Iptables tutorial

Thảo luận trong 'Góc Bảo Mật' bắt đầu bởi hautp, Thg 12 19, 2012.

  1. hautp

    hautp Well-Known Member

    GIT – Bài viết hướng dẫn một số tips về iptables tutorial basic dành cho các bạn quản trị server linux dùng firewall iptables

    #1: Displaying the Status of Your Firewall
    Type the following command as root:
    # iptables -L -n -v

    Sample outputs:
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    Above output indicates that the firewall is not active. The following sample shows an active firewall:
    # iptables -L -n -v

    Sample outputs:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    394 43586 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    93 17292 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
    1 142 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 wanin all -- vlan2 * 0.0.0.0/0 0.0.0.0/0
    0 0 wanout all -- * vlan2 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
    Chain OUTPUT (policy ACCEPT 425 packets, 113K bytes)
    pkts bytes target prot opt in out source destination
    Chain wanin (1 references)
    pkts bytes target prot opt in out source destination
    Chain wanout (1 references)
    pkts bytes target prot opt in out source destination
    Where,
    • -L : List rules.
    • -v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix ‘K’, ‘M’ or ‘G’ for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
    • -n : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.
    #1.1: To inspect firewall with line numbers, enter:
    # iptables -n -L -v --line-numbers

    Sample outputs:
    Chain INPUT (policy DROP)
    num target prot opt source destination
    1 DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    Chain FORWARD (policy DROP)
    num target prot opt source destination
    1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    2 DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    3 TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    5 wanin all -- 0.0.0.0/0 0.0.0.0/0
    6 wanout all -- 0.0.0.0/0 0.0.0.0/0
    7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    Chain OUTPUT (policy ACCEPT)
    num target prot opt source destination
    Chain wanin (1 references)
    num target prot opt source destination
    Chain wanout (1 references)
    num target prot opt source destination
    You can use line numbers to delete or insert new rules into the firewall.
    #1.2: To display INPUT or OUTPUT chain rules, enter:
    # iptables -L INPUT -n -v
    # iptables -L OUTPUT -n -v --line-numbers
    #2: Stop / Start / Restart the Firewall
    If you are using CentOS / RHEL / Fedora Linux, enter:
    # service iptables stop
    # service iptables start
    # service iptables restart

    You can use the iptables command itself to stop the firewall and delete all rules:
    # iptables -F
    # iptables -X
    # iptables -t nat -F
    # iptables -t nat -X
    # iptables -t mangle -F
    # iptables -t mangle -X
    # iptables -P INPUT ACCEPT
    # iptables -P OUTPUT ACCEPT
    # iptables -P FORWARD ACCEPT

    Where,
    • -F : Deleting (flushing) all the rules.
    • -X : Delete chain.
    • -t table_name : Select table (called nat or mangle) and delete/flush rules.
    • -P : Set the default policy (such as DROP, REJECT, or ACCEPT).
    #3: Delete Firewall Rules
    To display line number along with other information for existing rules, enter:
    # iptables -L INPUT -n --line-numbers
    # iptables -L OUTPUT -n --line-numbers
    # iptables -L OUTPUT -n --line-numbers | less
    # iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1

    You will get the list of IP. Look at the number on the left, then use number to delete it. For example delete line number 4, enter:
    # iptables -D INPUT 4

    OR find source IP 202.54.1.1 and delete from rule:
    # iptables -D INPUT -s 202.54.1.1 -j DROP

    Where,
    • -D : Delete one or more rules from the selected chain
    #4: Insert Firewall Rules
    To insert one or more rules in the selected chain as the given rule number use the following syntax. First find out line numbers, enter:
    # iptables -L INPUT -n –line-numbers
    Sample outputs:
    Chain INPUT (policy DROP)
    num target prot opt source destination
    1 DROP all -- 202.54.1.1 0.0.0.0/0
    2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
    To insert rule between 1 and 2, enter:
    # iptables -I INPUT 2 -s 202.54.1.2 -j DROP

    To view updated rules, enter:
    # iptables -L INPUT -n --line-numbers

    Sample outputs:
    Chain INPUT (policy DROP)
    num target prot opt source destination
    1 DROP all -- 202.54.1.1 0.0.0.0/0
    2 DROP all -- 202.54.1.2 0.0.0.0/0
    3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
    #5: Save Firewall Rules
    To save firewall rules under CentOS / RHEL / Fedora Linux, enter:
    # service iptables save

