Feeds:
Posts
Comments

Archive for the ‘Network Security’ Category

What is chkrootkit?

It’s a program to check your system for signs of a rootkit. And what is rootkit?

Rootkit is a program or combination of programs which is used for someone to create a back-door into your system and act as a root privileges.

There are 5 output messages for chkrootkit.

  • INFECTED

  • not infected

  • not tested

  • not found

  • Vulnerable but disabled.

Installation

taufanlubis@toshiba:~$ sudo apt-get install chkrootkit

Reading package lists… Done

Building dependency tree

Reading state information… Done

The following NEW packages will be installed:

chkrootkit

0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.

Need to get 271kB of archives.

After unpacking 758kB of additional disk space will be used.

Get:1 http://archive.ubuntu.com gutsy/main chkrootkit 0.47-1.1 [271kB]

Fetched 271kB in 25s (10.5kB/s)

Preconfiguring packages …

Selecting previously deselected package chkrootkit.

(Reading database … 125405 files and directories currently installed.)

Unpacking chkrootkit (from …/chkrootkit_0.47-1.1_i386.deb) …

Setting up chkrootkit (0.47-1.1) …

taufanlubis@toshiba:~$


Run the program

taufanlubis@toshiba:~$ sudo chkrootkit

ROOTDIR is `/’

Checking `amd’… not found

Checking `basename’… not infected

Checking `biff’… not found

Checking `chfn’… not infected

Checking `chsh’… not infected

Checking `cron’… not infected

Checking `crontab’… not infected

Checking `date’… not infected

Checking `du’… not infected

Checking `dirname’… not infected

Checking `echo’… not infected

Checking `egrep’… not infected

Checking `env’… not infected

Checking `find’… not infected

Checking `fingerd’… not found

Checking `gpm’… not found

Checking `grep’… not infected

Checking `hdparm’… not infected

Checking `su’… not infected

Checking `ifconfig’… not infected

Checking `inetd’… not infected

Checking `inetdconf’… not infected

Checking `identd’… not found

Checking `init’… not infected

Checking `killall’… not infected

Checking `ldsopreload’… not infected

Checking `login’… not infected

Checking `ls’… not infected

Checking `lsof’… not infected

Checking `mail’… not found

Checking `mingetty’… not found

Checking `netstat’… not infected

Checking `named’… not found

Checking `passwd’… not infected

Checking `pidof’… not infected

Checking `pop2’… not found

Checking `pop3’… not found

Checking `ps’… not infected

Checking `pstree’… not infected

Checking `rpcinfo’… not infected

Checking `rlogind’… not found

Checking `rshd’… not found

Checking `slogin’… not infected

Checking `sendmail’… not found

Checking `sshd’… not found

Checking `syslogd’… not infected

Checking `tar’… not infected

Checking `tcpd’… not infected

Checking `tcpdump’… not infected

Checking `top’… not infected

Checking `telnetd’… not found

Checking `timed’… not found

Checking `traceroute’… not infected

Checking `vdir’… not infected

Checking `w’… not infected

Checking `write’… not infected

Checking `aliens’… no suspect files

Searching for sniffer’s logs, it may take a while… nothing found

Searching for HiDrootkit’s default dir… nothing found

Searching for t0rn’s default files and dirs… nothing found

Searching for t0rn’s v8 defaults… nothing found

Searching for Lion Worm default files and dirs… nothing found

Searching for RSHA’s default files and dir… nothing found

Searching for RH-Sharpe’s default files… nothing found

Searching for Ambient’s rootkit (ark) default files and dirs… nothing found

Searching for suspicious files and dirs, it may take a while…

/usr/lib/firefox/.autoreg

/usr/lib/jvm/.java-7-icedtea.jinfo

/usr/lib/blender/.Blanguages

/usr/lib/blender/.bfont.ttf

/lib/modules/2.6.22-14-generic/volatile/.mounted

 

