Linux has a firewall built into its kernel: iptables. iptables is a stateful packet filter: the firewall can make decisions based on previous packets. Like: "Drop a response packet if its associated request came from suspicious.company.com". There is also "ipchains" which is a stateless packet filter where each packet reaching the firewall is evaluated against a set of rules. Stateless means that the decision to accept, reject or forward a packet is not influenced by previous packets.
iptables can manage to do the stateful packet filtering this because it can associate requests with responses, unlike ipchains. iptables is significantly more powerful, and can express complex rules in a more simplified manner than ipchains. You can use one or the other, but not both simultaneously.
Enabling source address verification:
You want to prevent remote hosts from spoofing incoming packets as if they had come from a local machine.
Turn on source address verification in the kernel. Place the following code into a system boot file linked into the /etc/rc.d hierarchy that executes before any network devices are enabled:
#!/bin/sh
echo -n "Enabling source address verification..."
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo "Done"
Or we can perform the same task after the network devices are enabled:
#!/bin/sh
CONF_DIR=/proc/sys/net/ipv4/conf
CONF_FILE=rp_filter
if [ -e ${CONF_DIR}/all/${CONF_FILE} ]; then
echo -n "SEtting up IP spoofing protection..."
for file in ${CONF_DIR}/*/${CONF_FILE}; do
echo 1 > $file
done
echo "Done"
fi
OR
# vi /etc/sysctl.conf
...
...
net.ipv4.conf.all.rp_filter = 1
# sysctl -p to reread the configuration immediately.
Blocking spoofed addresses:
You want to prevent remote hosts from pretending to be local to your network.
To prevent a specific machine 10.145.65.33 driven through eth0 from being targeted, do:
# iptables -A INPUT -i eth0 -s 10.145.65.33 -j REJECT
Blocking all network traffic:
You want to block all network traffic by firewall.
# iptables -F
# iptables -A INPUT -j REJECT
# iptables -A OUTPUT -j REJECT
# iptables -A FORWARD -j REJECT
Blocking incoming traffic:
You want to block all incoming traffic, except from your system itself. Do not affect outgoing traffic.
# iptables -F INPUT
# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -j REJECT
Blocking outgoing traffic:
Drop all outgoing traffic. If possible, do not affect incoming traffic.
# iptables -F OUTPUT
# iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -j REJECT
Blocking incoming service requests:
You want to block connections to a particular network service, for example, HTTP.
# iptables -A INPUT -p tcp --dport www -j REJECT
To block incoming HTTP traffic but permit local HTTP traffic.
# iptables -A INPUT -p tcp -i lo --dport www -j ACCEPT
# iptables -A INPUT -p tcp --dport www -j REJECT
Blocking access from a remote host:
You want to block incoming traffic from a specific host.
Let's say the remote host is 192.168.45.23
# iptables -A INPUT -s 192.168.45.23 -j REJECT
To block requests for oneparticular service, say, the SMTP mail service.
# iptables -A INPUT -p tcp -s 192.168.45.23 --dport smtp -j REJECT
To block requests for one particular service, say, the SMTP mail service.
# iptables -A INPUT -p tcp -s 192.168.45.23 --dport smtp -j REJECT
To admit some hosts but block all others.
# iptables -A INPUT -s 10.171.45.5 [ -p <protocol> --dport <service> ] -j ACCEPT
# iptables -A INPUT -s 10.171.45.6 [ -p <protocol> --dport <service> ] -j ACCEPT
# iptables -A INPUT -s 10.171.45.7 [ -p <protocol> --dport <service> ] -j ACCEPT
# iptables -A INPUT [ -p <protocol> --dport <service> ] -j REJECT
Blocking access to a remote host:
You want to block outgoing traffic to a particular host 172.16.73.79 .
