ABXZone Computer Forums



#1  epicbard (mmm... bacon bits)  02-03-2004, 12:00 AM
Join Date: Dec 2002 | Location: Treehouse | Posts: 4,266

phun with iptables

OK, after two weeks on Slackware 9.1 without a firewall I had just about had it. So it turns out you can achieve total stealthiness with iptables. Here's how:

iptables -P INPUT DROP
iptables -F INPUT
# -N fails if the chain already exists (re-running this), so flush it instead of appending duplicates
iptables -N inbound 2>/dev/null || iptables -F inbound
iptables -A INPUT -i eth0 -j inbound
iptables -A INPUT -i lo -j ACCEPT
iptables -A inbound -m state --state ESTABLISHED -j ACCEPT
iptables -A inbound -m state --state RELATED -j ACCEPT
# anything else arriving on eth0 returns from "inbound" and hits the DROP policy;
# the explicit DROPs below are redundant with it but show the intent in "iptables -L -v"
iptables -A INPUT -i eth0 -p tcp --syn -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 0 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 1 -j DROP

Now I only have one (well, more than one) problem... Slack does not load iptables on bootup? Second, how can I execute this on startup (yes, I know, a script, but how)?

Want to test this? http://www.pcflank.com/
#2  wjm (Registered User)  02-03-2004, 11:56 AM
Join Date: Aug 2001 | Location: South Florida | Posts: 95
#!/bin/sh

# Verify module dependencies (harmless; the iptables modules are autoloaded on
# first use anyway)
/sbin/depmod -a

# Define iptables binary
IPTABLES=/sbin/iptables

# Enable ip forwarding. Only needed if this box routes for other machines; on a
# standalone host leave this at 0, otherwise the FORWARD chain (policy ACCEPT
# by default) will route packets for anyone who can get them to the box.
echo "1" > /proc/sys/net/ipv4/ip_forward

# Set the default policy before flushing so there is no window with INPUT open.
$IPTABLES -P INPUT DROP

# Flush all filters.
$IPTABLES -F INPUT

# Define new chain. -N fails if the chain already exists (re-running the
# script), so flush it in that case instead of appending duplicate rules.
$IPTABLES -N inbound 2>/dev/null || $IPTABLES -F inbound

# Begin rules.
$IPTABLES -A INPUT -i eth0 -j inbound
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A inbound -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A inbound -m state --state RELATED -j ACCEPT
# Anything else arriving on eth0 returns from "inbound" and hits the DROP
# policy; these explicit DROPs are redundant with it but make the intent
# visible in "iptables -L -v".
$IPTABLES -A INPUT -i eth0 -p tcp --syn -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp --dport 0 -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp --dport 1 -j DROP

<end rules-file.sh>

*Execute at the prompt:

<prompt#>chmod 750 [rules-file.sh]

*Then execute your rules file at the prompt:

<prompt#>full-path-to-rules-file.sh

*If this works then add the following to /etc/rc.d/rc.local:

if [ -x full-path-to-rules-file.sh ]; then
    echo "Loading iptables ruleset."
    full-path-to-rules-file.sh
fi

Paths given as examples above may differ per OS. The above was done on a Red Hat machine. There may be slight differences.

Regards,

wjm

Last edited by wjm : 02-03-2004 at 12:02 PM.
#3  epicbard (mmm... bacon bits)  02-03-2004, 12:20 PM
Join Date: Dec 2002 | Location: Treehouse | Posts: 4,266

Ahh, sweet... I'll give it a go... I also read something about rc.firewall on Slackware... I have to look into it. Thanks, man!
#4  epicbard (mmm... bacon bits)  02-04-2004, 09:58 AM
Join Date: Dec 2002 | Location: Treehouse | Posts: 4,266

Hmm, that did not do the trick... don't know why, but this did:

put the rules in /etc/rc.d/rc.modules

as in:

# Set the default policy before flushing so there is no window with INPUT open.
iptables -P INPUT DROP

# Flush all filters.
iptables -F INPUT

# Define new chain. -N fails if the chain already exists (the rules being run
# a second time), so flush it in that case instead of appending duplicates.
iptables -N inbound 2>/dev/null || iptables -F inbound

# Begin rules.
iptables -A INPUT -i eth0 -j inbound
iptables -A INPUT -i lo -j ACCEPT
iptables -A inbound -m state --state ESTABLISHED -j ACCEPT
iptables -A inbound -m state --state RELATED -j ACCEPT
# Anything else arriving on eth0 returns from "inbound" and hits the DROP
# policy; these explicit DROPs are redundant with it but show the intent.
iptables -A INPUT -i eth0 -p tcp --syn -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 0 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 1 -j DROP
Last edited by epicbard : 02-09-2004 at 01:17 PM.
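The posts above get the rules in at boot by running iptables commands one at a time from rc.local or rc.modules. What follows is an added example, not epicbard's or wjm's code: the same stealth-host policy written as an iptables-save style file and loaded with iptables-restore, which replaces the whole filter table in one step, so there is never a half-built chain, and a re-run cannot fail on -N or append duplicates. Assumptions: the external interface is eth0, the file lives at /etc/iptables.rules, and it is hooked from /etc/rc.d/rc.local as in post #2 (recent Slackware releases also run /etc/rc.d/rc.firewall from rc.inet2 if it is executable, which is the file epicbard mentions; grep your own rc.inet2 to confirm before relying on it).

```sh
#!/bin/sh
# Added example (not code from the thread): the "stealth host" policy from the
# posts above as an iptables-restore file, loaded atomically at boot.
# Assumptions: external interface eth0 and the path /etc/iptables.rules.

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
WAN_IF="${WAN_IF:-eth0}"

# Print the ruleset in iptables-save format. Everything arriving on eth0 goes
# through the "inbound" chain; only replies to connections this host opened
# are accepted, the rest is logged (rate limited) and hits the DROP policy.
gen_host_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:inbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $WAN_IF -j inbound
-A inbound -m state --state INVALID -j DROP
-A inbound -m state --state ESTABLISHED,RELATED -j ACCEPT
-A inbound -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "DROP-IN: "
COMMIT
EOF
}

# Write the file and load it in one step. iptables-restore swaps the whole
# filter table at once, so there is no moment with a half-built chain, and
# re-running it never duplicates rules or fails on an existing chain.
install_host_rules() {
    gen_host_rules > "$RULES_FILE"
    /sbin/iptables-restore < "$RULES_FILE"
}

# Boot hook, e.g. at the end of /etc/rc.d/rc.local (or in /etc/rc.d/rc.firewall
# on Slackware, if your rc.inet2 runs it):
#   [ -r /etc/iptables.rules ] && /sbin/iptables-restore < /etc/iptables.rules

case "${1:-}" in
    show)    gen_host_rules ;;      # sh host-fw.sh show     -> print the file
    install) install_host_rules ;;  # sh host-fw.sh install  -> write and load (as root)
esac
```

`sh host-fw.sh show` prints the file, `sh host-fw.sh install` (as root) writes and loads it. Check it with `iptables -L -v -n` (the counters on the inbound chain should move as you browse) and, from another machine, a SYN scan such as `nmap -sS -P0 <host>` should report every port as filtered, which is what pcflank's "stealth" result means. If you administer the box over SSH, add `-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT` before loading: the ESTABLISHED rule keeps your current session alive, but the next login would be dropped.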
#5  epicbard (mmm... bacon bits)  02-04-2004, 03:18 PM
Join Date: Dec 2002 | Location: Treehouse | Posts: 4,266

Anyone else here use iptables? Mind sharing your rules?
#6  02-04-2004, 03:26 PM
The race for quality has no finish line- so technically, it's more like a death march.
Join Date: Feb 2001 | Posts: 18,159

Quote (originally posted by isomer): Anyone else here use iptables? Mind sharing your rules?

Haven't had to yet. But here's a nice link: http://www.netfilter.org/
#7  wjm (Registered User)  02-04-2004, 04:57 PM
Join Date: Aug 2001 | Location: South Florida | Posts: 95

Quote (originally posted by isomer): Anyone else here use iptables? Mind sharing your rules?

Sure. This is taken from a Red Hat box, using a dynamic-IP analog modem connection, with NAT enabled. Public IPs have been altered to protect the innocent.



#!/bin/sh

# Verify module dependencies, and load the FTP connection-tracking helper so
# active-mode ftp-data comes back as RELATED (2.4/early 2.6 module name; it is
# nf_conntrack_ftp on newer kernels).
/sbin/depmod -a
/sbin/modprobe ip_conntrack_ftp 2>/dev/null

# Define iptables binary
IPTABLES=/sbin/iptables

# Enable ip forwarding and dynamic addressing
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Default Policy, set before flushing so nothing is accepted while the rules
# below are still loading. FORWARD stays ACCEPT as in the original, which with
# ip_forward=1 means the box routes whatever it is handed; only the per-host
# DROPs near the end restrict it.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Flush all filters and NAT tables.
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F OUTPUT
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

# Logging Policy. These sit at the head of every chain, so they log *every*
# packet at debug level: fine while testing, far too noisy to leave on. Add
# "-m limit --limit 10/s" or comment them out once the ruleset works.
$IPTABLES -A FORWARD -j LOG --log-level 7 --log-prefix FORWARD
$IPTABLES -A INPUT -j LOG --log-level 7 --log-prefix INPUT
$IPTABLES -A OUTPUT -j LOG --log-level 7 --log-prefix OUTPUT
$IPTABLES -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix POSTROUTING
$IPTABLES -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix PREROUTING
$IPTABLES -t nat -A OUTPUT -j LOG --log-level 7 --log-prefix OUTPUT-ROUTING

# Turn NAT on
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# INPUT Filter: Drop fragments & invalid packets
$IPTABLES -A INPUT -f -j DROP
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Unclean match (experimental in netfilter; if the module is missing this
# line just errors and the rest of the script still loads)
$IPTABLES -A INPUT -m unclean -j DROP

# Refuse packets arriving over the modem link that claim a private, multicast
# or loopback address; none of these can legitimately come from the Internet.
$IPTABLES -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP        # Class A private
$IPTABLES -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP     # Class B private
$IPTABLES -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP    # Class C private
$IPTABLES -A INPUT -i ppp0 -s 224.0.0.0/4 -j DROP       # Class D multicast
$IPTABLES -A INPUT -i ppp0 -d 127.0.0.0/8 -j DROP       # addressed to loopback

# Drop TCP flag combinations no real stack sends (XMAS, SYN+FIN, SYN+RST probes
# used by stealth port scanners). These do nothing against a plain SYN flood;
# that is what the kernel's tcp_syncookies setting is for.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# ICMP, limited to 1/s (default burst 5). Anything over the limit falls
# through to the VIOLATION log and the DROP policy, provided no later rule
# accepts NEW ICMP unconditionally (see "Allowing existing connections").
$IPTABLES -A INPUT -i ppp0 -m limit --limit 1/s -p icmp --icmp-type 0 -j ACCEPT   # echo reply
$IPTABLES -A INPUT -i ppp0 -m limit --limit 1/s -p icmp --icmp-type 3 -j ACCEPT   # destination unreachable
$IPTABLES -A INPUT -i ppp0 -m limit --limit 1/s -p icmp --icmp-type 4 -j ACCEPT   # source quench
$IPTABLES -A INPUT -i ppp0 -m limit --limit 1/s -p icmp --icmp-type 8 -j ACCEPT   # echo request
$IPTABLES -A INPUT -i ppp0 -m limit --limit 1/s -p icmp --icmp-type 11 -j ACCEPT  # time exceeded

# Internal lan is wide open on eth0
$IPTABLES -A INPUT -i eth0 -s 192.168.0.2 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s 192.168.0.3 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s 192.168.0.5 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s 192.168.0.10 -j ACCEPT

# Allowing existing connections. The original also had
#   $IPTABLES -A INPUT -m state --state NEW -p ICMP -j ACCEPT
# here, which accepted every ICMP packet the limit rules above had declined,
# i.e. it cancelled the rate limit; it is left out.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ftp-data from ftp.io.com. With ip_conntrack_ftp loaded the data
# connection already matches RELATED and these are unnecessary; note that
# they trust any packet from that host just for having source port 20/21.
$IPTABLES -A INPUT -i ppp0 -s 199.170.22.105 -p tcp --sport 20 -j ACCEPT
$IPTABLES -A INPUT -i ppp0 -s 199.170.22.105 -p tcp --sport 21 -j ACCEPT

# Allow ftp from webunited
$IPTABLES -A INPUT -i ppp0 -s 216.243.1.199 -p tcp --dport 21 -j ACCEPT

# Allow HTTPS queries on ppp0 (TCP only; the original's 443/udp, 25/udp,
# 110/udp and 22/udp rules opened ports nothing listens on and are left out)
$IPTABLES -A INPUT -i ppp0 -s 216.243.1.199 -p tcp --dport 443 -j ACCEPT

# Allow DNS queries on ppp0
$IPTABLES -A INPUT -i ppp0 -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT

# Allow SMTP connections from everywhere
$IPTABLES -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT

# Allow POP3 connections from everywhere
$IPTABLES -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT

# Allow SSH connections from select networks
$IPTABLES -A INPUT -i ppp0 -s 216.243.2.198 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i ppp0 -s 216.243.2.199 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i ppp0 -s 199.170.65.0/24 -p tcp --dport 22 -j ACCEPT

## Microsoft Security Bulletin MS03-049 & CERT® Advisory CA-2003-23 RPCSS ##
## (Blaster worm variant, 11-20-03)                                       ##
# Keep the Windows RPC/NetBIOS/SMB ports closed for the LAN host 192.168.0.10
# in both directions. Packets to or from a LAN host traverse the FORWARD
# chain; INPUT and OUTPUT only see packets addressed to or sent by the gateway
# itself, so the original INPUT "-d 192.168.0.10" / OUTPUT "-s 192.168.0.10"
# rules could never match. Inbound: anything aimed at those ports on the host.
# Outbound: the host reaching those ports elsewhere, which is how the worm
# spreads (the original matched --sport here, which only blocks replies).
for PORT in 135 137 138 139 445 593; do
    $IPTABLES -A FORWARD -d 192.168.0.10 -p tcp --dport $PORT -j DROP
    $IPTABLES -A FORWARD -d 192.168.0.10 -p udp --dport $PORT -j DROP
    $IPTABLES -A FORWARD -s 192.168.0.10 -p tcp --dport $PORT -j DROP
    $IPTABLES -A FORWARD -s 192.168.0.10 -p udp --dport $PORT -j DROP
done

# Log everything that reached the end of INPUT (about to hit the DROP policy)
$IPTABLES -A INPUT -j LOG --log-prefix "VIOLATION: "


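The script above leaves the FORWARD chain at policy ACCEPT, so with ip_forward=1 the gateway routes anything it is handed, and whether the per-host RPC blocks take effect depends on their being in FORWARD, the chain that traffic to and from a LAN host actually traverses. The following is an added example, not wjm's script: the same gateway in the same shell-function style, but with a stateful FORWARD chain that fails closed, the per-host port blocks placed ahead of the LAN-to-WAN accept, and drop logging rate limited. Assumptions: WAN ppp0, LAN eth0 on 192.168.0.0/24, the shielded host 192.168.0.10 and the SSH admin network 199.170.65.0/24 are taken from the post; setting IPTABLES=echo prints the commands instead of applying them.

```sh
#!/bin/sh
# Added example (not wjm's script): a NAT gateway in the same shell-function
# style, with a stateful FORWARD chain so the LAN is reachable from the modem
# link only for replies, and the Windows RPC/SMB blocks in FORWARD, where
# traffic to and from a LAN host actually passes.
# Assumptions: WAN ppp0, LAN eth0 = 192.168.0.0/24, shielded host 192.168.0.10,
# SSH admin network 199.170.65.0/24 (all taken from the post). Set IPTABLES=echo
# to print the commands instead of applying them.

IPTABLES="${IPTABLES:-/sbin/iptables}"
WAN="${WAN:-ppp0}"
LAN="${LAN:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WIN_HOST="${WIN_HOST:-192.168.0.10}"
ADMIN_NET="${ADMIN_NET:-199.170.65.0/24}"

apply_gateway_rules() {
    # Policies first, so a partially loaded ruleset fails closed.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -F FORWARD
    $IPTABLES -F OUTPUT
    $IPTABLES -t nat -F

    # Loopback, and the LAN side of the gateway itself.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # Anti-spoofing on the WAN side: private, multicast and loopback sources
    # cannot legitimately arrive over the modem link.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 127.0.0.0/8; do
        $IPTABLES -A INPUT   -i "$WAN" -s "$net" -j DROP
        $IPTABLES -A FORWARD -i "$WAN" -s "$net" -j DROP
    done

    # Stateful core: replies come back, nothing else enters from the WAN.
    $IPTABLES -A INPUT   -m state --state INVALID -j DROP
    $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state INVALID -j DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Windows RPC/NetBIOS/SMB ports stay closed for the shielded host in both
    # directions (inbound: attacks on it; outbound: it spreading a worm). These
    # must come before the general LAN -> WAN accept to take effect.
    for port in 135 137 138 139 445 593; do
        $IPTABLES -A FORWARD -d "$WIN_HOST" -p tcp --dport "$port" -j DROP
        $IPTABLES -A FORWARD -d "$WIN_HOST" -p udp --dport "$port" -j DROP
        $IPTABLES -A FORWARD -s "$WIN_HOST" -p tcp --dport "$port" -j DROP
        $IPTABLES -A FORWARD -s "$WIN_HOST" -p udp --dport "$port" -j DROP
    done
    $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # What the gateway itself answers on the WAN side. No later rule accepts
    # NEW ICMP unconditionally, so the rate limit actually applies.
    $IPTABLES -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $IPTABLES -A INPUT -i "$WAN" -p tcp --dport 22 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT

    # Log what is about to be dropped, rate limited so a scan cannot fill syslog.
    $IPTABLES -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "VIOLATION-IN: "
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "VIOLATION-FWD: "

    # NAT last; only turn on forwarding once the FORWARD chain is in place.
    $IPTABLES -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    [ "$IPTABLES" = echo ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply) apply_gateway_rules ;;                 # sh gw-fw.sh apply  (as root)
    show)  IPTABLES=echo; apply_gateway_rules ;;  # sh gw-fw.sh show   (dry run)
esac
```

`sh gw-fw.sh show` prints the exact commands that `sh gw-fw.sh apply` would run. Compared with the script in the post: FORWARD fails closed and forwarding is only switched on after the chain is built; the LAN-to-WAN accept is stateful, so replies come back through the ESTABLISHED,RELATED rule rather than through per-port holes; and the per-host port blocks sit before that accept, in the chain that actually carries the host's traffic, which you can confirm with `iptables -L FORWARD -v -n` once the Windows box tries to talk to 445 anywhere.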
#8  epicbard (mmm... bacon bits)  02-04-2004, 05:54 PM
Join Date: Dec 2002 | Location: Treehouse | Posts: 4,266

Quote (originally posted by wjm): Sure. This is taken from a Red Hat box, using a dynamic-IP analog modem connection, with NAT enabled. Public IPs have been altered to protect the innocent.

Wow, nice... I'll give it a run... PS: I have a static IP.
#9  epicbard (mmm... bacon bits)  02-04-2004, 06:09 PM
Join Date: Dec 2002 | Location: Treehouse | Posts: 4,266

Quote (originally posted by pointreyes): Haven't had to yet. But here's a nice link: http://www.netfilter.org/

Well, to me it seems like a pretty cool and easy way to get security up... since Slack does not come with a firewall tool or app... I decided to give iptables a try just from the command line... don't have to worry about configuring an app.
#10  epicbard (mmm... bacon bits)  04-09-2004, 02:25 PM
Join Date: Dec 2002 | Location: Treehouse | Posts: 4,266

With the recent news from PCB I am kinda worried whether I have set up my iptables to the max...

What I did on top is I stealthed all the ports... it works nicely and all, but is it good enough... what else can I do?
#11  Gorganzola (ABXZone > Facebook)  04-09-2004, 02:53 PM
Join Date: May 2001 | Location: Hangin' with the fruits | Posts: 9,401

A stealthed port doesn't respond to a port scan. Port scanners are typically set up to look for an open port on a system. In my case I had someone, somehow, walk in from over in Eastern Europe (I traced his IP) to my FTP. It was the anonymous account so I didn't care, since all I had in there was a distro of Slackware at the time. I did close the account and kick the person out though.

I use a hardware firewall and that has kept me separated from the outside. I can control what ports get mapped where. Plus, in combination with the software firewall to control what goes out, I have a nicely secured setup.

I can also control outgoing traffic with my firewall, but it is a true firewall, not just a regular unit that people can buy that gets its firewalling ability from the use of NAT.

Thing is though, you control outgoing traffic with the software firewall and incoming with the gateway / router (commonly referred to as a firewall because of the natural firewalling that NAT provides, but that is actually rather misleading). But with this combination and a good virus checker you shouldn't have any worries. Well, so long as you keep everything updated. This includes the firmware on the gateway / router, the software firewall and your antivirus software.

Edit:

And don't forget a good spyware scanner; keep that up to date and scan every so often with it.
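wjm's ruleset ends with a LOG rule tagged "VIOLATION: " for everything about to hit the DROP policy, and the question in post #10 ("is it good enough?") is best answered by reading what those lines say rather than by running another online scan. What follows is an added example, not from any post in the thread: a small sh/awk summariser that reads kernel LOG lines from syslog and counts dropped packets per source address and per protocol/destination port. The six log lines embedded in it are constructed for the example in the format the LOG target writes (the IN=, SRC=, PROTO=, DPT= fields), using documentation-range addresses; the prefix string and the path /var/log/messages are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): summarise iptables LOG lines by source
# and destination port. Reads syslog-format lines on stdin; only lines carrying
# the given log prefix (e.g. "VIOLATION: " from wjm's last rule) are counted.

# Constructed sample in the format the kernel LOG target writes to syslog.
# Three SYNs from one scanner at 135/445/139, one NetBIOS probe, one ping, and
# one line with a different prefix that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Feb  4 17:02:11 gw kernel: VIOLATION: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=113 ID=1 DF PROTO=TCP SPT=4321 DPT=135 WINDOW=16384 SYN URGP=0
Feb  4 17:02:12 gw kernel: VIOLATION: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=113 ID=2 DF PROTO=TCP SPT=4322 DPT=445 WINDOW=16384 SYN URGP=0
Feb  4 17:02:12 gw kernel: VIOLATION: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=113 ID=3 DF PROTO=TCP SPT=4323 DPT=139 WINDOW=16384 SYN URGP=0
Feb  4 17:05:40 gw kernel: VIOLATION: IN=ppp0 OUT= SRC=198.51.100.23 DST=198.51.100.7 LEN=78 TTL=64 ID=4 PROTO=UDP SPT=1026 DPT=137 LEN=58
Feb  4 17:09:03 gw kernel: VIOLATION: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.7 LEN=84 TTL=52 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Feb  4 17:09:05 gw kernel: INPUT IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=60 TTL=55 ID=6 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 SYN URGP=0
EOF
)

# summarize_drops PREFIX < logfile
# Prints "port PROTO/DPT COUNT" lines, then "src IP COUNT" lines, each group
# sorted by count descending. ICMP has no port and is shown as ICMP/-.
summarize_drops() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        {
            src = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src == "") next
            by_src[src]++
            by_port[proto "/" dpt]++
        }
        END {
            for (s in by_src)  printf "src %s %d\n", s, by_src[s]
            for (p in by_port) printf "port %s %d\n", p, by_port[p]
        }' | sort -k1,1 -k3,3nr
}

# top_source PREFIX < logfile : the single address with the most dropped packets.
top_source() {
    summarize_drops "$1" | awk '$1 == "src" { print $2; exit }'
}

# Stand-alone: "sh fwlog.sh demo" runs on the sample above,
# "sh fwlog.sh /var/log/messages" on a real log.
case "${1:-}" in
    "")   ;;
    demo) printf '%s\n' "$SAMPLE_LOG" | summarize_drops "VIOLATION: " ;;
    *)    summarize_drops "VIOLATION: " < "$1" ;;
esac
```

On the sample, `sh fwlog.sh demo` shows one source responsible for three of the five drops, hitting 135, 445 and 139 within a second, which is the Blaster-era probe the per-host rules in the post are aimed at; the "INPUT"-prefixed line, logged before the accept rules, is correctly not counted. Two things to watch on a real log: a LOG rule without `-m limit` ahead of it makes /var/log/messages grow fast under a scan, and if a port you believe is closed is being probed but never shows up in the summary, the rule that should be dropping it is not being reached.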
#12  epicbard (mmm... bacon bits)  04-09-2004, 03:59 PM
Join Date: Dec 2002 | Location: Treehouse | Posts: 4,266

Quote (originally posted by Gorganzola): And don't forget a good spyware scanner; keep that up to date and scan every so often with it.

True... but is there a prog for Linux?