LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-16-2003, 06:35 PM   #1
mychl
Member
 
Registered: Jul 2001
Location: Earth
Posts: 164

Rep: Reputation: 30
Please rate my iptables script


I have posted this script for many to help them learn... but now I'm having some doubts about it.....

If anyone cares to take a look at it and let me know if they see any holes I would appreciate it....

It is HERE

Thanks!
 
Old 09-16-2003, 08:28 PM   #2
spurious
Member
 
Registered: Apr 2003
Location: Vancouver, BC
Distribution: Slackware, Ubuntu
Posts: 558

Rep: Reputation: 31
mychl, just wanted to say thanks. One of your example iptables scripts that you posted a year ago really helped this linux newbie learn basic iptables firewalling and masquerading when the how-to's were difficult to understand.
 
Old 09-16-2003, 09:43 PM   #3
mychl
Member
 
Registered: Jul 2001
Location: Earth
Posts: 164

Original Poster
Rep: Reputation: 30
Thanks, nice to know I helped.....
 
Old 09-16-2003, 10:21 PM   #4
seabass55
Member
 
Registered: Jan 2003
Location: 127.0.0.1
Distribution: Fedora&Gentoo
Posts: 207

Rep: Reputation: 30
mychl:
Is there any particular reason you don't log anything?

Some things I'd recommend....
#Log spoofed packets, source routed packets, redirect packets
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# do not accept ICMP redirects
echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects

# do not accept source routed packets
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route


Just add those after your ip_forward

As for the rest of the rules, I'd suggest some logging. I log all <1024 packets. I personally keep ports 22 and 80 open also. But I allow 80 on an IP-by-IP basis. And it's logged differently. I see your rule there for it but I'd suggest uncommenting it ;-)

Also do you have any way of blocking specific hosts? Like a possible hacker or just someone that you don't want accessing your IP? I included the following in my script for just that purpose...

for i in `grep -v "^#" /etc/sysconfig/blocked_ips`
do
$IPTABLES -A INPUT -i eth0 -s ${i} -j DROP
$IPTABLES -A OUTPUT -o eth0 -d ${i} -j DROP
done

Then just start the file with a # and add your IPs (after you add an IP just restart your script). If anyone knows a better way than that, please let me know.

Another thing I'd add

#TCP Flags Chain
$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 10/s -j LOG --log-level info --log-prefix "TCPflags"
$IPTABLES -A tcpflags -j DROP


# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
 
Old 09-17-2003, 08:33 PM   #5
mychl
Member
 
Registered: Jul 2001
Location: Earth
Posts: 164

Original Poster
Rep: Reputation: 30
Thanks for the input seabass55, I got fed up with worm logs so I stopped them.... never thought about it until recently.....

I was searching for info on tcpflags on google, but didn't get anything tangible.... what are they, if you care to explain.....

I also wrote a script that greps out cmd.exe from /var/log/httpd/access_log into a temp file, then I cut the IP addresses from the temp file and append them to /etc/sysconfig/blockips so that I can include your blocking method... thanks...

Now I need to figure out how to parse out only one line of each IP so I don't have multiple entries in /etc/sysconfig/blockips.....

# do not accept ICMP redirects
echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects

Also, should this be 1 or 0? Should accept_redirects be set to 0 to be off?

Also trying to get a handle on source routed packets... but I'm still looking for that one....

Thanks again for your input.....
 
Old 09-17-2003, 10:30 PM   #6
seabass55
Member
 
Registered: Jan 2003
Location: 127.0.0.1
Distribution: Fedora&Gentoo
Posts: 207

Rep: Reputation: 30
Oops... that redirect thing was a typo. Should be a "0"

For handling cmd.exe I use fwlogwatch to view my iptables logs. Since I log allowed IPs separately from all other IPs, when I see more than 1 hit on port 80 from the "Blocked TCP" chain I simply add their IP to my blocked list.

If I were running a webserver to the general public I'd probably do this a different way. IMHO the best way would be to use iptables -string. This can be enabled in a kernel compile I think, and I know there's a patch-o-matic for it as I've done it before on a test system. Don't know what else could do it other than using a script to parse through /var/log/httpd/access_log, since iptables is only a layer 3 packet filter. Patch should be here (it's one of those use-at-your-own-risk things) http://www.netfilter.org/documentati...pom-extra.html

Source routed packets are a bad idea because there's no use for them. Here's a snippet I found....
"When source routed packets are allowed, an attacker can forge the source IP address of connections by explicitly saying how a packet should be routed across the Internet. This could enable them to abuse trust relationships or get around TCP Wrapper-style access lists."

As for the tcp-flags, find a good book on TCP/IP and read it. There's no real "easy" way to explain it. Basically it's information in the TCP header, and the combinations listed above should not happen unless someone is maliciously doing it. Prevents some port scans and hacks. Here's one I have bookmarked..
http://yenigul.net/tcpip/
 
Old 09-18-2003, 04:59 AM   #7
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
Quote:
Now I need to figure out how to parse out only one line of each IP so I don't have multiple entries in /etc/sysconfig/blockips.....
cat /etc/sysconfig/blockips|sort -u >/etc/sysconfig/blockips.tmp
mv /etc/sysconfig/blockips.tmp /etc/sysconfig/blockips
 
Old 09-18-2003, 10:06 PM   #8
mychl
Member
 
Registered: Jul 2001
Location: Earth
Posts: 164

Original Poster
Rep: Reputation: 30
OK, I changed my script to include the changes seabass55 suggested.

You can see the new script in my sig....

Seabass55, you might be interested in this...

My log files get rotated weekly, so I made a weekly cron job to run the following....

#!/bin/bash
cat /var/log/httpd/access_log.1|grep 'cmd.exe'>/tmp/wormip
cut -d" " -f1 /tmp/wormip > /tmp/stripped_ip
rm -f /tmp/wormip
cat /tmp/stripped_ip|sort -u >/tmp/wormip
rm -f /tmp/stripped_ip
cat /tmp/wormip|sort -u >>/etc/sysconfig/ip_block_list
rm -f /tmp/wormip

Then I added the following to my iptables script.....

BLOCKLIST=`cat /etc/sysconfig/ip_block_list`

that initializes $BLOCKLIST

and then....
#--------------------------------------------------------------------
#Block worm infested machines picked up by Apache logs |
#--------------------------------------------------------------------
echo " Dropping logged attackers..."
for ip in $BLOCKLIST
do
iptables -A INPUT -i $EXTINT -s ${ip} -j DROP
echo " "${ip}" Dropped"
done
echo " Block IP List Applied..."
#

You can also add your own IPs to /etc/sysconfig/ip_block_list, since it gets appended, then sorted again....

I ran my script and tested my rules.... works great!

Thanks again !

Last edited by mychl; 09-18-2003 at 10:19 PM.
 
Old 09-18-2003, 10:07 PM   #9
mychl
Member
 
Registered: Jul 2001
Location: Earth
Posts: 164

Original Poster
Rep: Reputation: 30
and thanks /bin/bash for the -u, that isn't in the book I have.... I should probably learn to read man pages more often
 
Old 09-18-2003, 10:17 PM   #10
seabass55
Member
 
Registered: Jan 2003
Location: 127.0.0.1
Distribution: Fedora&Gentoo
Posts: 207

Rep: Reputation: 30
Now here's a question I still have. Every time you add new IPs to ip_block_list you have to re-run the script. Is there any way to do it where, when I add new IPs to be blocked, I don't have to restart my whole iptables script? I tried a few different ideas tonight and none of them worked. Anyone?
 
Old 09-18-2003, 10:38 PM   #11
mychl
Member
 
Registered: Jul 2001
Location: Earth
Posts: 164

Original Poster
Rep: Reputation: 30
Can you take your IP blocking code and put it in its own script that you run separately from your main iptables script?

You are basically adding to the drop chain right, so that should work....

If I do that, then I could just run my script daily, and always add to the drop list in iptables..... nice, I'm gonna try that tomorrow-
 
Old 09-19-2003, 08:00 AM   #12
seabass55
Member
 
Registered: Jan 2003
Location: 127.0.0.1
Distribution: Fedora&Gentoo
Posts: 207

Rep: Reputation: 30
I've tried that and it didn't work (since it was basically running after the script was already run). I need it to run towards the top. I played around with inserting it last night but couldn't get it to work (thought I did once.. but I was wrong). I even downloaded jay's firewall on another machine because it does do it separately. You just have to restart the blocked IP list and not the whole script. But it's quite a bit of script and I have an exam today, so I went to bed.
 
Old 09-20-2003, 10:35 AM   #13
seabass55
Member
 
Registered: Jan 2003
Location: 127.0.0.1
Distribution: Fedora&Gentoo
Posts: 207

Rep: Reputation: 30
No other ideas anyone?
 
Old 09-20-2003, 05:41 PM   #14
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Because iptables just does the rule work for netfilter, all you need to do is make sure the block-list is a separate chain and then you can dynamically add addresses while netfilter is running.
Some of the portsentry programmes have command line options to add rules to both netfilter and a text script, eg
iptables -A bad_ip -s xxx.xxx.xxx.xxx -j DROP adds a rule dynamically
echo "iptables -A bad_ip -s xxx.xxx.xxx.xxx -j DROP" >> /etc/sysconfig/iptables.bad_ip adds the line to the end of that file...

Depends on how you pick up your addresses, but it comes down to scripting...

Last edited by peter_robb; 09-20-2003 at 05:44 PM.
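Putting peter_robb's separate-chain idea together with mychl's weekly log harvester, as an added example that is not code from the thread: the block list lives in its own chain (bad_ip here), so reloading just that chain answers the question in #10 without re-running the main firewall script. Assumes bash, GNU grep/sort and iptables; the IPTABLES dry-run default, the CHAIN and EXTINT names and the sample log lines are constructed for this example.

```bash
#!/bin/bash
# Added example, not the thread's own script: keep blocked hosts in a separate
# netfilter chain so the list can be reloaded without re-running the whole
# firewall. IPTABLES defaults to a dry-run echo; set IPTABLES=iptables as root.
IPTABLES="${IPTABLES:-echo iptables}"
CHAIN=bad_ip
EXTINT="${EXTINT:-eth0}"
export LC_ALL=C                        # deterministic sort order

# Pull client IPs that requested cmd.exe out of an Apache access log (first
# field is the client address) and merge them into the block list, one line
# per address. -F treats the dot literally, so "cmdXexe" is not a hit.
harvest_worm_ips() {                   # $1 = access_log  $2 = block list file
    { [ -f "$2" ] && cat "$2"
      grep -F 'cmd.exe' "$1" | cut -d' ' -f1 |
          grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}'; } |
        sort -u > "$2.tmp" && mv "$2.tmp" "$2"
}

# Rebuild only the block chain: create it if missing, flush it, make sure
# INPUT jumps to it exactly once, then add one DROP per address. The other
# INPUT rules are never touched, which is what a restart-free reload needs.
reload_block_chain() {                 # $1 = block list file
    $IPTABLES -N $CHAIN 2>/dev/null || true
    $IPTABLES -F $CHAIN
    $IPTABLES -D INPUT -i "$EXTINT" -j $CHAIN 2>/dev/null || true
    $IPTABLES -I INPUT 1 -i "$EXTINT" -j $CHAIN
    grep -Ev '^(#|$)' "$1" | while read -r ip; do   # skip comments/blanks
        $IPTABLES -A $CHAIN -s "$ip" -j DROP
    done
}

# Constructed sample data: a short access log and an existing block list.
WORK=$(mktemp -d)
cat > "$WORK/access_log" <<'EOF'
10.0.0.5 - - [18/Sep/2003:01:02:03 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2003:01:02:04 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.9 - - [18/Sep/2003:01:05:00 -0500] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [18/Sep/2003:01:06:00 -0500] "GET /cmdXexe HTTP/1.0" 404 -
EOF
printf '# hosts to drop, one per line\n198.51.100.4\n' > "$WORK/blocklist"

harvest_worm_ips "$WORK/access_log" "$WORK/blocklist"
reload_block_chain "$WORK/blocklist"   # dry run: prints the iptables commands
```

Run the harvester from cron and reload_block_chain afterwards; a hand-added address in the file takes effect on the next reload, and the rest of the rule set is left alone.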
 
Old 11-10-2003, 02:37 PM   #15
matt3333
Member
 
Registered: Dec 2002
Location: Winnipeg, Manitoba, Canada
Distribution: Slackware
Posts: 371

Rep: Reputation: 30
Hey mychl, nice script. I'm going to try it on my Slack box, but what are your sources /etc/init.d/functions and /etc/sysconfig/network, like what are they used for?? I'm sorry, I'm a newbie to iptables. I wanna play around with them, but your script is the only script that isn't too complicated, and also when I try to start iptables I get this:

/etc/rc.d/rc.iptables: linue 20: [: =: unary operator expected

I tried to find line 20 but I can't seem to find it. It doesn't make sense to me, hehe. Anyways,
I would like to try out your script but I can't cuz it's not working. Thanx

Matt3333
 
All times are GMT -5. The time now is 11:16 PM.