Wednesday 21 April 2010

basics 6 - iptables firewall tutorial

This tutorial deals with the configuration of an iptables firewall.
French version available on the site.

prerequisites

access from server to a directory of the host

We'll need to transfer our results from serveur to the host. Serveur has no graphical interface, so copy-paste does not work.
Recall: this operation requires VMware Tools on the virtualized OS.

on host:
VM → settings → options → shared folders → enabled until next power off or suspend, add → choose the lab directory
on serveur:
serveur$ cd ~
serveur$ tar -xvzf /mnt/hgfs/TP3*/regles-filtrage.gz
serveur$ cd firewall
serveur$ sudo chmod 700 ./*

some iptables scripts

We'll uncomment the relevant lines as we go through the tutorial.
#iptables configuration script

#reset
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

#default
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#allow an already open connection to receive traffic
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#2 deny ICMP protocol from localhost
#iptables -A INPUT -p icmp -j DROP
#iptables -A OUTPUT -p icmp -j DROP

#1 accept any packet from and to localhost
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

#3 deny any packet to ftp
#iptables -A INPUT -m state --state NEW -p tcp --dport 20:21 -j DROP

#4 deny any outgoing packet on eth0 whose destination port is under 1024
#iptables -A OUTPUT -o eth0 -p tcp --dport 1:1024 -j DROP
#iptables -A OUTPUT -o eth0 -p udp --dport 1:1024 -j DROP

#5 deny any new TCP connection on eth0
#iptables -A INPUT -m state --state NEW -p tcp -i eth0 -j DROP
#iptables -A OUTPUT -m state --state NEW -p tcp -o eth0 -j DROP

#6 deny any ping response
#iptables -A INPUT -p icmp -j DROP

#7 deny any connection on eth0 that does not come from a particular MAC address
#iptables -A INPUT -i eth0 -m mac ! --mac-source 00:0c:29:35:6a:41 -j DROP

#8 deny any packet from internal network, except from the server
#iptables -A INPUT -i eth0 -s 192.168.0.2 -j ACCEPT
#iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP

#9 allow at most 5 TCP connection attempts,
# and no more than 2 per minute
#iptables -A INPUT -m state --state NEW -m recent --set
#iptables -A INPUT -m state --state NEW -m recent --update --hitcount 6 -j DROP
#iptables -A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

#10 log any incoming packet
#iptables -A INPUT -j LOG --log-prefix '[FIREWALL-DROP]'

0 test default rules

#reset
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

#default
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#allow an already open connection to receive traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

serveur$ sudo bash ./monscript
serveur$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
test output:


1 allow packets only from localhost

#reset
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X


#default
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP


#1 allow packets only from localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

serveur$ sudo bash ./monscript

2 deny ICMP protocol

# reset
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

# default
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#2 deny ICMP
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j DROP

#1 allow localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


Result: outgoing pings, including those to localhost, are blocked, but FTP to localhost is still allowed.
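The result above comes from rule order: iptables walks a chain from top to bottom, the first rule that matches decides, and the chain policy applies only when no rule matched. In the script of section 2 the ICMP DROP rules are appended before the loopback ACCEPT rules, so a ping to 127.0.0.1 hits the DROP first. The following added example (not part of the original tutorial) is a tiny first-match simulator over simplified rules of the form "chain interface protocol target"; the rule sets, packets and the `verdict` helper are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): a first-match simulator
# for the rules of section 2. Rules and packets are simplified to
# (chain, interface, protocol); "any" is a wildcard.

# verdict RULES POLICY CHAIN IFACE PROTO
# Prints the target of the first rule matching the packet, or POLICY if none does.
verdict() {
    rules=$1 policy=$2 chain=$3 iface=$4 proto=$5
    printf '%s\n' "$rules" | awk -v c="$chain" -v i="$iface" -v p="$proto" -v pol="$policy" '
        NF == 4 && $1 == c && ($2 == "any" || $2 == i) && ($3 == "any" || $3 == p) {
            print $4; found = 1; exit
        }
        END { if (!found) print pol }'
}

# The order in which section 2 appends its rules: ICMP is dropped BEFORE
# loopback traffic is accepted, so a ping to localhost hits the DROP first.
as_written='INPUT any icmp DROP
OUTPUT any icmp DROP
INPUT lo any ACCEPT
OUTPUT lo any ACCEPT'

# The same four rules with loopback accepted first: ping to localhost now
# passes, while ICMP on eth0 is still dropped.
reordered='INPUT lo any ACCEPT
OUTPUT lo any ACCEPT
INPUT any icmp DROP
OUTPUT any icmp DROP'

# Compare the two orders for a few constructed packets (policy DROP, as in section 2).
demo() {
    for pkt in "OUTPUT lo icmp" "INPUT lo icmp" "OUTPUT eth0 icmp" "INPUT lo tcp" "INPUT eth0 tcp"; do
        set -- $pkt
        printf '%-18s as written: %-7s reordered: %s\n' "$pkt" \
            "$(verdict "$as_written" DROP "$1" "$2" "$3")" \
            "$(verdict "$reordered" DROP "$1" "$2" "$3")"
    done
}

demo
```

The same first-match logic explains why the `ESTABLISHED,RELATED` rule of section 0 is put at the top of INPUT: with policy DROP, every later rule only has to deal with new connections.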

3 deny ftp

#reset
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

#default
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#3 deny ftp
iptables -A INPUT -m state --state NEW -p tcp --dport 20:21 -j DROP

4 deny port under 1024

#reset
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

#default
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#4 deny ports under 1024
iptables -A OUTPUT -o eth0 -p tcp --dport 1:1024 -j DROP
iptables -A OUTPUT -o eth0 -p udp --dport 1:1024 -j DROP


5 deny TCP connexion initialization

#reset
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

#default
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#5 deny TCP connection initialization
iptables -A INPUT -m state --state NEW -p tcp -i eth0 -j DROP
iptables -A OUTPUT -m state --state NEW -p tcp -o eth0 -j DROP

6 deny incoming ping

#reset
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

#default
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#allow an already initialized connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#6 deny incoming ping
iptables -A INPUT -p icmp -j DROP

Outgoing ping works; incoming ping is blocked.

7 deny any MAC address except client's one

#reset
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

#default
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#7 deny any connection without MAC 00:0c:...
iptables -A INPUT -i eth0 -m mac ! --mac-source 00:0c:29:35:6a:41 -j DROP

8 deny any packet from internal network, except from the server

#reset
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

#default
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#8 deny any packet from internal network, except from the server
iptables -A INPUT -i eth0 -s 192.168.0.2 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
From serveur:

From intrus:

9 allow 5 TCP connection attempts, at most 2 per minute

#reset
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

#default
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#9 allow at most 5 TCP connection attempts,
# and no more than 2 per minute
iptables -A INPUT -m state --state NEW -m recent --set
iptables -A INPUT -m state --state NEW -m recent --update --hitcount 6 -j DROP
iptables -A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
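To see why these three rules give "5 attempts, at most 2 per minute", follow one client: every NEW packet first passes the `--set` rule, which records a hit for the source; the `--update --hitcount 6` rule then drops the packet once 6 hits are recorded at all, and the `--update --seconds 60 --hitcount 3` rule drops it once 3 hits fall inside the last 60 seconds (the packet being counted includes itself). The following added example (not part of the original tutorial) is a simplified awk model of that counting, run over two constructed attempt sequences; the `recent_verdicts` helper is hypothetical. It keeps one timestamp per attempt, an unbounded list, and does not refresh the entry when an `--update` rule matches, whereas the real module keeps a bounded list per source and refreshes the timestamp on a match, which prolongs the penalty.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): a simplified model of
# the three "-m recent" rules of section 9 for a single source address.
#   --hitcount 6              : 6 or more recorded hits at all         -> DROP
#   --seconds 60 --hitcount 3 : 3 or more hits in the last 60 seconds  -> DROP
# Simplifications (hypothetical model, not the kernel code): one timestamp
# per attempt, an unbounded list, no refresh of the entry on a match.

# recent_verdicts "t1 t2 ..."  (attempt times in seconds, ascending)
# Prints one "time VERDICT" line per attempt.
recent_verdicts() {
    printf '%s\n' "$1" | awk '{
        n = 0
        for (k = 1; k <= NF; k++) {
            t = $k + 0
            hits[++n] = t                      # --set: record this hit first
            recent = 0
            for (j = 1; j <= n; j++)           # hits inside the 60 s window
                if (t - hits[j] <= 60) recent++
            if (n >= 6)            v = "DROP"  # --update --hitcount 6
            else if (recent >= 3)  v = "DROP"  # --update --seconds 60 --hitcount 3
            else                   v = "ACCEPT"
            print t, v
        }
    }'
}

# Two constructed attempt sequences from one client.
echo "three attempts within 20 s (rate limit):"
recent_verdicts "0 10 20"
echo "six spread-out attempts (total cap):"
recent_verdicts "0 30 61 100 130 170"
```

The first sequence shows the third attempt within a minute being dropped; the second keeps every attempt more than a minute away from the one two steps before it, so only the total cap of the `--hitcount 6` rule fires, on the sixth attempt.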


10 log any incoming packet

#reset
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

#default
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#10 log any incoming packet
iptables -A INPUT -j LOG --log-prefix '[FIREWALL-DROP]'

serveur$ cat /var/log/messages
(...)
Mar 16 11:08:43 serveurlinux kernel: [95470.709194] [FIREWALL-DROP]IN=eth0 OUT= MAC=00:0c:29:35:6a:41:00:50:56:ef:ff:86:08:00 SRC=88.191.250.131 DST=192.168.0.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=128 ID=325 PROTO=TCP SPT=80 DPT=49410 WINDOW=64240 RES=0x00 ACK PSH URGP=0
Mar 16 11:08:43 serveurlinux kernel: [95470.711124] [FIREWALL-DROP]IN=eth0 OUT= MAC=00:0c:29:35:6a:41:00:50:56:ef:ff:86:08:00 SRC=88.191.250.131 DST=192.168.0.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=128 ID=326 PROTO=TCP SPT=80 DPT=49410 WINDOW=64240 RES=0x00 ACK PSH URGP=0
Mar 16 11:08:43 serveurlinux kernel: [95470.713118] [FIREWALL-DROP]IN=eth0 OUT= MAC=00:0c:29:35:6a:41:00:50:56:ef:ff:86:08:00 SRC=88.191.250.131 DST=192.168.0.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=128 ID=327 PROTO=TCP SPT=80 DPT=49410 WINDOW=64240 RES=0x00 ACK PSH URGP=0
Mar 16 11:08:44 serveurlinux kernel: [95470.721431] [FIREWALL-DROP]IN=eth0 OUT= MAC=00:0c:29:35:6a:41:00:50:56:ef:ff:86:08:00 SRC=88.191.250.131 DST=192.168.0.2 LEN=1412 TOS=0x00 PREC=0x00 TTL=128 ID=328 PROTO=TCP SPT=80 DPT=49410 WINDOW=64240 RES=0x00 ACK PSH URGP=0
Mar 16 11:08:44 serveurlinux kernel: [95470.724678] [FIREWALL-DROP]IN=eth0 OUT= MAC=00:0c:29:35:6a:41:00:50:56:ef:ff:86:08:00 SRC=88.191.250.131 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=329 PROTO=TCP SPT=80 DPT=49410 WINDOW=64239 RES=0x00 ACK URGP=0
Mar 16 11:08:44 serveurlinux kernel: [95470.767378] [FIREWALL-DROP]IN=eth0 OUT= MAC=00:0c:29:35:6a:41:00:50:56:ef:ff:86:08:00 SRC=88.191.250.131 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=330 PROTO=TCP SPT=80 DPT=49410 WINDOW=64239 RES=0x00 ACK PSH FIN URGP=0
Mar 16 11:08:55 serveurlinux kernel: [95482.264739] [FIREWALL-DROP]IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:c0:00:08:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=3807 PROTO=UDP SPT=56339 DPT=8612 LEN=24
Mar 16 11:08:55 serveurlinux kernel: [95482.264785] [FIREWALL-DROP]IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:c0:00:08:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=3808 PROTO=UDP SPT=56339 DPT=8612 LEN=24
Mar 16 11:08:57 serveurlinux kernel: [95484.282991] [FIREWALL-DROP]IN=eth0 OUT= MAC=00:0c:29:35:6a:41:00:50:56:c0:00:08:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=3811 PROTO=UDP SPT=56341 DPT=8612 LEN=24
Mar 16 11:09:26 serveurlinux kernel: [95513.290985] [FIREWALL-DROP]IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:c0:00:08:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=3823 PROTO=UDP SPT=56344 DPT=8612 LEN=24
Mar 16 11:09:26 serveurlinux kernel: [95513.291070] [FIREWALL-DROP]IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:c0:00:08:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=3824 PROTO=UDP SPT=56344 DPT=8612 LEN=24
Mar 16 11:09:28 serveurlinux kernel: [95515.305100] [FIREWALL-DROP]IN=eth0 OUT= MAC=00:0c:29:35:6a:41:00:50:56:c0:00:08:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=3827 PROTO=UDP SPT=56346 DPT=8612 LEN=24
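The LOG lines above are the raw material for any detection work, so it helps to have a way to summarise them. The following added example (not part of the original tutorial) parses the `key=value` tokens of each `[FIREWALL-DROP]` line with awk and counts lines per source, destination, protocol and destination port; the `summarize_drops` helper is hypothetical, and the sample input consists of four lines copied from the tutorial's own output. Note that `LOG` is a non-terminating target: with policy ACCEPT and no DROP rule after it, nothing in section 10 is actually dropped, so the prefix only names the log lines.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): summarise the kernel
# LOG lines produced by the rule of section 10.

# summarize_drops  (reads log lines on stdin)
# Prints one "SRC -> DST PROTO/DPT count" line per flow, sorted.
summarize_drops() {
    awk '
    /\[FIREWALL-DROP\]/ {
        split("", kv)                           # clear the key/value map
        for (i = 1; i <= NF; i++)               # collect every key=value token
            if (split($i, pair, "=") == 2) kv[pair[1]] = pair[2]
        key = kv["SRC"] " -> " kv["DST"] " " kv["PROTO"] "/" kv["DPT"]
        count[key]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Sample input: four lines copied from the tutorial output above.
sample_log='Mar 16 11:08:43 serveurlinux kernel: [95470.709194] [FIREWALL-DROP]IN=eth0 OUT= MAC=00:0c:29:35:6a:41:00:50:56:ef:ff:86:08:00 SRC=88.191.250.131 DST=192.168.0.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=128 ID=325 PROTO=TCP SPT=80 DPT=49410 WINDOW=64240 RES=0x00 ACK PSH URGP=0
Mar 16 11:08:43 serveurlinux kernel: [95470.711124] [FIREWALL-DROP]IN=eth0 OUT= MAC=00:0c:29:35:6a:41:00:50:56:ef:ff:86:08:00 SRC=88.191.250.131 DST=192.168.0.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=128 ID=326 PROTO=TCP SPT=80 DPT=49410 WINDOW=64240 RES=0x00 ACK PSH URGP=0
Mar 16 11:08:55 serveurlinux kernel: [95482.264739] [FIREWALL-DROP]IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:c0:00:08:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=3807 PROTO=UDP SPT=56339 DPT=8612 LEN=24
Mar 16 11:08:57 serveurlinux kernel: [95484.282991] [FIREWALL-DROP]IN=eth0 OUT= MAC=00:0c:29:35:6a:41:00:50:56:c0:00:08:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=3811 PROTO=UDP SPT=56341 DPT=8612 LEN=24'

printf '%s\n' "$sample_log" | summarize_drops
```

On the server itself the same function can be fed the log file used above, `summarize_drops < /var/log/messages`; the two TCP lines collapse into one flow with a count of 2, which is what makes a port scan or a repeated connection attempt stand out in a longer log.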
