LinuxQuestions.org


brentos 11-21-2003 07:21 PM

Firewall/iptables
 
I have just experienced a hack on one of my servers and I am now trying to secure my others before it happens to them.

I am familiar with Linux and especially RedHat, but I have never had to configure iptables before.

I have to do it all over ssh (the server is hosted) and I basically want to block everything except the ports I use, such as http, ftp, ssh and a few others for my mail and so on.

Could anybody give me an idea on how to get started or where I can look for help?

david_ross 11-22-2003 09:00 AM

The simplest way is:
# Accept SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Accept http
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# do the above for each port you want to allow.
# Allow established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Disallow everything else
iptables -P INPUT DROP
iptables -P OUTPUT DROP
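As an added example (not code from this thread or from any of its posters), here is the same default-deny idea written as a reviewable script for a server that is only reachable over SSH. It differs from the rules above in the points a practitioner doing this remotely would want: loopback is accepted by interface and a 127/8 source on any other interface is dropped; the ESTABLISHED,RELATED rule is placed before the per-port rules so the SSH session you are typing in keeps matching; OUTPUT stays ACCEPT so the host can still resolve DNS and fetch updates; and the DROP policy is set last, after the ACCEPT rules exist, with a background timer that restores a backup taken with iptables-save if the new rules lock you out. The interface, the port list in TCP_PORTS and the backup path are assumptions. `gen_rules` only prints the commands so they can be read first; `apply` runs them.

```shell
#!/bin/sh
# Added example, not from the thread. Default-deny INPUT policy for a hosted
# server administered over SSH. Run with no argument to print the rules for
# review; run with "apply" to back up the current rules and install these.
# Assumptions (constructed, adjust to the host): the TCP services listed in
# TCP_PORTS and the backup location.

IPT="${IPT:-/sbin/iptables}"
IPT_SAVE="${IPT_SAVE:-/sbin/iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-/sbin/iptables-restore}"
TCP_PORTS="${TCP_PORTS:-22 80 21 25 110}"   # ssh http ftp smtp pop3 (assumed)
BACKUP="${BACKUP:-/root/iptables.before-$(date +%Y%m%d-%H%M%S)}"
GUARD_SECS="${GUARD_SECS:-120}"

# Emit the ruleset as text. $1 is the iptables command, $2 the TCP port list.
# First match wins, so the order below is deliberate.
gen_rules() {
    ipt=$1
    ports=$2
    echo "$ipt -F INPUT"
    # Loopback is trusted by *interface*; a 127/8 source arriving on any
    # other interface is spoofed and is dropped outright.
    echo "$ipt -A INPUT -i lo -j ACCEPT"
    echo "$ipt -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP"
    # Replies to connections this host opened (DNS, updates, active-mode FTP
    # data) and the SSH session running this script. Early, so every packet
    # of an existing connection matches here and never reaches the policy.
    echo "$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only NEW connections need a per-port rule.
    for p in $ports; do
        echo "$ipt -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # ICMP the host needs for path-MTU discovery and traceroute; echo is rate-limited.
    echo "$ipt -A INPUT -p icmp --icmp-type 3 -j ACCEPT"
    echo "$ipt -A INPUT -p icmp --icmp-type 11 -j ACCEPT"
    echo "$ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT"
    # Log (rate-limited) what is about to be dropped; useful evidence later.
    echo "$ipt -A INPUT -m limit --limit 5/minute -j LOG --log-prefix \"IPT-DROP: \""
    # Policies go last, after the ACCEPT rules exist, so there is no window
    # in which the current SSH session is unanswered.
    echo "$ipt -P INPUT DROP"
    echo "$ipt -P FORWARD DROP"
    echo "$ipt -P OUTPUT ACCEPT"
}

# Number of INPUT rules the generator would append for a given port list.
rule_count() {
    gen_rules x "$1" | grep -c '^x -A INPUT'
}

# Back up, arm a lockout guard, apply. If the new rules cut this SSH session
# off, the guard restores the backup after GUARD_SECS; if you can still type,
# kill the guard to keep the new rules.
apply_rules() {
    "$IPT_SAVE" > "$BACKUP" || return 1
    ( sleep "$GUARD_SECS" && "$IPT_RESTORE" < "$BACKUP" ) &
    guard=$!
    gen_rules "$IPT" "$TCP_PORTS" | sh -e
    echo "Applied. Backup in $BACKUP. Still connected? Then run: kill $guard"
}

if [ "${1:-}" = apply ]; then
    apply_rules
else
    gen_rules "$IPT" "$TCP_PORTS"
fi
```

Usage: `sh firewall.sh` prints the rules; `sh firewall.sh apply` installs them. The guard is the part that matters when working over SSH: if the prompt goes dead, wait out GUARD_SECS and the previous rules come back from the iptables-save backup.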

brentos 11-22-2003 02:06 PM

Thanks. Could you possibly just tell me what my current iptables rules mean? I do not want to remove anything if it is needed since some of it might have been set up by cpanel. I have changed the actual host to host.com, not because I don't trust you, just that I don't want to display my holes all over the net.

Chain INPUT (policy ACCEPT)
target prot opt source destination
acctboth all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
acctboth all -- anywhere anywhere

Chain acctboth (2 references)
target prot opt source destination
tcp -- neo.mugglenet.com anywhere tcp dpt:http
tcp -- anywhere host.com tcp spt:http
tcp -- neo.mugglenet.com anywhere tcp dpt:smtp
tcp -- anywhere host.com tcp spt:smtp
tcp -- neo.mugglenet.com anywhere tcp dpt:pop3
tcp -- anywhere host.com tcp spt:pop3
icmp -- neo.mugglenet.com anywhere
icmp -- anywhere host.com
tcp -- neo.mugglenet.com anywhere
tcp -- anywhere host.com
udp -- neo.mugglenet.com anywhere
udp -- anywhere host.com
all -- neo.mugglenet.com anywhere
all -- anywhere host.com
all -- anywhere anywhere

david_ross 11-23-2003 02:29 PM

It is basically saying that you are accepting connections from the hosts listed. This wouldn't make much difference though since the default policy is accept.

brentos 11-23-2003 05:02 PM

So then I can safely clear those out and add my own then?

david_ross 11-23-2003 05:23 PM

I would assume so. You may want to make specific allowances for those hosts if they are there for particular reasons.

chrisfirestar 11-24-2003 03:13 AM

Your best bet is to create an SSH script and have it do all the rules for you.
I have attached an example script that allows ALL connections OUT and none IN,
but this is also used as a gateway so you may want to modify some of the MASQUERADE options etc.

#!/bin/sh

# IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Ignore ICMP echo requests at the kernel level (applies to all interfaces)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Set an absolute path to IPTABLES and define the interfaces.
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.

IPTABLES="/sbin/iptables"
OUTSIDE=eth0
INSIDE=eth1

# Other Definitions
# You may want to add in your http server if it's on a separate box
# and follow the examples below to configure the firewall to FWD to it
EXT_IP="202.xxx.xxx.xx"
INT_IP="192.168.1.1"
MAILSVR="192.168.1.251"

# Test Machine Definitions
TEST_PC="192.168.1.250"
TEST_HTTP="8080"
TEST_HTTPS="8081"

# Clear out any existing firewall rules, and any chains that might have
# been created.
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -X

# Set Default Rules
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as not to swamp the
# firewall in a DOS scenario.

# silent - Just drop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that we refuse, possibly from an attack

$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP

# Use below to enable MASQUERADE for the inside network (eth1)
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags

# Allow selected ICMP types and drop the rest.
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled

# The loopback interface is inherently trustworthy
$IPTABLES -A INPUT -i lo -j ACCEPT

# Inside machines are trustworthy
$IPTABLES -A INPUT -i $INSIDE -d $INT_IP -j ACCEPT

# Port forwarding.

# Redirect Traffic for Port 80 to Squid Proxy Server:3128
$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp --dport 80 -j REDIRECT --to-port 3128

# Redirect External & Internal HTTP on 8080 to Local PC
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTP -d $EXT_IP -j DNAT --to $TEST_PC:$TEST_HTTP
#$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp -m tcp --dport $TEST_HTTP -d $EXT_IP -j DNAT --to $TEST_PC:$TEST_HTTP

# Redirect External & Internal HTTPS on 8081 to Local PC
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTPS -j DNAT --to $TEST_PC:$TEST_HTTPS
#$IPTABLES -t nat -A PREROUTING -i $INSIDE -p tcp -m tcp --dport $TEST_HTTPS -j DNAT --to $TEST_PC:$TEST_HTTPS

# Redirect External Emails to Mailserver
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport 110 -j DNAT --to $MAILSVR:110
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport 25 -j DNAT --to $MAILSVR:25

# INPUT SETTINGS

# Pop3
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 110 -j ACCEPT
# SMTP
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 25 -j ACCEPT
# SSH
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
# HTTP
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 80 -j ACCEPT
# HTTPS
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp -m tcp --dport 443 -j ACCEPT
# TEST PC
#$IPTABLES -A INPUT -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTP -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -p tcp -m tcp --dport $TEST_HTTPS -j ACCEPT

# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Anything that hasn't already matched gets logged and then dropped.
$IPTABLES -A INPUT -j firewalled

brentos 11-24-2003 10:48 AM

I will try to make a script for it. I think I have enough information to start.

But just to clarify. All the host.com entries that I showed in my iptables are the actual host of the machine itself. I actually see that I did not remove them all. So I think the iptables basically say, if it's from anywhere to my server allow it, and if it's from my server to anywhere allow it.

david_ross 11-24-2003 02:16 PM

Yes - it is probably to allow connections to mysql etc. that run on the same host.

brentos 11-24-2003 03:15 PM

So then is it safe to remove them or not?

Sorry to be asking what may sound like a stupid question, I just don't want to mess up.

Could I make it so that if it's from my server to my server allow anything, so that I will not have to worry about it connecting to itself?

Dewar 11-24-2003 03:32 PM

The command to allow anything to the loopback address (used for same-computer connections) is

iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT

Of course, someone could still spoof a packet coming from the loopback address, but the above script posted by chrisfirestar handles both this line, and the anti-spoofing rules as well.

brentos 11-24-2003 05:35 PM

Alright, thanks for all the help. I am going to give it a shot and let you know.

I just want to find a way to back up my iptables before I do, so that if I really mess up I won't have to remember it all.

david_ross 11-25-2003 12:31 PM

Try:
iptables-save

brentos 11-25-2003 03:28 PM

Thanks for all the help.
I got it all to work without any problems.

I just have to review which ports I really need. For now I left open all the ones that were listening, but I want to see if I really need them all; I just don't want anything to stop working and for that to be the reason.

Thanks again

brentos 11-25-2003 05:47 PM

OK, I ran into a little problem I thought I might ask about.

I allowed connections to my ftp on port 21 and it works OK except not in passive mode.

Since a lot of the users of the server seem to use passive mode, is there any way to allow this without totally compromising my security?

I read one article that says to open up all non-privileged ports, but I mean that just leaves a lot of the server open in my opinion.

Got any ideas?
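An added example for the passive-mode problem above (not from this thread or any of its posters). In passive mode the client first connects to port 21, the server answers the PASV command with a high port number, and the client then opens a second connection to that port; a rule that only admits port 21 rejects that data connection. Two defender-side answers avoid opening every unprivileged port: load the FTP connection-tracking helper so the data connection is classified RELATED and the existing ESTABLISHED,RELATED rule admits it, or pin the FTP daemon to a small passive range and open just that range. The control port 21 and the range 50000:50100 are assumptions, and the script prints rules rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Two ways to admit passive-mode FTP data
# connections behind a default-deny INPUT chain. Assumed: control port 21 and
# an ESTABLISHED,RELATED ACCEPT rule already in INPUT; the passive range
# 50000:50100 is a constructed value.

IPT="${IPT:-/sbin/iptables}"
PASV_RANGE="${PASV_RANGE:-50000:50100}"

# Reject ranges that reach into privileged ports, are inverted, or exceed 65535.
pasv_range_ok() {
    lo=${1%%:*}
    hi=${1##*:}
    [ "$lo" -ge 1024 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]
}

# Option 1: connection-tracking helper. It reads the PASV reply on the control
# channel and marks the data connection RELATED, so the existing
# ESTABLISHED,RELATED rule admits it and no port range is opened at all.
ftp_helper_rules() {
    ipt=$1
    # Module name depends on the kernel: ip_conntrack_ftp on 2.4 and early
    # 2.6, nf_conntrack_ftp from 2.6.15 on.
    echo "modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp"
    # Kernels 4.7 and later no longer attach helpers automatically, so bind
    # the helper to the control port explicitly (the CT target needs 2.6.34+).
    echo "$ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp"
    echo "$ipt -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT"
}

# Option 2: pin the daemon's passive range and open only that range.
#   vsftpd:  pasv_min_port=50000 and pasv_max_port=50100 in vsftpd.conf
#   proftpd: PassivePorts 50000 50100
# Needed when the helper cannot see PASV, e.g. FTP over TLS.
pasv_range_rules() {
    ipt=$1
    range=$2
    pasv_range_ok "$range" || { echo "bad passive range: $range" >&2; return 1; }
    echo "$ipt -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT"
    echo "$ipt -A INPUT -p tcp --dport $range -m state --state NEW -j ACCEPT"
}

case "${1:-helper}" in
    helper) ftp_helper_rules "$IPT" ;;
    range)  pasv_range_rules "$IPT" "$PASV_RANGE" ;;
esac
```

Option 1 is the smaller hole: nothing is opened until the helper has seen a PASV reply on an already accepted control connection. Option 2 is the fallback when the control channel is encrypted, and the range check keeps a typo from turning "open the passive range" into "open everything above 1024".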