# iptables -A OUTPUT -d 172.16.73.79 -j REJECT
To block a specific service, such as a remote web site:
# iptables -A OUTPUT -p tcp -d 172.16.73.79 --dport www -j REJECT
Blocking outgoing access to all web servers on a network:
You want to prevent outgoing access to a network, e.g., all web servers at www.bankofamerica.com which has the IP address 171.161.198.100
and Subnet mask of 255.255.255.0 .
# iptables -A OUTPUT -p tcp -d 171.161.198.100/24 --dport www -j REJECT
OR
# iptables -A OUTPUT -d www.bankofamerica.com -j REJECT
But it is better to use IP addresses rather than hostnames since an attacker could poison your DNS and circumvent the rules defined for hostnames.
Blocking remote access but permitting local:
You want only local users to access a TCP service; remote requests should be denied.
# iptables -A INPUT -p tcp -i lo --dport <service> -j ACCEPT
# iptables -A INPUT -p tcp --dport <service> -j REJECT
Alternatively, you can single out your local IP address specifically.
# iptables -A INPUT -p tcp ! -s <IP-address> --dport <service> -j REJECT
You can permit an unrelated set of machines to access the service but reject everyone else.
# iptables -A INPUT -p tcp -s 172.16.49.54 --dport <service> -j ACCEPT
# iptables -A INPUT -p tcp -s 172.16.49.55 --dport <service> -j ACCEPT
# iptables -A INPUT -p tcp -s 172.16.49.56 --dport <service> -j ACCEPT
# iptables -P INPUT -j REJECT
Controlling access by MAC address:
You want only a particular machine, identified by its MAC address, say 01:BA:3C:49:9B:C4, to access your system.
# iptables -F INPUT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m mac --mac-source 01:ba:3c:49:9b:c4 -j ACCEPT
# iptables -A INPUT -j REJECT
Permitting SSH access only:
You want to permit incoming SSH access but no other incoming access. Allow local connections to all services, however.
# iptables -F INPUT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -j REJECT
A common setup is to permit access to a remote machine only through SSH. If you wan this access limited to certain hosts or networks, list them by IP address as follows:
# iptables -A INPUT -p tcp -s 10.163.97.81 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp -s 10.163.97.82 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp -s 10.174.48.0/24 --dport ssh -j ACCEPT
iptables can manage to do the stateful packet filtering this because it can associate requests with responses, unlike ipchains. iptables is significantly more powerful, and can express complex rules in a more simplified manner than ipchains. You can use one or the other, but not both simultaneously.
Enabling source address verification:
You want to prevent remote hosts from spoofing incoming packets as if they had come from a local machine.
Turn on source address verification in the kernel. Place the following code into a system boot file linked into the /etc/rc.d hierarchy that executes before any network devices are enabled:
#!/bin/sh
echo -n "Enabling source address verification..."
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo "Done"
Or we can perform the same task after the network devices are enabled:
#!/bin/sh
CONF_DIR=/proc/sys/net/ipv4/conf
CONF_FILE=rp_filter
if [ -e ${CONF_DIR}/all/${CONF_FILE} ]; then
echo -n "SEtting up IP spoofing protection..."
for file in ${CONF_DIR}/*/${CONF_FILE}; do
echo 1 > $file
done
echo "Done"
fi
OR
# vi /etc/sysctl.conf
...
...
net.ipv4.conf.all.rp_filter = 1
# sysctl -p to reread the configuration immediately.
Blocking spoofed addresses:
You want to prevent remote hosts from pretending to be local to your network.
To prevent a specific machine 10.145.65.33 driven through eth0 from being targeted, do:
# iptables -A INPUT -i eth0 -s 10.145.65.33 -j REJECT
Blocking all network traffic:
You want to block all network traffic by firewall.
# iptables -F
# iptables -A INPUT -j REJECT
# iptables -A OUTPUT -j REJECT
# iptables -A FORWARD -j REJECT
Blocking incoming traffic:
You want to block all incoming traffic, except from your system itself. Do not affect outgoing traffic.