    In this example, drop an IP and save firewall rules:
    # iptables -A INPUT -s 202.5.4.1 -j DROP
    # service iptables save

    For all other distros use the iptables-save command:
    # iptables-save > /root/my.active.firewall.rules
    # cat /root/my.active.firewall.rules

    #6: Restore Firewall Rules
    To restore firewall rules form a file called /root/my.active.firewall.rules, enter:
    # iptables-restore < /root/my.active.firewall.rules

    To restore firewall rules under CentOS / RHEL / Fedora Linux, enter:
    # service iptables restart

    #7: Set the Default Firewall Policies
    To drop all traffic:
    # iptables -P INPUT DROP
    # iptables -P OUTPUT DROP
    # iptables -P FORWARD DROP
    # iptables -L -v -n
    #### you will not able to connect anywhere as all traffic is dropped ###
    # ping www.gocit.vn

    #7.1: Only Block Incoming Traffic
    To drop all incoming / forwarded packets, but allow outgoing traffic, enter:
    # iptables -P INPUT DROP
    # iptables -P FORWARD DROP
    # iptables -P OUTPUT ACCEPT
    # iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
    # iptables -L -v -n
    ### *** now ping and wget should work *** ###
    # ping www.gocit.vn

    #8:Drop Private Network Address On Public Interface
    IP spoofing is nothing but to stop the following IPv4 address ranges for private networks on your public interfaces. Packets with non-routable source addresses should be rejected using the following syntax:
    # iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
    #8.1: IPv4 Address Ranges For Private Networks (make sure you block them on public interface)
    • 10.0.0.0/8 -j (A)
    • 172.16.0.0/12 (B)
    • 192.168.0.0/16 (C)
    • 224.0.0.0/4 (MULTICAST D)
    • 240.0.0.0/5 (E)
    • 127.0.0.0/8 (LOOPBACK)
    #9: Blocking an IP Address (BLOCK IP)
    To block an attackers ip address called 1.2.3.4, enter:
    # iptables -A INPUT -s 1.2.3.4 -j DROP
    # iptables -A INPUT -s 192.168.0.0/24 -j DROP
    #10: Block Incoming Port Requests (BLOCK PORT)
    To block all service requests on port 80, enter:
    # iptables -A INPUT -p tcp --dport 80 -j DROP
    # iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
    To block port 80 only for an ip address 1.2.3.4, enter:
    # iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
    # iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP
    #11: Block Outgoing IP Address
    To block outgoing traffic to a particular host or domain such as cyberciti.biz, enter:
    # host -t a gocit.vn
    Sample outputs:
    gocit.vn has address 75.126.153.206
    Note down its ip address and type the following to block all outgoing traffic to 75.126.153.206:
    # iptables -A OUTPUT -d 75.126.153.206 -j DROP

    You can use a subnet as follows:
    # iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
    # iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP
    #11.1: Example – Block Facebook.com Domain
    First, find out all ip address of facebook.com, enter:
    # host -t a www.facebook.com

    Sample outputs:
    www.facebook.com has address 69.171.228.40
    Find CIDR for 69.171.228.40, enter:
    # whois 69.171.228.40 | grep CIDR

    Sample outputs:

    CIDR: 69.171.224.0/19
    To prevent outgoing access to www.facebook.com, enter:
    # iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP

    You can also use domain name, enter:
    # iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
    # iptables -A OUTPUT -p tcp -d facebook.com -j DROP
    From the iptables man page:
    … specifying any name to be resolved with a remote query such as DNS (e.g., facebook.com is a really bad idea), a network IP address (with /mask), or a plain IP address …
    #12: Log and Drop Packets
    Type the following to log and block IP spoofing on public interface called eth1
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

    By default everything is logged to /var/log/messages file.
    # tail -f /var/log/messages
    # grep --color 'IP SPOOF' /var/log/messages
    #13: Log and Drop Packets with Limited Number of Log Entries
    The -m limit module can limit the number of log entries created per time. This is used to prevent flooding your log file. To log and drop spoofing per 5 minutes, in bursts of at most 7 entries .
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
    #14: Drop or Accept Traffic From Mac Address
    Use the following syntax:
    # iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
    ## *only accept traffic for TCP port # 8080 from mac 00:0F:EA:91:04:07 * ##
    # iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
    #15: Block or Allow ICMP Ping Request
    Type the following command to block ICMP ping requests:
    # iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    # iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

