates from the 2.4/2.6 era: on later 2.6 kernels and everything since, the connection-tracking modules are named nf_conntrack* and most of the ipt_* matches have moved to kernel/net/netfilter/ as xt_* (for example xt_state and xt_multiport), so check both directories.
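The following script is an added example, not part of APF or of the original posts. It automates the check suggested here for the APF module list, and it is the quick test to run before deciding whether the kernel rebuild described in "How to enable IPTABLES support in Linux Kernel" is needed at all. It reports each module as built in (listed in modules.builtin), loadable (a .ko file under the kernel tree) or missing, and it also tries the newer xt_/nf_ spelling of each old name. Assumptions not in the posts: MODDIR defaults to the running kernel's module directory, and the old-to-new name mapping is a heuristic rather than a complete rename table.

```shell
#!/bin/sh
# Check which of the netfilter modules APF lists are available for a kernel,
# either built in or as loadable modules.  Assumption (not from the posts):
# override MODDIR to inspect a kernel other than the running one.
MODDIR="${MODDIR:-/lib/modules/$(uname -r)}"

# Candidate names for a module: the old name as APF lists it, then the newer
# spelling used since the matches moved to x_tables and ip_conntrack became
# nf_conntrack.  This is a heuristic, not a complete rename table.
candidates() {
    echo "$1"
    case "$1" in
        ipt_*)          echo "xt_${1#ipt_}" ;;
        ip_conntrack*)  echo "nf_${1#ip_}" ;;
    esac
}

# Print "builtin", "module" or "missing" for one exact module name and return
# non-zero when it is missing.  Built-in modules are listed in
# modules.builtin; loadable ones exist as .ko (possibly .ko.gz/.xz/.zst)
# somewhere under $MODDIR/kernel.
lookup() {
    if [ -r "$MODDIR/modules.builtin" ] &&
       grep -q "/$1\\.ko\$" "$MODDIR/modules.builtin"; then
        echo builtin; return 0
    fi
    if [ -d "$MODDIR/kernel" ] &&
       [ -n "$(find "$MODDIR/kernel" -name "$1.ko*" 2>/dev/null | head -n 1)" ]; then
        echo module; return 0
    fi
    echo missing; return 1
}

# Resolve a module under any of its candidate names.
# Output: "<listed-name> <status> <name-found-as>"; non-zero if missing.
module_status() {
    for cand in $(candidates "$1"); do
        if st=$(lookup "$cand"); then
            echo "$1 $st $cand"; return 0
        fi
    done
    echo "$1 missing -"; return 1
}

# Check a list of module names (one per line on stdin); non-zero if any is
# missing, so the script can gate an APF install in a provisioning step.
check_modules() {
    rc=0
    while read -r m; do
        [ -n "$m" ] || continue
        module_status "$m" || rc=1
    done
    return $rc
}

# Usage:  printf 'ip_tables\nipt_state\nipt_ULOG\n' | sh modcheck.sh check
if [ "${1:-}" = check ]; then
    check_modules
fi
```

Feed it the list above one name per line; ipt_ULOG in particular will show as missing on modern kernels, where its role is taken by NFLOG, so a "missing" result is a prompt to check the current module name before concluding the kernel lacks support.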

Installation

The installation of APF is very straightforward: the included install.sh script performs all the tasks of installing APF for you.

Install

# sh install.sh

If you wish, you can customize the setup of APF by editing the variables inside the install.sh script, followed by the path variables in the conf.apf and internals.conf files. This is not recommended, however, and the default paths should meet all needs; they are:

Install Path: /etc/apf
Bin Path: /usr/local/sbin/apf

The installer also registers APF with the init system using chkconfig (done by default during install), equivalent to:

chkconfig --add apf
chkconfig --level 345 apf on

General Usage:

The /usr/local/sbin/apf command has a number of options that will ease the day-to-day use of your firewall. Here is a quick snapshot of the options:

usage /usr/local/sbin/apf [OPTION]
-s|--start                        load the firewall rules
-r|--restart                      stop (flush) & reload firewall rules
-f|--stop                         stop (flush) all firewall rules
-l|--list                         list chain rules
-t|--status                       firewall status
-e|--refresh                      refresh & resolve dns names in trust rules
-a HOST CMT|--allow HOST COMMENT  add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT   add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall
-u|--remove HOST                  remove host from [glob_]deny_hosts.rules and immediately remove rule from firewall
-o|--ovars                        output all configuration options

Trust an address:
apf -a ryanm.dynip.org "my home dynamic-ip"
Deny an address:
apf -d 192.168.3.111 "keeps trying to bruteforce"
Remove an address:
apf -u ryanm.dynip.org
