Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
hmmm... looks pretty nailed down to me. Question: could I use this for a basic server? Like, say, I just run ssh, http and https; would I just edit the following section to allow access to ports 22, 80 and 443?
Quote:
Originally posted by markus1982
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# SSH (2nd SSH only available from inside of company network)
$IPTABLES -A EXTERNAL_SERVICES_INPUT -s $COMPANY_FIREWALL_IP \
-p tcp --dport 49150 -j ACCEPT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also, I use MySQL (which Apache connects to) as well as Sendmail. What changes would I have to make to allow these services to work?
As you can tell, I have little experience with iptables.
#!/bin/sh
# /------------------------------------------------------------------\
# | netfilter firewall for Linux 2.4+ built by Markus Welsch |
# | |
# | |
# | This firewall is not intended to be used by newbies. I give no |
# | warranty of any kind that using it protects your box. |
# | Personally I suggest using a OpenBSD box as firewall |
# | |
# | If you agree to all of the above and also dislike M$ you may |
# | continue reading. Have fun |
# \------------------------------------------------------------------/
# --------------------------------------------------------------------
# 1. definitions
# --------------------------------------------------------------------
COMPANY_FIREWALL_IP="192.168.0.84/32"
IPTABLES="/sbin/iptables"
LOG_LEVEL="info"
LOOPBACK_IF="lo"
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# 2. removing current rulesets
# --------------------------------------------------------------------
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -X
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# 3. enforcing default policy as drop
# --------------------------------------------------------------------
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# 4. setting up user-defined chains
# --------------------------------------------------------------------
# 4.1 - LOG_DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N LOG_DROP
$IPTABLES -F LOG_DROP
# rate limit to prevent log partition fill up
# ----------------------------------------------------
$IPTABLES -A LOG_DROP -m limit --limit 12/minute \
-j LOG --log-level $LOG_LEVEL
$IPTABLES -A LOG_DROP -j DROP
# ----------------------------------------------------
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 4.2 - CHECK_DENIED_PORTS
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N CHECK_DENIED_PORTS
$IPTABLES -F CHECK_DENIED_PORTS
# authentication tap ident
# ----------------------------------------------------
$IPTABLES -A CHECK_DENIED_PORTS -p tcp --dport 113 \
-j REJECT --reject-with tcp-reset
# ----------------------------------------------------
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 4.3 - CHECK_DESTINATION_IP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N CHECK_DESTINATION_IP
$IPTABLES -F CHECK_DESTINATION_IP
# Class A reserved
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 10.0.0.0/8 -j DROP
# ----------------------------------------------------
# Class B reserved
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 172.16.0.0/12 -j DROP
# ----------------------------------------------------
# Class C reserved
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 192.168.0.0/16 -j DROP
# ----------------------------------------------------
# Class D reserved
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 224.0.0.0/4 -j DROP
# ----------------------------------------------------
# Class E reserved
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 240.0.0.0/5 -j DROP
# ----------------------------------------------------
# Class A broadcast
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 255.255.255.255/32 -j DROP
# ----------------------------------------------------
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 4.4 - CHECK_ICMP_ACCESS
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N CHECK_ICMP_ACCESS
$IPTABLES -F CHECK_ICMP_ACCESS
# ICMP TYPE 0 (echo-reply)
# ----------------------------------------------------
$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type 0 -j ACCEPT
# ----------------------------------------------------
# ICMP TYPE 3 (destination-unreachable)
# ----------------------------------------------------
$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type 3 -j ACCEPT
# ----------------------------------------------------
# ICMP TYPE 11 (time-exceeded)
# ----------------------------------------------------
$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type 11 -j ACCEPT
# ----------------------------------------------------
# ICMP TYPE 30 (traceroute)
# ----------------------------------------------------
$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type 30 -j ACCEPT
# ----------------------------------------------------
$IPTABLES -A CHECK_ICMP_ACCESS -j LOG_DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 4.5 - CHECK_TCP_FLAGS
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N CHECK_TCP_FLAGS
$IPTABLES -F CHECK_TCP_FLAGS
# stealth FIN scan
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL FIN -j LOG_DROP
# ----------------------------------------------------
# stealth NULL scan
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL NONE -j LOG_DROP
# ----------------------------------------------------
# stealth SYN/FIN (probably)
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags SYN,FIN SYN,FIN -j LOG_DROP
# ----------------------------------------------------
# stealth SYN/RST scan
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags SYN,RST SYN,RST -j LOG_DROP
# ----------------------------------------------------
# stealth xmas-scan
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL FIN,URG,PSH -j LOG_DROP
# ----------------------------------------------------
# stealth xmas-all-scan
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL ALL -j LOG_DROP
# ----------------------------------------------------
# stealth xmas-PSH-scan
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_DROP
# ----------------------------------------------------
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 4.6 - EXTERNAL_SERVICES_INPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N EXTERNAL_SERVICES_INPUT
$IPTABLES -F EXTERNAL_SERVICES_INPUT
# SSH
# ----------------------------------------------------
$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
--dport 22 -j ACCEPT
# ----------------------------------------------------
# MONIT (HTTP INTERFACE)
# ----------------------------------------------------
$IPTABLES -A EXTERNAL_SERVICES_INPUT \
-s $COMPANY_FIREWALL_IP \
-p tcp --dport 2812 -j ACCEPT
# ----------------------------------------------------
# SSH (2nd SSH)
# ----------------------------------------------------
$IPTABLES -A EXTERNAL_SERVICES_INPUT \
-s $COMPANY_FIREWALL_IP \
-p tcp --dport 49150 -j ACCEPT
# ----------------------------------------------------
# UNIX traceroute
# ----------------------------------------------------
$IPTABLES -A EXTERNAL_SERVICES_INPUT \
-p udp --dport 33434:33600 -j ACCEPT
# ----------------------------------------------------
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# 5. setting up base chains
# --------------------------------------------------------------------
# 5.1 - INPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -A INPUT -i $LOOPBACK_IF -j ACCEPT
$IPTABLES -A INPUT -j CHECK_DESTINATION_IP
# negation written in front of the option; current iptables warns on "-p ! icmp"
$IPTABLES -A INPUT ! -p icmp -j CHECK_DENIED_PORTS
$IPTABLES -A INPUT -p icmp -j CHECK_ICMP_ACCESS
$IPTABLES -A INPUT -p tcp -j CHECK_TCP_FLAGS
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -j EXTERNAL_SERVICES_INPUT
$IPTABLES -A INPUT -j LOG_DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 5.2 - FORWARD
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 5.3 - OUTPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# let every outgoing packet through except those conntrack flags as INVALID
$IPTABLES -A OUTPUT -m state ! --state INVALID -j ACCEPT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# --------------------------------------------------------------------
It will log the denied packets (new attacks). However, I decided to limit it to 12/min ... so no log flooding. I suggest daily log rotation and creating a separate syslog entry (kern.=info -/var/log/kern.info).
For your firewall you would just need to adjust it:
For your MySQL, I assume it's on the same server? If so, it's just a local connection (loopback), so it's permitted (the loopback device has full permissions).
This is the IP of the LAN right? For instance, if I am on a 192.168.0.x LAN mine would be:
COMPANY_FIREWALL_IP="192.168.0.0/32"
right?
Nope. It should be 192.168.0.0/24 then. /32 is just a single host. /24 is a Class C network. It's not the LAN, it's a single IP ... If you need more help on that, check out network CIDR stuff:
There are also calculators available: http://logi.cc/nw/NetCalc.php3 (you should check this out since it contains some kind of explanation)
Quote:
Also, where is it specified where to log the dropped packets? All I see is a LOG variable, but I don't see a definition for it.
Well, LOG_LEVEL="info", so it will log to syslog (kern.info). For instance, a syslog configuration could look like this:
Code:
# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.
# --------------------------------------------------------------------
# logging by priority
# --------------------------------------------------------------------
*.=crit /var/log/critical.log
*.=emerg /var/log/emergency.log
*.=err /var/log/error.log
*.=info;\
cron.none;\
kern.none;\
mail.none; /var/log/info.log
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# logging by facility
# --------------------------------------------------------------------
auth,authpriv.* /var/log/auth.log
cron.* -/var/log/cron.log
daemon.* -/var/log/daemon.log
kern.=info -/var/log/kern.info
kern.*;kern.!=info; -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
user.* -/var/log/user.log
uucp.* -/var/log/uucp.log
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# logging to the virtual consoles (= display)
# --------------------------------------------------------------------
daemon,mail.*;\
news.=crit;news.=err;news.=notice;\
*.=debug;*.=info;\
*.=notice;*.=warn /dev/tty8
# --------------------------------------------------------------------
In this example kern.log contains everything except kern.info, and kern.info contains the kern.info stuff only; this is some informational stuff and your netfilter log_drops.
Okay, got ya. So if the firewall's IP address is 192.168.0.70 then you would do:
COMPANY_FIREWALL_IP="192.168.0.70/32"
Well, let me clear this up: imagine you have a server (= external) and also a company network. In between there is a firewall, of course. All traffic that gets to the external server goes through the company firewall ... the source IP is always the company firewall.
So you just need that company firewall stuff if you have some internal network, etc. it could also be 192.168.0.0/16 if you want the whole 192.168.x.x network to be able to connect to the monit port, etc.
If your firewall (not the IP of the external server) has the IP 192.168.0.70 then it would of course be 192.168.0.70/32 like you pointed out (although you don't need CIDR format if you just use a single IP).
Of course I don't mind. That's why I have posted things here ... for the community :-) You should thank unSpawn, he helped me a lot in securing Debian!
Well, I have monit running to keep monitoring services (monit is started through init). Monit has an HTTP server. It's by default configured to listen on port 2812. That's why I limited that at the firewall level to the internal network.
Regarding SSH: I've set it up on a 2nd port which is unassigned ...
If you don't want your machine to be reachable by a traceroute you can kill the traceroute stuff also. It will only work with Linux traceroutes (which use UDP packets in the port range 33434 to 33600). Windows' tracert uses ping ...
Okay so here is what my script looks like with the necessary changes:
#!/bin/sh
# /------------------------------------------------------------------\
# | netfilter firewall for Linux 2.4+ built by Markus Welsch |
# | |
# | |
# | This firewall is not intended to be used by newbies. I give no |
# | warranty of any kind that using it protects your box. |
# | Personally I suggest using a OpenBSD box as firewall |
# | |
# | If you agree to all of the above and also dislike M$ you may |
# | continue reading. Have fun |
# \------------------------------------------------------------------/
# --------------------------------------------------------------------
# 3. enforcing default policy as drop
# --------------------------------------------------------------------
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# 4. setting up user-defined chains
# --------------------------------------------------------------------
# Class A reserved
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 10.0.0.0/8 -j DROP
# ----------------------------------------------------
# Class B reserved
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 172.16.0.0/12 -j DROP
# ----------------------------------------------------
# Class C reserved
# ----------------------------------------------------
#$IPTABLES -A CHECK_DESTINATION_IP \
# -d 192.168.0.0/16 -j DROP
# ----------------------------------------------------
# Class D reserved
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 224.0.0.0/4 -j DROP
# ----------------------------------------------------
# Class E reserved
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 240.0.0.0/5 -j DROP
# ----------------------------------------------------
# Class A broadcast
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 255.255.255.255/32 -j DROP
# ----------------------------------------------------
# stealth FIN scan
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL FIN -j LOG_DROP
# ----------------------------------------------------
# stealth NULL scan
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL NONE -j LOG_DROP
# ----------------------------------------------------
# --------------------------------------------------------------------
# 5. setting up base chains
# --------------------------------------------------------------------
# 5.1 - INPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -A INPUT -i $LOOPBACK_IF -j ACCEPT
$IPTABLES -A INPUT -j CHECK_DESTINATION_IP
# negation written in front of the option; current iptables warns on "-p ! icmp"
$IPTABLES -A INPUT ! -p icmp -j CHECK_DENIED_PORTS
$IPTABLES -A INPUT -p icmp -j CHECK_ICMP_ACCESS
$IPTABLES -A INPUT -p tcp -j CHECK_TCP_FLAGS
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -j EXTERNAL_SERVICES_INPUT
$IPTABLES -A INPUT -j LOG_DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 5.3 - OUTPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# let every outgoing packet through except those conntrack flags as INVALID
$IPTABLES -A OUTPUT -m state ! --state INVALID -j ACCEPT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# --------------------------------------------------------------------
I had to comment out:
# Class C reserved
# ----------------------------------------------------
#$IPTABLES -A CHECK_DESTINATION_IP \
#-d 192.168.0.0/16 -j DROP
# ----------------------------------------------------
or else it won't let me do anything, because my firewall is behind a router giving out 192.168.0.x addresses.
Ran the script, checked the iptables rules (iptables -L) and started the iptables service.
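The chain order of the script in this thread, together with the /32 versus /24 point markus1982 made earlier, as an added Python model that is not code from the thread: it walks constructed packets through INPUT in the order the script consults its chains and reports which rule decides. That makes visible why a box with a 192.168.0.x address loses every packet to CHECK_DESTINATION_IP before EXTERNAL_SERVICES_INPUT is ever reached, and why a /32 company prefix matches one host only. Chain names, ports and prefixes mirror the script; the packet dicts, interface names and addresses are constructed.

```python
import ipaddress

# Constructed model (added here, not the thread's script) of the INPUT path of
# the posted firewall, in the order the script consults its chains: loopback,
# CHECK_DESTINATION_IP, CHECK_DENIED_PORTS, CHECK_ICMP_ACCESS, CHECK_TCP_FLAGS,
# ESTABLISHED/RELATED, EXTERNAL_SERVICES_INPUT, then LOG_DROP.
RESERVED_DST = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "224.0.0.0/4", "240.0.0.0/5", "255.255.255.255/32"]
ALL = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
# (mask, comp) pairs exactly as in the script's --tcp-flags rules
BAD_FLAGS = [(ALL, {"FIN"}), (ALL, set()), ({"SYN", "FIN"}, {"SYN", "FIN"}),
             ({"SYN", "RST"}, {"SYN", "RST"}), (ALL, {"FIN", "URG", "PSH"}),
             (ALL, ALL), (ALL, {"SYN", "RST", "ACK", "FIN", "URG"})]
ICMP_OK = {0, 3, 11, 30}   # echo-reply, dest-unreach, time-exceeded, traceroute

def in_net(addr, cidr):
    """Same test iptables -s/-d performs: is addr inside the CIDR prefix?"""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def input_verdict(pkt, company_fw="192.168.0.84/32", open_tcp=(22,),
                  check_dst=True):
    """Return (verdict, deciding rule) for one packet described as a dict."""
    if pkt.get("iface") == "lo":
        return "ACCEPT", "loopback"
    if check_dst:                     # the chain the poster had to disable
        for net in RESERVED_DST:
            if in_net(pkt["dst"], net):
                return "DROP", "CHECK_DESTINATION_IP " + net
    proto = pkt["proto"]
    if proto == "tcp" and pkt["dport"] == 113:
        return "REJECT tcp-reset", "CHECK_DENIED_PORTS"
    if proto == "icmp":               # chain ends in LOG_DROP: no echo-request (8)
        ok = pkt["type"] in ICMP_OK
        return ("ACCEPT" if ok else "LOG_DROP"), "CHECK_ICMP_ACCESS"
    if proto == "tcp":
        flags = set(pkt.get("flags", ()))
        if any(flags & mask == comp for mask, comp in BAD_FLAGS):
            return "LOG_DROP", "CHECK_TCP_FLAGS"
    if pkt.get("state") in ("ESTABLISHED", "RELATED"):
        return "ACCEPT", "state match"
    if proto == "tcp" and pkt["dport"] in open_tcp:
        return "ACCEPT", "EXTERNAL_SERVICES_INPUT tcp/%d" % pkt["dport"]
    if proto == "tcp" and pkt["dport"] in (2812, 49150) \
            and in_net(pkt["src"], company_fw):
        return "ACCEPT", "EXTERNAL_SERVICES_INPUT company-only"
    if proto == "udp" and 33434 <= pkt["dport"] <= 33600:
        return "ACCEPT", "EXTERNAL_SERVICES_INPUT traceroute"
    return "LOG_DROP", "end of INPUT"

if __name__ == "__main__":
    # Constructed packets: a SYN to SSH on a box that sits at 192.168.0.70
    syn22 = {"iface": "eth0", "src": "203.0.113.9", "dst": "192.168.0.70",
             "proto": "tcp", "dport": 22, "flags": ("SYN",), "state": "NEW"}
    print(input_verdict(syn22))                    # dropped before SSH rule
    print(input_verdict(syn22, check_dst=False))   # ACCEPT via tcp/22
    monit = dict(syn22, src="192.168.0.70", dst="198.51.100.5", dport=2812)
    print(input_verdict(monit, company_fw="192.168.0.0/32"))   # one host only
    print(input_verdict(monit, company_fw="192.168.0.0/24"))   # whole LAN
```

Passing open_tcp=(22, 80, 443) is the equivalent of the three ACCEPT rules the first poster asked about.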