    Ping responses can also be limited to certain networks or hosts:
    # iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT

    The following only accepts limited type of ICMP requests:
    ### ** assumed that default INPUT policy set to DROP ** #############
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    ## ** all our server to respond to pings ** ##
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    #16: Open Range of Ports
    Use the following syntax to open a range of ports:
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT
    #17: Open Range of IP Addresses
    Use the following syntax to open a range of IP address:
    ## only accept connection to tcp port 80 (Apache) if ip is between 192.168.1.100 and 192.168.1.200 ##
    iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
    ## nat example ##
    iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25
    #18: Established Connections and Restaring The Firewall
    When you restart the iptables service it will drop established connections as it unload modules from the system under RHEL / Fedora / CentOS Linux. Edit, /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows:
    IPTABLES_MODULES_UNLOAD = no
    #19: Help Iptables Flooding My Server Screen
    Use the crit log level to send messages to a log file instead of console:
    iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit
    #20: Block or Open Common Ports
    The following shows syntax for opening and closing common TCP and UDP ports:

    Replace ACCEPT with DROP to block port:
    ## open port ssh tcp port 22 ##
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

    ## open cups (printing service) udp/tcp port 631 for LAN users ##
    iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

    ## allow time sync via NTP for lan users (open udp port 123) ##
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

    ## open tcp port 25 (smtp) for all ##
    iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

    # open dns server ports for all ##
    iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

    ## open http/https (Apache) server port to all ##
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

    ## open tcp port 110 (pop3) for all ##
    iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

    ## open tcp port 143 (imap) for all ##
    iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

    ## open access to Samba file server for lan users only ##
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

    ## open access to proxy server for lan users only ##
    iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT

    ## open access to mysql server for lan users only ##
    iptables -I INPUT -p tcp --dport 3306 -j ACCEPT
    #21: Restrict the Number of Parallel Connections To a Server Per Client IP
    You can use connlimit module to put such restrictions. To allow 3 ssh connections per client host, enter:
    # iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
    Set HTTP requests to 20:
    # iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP

    Where,
    1. –connlimit-above 3 : Match if the number of existing connections is above 3.
    2. –connlimit-mask 24 : Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32.
    #22: HowTO: Use iptables Like a Pro
    For more information about iptables, please see the manual page by typing man iptables from the command line:
    $ man iptables

    You can see the help using the following syntax too:
    # iptables -h

    To see help with specific commands and targets, enter:
    # iptables -j DROP -h
    #22.1: Testing Your Firewall
    Find out if ports are open or not, enter:
    # netstat -tulpn

    Find out if tcp port 80 open or not, enter:
    # netstat -tulpn | grep :80

    If port 80 is not open, start the Apache, enter:
    # service httpd start

    Make sure iptables allowing access to the port 80:
    # iptables -L INPUT -v -n | grep 80

    Otherwise open port 80 using the iptables for all users:
    # iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    # service iptables save

    Use the telnet command to see if firewall allows to connect to port 80:
    $ telnet www.gocit.vn 80

    Sample outputs:
    Trying 75.126.153.206...
    Connected to www.gocit.vn.
    Escape character is '^]'.
    ^]
    telnet> quit
    Connection closed.
    You can use nmap to probe your own server using the following syntax:
    $ nmap -sS -p 80 www.gocit.vn

    Sample outputs:
    Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-13 13:19 IST
    Interesting ports on www.gocit.vn (75.126.153.206):
    PORT STATE SERVICE
    80/tcp open http
    Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds
    I also recommend you install and use sniffer such as tcpdupm and ngrep to test your firewall settings.
    Conclusion:

    This post only list basic rules for new Linux users. You can create and build more complex rules. This requires good understanding of TCP/IP, Linux kernel tuning via sysctl.conf, and good knowledge of your own setup. Stay tuned for next topics:
    • Stateful packet inspection.
    • Using connection tracking helpers.
    • Network address translation.
    • Layer 2 filtering.
    • Firewall testing tools.
    • Dealing with VPNs, DNS, Web, Proxy, and other protocols.
     
