Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

Post #16, 12-12-2005, 12:20 PM
LQ Guru (Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870)
Quote:
Originally Posted by kriggo15
How do I block everything from 192.168.1.*? I know that iptables doesn't accept that wildcard and I don't want to have to type in the command 255 times to block all of the addresses. Thanks
specify the entire subnet as a source... like: but still, remember that limiting SYN packets with the general limit rules you posted is gonna affect them all, including the ones that aren't part of the flood...
Last edited by win32sux; 12-12-2005 at 12:25 PM.

Post #17, 12-12-2005, 12:53 PM
LQ Newbie, Original Poster (Registered: Dec 2005, Posts: 18)
I used the
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
command.
I am just so lost and confused right now. Here is my setup. I have one computer that has iptables running on it along with a server and a few test pages. I have another computer that is running the SYN flood attack. I have a third computer that is accessing the server and trying to get access to the web pages. All of the computers are hooked up through a router.
Does anyone have any advice?
Also, can someone tell me where I can view the configuration file for iptables in red hat?
Thanks everyone...

Post #18, 12-12-2005, 01:05 PM
LQ Newbie, Original Poster (Registered: Dec 2005, Posts: 18)
I just viewed my configuration file and this is what it looks like:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Can someone please help me configure this thing?
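As an added example (my code, not anything posted in this thread), here is a small shell lint for a ruleset in iptables-save format, such as the one pasted above. It reports the points a reviewer would raise: the INPUT and FORWARD policies left at ACCEPT, a rule of the form "-i eth0 -j ACCEPT" placed ahead of the per-port rules (iptables matches rules top to bottom and the first match decides, so everything arriving on eth0 is accepted before the port rules are consulted), and a general SYN rate limit with no source restriction, which throttles legitimate clients as well as the flood. The SYN limit rules discussed earlier in the thread are not on this page, so the sample below contains a typical form of one that I constructed; both sample rulesets are constructed, abbreviated from the posted one, and the Red Hat file path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an iptables-save dump.
# Usage: lint_iptables_save /etc/sysconfig/iptables   (path is an assumption)
# Prints one line per finding; prints nothing when the ruleset is clean.

lint_iptables_save() {
    f=$1
    # 1. Built-in chains whose default policy is ACCEPT.
    for chain in INPUT FORWARD; do
        if grep -q "^:$chain ACCEPT " "$f"; then
            echo "policy: $chain defaults to ACCEPT; set it with 'iptables -P $chain DROP'"
        fi
    done
    # 2. A rule that matches only on '-i <iface>' and jumps to ACCEPT, for an
    #    interface other than lo, accepts all traffic from that interface and
    #    makes every later rule irrelevant for it.
    if grep -E -- '^-A [^ ]+ -i [^ ]+ -j ACCEPT$' "$f" | grep -q -v -- ' -i lo '; then
        echo "order: a rule accepts everything from a non-loopback interface before the port rules"
    fi
    # 3. A '--syn' rule with '-m limit' and no '-s' source rate-limits every new
    #    connection, legitimate ones included.
    if grep -E -- '--syn .*-m limit' "$f" | grep -q -v -- ' -s '; then
        echo "limit: a SYN rate limit applies to all sources; it will slow normal clients too"
    fi
}

# Constructed sample 1: abbreviated from the posted ruleset, plus a SYN limit rule.
POSTED=${TMPDIR:-/tmp}/lint_posted.$$
cat > "$POSTED" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Constructed sample 2: the same ruleset with the three points addressed.
FIXED=${TMPDIR:-/tmp}/lint_fixed.$$
cat > "$FIXED" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
trap 'rm -f "$POSTED" "$FIXED"' EXIT

echo "== posted ruleset =="; lint_iptables_save "$POSTED"
echo "== fixed ruleset ==";  lint_iptables_save "$FIXED"
```

Against the first sample the lint prints four findings (INPUT policy, FORWARD policy, the interface-wide ACCEPT and the unscoped SYN limit); against the second it prints nothing. It reads the text format only, so it can be run on the output of `iptables-save` from any host without root.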

Post #19, 12-12-2005, 01:09 PM
LQ Guru (Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870)
Quote:
Originally Posted by kriggo15
I used the
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
command.
AFAIK if you use that command along with the general SYN packet limit rules, then you'd still be limiting SYN packets for non-flood connections - so the server would still appear sluggish to the clients trying to establish normal connections... try using the tcp_syncookies without using the limiting SYN packet rules...
Quote:
Also, can someone tell me where I can view the configuration file for iptables in red hat?
i'm not sure where it's stored in redhat (just google it), but you can store them wherever you want when you run the iptables-save command... and you can then pick them up with the iptables-restore command... if you want to look at your *current* configuration just run a command like:

Post #20, 12-12-2005, 01:13 PM
LQ Guru (Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870)
BTW: if the "syn flood generator" and the web server are on the same LAN then it really doesn't matter what you do on the router/firewall... you need to have the two boxes on separate networks for the simulation to work (if you are doing this on the router)...
also, why is your INPUT policy set to ACCEPT?? same question for the FORWARD chain... 
Last edited by win32sux; 12-12-2005 at 01:15 PM.

Post #21, 12-12-2005, 01:15 PM
LQ Newbie, Original Poster (Registered: Dec 2005, Posts: 18)
Quote:
Originally Posted by win32sux
BTW: if the syn-flood-generator and the web server are on the same LAN then it really doesn't matter what you do on the router/firewall... you need to have the two boxes on separate networks for the simulation to work...
could you explain why this is? It's obvious that you know more than I do so I would like to understand. thanks...

Post #22, 12-12-2005, 01:37 PM
LQ Newbie, Original Poster (Registered: Dec 2005, Posts: 18)
I'm not sure why the input and forward chains are set to accept. This is the initial setup configuration on this computer. What should it be set to?

Post #23, 12-12-2005, 02:20 PM
LQ Guru (Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870)
Quote:
Originally Posted by kriggo15
could you explain why this is?
because by nature a firewall/router can only filter traffic BETWEEN networks... machines on the same LAN do not need to send packets through a router in order to communicate, they can do so directly... in practical terms, boxes on a lan only rely on the switch/hub for communication (and on their local firewall rules)... the router is only needed to deal with traffic between the LAN and another network, such as another LAN or the Internet...
Quote:
Originally Posted by kriggo15
I'm not sure why the input and forward chains are set to accept. This is the initial setup configuration on this computer. What should it be set to?
it should be set to DROP...
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
with the policy set to DROP, you only need to add rules for the packets you actually want to ACCEPT... anything that doesn't get ACCEPTed will hit the default policy of DROP...
Last edited by win32sux; 12-12-2005 at 02:21 PM.

Post #24, 12-12-2005, 05:05 PM
LQ Newbie, Original Poster (Registered: Dec 2005, Posts: 18)
Quote:
Originally Posted by kriggo15
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
so should my configuration look like this?

Post #25, 12-12-2005, 07:14 PM
LQ Newbie, Original Poster (Registered: Dec 2005, Posts: 18)
I asked my teacher about the connection between the computers and this is what he said:
"This talks about the firewall on the router. In your case, the firewall
is on the end server, for example, IPtables, which manages every packet
in or out the server. This kind of firewall still works even when
attackers are in the same LAN."
What kind of packets do I need to accept? Thanks for all of the help by the way

Post #26, 12-12-2005, 07:30 PM
LQ Guru (Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870)
Quote:
Originally Posted by kriggo15
I asked my teacher about the connection between the computers and this is what he said:
"This talks about the firewall on the router. In your case, the firewall
is on the end server, for example, IPtables, which manages every packet
in or out the server. This kind of firewall still works even when
attackers are in the same LAN."
yup, your teacher is right... but this was stated here before, in post #23:
Quote:
Originally Posted by win32sux
boxes on a lan only rely on the switch/hub for communication (and on their local firewall rules)...

Post #27, 12-12-2005, 07:48 PM
LQ Newbie, Original Poster (Registered: Dec 2005, Posts: 18)
What packets do I need to let through, and do I need to give them any specific permissions?

Post #28, 12-12-2005, 08:39 PM
LQ Guru (Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870)
if it's strictly an HTTP server then basically you just need to allow TCP packets destined to port 80... if it's also HTTPS then add a rule for TCP port 443... sorry i can't be more specific right now, i'm kinda in the middle of something... i'm sure someone else will jump in...

Post #29, 12-14-2005, 09:39 PM
LQ Newbie, Original Poster (Registered: Dec 2005, Posts: 18)
If I wanted to accept the address 192.168.1.20, how would I write the rule? Also, if I write this at the very top of my rules, would it be executed first?
Also, if I wanted to block all IP addresses other than the 192.168.1.20 address (192.168.1.1-19,21-255), how would I write that rule?
Thanks in advance

Post #30, 12-14-2005, 11:15 PM
LQ Newbie (Registered: Dec 2005, Distribution: Slackware, Mandrake, Posts: 15)
AFAIK you can specify a mask in iptables, say
Code:
192.168.10.0/255.255.255.0
This will solve your problem of giving a range/same address 255 times!
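As an added example (my code, not commands from any post in this thread), the shell function below writes out a complete ruleset in iptables-restore format that answers the questions from posts #16, #29 and #30 together. The INPUT and FORWARD policies are DROP, as post #23 recommends; the only NEW connections accepted are TCP to the listed ports from one source, given either as a host (192.168.1.20) or as a range (192.168.1.0/24, or 192.168.1.0/255.255.255.0 in the dotted form the previous post shows); everything else falls through to the REJECT rule. With the policy at DROP, "allow one address and block all the others" needs one rule for the allowed address rather than 254 rules for the rest. Rules are evaluated top to bottom and the first match decides, which is why the per-source ACCEPTs sit above the catch-all and why a rule put at the very top of a chain is indeed checked first. The addresses and ports are constructed values; the generated text is checked here, not loaded into a kernel.

```shell
#!/bin/sh
# Added example, not the thread's own commands: emit an iptables-restore
# ruleset for a host firewall that serves a few TCP ports to one trusted
# source and drops everything else.
# Usage (as root): gen_ruleset <source> <port>... | iptables-restore

gen_ruleset() {
    src=$1
    shift
    printf '%s\n' '*filter'
    # Default policies: anything not explicitly ACCEPTed below is dropped.
    printf '%s\n' ':INPUT DROP [0:0]'
    # This host does not route between networks, so nothing is forwarded.
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic never leaves the host; accept it first.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, and traffic related to them.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # First match wins, so the per-source, per-port ACCEPTs must precede the
    # catch-all REJECT. The source may be a host, a CIDR range or a dotted mask.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -s $src -p tcp -m tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# Number of ACCEPT rules in the generated set that are restricted to the source.
count_source_accepts() {
    gen_ruleset "$@" | grep -c -- "^-A INPUT -s $1 .* -j ACCEPT\$"
}

# Stand-alone run: a web server reachable on 80 and 443 from 192.168.1.0/24 only.
gen_ruleset 192.168.1.0/24 80 443
```

Load the output with `gen_ruleset 192.168.1.0/24 80 443 | iptables-restore` as root, then enable SYN cookies with `sysctl -w net.ipv4.tcp_syncookies=1`, which sets the same kernel switch the thread toggles by writing to /proc. As post #19 points out, with SYN cookies on there is no need for a general SYN rate limit that would slow legitimate clients as well as the flood.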