# iptables -F INPUT
# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -j REJECT
Blocking outgoing traffic:
Drop all outgoing traffic. If possible, do not affect incoming traffic.
# iptables -F OUTPUT
# iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -j REJECT
Blocking incoming service requests:
You want to block connections to a particular network service, for example, HTTP.
# iptables -A INPUT -p tcp --dport www -j REJECT
To block incoming HTTP traffic but permit local HTTP traffic.
# iptables -A INPUT -p tcp -i lo --dport www -j ACCEPT
# iptables -A INPUT -p tcp --dport www -j REJECT
Blocking access from a remote host:
You want to block incoming traffic from a specific host.
Let's say the remote host is 192.168.45.23
# iptables -A INPUT -s 192.168.45.23 -j REJECT
To block requests for oneparticular service, say, the SMTP mail service.
# iptables -A INPUT -p tcp -s 192.168.45.23 --dport smtp -j REJECT
To block requests for one particular service, say, the SMTP mail service.
# iptables -A INPUT -p tcp -s 192.168.45.23 --dport smtp -j REJECT
To admit some hosts but block all others.
# iptables -A INPUT -s 10.171.45.5 [ -p <protocol> --dport <service> ] -j ACCEPT
# iptables -A INPUT -s 10.171.45.6 [ -p <protocol> --dport <service> ] -j ACCEPT
# iptables -A INPUT -s 10.171.45.7 [ -p <protocol> --dport <service> ] -j ACCEPT
# iptables -A INPUT [ -p <protocol> --dport <service> ] -j REJECT
Blocking access to a remote host:
You want to block outgoing traffic to a particular host 172.16.73.79 .
# iptables -A OUTPUT -d 172.16.73.79 -j REJECT
To block a specific service, such as a remote web site:
# iptables -A OUTPUT -p tcp -d 172.16.73.79 --dport www -j REJECT
Blocking outgoing access to all web servers on a network:
You want to prevent outgoing access to a network, e.g., all web servers at www.bankofamerica.com which has the IP address 171.161.198.100
and Subnet mask of 255.255.255.0 .
# iptables -A OUTPUT -p tcp -d 171.161.198.100/24 --dport www -j REJECT
OR
# iptables -A OUTPUT -d www.bankofamerica.com -j REJECT
But it is better to use IP addresses rather than hostnames since an attacker could poison your DNS and circumvent the rules defined for hostnames.
Blocking remote access but permitting local:
You want only local users to access a TCP service; remote requests should be denied.
# iptables -A INPUT -p tcp -i lo --dport <service> -j ACCEPT
# iptables -A INPUT -p tcp --dport <service> -j REJECT
Alternatively, you can single out your local IP address specifically.
# iptables -A INPUT -p tcp ! -s <IP-address> --dport <service> -j REJECT
You can permit an unrelated set of machines to access the service but reject everyone else.
# iptables -A INPUT -p tcp -s 172.16.49.54 --dport <service> -j ACCEPT
# iptables -A INPUT -p tcp -s 172.16.49.55 --dport <service> -j ACCEPT
# iptables -A INPUT -p tcp -s 172.16.49.56 --dport <service> -j ACCEPT
# iptables -P INPUT -j REJECT
Controlling access by MAC address:
You want only a particular machine, identified by its MAC address, say 01:BA:3C:49:9B:C4, to access your system.
# iptables -F INPUT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m mac --mac-source 01:ba:3c:49:9b:c4 -j ACCEPT
# iptables -A INPUT -j REJECT
Permitting SSH access only:
You want to permit incoming SSH access but no other incoming access. Allow local connections to all services, however.
# iptables -F INPUT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -j REJECT
A common setup is to permit access to a remote machine only through SSH. If you wan this access limited to certain hosts or networks, list them by IP address as follows:
# iptables -A INPUT -p tcp -s 10.163.97.81 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp -s 10.163.97.82 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp -s 10.174.48.0/24 --dport ssh -j ACCEPT
No comments:
Post a Comment