  2. hautp

    hautp Well-Known Member

    Iptables Firewall Configuration Tutorial

    GIT – Iptables Firewall Configuration Tutorial : how do I configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat Enterprise Linux?
    Netfilter is a host-based firewall for Linux operating systems. It is included as part of the Linux distribution and it is activated by default. This firewall is controlled by the program called iptables. Netfilter filtering take place at the kernel level, before a program can even process the data from the network packet.
    Iptables Config File
    The default config files for RHEL / CentOS / Fedora Linux are:
    • /etc/sysconfig/iptables – The system scripts that activate the firewall by reading this file.
    Task: Display Default Rules: type the following command:
    iptables --line-numbers -n -L
    Sample outputs:
    Chain INPUT (policy ACCEPT) num target prot opt source destination 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) num target prot opt source destination 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) num target prot opt source destination Chain RH-Firewall-1-INPUT (2 references) num target prot opt source destination 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255 3 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53 8 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    Task: Turn On Firewall : ype the following two commands to turn on firewall:
    # chkconfig iptables on # service iptables start # restart the firewall # service iptables restart # stop the firewall # service iptables stop
    Iptables Firewall Configuration Tutorial
    Understanding Firewall
    There are total 4 chains:
    1. INPUT - The default chain is used for packets addressed to the system. Use this to open or close incoming ports (such as 80,25, and 110 etc) and ip addresses / subnet (such as 202.54.1.20/29).
    2. OUTPUT - The default chain is used when packets are generating from the system. Use this open or close outgoing ports and ip addresses / subnets.
    3. FORWARD - The default chains is used when packets send through another interface. Usually used when you setup Linux as router. For example, eth0 connected to ADSL/Cable modem and eth1 is connected to local LAN. Use FORWARD chain to send and receive traffic from LAN to the Internet.
    4. RH-Firewall-1-INPUT - This is a user-defined custom chain. It is used by the INPUT, OUTPUT and FORWARD chains.
    Packet Matching Rules
    1. Each packet starts at the first rule in the chain .
    2. A packet proceeds until it matches a rule.
    3. If a match found, then control will jump to the specified target (such as REJECT, ACCEPT, DROP).
    Target Meanings
    1. The target ACCEPT means allow packet.
    2. The target REJECT means to drop the packet and send an error message to remote host.
    3. The target DROP means drop the packet and do not send an error message to remote host or sending host.
    /etc/sysconfig/iptables
    Edit /etc/sysconfig/iptables, enter:
    # vi /etc/sysconfig/iptables
    You will see default rules as follows:
    *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT
    Drop All Traffic
    Find lines:
    *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
    Update as follows to change the default policy to DROP from ACCEPT for the INPUT and FORWARD built-in chains:
    :INPUT DROP [0:0] :FORWARD DROP [0:0]
    Log and Drop Spoofing Source Addresses
    Append the following lines before final COMMIT line:
    -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF " -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF " -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF " -A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST " -A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF " -A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK " -A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "IP DROP MULTICAST " -A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "IP DROP " -A INPUT -i eth0 -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP " -A INPUT -i eth0 -s 255.255.255.255/32 -j LOG --log-prefix "IP DROP " -A INPUT -i eth0 -s 168.254.0.0/16 -j LOG --log-prefix "IP DROP " -A INPUT -i eth0 -s 248.0.0.0/5 -j LOG --log-prefix "IP DROP "
    Log And Drop All Traffic
    Find the lines:
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT
    Update it as follows:
    -A RH-Firewall-1-INPUT -j LOG -A RH-Firewall-1-INPUT -j DROP COMMIT
    Open Port
    To open port 80 (Http server) add the following before COMMIT line:
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
    To open port 53 (DNS Server) add the following before COMMIT line:
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -m udp -p tcp --dport 53 -j ACCEPT