Searching for LPD Worm files and dirs… nothing found

Searching for Ramen Worm files and dirs… nothing found

Searching for Maniac files and dirs… nothing found

Searching for RK17 files and dirs… nothing found

Searching for Ducoci rootkit… nothing found

Searching for Adore Worm… nothing found

Searching for ShitC Worm… nothing found

Searching for Omega Worm… nothing found

Searching for Sadmind/IIS Worm… nothing found

Searching for MonKit… nothing found

Searching for Showtee… nothing found

Searching for OpticKit… nothing found

Searching for T.R.K… nothing found

Searching for Mithra… nothing found

Searching for OBSD rk v1… /usr/lib/security

/usr/lib/security/classpath.security

Searching for LOC rootkit… nothing found

Searching for Romanian rootkit… nothing found

Searching for Suckit rootkit… nothing found

Searching for Volc rootkit… nothing found

Searching for Gold2 rootkit… nothing found

Searching for TC2 Worm default files and dirs… nothing found

Searching for Anonoying rootkit default files and dirs… nothing found

Searching for ZK rootkit default files and dirs… nothing found

Searching for ShKit rootkit default files and dirs… nothing found

Searching for AjaKit rootkit default files and dirs… nothing found

Searching for zaRwT rootkit default files and dirs… nothing found

Searching for Madalin rootkit default files… nothing found

Searching for Fu rootkit default files… nothing found

Searching for ESRK rootkit default files… nothing found

Searching for rootedoor… nothing found

Searching for ENYELKM rootkit default files… nothing found

Searching for anomalies in shell history files… nothing found

Checking `asp’… not infected

Checking `bindshell’… not infected

Checking `lkm’… chkproc: nothing detected

Checking `rexedcs’… not found

Checking `sniffer’… lo: not promisc and no packet sniffer sockets

eth0: PACKET SNIFFER(/sbin/dhclient3[6036], /usr/sbin/avahi-autoipd[5879])

Checking `w55808’… not infected

Checking `wted’… chkwtmp: nothing deleted

Checking `scalper’… not infected

Checking `slapper’… not infected

Checking `z2’… user taufanlubis deleted or never logged from lastlog!

taufanlubis@toshiba:~$

Read Full Post »

What is NmapFE?

It is a graphical front end for nmap security scanner. Because the limited help available from the nmapfe help menu, better you read from nmap manual page first. NmapFE was originally written by Zach Smith (key@aye.net). It’s now maintained by Fyodor (fyodor@insecure.org). The newest version of nmap can be obtained from www.insecure.org/nmap/.

If you are not get used to with nmap options, it will be a good alternative.

How to install NmapFE?

taufanlubis@toshiba:~$ sudo apt-get install nmapfe

[sudo] password for taufanlubis:

Reading package lists… Done

Building dependency tree

Reading state information… Done

The following NEW packages will be installed:

nmapfe

0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.

Need to get 108kB of archives.

After unpacking 246kB of additional disk space will be used.

WARNING: The following packages cannot be authenticated!

nmapfe

Install these packages without verification [y/N]? y

Get:1 http://archive.ubuntu.com gutsy/universe nmapfe 4.20-2 [108kB]

Fetched 108kB in 16s (6716B/s)

Selecting previously deselected package nmapfe.

(Reading database … 123307 files and directories currently installed.)

Unpacking nmapfe (from …/nmapfe_4.20-2_i386.deb) …

Setting up nmapfe (4.20-2) …

taufanlubis@toshiba:~$

nmapfe.png

 

Read Full Post »

Creating and installing firewall scripts

I assume that you’ve already familiar with runlevels process. If you still don’t know about runlevels, you can go my tutorial about ‘Runlevels in Ubuntu‘ first.

If you are ready then let’s start a practice with creating our iptables script.

 

There 4 steps for you to follow.

  • Create your executable-scripts

  • Put the scripts into /etc/init.d directory.

  • Set up links for your scripts in each rc?.d directories that point to /etc/init.d/your_scripts.

  • Reboot the system.

 

Step 1. Create directory for the script (optional) and create the script.

taufanlubis@zyrex:~$ sudo mkdir /opt/my_firewall

taufanlubis@zyrex:~$ cd /opt/my_firewall/

taufanlubis@zyrex:/opt/my_firewall$

I like to put my firewall scripts collection in one directory. So, next time you need it for your working requirements then it will be easier for you to find.

