LinuxQuestions.org
Linux - Security
Old 04-22-2013, 06:52 PM   #16
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,469
Blog Entries: 54


If you changed the -J to -j at line 19 then it can only be your "x.y.0.0/16"-like ranges, at least that's what running '/sbin/iptables-restore --verbose --test < /tmp/iptablesNEW.txt' should show.
 
Old 04-22-2013, 07:16 PM   #17
marciano
Member
 
Registered: Oct 2005
Location: Uruguay
Distribution: CentOS 5.10 Ubuntu 12.4 MacOS 10.9
Posts: 113

Original Poster
unSpawn, I've edited my last post, probably while you posted the last one.
This is what I get:
# /sbin/iptables-restore --verbose --test < /tmp/iptablesNEW2.txt
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
#
# UNrestricted access: TCP FTP,FTP,SSH,MTA,DNS,HTTP,HTTPS,DNS,IMAPS,POP3S
#
# UNrestricted access: UDP FTP(?),FTP(?),DNS
#
# Restricted access: NTP,MySQL,AppMan(?),WebMin,UserMin
# Restricted access: UDP NTP
#
# Chain holding allowed IP ranges
#
# ICMP
#
# Log and REJECT the rest:
#
# Log and REJECT some outbound problems: telnet,IRC,IRC,IRCS,IRC,IRC,IRC,IRC,proxy,proxy,proxy

Thank you
Attached file: iptablesNEW2.txt (1.8 KB)

Last edited by marciano; 04-22-2013 at 07:19 PM.
 
Old 04-22-2013, 07:26 PM   #18
unSpawn
Moderator
 
No errors in the output means you should be able to load it now. Do take the usual precautions though.
 
Old 04-22-2013, 07:33 PM   #19
marciano
Member
 
Original Poster
But it was in --test mode.
I still get the error at the last line "COMMIT".
# echo "/etc/rc.d/init.d/iptables stop" | /usr/bin/at now +5 minutes
# /sbin/iptables-restore --verbose < /tmp/iptablesNEW2.txt
iptables-restore: line 45 failed

Thanks

# echo "/etc/rc.d/init.d/iptables stop" | /usr/bin/at now +5 minutes
job 8 at 2013-04-22 22:45
# /sbin/iptables-restore --verbose < /tmp/iptablesNEW2.txt
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
#
# UNrestricted access: TCP FTP,FTP,SSH,MTA,DNS,HTTP,HTTPS,DNS,IMAPS,POP3S
#
# UNrestricted access: UDP FTP(?),FTP(?),DNS
#
# Restricted access: NTP,MySQL,AppMan(?),WebMin,UserMin
# Restricted access: UDP NTP
#
# Chain holding allowed IP ranges
#
# ICMP
#
# Log and REJECT the rest:
#
# Log and REJECT some outbound problems: telnet,IRC,IRC,IRCS,IRC,IRC,IRC,IRC,proxy,proxy,proxy
#
iptables-restore: line 45 failed

Last edited by marciano; 04-22-2013 at 08:42 PM.
 
Old 04-23-2013, 01:33 AM   #20
unSpawn
Moderator
 
Quote:
Originally Posted by marciano
iptables-restore: line 45 failed
Fixed:
Code:
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RESTRICT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 20,21,22,25,53,80,443,953,993,995 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp -m multiport --dports 20,21,53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -j RESTRICT
-A INPUT -p udp -m state --state NEW -m udp --dport 123 -j RESTRICT
-A RESTRICT -s 186.8.0.0/16 -j ACCEPT
-A RESTRICT -s 186.48.0.0/16 -j ACCEPT
-A RESTRICT -s 186.52.0.0/16 -j ACCEPT
-A RESTRICT -s 190.0.0.0/8 -j ACCEPT
-A RESTRICT -s 200.0.0.0/8 -j ACCEPT
-A RESTRICT -s 201.217.0.0/16 -j ACCEPT
-A RESTRICT -s 201.219.224.0/24 -j ACCEPT
-A RESTRICT -s 201.221.0.0/16 -j ACCEPT
-A RESTRICT -s 186.52.10.124 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -m state --state NEW -m limit --limit 1/sec -j LOG --log-prefix "IN_denied "
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 23,194,994,6660:6669,6697,7000,7666,8080,8123,8443 -m limit --limit 1/s -j REJECT
COMMIT
 
Old 04-23-2013, 08:03 AM   #21
marciano
Member
 
Original Poster
Hello unSpawn, I added *filter and it went well. I'll also add comments.
How can I check these rules in the 5 minutes I have?
# echo "/etc/rc.d/init.d/iptables stop" | /usr/bin/at now +5 minutes
# /sbin/iptables-restore < /tmp/iptablesNEW3.txt

Thank you very much
 
Old 04-23-2013, 12:33 PM   #22
unSpawn
Moderator
 
Quote:
Originally Posted by marciano
How can I check these rules in the 5 minutes I have?
Code:
# Log in, activate firewall, watch logs:
tail -f /var/log/{messages,secure} /var/log/httpd/*_log

#...and from another machine:

# use a browser and access a web page:
curl http://some.do.main/page

# lookup a domain using your name server:
dig other.do.main @some.do.main

# try to access via FTP:
lftp ftp://username@some.do.main

# maybe run a port scan:
nmap -P0 -sV some.do.main
Just be creative.
 
Old 04-24-2013, 08:35 AM   #23
marciano
Member
 
Original Poster
Hello unSpawn,

I'm not sure how to handle the chain RESTRICT you've created.
If I don't misunderstand,
RESTRICT --dports 123,3306,3312,10000,20000 drops those ports, NTP, MYSQL, Webmin, Usermin to ALL and
-A RESTRICT -s 186.8.0.0/16 -j ACCEPT is accepted to access those ports. Is that so?
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j ACCEPT --dports 20,21,22,25,53,80,443,953,993,995
Those ports allow access to anyone?

I am making some tests: here I have two different internet connections so I can check drop behavior using one of them.
I tried to block xxx.xxx.xxx.xxx access to all ports.
I did that from Webmin CP and "Apply Changes".
The first part of iptables is:
Code:
*filter
:RESTRICT - [0:0]
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
#
-A INPUT -s xxx.xxx.xxx.xxx -j DROP
#
# Limit HTTP,HTTPS,DNS,IMAPS,POP3S requests:
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j ACCEPT --dports 20,21,22,25,53,80,443,953,993,995
# UNrestricted access: UDP FTP(?),FTP(?),DNS
-A INPUT -p udp -m state -m udp -m multiport --state NEW -j ACCEPT --dports 20,21,53
# Restricted access: NTP,MySQL,AppMan(?),WebMin,UserMin
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j RESTRICT --dports 123,3306,3312,10000,20000
# Restricted access: UDP NTP
-A INPUT -p udp -m state -m udp --dport 123 --state NEW -j RESTRICT
-A RESTRICT -s 186.8.0.0/16 -j ACCEPT
-A RESTRICT -s 186.48.0.0/16 -j ACCEPT
-A RESTRICT -s xxx.xxx.0.0/16 -j ACCEPT
From xxx.xxx.xxx.xxx I am able to http, https, ftp, webmin and ssh

What am I missing?

Thank you.

Last edited by marciano; 04-24-2013 at 08:40 AM.
 
Old 04-24-2013, 10:03 AM   #24
marciano
Member
 
Original Poster
After iptables -L I guess that 'I did that from Webmin CP and "Apply Changes".' was not enough to apply the changes. I ran 'service iptables restart' and iptables -L gave the correct status. I'll check some rules again. Anyway, I keep the other questions from my previous post.
Thank you

PS: well, there's something I don't understand about the iptables service. I restarted it but the rules are replaced by the old ones. atq displays nothing.
After restart iptables -L ->

...
Chain RESTRICT (2 references)
target prot opt source destination
ACCEPT all -- 186.8.0.0/16 anywhere
ACCEPT all -- r186-48-0-0.dialup.adsl.anteldata.net.uy/16 anywhere
ACCEPT all -- r186-52-0-0.dialup.adsl.anteldata.net.uy/16 anywhere
ACCEPT all -- 190.0.0.0/8 anywhere
ACCEPT all -- 200.0.0.0/8 anywhere
ACCEPT all -- 201.217.0.0/16 anywhere
ACCEPT all -- 201.219.224.0/24 anywhere
ACCEPT all -- 0.0.221.201.static.dedicado.com.uy/16 anywhere


After a while
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



PS2:

It seems apf was 'disturbing'. I stopped it and its related cron jobs and there are no more changes to iptables.

Last edited by marciano; 04-24-2013 at 11:47 AM.
 
Old 04-24-2013, 04:49 PM   #25
unSpawn
Moderator
 
Quote:
Originally Posted by marciano
I'm not sure how to handle the chain RESTRICT you've created.
If I not misunderstand,
RESTRICT --dports 123,3306,3312,10000,20000 drops those ports, NTP, MYSQL, Webmin, Usermin to ALL and
-A RESTRICT -s 186.8.0.0/16 -j ACCEPT is accepted to access those ports. Is that so?
No. The rule
Code:
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -j RESTRICT
redirects all IPv4 addresses trying to access TCP ports 123, 3306, 3312, 10000 and 20000 to the chain named "RESTRICT". Because the filter table INPUT chain has a policy of DROP, only those IP addresses or ranges listed in the RESTRICT chain are allowed to create a new connection.


Quote:
Originally Posted by marciano
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j ACCEPT --dports 20,21,22,25,53,80,443,953,993,995
Those ports allow access to anyone?
Yes.


Quote:
Originally Posted by marciano
I am making some tests: here I have two different internet connections so I can check drop behavior using one of them.
I tried to block xxx.xxx.xxx.xxx access to all ports.
I did that from Webmin CP and "Apply Changes".
The first part of iptables is:
Code:
*filter
:RESTRICT - [0:0]
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
#
-A INPUT -s xxx.xxx.xxx.xxx -j DROP
#
# Limit HTTP,HTTPS,DNS,IMAPS,POP3S requests:
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j ACCEPT --dports 20,21,22,25,53,80,443,953,993,995
# UNrestricted access: UDP FTP(?),FTP(?),DNS
-A INPUT -p udp -m state -m udp -m multiport --state NEW -j ACCEPT --dports 20,21,53
# Restricted access: NTP,MySQL,AppMan(?),WebMin,UserMin
-A INPUT -p tcp -m state -m tcp -m multiport --state NEW -j RESTRICT --dports 123,3306,3312,10000,20000
# Restricted access: UDP NTP
-A INPUT -p udp -m state -m udp --dport 123 --state NEW -j RESTRICT
-A RESTRICT -s 186.8.0.0/16 -j ACCEPT
-A RESTRICT -s 186.48.0.0/16 -j ACCEPT
-A RESTRICT -s xxx.xxx.0.0/16 -j ACCEPT
From xxx.xxx.xxx.xxx I am able to http, https, ftp, webmin and ssh

What I am missing?
Basically what you have to understand is the "Linux Firewall" consists of a kernel part (called "Netfilter") and a user land part. The latter is used for rule management: loading, deletion, modifying, etc. The pivotal and only tool that manages these rules is called 'iptables'. Any other tool like the CLI system-config-firewall tool in RHEL or CentOS, UFW in Ubuntu, the firewall module of Webmin, R-Fx APF or whatever else tool enshrouded in fscked up marketoid language, are what we call front-ends: they essentially only provide an "easy" interface to, and underneath only use, iptables.

The rules you loaded on the command line with the
Code:
/sbin/iptables-restore < /tmp/iptablesNEW.txt
command are activated right there and then. Any front-end that doesn't first check the activated rule set but only navel-stares at its own rule set will be ignorant of any changes and will ignore, overwrite and destroy your current rule set. If you are happy with the rules in /tmp/iptablesNEW.txt then in CentOS you would save them as the default with
Code:
 
# Create a backup first
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.prev

# Now replace the current rule set
iptables-save > /etc/sysconfig/iptables
then when you
Code:
/sbin/service iptables restart
you'll find your rule set is just as you wanted it.
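The RESTRICT question answered above, worked through in an added example (not code from the thread or from unSpawn): a small Python simulator of the iptables-save filter format that walks INPUT the way netfilter does, jumps into the user chain RESTRICT, and falls back into INPUT when RESTRICT ends without a verdict. The ruleset string is constructed here, abridged from the one posted earlier in the thread; the packet fields (source, protocol, destination port, conntrack state) are assumed inputs, and only single ports, not a:b ranges, are parsed.

```python
import ipaddress
# Constructed for this example: abridged from the fixed ruleset posted earlier in the thread.
RULESET = """\
:INPUT DROP [0:0]
:RESTRICT - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 20,21,22,25,53,80,443,953,993,995 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 123,3306,3312,10000,20000 -j RESTRICT
-A INPUT -p udp -m state --state NEW -m udp --dport 123 -j RESTRICT
-A RESTRICT -s 186.8.0.0/16 -j ACCEPT
-A RESTRICT -s 190.0.0.0/8 -j ACCEPT
-A INPUT -m state --state NEW -m limit --limit 1/sec -j LOG --log-prefix "IN_denied "
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # LOG is not terminal: the walk continues after it

def parse(text):
    policies, chains = {}, {}   # policy "-" marks a user-defined chain such as RESTRICT
    for line in text.splitlines():
        toks = line.split()
        if line.startswith(":"):
            policies[toks[0][1:]], chains[toks[0][1:]] = toks[1], []
        elif line.startswith("-A "):
            rule = {"target": toks[toks.index("-j") + 1]}
            for i, t in enumerate(toks):
                if t == "-s":
                    rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
                elif t == "-p":
                    rule["proto"] = toks[i + 1]
                elif t in ("--dport", "--dports"):   # single ports only, no a:b ranges
                    rule["dports"] = {int(p) for p in toks[i + 1].split(",")}
                elif t == "--state":
                    rule["states"] = set(toks[i + 1].split(","))
            chains[toks[1]].append(rule)
    return policies, chains

def matches(rule, pkt):
    return (("src" not in rule or pkt["src"] in rule["src"])
            and rule.get("proto", pkt["proto"]) == pkt["proto"]
            and ("dports" not in rule or pkt["dport"] in rule["dports"])
            and ("states" not in rule or pkt["state"] in rule["states"]))

def verdict(policies, chains, pkt, chain):
    """Walk a chain as netfilter does; None means a user chain ended without a verdict."""
    for rule in (r for r in chains[chain] if matches(r, pkt)):
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target in chains:              # jump into RESTRICT; fall through if it returns
            v = verdict(policies, chains, pkt, target)
            if v is not None:
                return v
    return None if policies[chain] == "-" else policies[chain]   # built-in chain: its policy

def check(src, proto, dport, state="NEW", chain="INPUT"):
    pkt = {"src": ipaddress.ip_address(src), "proto": proto, "dport": dport, "state": state}
    return verdict(*parse(RULESET), pkt, chain)
```

Port 80 is accepted from anywhere, while 3306 from an address outside the listed ranges leaves RESTRICT without a verdict, is logged, and is then rejected by the catch-all rule; only a packet no NEW rule matches ever reaches the DROP policy.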
 
Old 04-24-2013, 05:26 PM   #26
marciano
Member
 
Original Poster
unSpawn,

What about SSH several login attempts?

I found something on which I ask your advice.
Thank you

Quote:
# Create SSH attack chains
:SSH_CHECK - [0:0]
:SSH_ATTACKED - [0:0]
#
# Captures SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j SSH_CHECK
# Define SSH_CHECK chain
-A SSH_CHECK -m recent --set --name SSH
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 6 --name SSH -j SSH_ATTACKED
-A SSH_CHECK -j ACCEPT
# Define SSH_ATTACKED chain
-A SSH_ATTACKED -j LOG --log-prefix "iptables SSH attack: " --log-level 7
-A SSH_ATTACKED -j REJECT
 
Old 04-24-2013, 06:22 PM   #27
unSpawn
Moderator
 
I suggest you stop logging in as root over SSH and use fail2ban instead of these rules.
 
Old 04-24-2013, 06:27 PM   #28
marciano
Member
 
Original Poster
Okay, I'll follow that.
Is there a reason you have omitted port 110?
Thanks again

PS: I am also having problems with passive transfers in Filezilla MLSD (Mac Transmit works ok).
It seems I need to have a wide range 30000:32000 of open ports
What do you suggest?

Last edited by marciano; 04-24-2013 at 08:48 PM.
 
Old 04-25-2013, 01:23 AM   #29
unSpawn
Moderator
 
Quote:
Originally Posted by marciano
Okay, I'll follow that.
Is there a reason you have omitted port 110?
Unless you enable TLS or alike it'll be one of those plain text protocols. Either prefer POP3S and IMAPS or add the ports: the choice is yours. And that goes for the 30000:32000 range as well.
 
Old 04-25-2013, 03:17 PM   #30
marciano
Member
 
Original Poster
Hello unSpawn,

Trying to avoid a wide range of open ports for passive ftp (iptables does not start because of that) I found a topic with some info.

I replaced a line with:
Quote:
-A INPUT -p tcp -m tcp -m multiport -m state --state NEW -j ACCEPT --dports 20,22,25,53,80,110,143,443,465,587,953,993,995
-A INPUT -p tcp -m tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT --dport 21
but it didn't help, Filezilla stops at MLSD step
From lsmod|grep 'ipt' I got these loaded modules:
iptable_nat 40517 0
ip_nat 53357 1 iptable_nat
iptable_mangle 36033 0
ip_conntrack 92005 3 iptable_nat,ip_nat,xt_state
iptable_filter 36161 1
ip_tables 55457 3 iptable_nat,iptable_mangle,iptable_filter
ipt_TCPMSS 37313 0
ipt_ULOG 42569 0
ipt_TOS 35265 0
ipt_ttl 34881 0
ipt_ecn 35265 0
ipt_owner 35009 0
ipt_recent 42969 0
ipt_REJECT 38849 2
ipt_LOG 39617 1
x_tables 50377 17 iptable_nat,xt_state,ip_tables,xt_mac,ipt_TCPMSS,xt_length,ipt_ULOG,ipt_TOS,ipt_ttl,ipt_ecn,ipt_owner,ipt_recent,ipt_REJECT,ipt_LOG,xt_limit,xt_tcpudp,xt_multiport

What can I do to surpass this problem?
Thanks again for your patience.
 