    To open port 443 (Https server) add the following before COMMIT line:
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
    To open port 25 (smtp server) add the following before COMMIT line:
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
    Only allow SSH traffic From 192.168.1.0/24
    -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
    Enable Printing Access For 192.168.1.0/24
    -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
    Allow Legitimate NTP Clients to Access the Server
    -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT
    Open FTP Port 21 (FTP)
    -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
    Save and close the file. Edit /etc/sysconfig/iptables-config, enter:
    # vi /etc/sysconfig/iptables-config
    Make sure ftp module is loaded with the space-separated list of modules:
    IPTABLES_MODULES="ip_conntrack_ftp"
    To restart firewall, type the following commands:
    # service iptables restart
    # iptables -vnL --line-numbers
    Edit /etc/sysctl.conf For DoS and Syn Protection
    Edit /etc/sysctl.conf to defend against certain types of attacks and append / update as follows:
    net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.icmp_echo_ignore_broadcasts = 1 #net.ipv4.icmp_ignore_bogus_error_messages = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1
    Alternate Configuration Option
    You can skip /etc/sysconfig/iptables file and create a shell script from scratch as follows:
    #!/bin/bash # A sample firewall shell script IPT="/sbin/iptables" SPAMLIST="blockedip" SPAMDROPMSG="BLOCKED IP DROP" SYSCTL="/sbin/sysctl" BLOCKEDIPS="/root/scripts/blocked.ips.txt" # Stop certain attacks echo "Setting sysctl IPv4 settings..." $SYSCTL net.ipv4.ip_forward=0 $SYSCTL net.ipv4.conf.all.send_redirects=0 $SYSCTL net.ipv4.conf.default.send_redirects=0 $SYSCTL net.ipv4.conf.all.accept_source_route=0 $SYSCTL net.ipv4.conf.all.accept_redirects=0 $SYSCTL net.ipv4.conf.all.secure_redirects=0 $SYSCTL net.ipv4.conf.all.log_martians=1 $SYSCTL net.ipv4.conf.default.accept_source_route=0 $SYSCTL net.ipv4.conf.default.accept_redirects=0 $SYSCTL net.ipv4.conf.default.secure_redirects=0 $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1 #$SYSCTL net.ipv4.icmp_ignore_bogus_error_messages=1 $SYSCTL net.ipv4.tcp_syncookies=1 $SYSCTL net.ipv4.conf.all.rp_filter=1 $SYSCTL net.ipv4.conf.default.rp_filter=1 $SYSCTL kernel.exec-shield=1 $SYSCTL kernel.randomize_va_space=1 echo "Starting IPv4 Firewall..." $IPT -F $IPT -X $IPT -t nat -F $IPT -t nat -X $IPT -t mangle -F $IPT -t mangle -X # load modules modprobe ip_conntrack [ -f "$BLOCKEDIPS" ] && BADIPS=$(egrep -v -E "^#|^$" "${BLOCKEDIPS}") # interface connected to the Internet PUB_IF="eth0" #Unlimited traffic for loopback $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # DROP all incomming traffic $IPT -P INPUT DROP $IPT -P OUTPUT DROP $IPT -P FORWARD DROP if [ -f "${BLOCKEDIPS}" ]; then # create a new iptables list $IPT -N $SPAMLIST for ipblock in $BADIPS do $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG " $IPT -A $SPAMLIST -s $ipblock -j DROP done $IPT -I INPUT -j $SPAMLIST $IPT -I OUTPUT -j $SPAMLIST $IPT -I FORWARD -j $SPAMLIST fi # Block sync $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync" $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP # Block Fragments $IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets" $IPT -A INPUT -i ${PUB_IF} -f -j DROP # Block bad stuff $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets" $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets" $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan" $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP # Allow full outgoing connection but no incomming stuff $IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # Allow ssh $IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 22 -j ACCEPT # Allow http / https (open port 80 / 443) $IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 80 -j ACCEPT #$IPT -A INPUT -o ${PUB_IF} -p tcp --destination-port 443 -j ACCEPT # allow incomming ICMP ping pong stuff $IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow port 53 tcp/udp (DNS Server) $IPT -A INPUT -i ${PUB_IF} -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT # Open port 110 (pop3) / 143 $IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 110 -j ACCEPT $IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 143 -j ACCEPT ##### Add your rules below ###### # # ##### END your rules ############ # Do not log smb/windows sharing packets - too much logging $IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT $IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT # log everything else and drop $IPT -A INPUT -j LOG $IPT -A FORWARD -j LOG $IPT -A INPUT -j DROP exit 0
     

Chia sẻ trang này