 

Let’s make the script. You can use any text editor you want.

taufanlubis@zyrex:/opt/my_firewall$ sudo gedit myfirewall_scripts

Put your script in ‘gedit’ words editor, don’t forget to put ‘#!/bin/bash’ on the top of the scripts.

For example, my script is:

 

#!/bin/bash

#Remove all previous chain rules

iptables -F

 

#Accept packet data (tcp) through ethernet card no.1

#via port 80 (http), port 443 (https), port 110(pop3), port 25(smtp)

iptables -A INPUT -p tcp -i eth0 –dport http -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport https -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport pop3 -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport smtp -j ACCEPT

 

#Drop all data that forwarded or output from your machine

#except the ports that we’ve set to be allowed.

iptables -A FORWARD -o eth0 -j DROP

iptables -A OUTPUT -o eth0 -j DROP

iptables -A INPUT -p tcp -i eth0 -j DROP

 

Then, save the file.

 

Check the content

taufanlubis@zyrex:/opt/my_firewall$ cat myfirewall_scripts

#!/bin/bash

#Remove all previous chain rules

iptables -F

 

#Accept packet data (tcp) through ethernet card no.1

#via port 80 (http), port 443 (https), port 110(pop3), port 25(smtp)

iptables -A INPUT -p tcp -i eth0 –dport http -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport https -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport pop3 -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport smtp -j ACCEPT

 

#Drop all data that forwarded or output from your machine

#except the ports that we’ve set to be allowed.

iptables -A FORWARD -o eth0 -j DROP

iptables -A OUTPUT -o eth0 -j DROP

iptables -A INPUT -p tcp -i eth0 -j DROP

taufanlubis@zyrex:/opt/my_firewall$

 

Check the security level access

taufanlubis@zyrex:/opt/my_firewall$ ls -l

total 4

-rw-r–r– 1 root root 582 2007-09-29 10:55 myfirewall_scripts

taufanlubis@zyrex:/opt/my_firewall$

 

Change the security level access

taufanlubis@zyrex:/opt/my_firewall$ sudo chmod uog+x myfirewall_scripts

taufanlubis@zyrex:/opt/my_firewall$ ls -l

total 4

-rwxr-xr-x 1 root root 582 2007-09-29 10:55 myfirewall_scripts

taufanlubis@zyrex:/opt/my_firewall$

 

Now, your script is ready to run.

 

Test the script

taufanlubis@zyrex:/opt/my_firewall$ sudo ./myfirewall_scripts

taufanlubis@zyrex:/opt/my_firewall$

 

taufanlubis@zyrex:/opt/my_firewall$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp — anywhere anywhere tcp dpt:www

ACCEPT tcp — anywhere anywhere tcp dpt:https

ACCEPT tcp — anywhere anywhere tcp dpt:pop3

ACCEPT tcp — anywhere anywhere tcp dpt:smtp

DROP tcp — anywhere anywhere

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

taufanlubis@zyrex:/opt/my_firewall$

 

Now, everything is running smoothly. You can put the script into the particular runlevels.

 

Step 2. Copy your script to /etc/init.d/ directory.

 

taufanlubis@zyrex:/opt/my_firewall$ sudo cp myfirewall_scripts /etc/init.d/

 

Check the availability

taufanlubis@zyrex:/etc/init.d$ ls myfirewall_scripts

myfirewall_scripts

 

Step 3. Setup Links

 

To setup links for your script in each rc?.d you don’t have to it manually one by one. You can use Ubuntu command update-rc.d.

 

Manual for update-rc.d in Ubuntu

update-rc.d updates the System V style init script links /etc/rcrun‐level.d/NNname whose target is the script /etc/init.d/name. These links are run by init when it changes runlevels; they are generally used to start and stop system services such as daemons. runlevel is one of the runlevels supported by init, namely, 0123456789S, and NN is the two-digit sequence number that determines where in the sequence init will run the scripts. the two-digit sequence number that determines where in the sequence

init will run the scripts.

EXAMPLES

Insert links using the defaults:

update-rc.d foobar defaults

Equivalent command using explicit argument sets:

update-rc.d foobar start 20 2 3 4 5 . stop 20 0 1 6 .

