LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-27-2003, 05:18 PM   #16
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57

Didn't I do that here:

# HTTP/HTTPS
# ----------------------------------------------------
$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
--dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
--dport 443 -j ACCEPT
# ----------------------------------------------------
 
Old 05-27-2003, 06:37 PM   #17
Neomaster
Member
 
Registered: May 2003
Location: Digital world
Posts: 113

Rep: Reputation: 15
Nice iptables firewall. But is there a way you can block a port scan trying to find out what OS you're running, too?
 
Old 05-27-2003, 11:38 PM   #18
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Quote:
Originally posted by Crashed_Again
Didn't I do that here:

# HTTP/HTTPS
# ----------------------------------------------------
$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
--dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
--dport 443 -j ACCEPT
# ----------------------------------------------------
That looks okay. Well, try again to reach the HTTPS site and watch your log. If it doesn't, post back your log entry for that HTTPS stuff.
 
Old 05-27-2003, 11:41 PM   #19
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Quote:
Originally posted by Neomaster
Nice iptables firewall. But is there a way you can block a port scan trying to find out what OS you're running, too?
Well, that is called OS fingerprinting and is also blocked. Often source IP 0.0.0.0 and port 0 are used for that. Try to find out the OS using my firewall... you will have problems :-)
 
Old 05-28-2003, 12:12 AM   #20
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
See, I still don't understand what gets logged, and when it does get logged, how to decipher it.

Also, I am able to use nmap against myself and it doesn't seem to log any packets. Is this because I am a trusted IP address?

Sorry for all the noob stuff, but I really don't understand iptables and I'm trying to pick your brain.
 
Old 05-28-2003, 01:14 AM   #21
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Quote:
See, I still don't understand what gets logged, and when it does get logged, how to decipher it.

Also, I am able to use nmap against myself and it doesn't seem to log any packets. Is this because I am a trusted IP address?

Sorry for all the noob stuff, but I really don't understand iptables and I'm trying to pick your brain.
Well, did you do an nmap from the SAME host? I did nmap from another host and it does get logged...

About deciphering things, it's pretty easy:
Quote:
May 26 16:48:40 localhost kernel: IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=64.165.8.158 DST=192.168.0.100 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=40041 DF PROTO=TCP SPT=6346 DPT=1865 WINDOW=65535 RES=0x00 ACK SYN URGP=0
IN= incoming interface
OUT= outgoing interface
MAC= MAC address (last router)
SRC= source IP
DST= destination IP
LEN= length of packet
TTL= time to live
ID= sequence ID
PROTO= protocol
SPT= source port
DPT= destination port
WINDOW= window size
flags used: ACK SYN

If you need more help, maybe some googling will help you :-)
 
Old 05-28-2003, 01:20 AM   #22
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Yeah, I nmap'ed from the SAME host. I figured that's why it didn't get logged, but I had to check with the creator of this fine script.

Thanks again and again and again and again...
 
Old 05-28-2003, 01:25 AM   #23
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Quote:
Yeah, I nmap'ed from the SAME host. I figured that's why it didn't get logged, but I had to check with the creator of this fine script.

Thanks again and again and again and again...
There is no detection if you scan from the loopback device. But I suggest not installing anything that is not really required on a server. Like, I would NEVER install gcc, nmap or any other tools if there is no need for them. I have my own host where gcc is, and I see no reason for gcc, etc. on a server. I know that RH installs gcc and a lot of other bullshit... you have to clean it up.
 
Old 05-28-2003, 01:28 AM   #24
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
I suggest using the grsecurity patch. Network protections:
Code:
	x Larger entropy pools
	x Truly random TCP ISN selection
	x Randomized IP IDs
	x Randomized TCP source ports
	x Altered Ping IDs
Check this thread for more information!
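Added example (editor's note; this is not code from this thread, from markus1982's script or from the grsecurity project): why "Randomized IP IDs" matters for the OS-fingerprinting question asked in #17. A scanner that gets a host to answer a few probes and watches the IP ID field of the replies can tell a per-packet counter (as older kernels used) from a randomized one, and a counter also leaks how many packets the host sent to anyone else in between. `classify_ipid` is a simplified stand-in for such a test, not nmap's algorithm; the ID sequences are constructed, and the 16 and 4096 thresholds are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread or grsecurity. Classifies an observed
# IP ID sequence the way a fingerprinting scanner would (simplified; not
# nmap's algorithm). Thresholds 16 and 4096 are assumptions.

# Usage: classify_ipid ID1 ID2 ID3 ...   (IDs seen in consecutive replies)
# Prints one of: zero | incremental | broken-incremental | random
classify_ipid() (
    if [ $# -lt 2 ]; then echo "need at least two IDs" >&2; exit 2; fi
    prev=$1; shift
    all_zero=1 all_mult256=1 max_d=0
    for cur in "$@"; do
        d=$(( (cur - prev + 65536) % 65536 ))   # step between packets, wrapped at 16 bits
        prev=$cur
        if [ "$d" -ne 0 ]; then all_zero=0; fi
        if [ "$d" -gt "$max_d" ]; then max_d=$d; fi
        if [ $(( d % 256 )) -ne 0 ]; then all_mult256=0; fi
    done
    if [ "$all_zero" -eq 1 ]; then
        echo zero                 # constant ID: nothing to count, but still a fingerprint
    elif [ "$max_d" -le 16 ]; then
        echo incremental          # plain counter: predictable, and the gaps count the host's other traffic
    elif [ "$all_mult256" -eq 1 ] && [ "$max_d" -le 4096 ]; then
        echo broken-incremental   # counter whose bytes are swapped on the wire: still predictable
    else
        echo random               # what "Randomized IP IDs" gives you
    fi
)

# For a counter-style host: how many packets did it send to anybody between
# two IDs you observed? This is exactly the leak a randomized ID closes.
packets_between() {
    echo $(( ($2 - $1 - 1 + 65536) % 65536 ))
}

# Constructed sample sequences (not real captures):
for seq in "40041 40042 40043 40044" "256 512 768 1024" "40041 3 61200 17777 9099" "0 0 0 0"; do
    printf '%-28s -> %s\n' "$seq" "$(classify_ipid $seq)"
done
printf 'packets sent between ID 40041 and 40045 on a counter host: %s\n' "$(packets_between 40041 40045)"
```

To try it against a real host you would feed it the ID= values from replies to your own probes (the ID field is the same one the log lines in this thread show); a result other than "random" means the kernel is giving fingerprinters something to work with.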
 
Old 05-28-2003, 11:58 PM   #25
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
After rebooting my machine I get these errors:

May 28 21:14:29 localhost kernel: DROPPED IN= OUT=eth0 SRC=192.168.0.100 DST=192.168.0.1 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=45200 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
May 28 21:14:29 localhost kernel: DROPPED IN= OUT=eth0 SRC=192.168.0.100 DST=192.168.0.1 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=45200 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
May 28 21:14:30 localhost kernel: ABORTED IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=68.46.88.190 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=62130 DF PROTO=TCP SPT=2337 DPT=80 SEQ=1597123950 ACK=2611369250 WINDOW=0 RES=0x00 RST URGP=0
May 28 21:14:30 localhost kernel: ABORTED IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=68.46.88.190 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=62135 PROTO=TCP SPT=2337 DPT=80 SEQ=1597123950 ACK=1597123950 WINDOW=0 RES=0x00 RST URGP=0
May 28 21:14:30 localhost kernel: DROPPED IN= OUT=eth0 SRC=192.168.0.100 DST=192.168.0.1 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=45265 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
May 28 21:14:30 localhost kernel: DROPPED IN= OUT=eth0 SRC=192.168.0.100 DST=192.168.0.1 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=45265 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
May 28 21:14:31 localhost kernel: ABORTED IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=68.46.88.190 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=62219 DF PROTO=TCP SPT=2357 DPT=80 SEQ=1598353495 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
May 28 21:14:31 localhost kernel: ABORTED IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=68.46.88.190 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=62221 PROTO=TCP SPT=2357 DPT=80 SEQ=1598353495 ACK=1598353495 WINDOW=0 RES=0x00 RST URGP=0

So 192.168.0.1 (which is my router) cannot connect through port 53 or 80 to my server (which is 192.168.0.1). After these errors I get no network activity.

What is the problem here?
 
Old 05-29-2003, 04:03 AM   #26
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
IP of your router?
IP of your server?
Output of iptables -L -v (use the code option please when pasting; this makes it easier for me to help)?

Last edited by markus1982; 05-29-2003 at 04:46 AM.
 
Old 05-29-2003, 04:34 AM   #27
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Quote:
May 28 21:14:29 localhost kernel: DROPPED IN= OUT=eth0 SRC=192.168.0.100 DST=192.168.0.1 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=45200 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
May 28 21:14:29 localhost kernel: DROPPED IN= OUT=eth0 SRC=192.168.0.100 DST=192.168.0.1 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=45200 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
May 28 21:14:30 localhost kernel: DROPPED IN= OUT=eth0 SRC=192.168.0.100 DST=192.168.0.1 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=45265 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
May 28 21:14:30 localhost kernel: DROPPED IN= OUT=eth0 SRC=192.168.0.100 DST=192.168.0.1 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=45265 DF PROTO=UDP SPT=1024 DPT=53 LEN=51
Well, it looks like you changed the OUTPUT chain. Anything which is not invalid won't get dropped... ($IPTABLES -A OUTPUT -m state --state ! INVALID -j ACCEPT).
Quote:
May 28 21:14:30 localhost kernel: ABORTED IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=68.46.88.190 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=62130 DF PROTO=TCP SPT=2337 DPT=80 SEQ=1597123950 ACK=2611369250 WINDOW=0 RES=0x00 RST URGP=0
May 28 21:14:30 localhost kernel: ABORTED IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=68.46.88.190 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=62135 PROTO=TCP SPT=2337 DPT=80 SEQ=1597123950 ACK=1597123950 WINDOW=0 RES=0x00 RST URGP=0
May 28 21:14:31 localhost kernel: ABORTED IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=68.46.88.190 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=62219 DF PROTO=TCP SPT=2357 DPT=80 SEQ=1598353495 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
May 28 21:14:31 localhost kernel: ABORTED IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=68.46.88.190 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=62221 PROTO=TCP SPT=2357 DPT=80 SEQ=1598353495 ACK=1598353495 WINDOW=0 RES=0x00 RST URGP=0
You used log-prefix ABORTED for the CHECK_TCP_FLAGS chain?
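Added example (editor's note; not code from markus1982's script or from any post in this thread): a decoder for the key=value lines the iptables LOG target writes, covering both the field list in #21 and the "what is wrong here" lines in #25. The verdict wording in `triage_log_line` and the handling of the syslog header are my own; the three sample lines are copied from the posts above.

```shell
#!/bin/sh
# Added example, not from this thread's firewall script. Decodes netfilter LOG
# lines and applies two rules of thumb from the discussion above.

# parse_log_line LINE -> 11 space-separated fields, "-" where empty:
#   prefix ifin ifout proto src spt dst dpt flags len ttl
# Bare words before IN= are the --log-prefix (joined with "_"); bare words after
# it are IP/TCP flags (DF, SYN, ACK, RST, ...). ACK=nnn and SEQ=nnn, written by
# --log-tcp-sequence, are numbers, not flags. (Newer syslogs put "[ 123.456]"
# after "kernel:"; strip that first or it lands in the prefix.)
parse_log_line() (
    set -f                                  # no globbing while splitting the line
    body=${1#*kernel: }                     # drop syslog timestamp, host and "kernel:"
    prefix= ifin= ifout= proto= src= spt= dst= dpt= flags= len= ttl= seen_in=0
    for tok in $body; do
        case $tok in
            IN=*)    ifin=${tok#IN=}; seen_in=1 ;;
            OUT=*)   ifout=${tok#OUT=} ;;
            PROTO=*) proto=${tok#PROTO=} ;;
            SRC=*)   src=${tok#SRC=} ;;
            DST=*)   dst=${tok#DST=} ;;
            SPT=*)   spt=${tok#SPT=} ;;
            DPT=*)   dpt=${tok#DPT=} ;;
            TTL=*)   ttl=${tok#TTL=} ;;
            LEN=*)   if [ -z "$len" ]; then len=${tok#LEN=}; fi ;;  # UDP lines carry a 2nd LEN (UDP length); keep the IP one
            *=*)     ;;                     # MAC=, TOS=, ID=, WINDOW=, SEQ=, ACK=, ... not needed here
            *)       if [ "$seen_in" -eq 0 ]; then prefix="${prefix:+${prefix}_}$tok"
                     else flags="${flags:+$flags,}$tok"; fi ;;
        esac
    done
    printf '%s %s %s %s %s %s %s %s %s %s %s\n' "${prefix:--}" "${ifin:--}" "${ifout:--}" \
        "${proto:--}" "${src:--}" "${spt:--}" "${dst:--}" "${dpt:--}" "${flags:--}" "${len:--}" "${ttl:--}"
)

# One readable line: "PREFIX PROTO SRC:SPT -> DST:DPT in=IF out=IF flags=... len=.. ttl=.."
describe_log_line() (
    set -f
    set -- $(parse_log_line "$1")
    printf '%s %s %s:%s -> %s:%s in=%s out=%s flags=%s len=%s ttl=%s\n' \
        "$1" "$4" "$5" "$6" "$7" "$8" "$2" "$3" "$9" "${10}" "${11}"
)

# Verdicts for the patterns seen in this thread. Rules of thumb, not proof.
triage_log_line() (
    set -f
    set -- $(parse_log_line "$1")
    prefix=$1 ifin=$2 proto=$4 src=$5 spt=$6 dst=$7 dpt=$8 flags=$9
    if [ "$ifin" = - ]; then
        # Empty IN= means this host generated the packet: it hit a rule in OUTPUT.
        if [ "$proto" = UDP ] && [ "$dpt" = 53 ]; then
            echo "outbound-dns-blocked: this host's own DNS query to $dst was caught in OUTPUT ($prefix); nothing on the box resolves names while that rule stands"
        else
            echo "local-output: $proto from this host to $dst:$dpt hit an OUTPUT rule ($prefix)"
        fi
    elif [ "$proto" = TCP ]; then
        case ",$flags," in
            *,RST,*) echo "tcp-reset: $src:$spt sent RST for port $dpt; the peer tore the connection down, noisy but not hostile by itself" ;;
            *,SYN,*) case ",$flags," in
                         *,ACK,*) echo "synack-without-state: SYN/ACK from $src:$spt to port $dpt; if this was dropped, the connection it answers is not in the state table" ;;
                         *)       echo "inbound-connect: new connection attempt from $src to port $dpt" ;;
                     esac ;;
            *)       echo "tcp-other: $src:$spt -> port $dpt flags=$flags" ;;
        esac
    else
        echo "other: $proto $src -> $dst:$dpt ($prefix)"
    fi
)

# Sample lines copied from posts #21 and #25 of this thread:
SYNACK_LINE='May 26 16:48:40 localhost kernel: IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=64.165.8.158 DST=192.168.0.100 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=40041 DF PROTO=TCP SPT=6346 DPT=1865 WINDOW=65535 RES=0x00 ACK SYN URGP=0'
DNS_LINE='May 28 21:14:29 localhost kernel: DROPPED IN= OUT=eth0 SRC=192.168.0.100 DST=192.168.0.1 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=45200 DF PROTO=UDP SPT=1024 DPT=53 LEN=51'
RST_LINE='May 28 21:14:30 localhost kernel: ABORTED IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=68.46.88.190 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=62130 DF PROTO=TCP SPT=2337 DPT=80 SEQ=1597123950 ACK=2611369250 WINDOW=0 RES=0x00 RST URGP=0'

for line in "$SYNACK_LINE" "$DNS_LINE" "$RST_LINE"; do
    describe_log_line "$line"
    triage_log_line "$line"
done
```

Run it over your own log with `grep 'kernel: ' /var/log/messages | while read -r l; do triage_log_line "$l"; done` after sourcing the file. The two things the rules of thumb encode are what #25 and #27 turn on: a logged packet with an empty IN= was generated by the box itself and is the OUTPUT chain's business (a dropped UDP/53 there is why "I get no network activity"), and a bare RST from a web client is the connection being torn down, which is worth a counter but not an alarm.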
 
Old 06-28-2003, 08:12 AM   #28
shahriars
LQ Newbie
 
Registered: Apr 2003
Posts: 22

Rep: Reputation: 15
question regarding multiple interfaces

Dear Markus

Thanks for the script. Seeing it makes me feel that I am beginning to understand iptables better now (I am a very, very, very, very newbie).

However, I was wondering whether there should be a reference to interfaces for allowing/disallowing connections. For example, if I run a dual-homed box (I guess that is what is known as a box with two eth interfaces, eth0 connected to the INTERNET and eth1 connected to the LAN), then I have the NAT table too. In cases like that, don't we need to restrict rules with interface options? Or does it take both (or all) interfaces by default?

Also, you have used only one IP (I guess that is OK for you), but what do we do for two IPs?

Hope to hear from you soon.

All the best.
 
Old 06-28-2003, 09:52 AM   #29
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
If you do not limit stuff to an interface, then by default all interfaces are used (as you can check using iptables -L -v).
Quote:
Also, you have used only one IP (I guess that is OK for you), but what do we do for two IPs?
What exactly do you want to achieve?
 
Old 06-28-2003, 10:06 PM   #30
shahriars
LQ Newbie
 
Registered: Apr 2003
Posts: 22

Rep: Reputation: 15
building a router-firewall thing

Dear Markus

Well, I was planning for the router-firewall we are running. We have a small LAN (192.168.0.0/24), and it is connected to the net through the other interface of our server. The scenario is very simple:

IF_EXTERNAL=eth0
IF_INTERNAL=eth1

Services that run on eth0 (or the world) will be:
a. Mail (smtp, smtps, imap, imaps, pop3, pop3s, pop2)
b. DNS (port 53 from/to unprivileged ports)
c. SSH
d. HTTP(S)
e. FTP(S)
f. Maybe, just maybe, a simple route to another box inside through some unprivileged port (that might come later too).

And of course, the entire lan will have NAT and proxy for browsing.

I am currently working on your script and another I've found on the net. I'll be very happy if you could please find some time to have a look at my semi-final script and let me know if I've done something wrong. I can mail you off the list if you wish; just give me your email address. My giveaway address is shamims@hotmail.com

Thanks for your response.

Last edited by shahriars; 06-28-2003 at 10:21 PM.
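Added example (editor's note; this is neither markus1982's script nor shahriars' semi-final one): interface-aware rules for the dual-homed router/firewall just described, answering the question in #28 about when -i/-o matter. The interface names, the LAN range 192.168.0.0/24 and the service list come from the posts above; the chain layout, the dry-run mechanism, and the port numbers I picked for the services (pop2=109, ftps=990, smtps=465) are my own choices, and the DNAT values at the end are placeholders.

```shell
#!/bin/sh
# Added example, not from this thread's scripts. IPTABLES defaults to a dry run
# that prints the commands; run as root with IPTABLES=iptables to load them.
IPTABLES="${IPTABLES:-echo iptables}"
IF_EXTERNAL="${IF_EXTERNAL:-eth0}"
IF_INTERNAL="${IF_INTERNAL:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# TCP services offered to the world: smtp smtps pop2 pop3 pop3s imap imaps ssh http https ftp ftps
WORLD_TCP_PORTS="25 465 109 110 995 143 993 22 80 443 21 990"

dual_homed_rules() {
    # Flush and default-deny. OUTPUT accepts anything conntrack does not call
    # INVALID (the rule #27 points at, in current iptables syntax).
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -A OUTPUT -m state ! --state INVALID -j ACCEPT

    # Loopback, replies to connections we opened, and obvious junk.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP

    # Anti-spoofing: LAN addresses never arrive on the external interface, and
    # only LAN addresses arrive on the internal one.
    $IPTABLES -A INPUT   -i "$IF_EXTERNAL" -s "$LAN_NET" -j DROP
    $IPTABLES -A FORWARD -i "$IF_EXTERNAL" -s "$LAN_NET" -j DROP
    $IPTABLES -A INPUT   -i "$IF_INTERNAL" ! -s "$LAN_NET" -j DROP
    $IPTABLES -A FORWARD -i "$IF_INTERNAL" ! -s "$LAN_NET" -j DROP

    # Public services, bound to the external interface explicitly. Without -i the
    # same rule would also open the port towards the LAN, which is a separate decision.
    for port in $WORLD_TCP_PORTS; do
        $IPTABLES -A INPUT -i "$IF_EXTERNAL" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A INPUT -i "$IF_EXTERNAL" -p udp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -i "$IF_EXTERNAL" -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # The LAN may open anything on the box itself (DNS, proxy, ssh, ...).
    $IPTABLES -A INPUT -i "$IF_INTERNAL" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Routing: the LAN may initiate towards the world and only replies come back;
    # nothing from the world initiates into the LAN.
    $IPTABLES -A FORWARD -i "$IF_INTERNAL" -o "$IF_EXTERNAL" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT for the LAN, on the way out of the external interface only.
    $IPTABLES -t nat -A POSTROUTING -o "$IF_EXTERNAL" -s "$LAN_NET" -j MASQUERADE
}

# The "maybe later" item (f): expose one port of an inside box to the world.
# Usage: forward_to_inside_host EXT_PORT INSIDE_IP INSIDE_PORT
forward_to_inside_host() {
    $IPTABLES -t nat -A PREROUTING -i "$IF_EXTERNAL" -p tcp --dport "$1" -j DNAT --to-destination "$2:$3"
    $IPTABLES -A FORWARD -i "$IF_EXTERNAL" -o "$IF_INTERNAL" -p tcp -d "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

dual_homed_rules
forward_to_inside_host 8022 192.168.0.10 22    # placeholder values, not from the thread
```

Two checks worth doing before trusting it: `iptables -L -v` on the loaded box should show `eth0`/`eth1` in the in/out columns rather than `any` for every rule that is meant to be one-sided, and the FTP(S) line only works for data connections if the FTP conntrack helper module is loaded, since RELATED is what lets the data channel through.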
 