Insert links for a service that should be running during multi-user

mode, but that does not need to be explicitly stopped on shutdown:

update-rc.d foobar multiuser

Equivalent command using explicit argument sets:

update-rc.d foobar start 20 2 3 4 5 . stop 20 1 .

More typical command using explicit argument sets:

update-rc.d foobar start 30 2 3 4 5 . stop 70 0 1 6 .

Remove all links for a script (assuming foobar has been deleted

already):

update-rc.d foobar remove

Example of disabling a service:

update-rc.d -f foobar remove

update-rc.d foobar stop 20 2 3 4 5 .

Example of a command for installing a system initialization-and-shut‐

down script:

update-rc.d foobar start 45 S . start 31 0 6 .

Example of a command for disabling a system initialization-and-shutdown

script:

script:

update-rc.d -f foobar remove

update-rc.d foobar stop 45 S .

 

Setup links for myfirewall_scripts

taufanlubis@zyrex:~$ sudo update-rc.d myfirewall_scripts defaults

Adding system startup for /etc/init.d/myfirewall_scripts …

/etc/rc0.d/K20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc1.d/K20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc6.d/K20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc2.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc3.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc4.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc5.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts

taufanlubis@zyrex:~$

 

K20 in rc0.d, rc1.d and rc6.d = myfirewall_scripts will be executed when leaving runlevel N.

S20 in rc2.d, rc3.d, rc4.d and rc5.d = myfirewall_scripts will be executed when enter runlevel N.

 

Step 4. Reboot the system

 

Check the iptables status. If everything is running well then you will see your iptables chain rules.

taufanlubis@zyrex:~$ sudo iptables -L

Password:

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp — anywhere anywhere tcp dpt:www

ACCEPT tcp — anywhere anywhere tcp dpt:https

ACCEPT tcp — anywhere anywhere tcp dpt:pop3

ACCEPT tcp — anywhere anywhere tcp dpt:smtp

DROP tcp — anywhere anywhere

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

taufanlubis@zyrex:~$

 

 

Removing a service

taufanlubis@zyrex:~$ sudo update-rc.d myfirewall_scripts remove

update-rc.d: /etc/init.d/myfirewall_scripts exists during rc.d purge (use -f to force)

taufanlubis@zyrex:~$

 

If the script has already run you have to use ‘-f (force)’ to remove the script.

 

taufanlubis@zyrex:~$ sudo update-rc.d -f myfirewall_scripts remove

Removing any system startup links for /etc/init.d/myfirewall_scripts …

/etc/rc0.d/K20myfirewall_scripts

/etc/rc1.d/K20myfirewall_scripts

/etc/rc2.d/S20myfirewall_scripts

/etc/rc3.d/S20myfirewall_scripts

/etc/rc4.d/S20myfirewall_scripts

/etc/rc5.d/S20myfirewall_scripts

/etc/rc6.d/K20myfirewall_scripts

taufanlubis@zyrex:~$

 

Is my myfirewall_scripts also removed?

No, your myfirewall_scripts is still in /etc/init.d/ directory.

update-rc.d only remove the links in each rc?.d directory.

 

You can check it.

taufanlubis@zyrex:~$ ls /etc/init.d/myfirewall_scripts

/etc/init.d/myfirewall_scripts

taufanlubis@zyrex:~$

 

Note:

One might, for example, cause the script myfirewall_scripts to execute at boot-up.

 

Happy trying……..

 

Read Full Post »

Masquerading (Many to One NAT)
NAT = Network Address Translation

Mean that all traffics from your networks behind the firewall will be appear on the internet as if as it is only originated form a single ip address.

The masquerade IP address always defaults to the IP address of the firewall’s main interface. It will be easier for you to configure iptables NAT with DHCP because you don’t have to specify the NAT IP address.

 

Masquerade needs iptables_nat module and IP forwarding = enabled to run.

 

 

Step 1. Load the iptables_nat module

taufanlubis@zyrex:~$ sudo modprobe -a iptable_nat

or

put at /etc/rc.local

modprobe -a iptable_nat

 

Check if it’s already uploaded.

root@zyrex:/home/taufanlubis# sudo modprobe -l | grep iptable_nat

/lib/modules/2.6.20-16-generic/kernel/net/ipv4/netfilter/iptable_nat.ko

root@zyrex:/home/taufanlubis#

 

 

Step 2. Enable routing by modifying the ip_forward at /proc/sys/net/ipv4 from value ‘0’ to ‘1’.

0 = disable/ 1=enable

taufanlubis@zyrex:~$ su root

Password:

root@zyrex:/home/taufanlubis# echo 1 > /proc/sys/net/ipv4/ip_forward

Check the value.

root@zyrex:/home/taufanlubis# cat /proc/sys/net/ipv4/ip_forward

1

root@zyrex:/home/taufanlubis#

 

 

Step 3. Allow masquerading

Let’s try a case.

You have 2 interface in your router.

eth0 is the internet interface

eth1 is the private network interface

If you configure your firewall to do masquerading, you should use the ip address from eth1 as a default gateway for all your severs on the network.

 

taufanlubis@zyrex:~$ sudo iptables -A POSTROUTING -t nat -s 192.168.0.1/24 -o et

h0 -d 0/0 -j MASQUERADE

 

taufanlubis@zyrex:~$ sudo iptables -A FORWARD -o eth0 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

taufanlubis@zyrex:~$ sudo iptables -A FORWARD -i eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT

After ‘network address translation table‘ from ‘ip 192.168.0.1-192.168.0.254 destined to any ip address‘ are masqueraded, the packets then are routed via the filter table’s FORWARD chain.

Allowed outbound: New, established and related connections

Allowed inbound: Established and related connections

 

Check the iptables’ rules again.

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

ACCEPT 0 — anywhere anywhere state NEW,RELATED,ESTABLISHED

ACCEPT 0 — anywhere anywhere state RELATED,ESTABLISHED

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

You will not see the POSTROUTING chain rule because the ‘iptables rules‘ displays INPUT, FORWARD and OUTPUT information only.

 

 

 

Read Full Post »

Samples of iptables’ rules.

 

# Accept TCP packets for routing from eth0 (any IP) and destined for IP 192.168.1.58

# that is reachable via eth1.

# -A : Append rule to end of a chain

# FORWARD : Filters packets to server accessible by another NIC on the firewall

# -s : Source IP address

# 0/0 : Any ip address

# -i : Input Interface name (eth0, eth1 etc)

# -d : Destination IP address

# -o : Output Interface name (eth0, eth1 etc)

# -p tcp –sport : TCP source port (can be single or range value)

# -d tcp –dport : TCP destination port (can be single or range value)

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p tcp –sport 1024:65535 –dport 80 -j ACCEPT

 

# Accept TCP packets coming in from eth0 (any IP) and destined for IP 192.168.1.1

# INPUT : Filter packets destined to the firewall.

iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p tcp -j ACCEPT

# Flush all chains

iptables -F

 

# YOUR LOCAL NETWORK FIREWALL

# Accept all connection from ip source 192.168.0.1-192.168.0.254 to any ip address from any ports to any ports

iptables -I FORWARD -s 192.168.0.1/24 -d 0/0 -j ACCEPT

# Accept anything on localhost

iptables -A INPUT -i lo -j ACCEPT

 

# COMMON ICMP (ping)

# ALLOWING Sending “PING” (Echo request) AND

# Incoming “PONG” (Echo reply)

# Allow the firewall to send ICMP echo-request (pings)

iptables -A OUTPUT -p icmp –icmp-type echo-request -j ACCEPT

# Allow the firewall to accept the expected ICMP echo-replies (pongs)

iptables -A INPUT -p icmp –icmp-type echo-reply -j ACCEPT

# Can do ‘pings’ 1 in a second. (3 pings per seconds = 3/s)

iptables -A INPUT -p icmp –icmp-type echo-request -m limit –limit 1/s -i eth0 -j ACCEPT

# Defense for SYN (–syn = new tcp connection)flood attacks was created by limiting the acceptance of TCP segments

# with the SYN bit set to no more than five Ping per second.

iptables -A INPUT -p tcp –syn -m limit –limit 5/s -i eth0 -j ACCEPT

 

# ALLOWING INCOMING TRAFFIC

# ON SPECIFIC PORT

# HTTP (port 80)

sudo iptables -A INPUT -p tcp -i eth0 –dport http -j ACCEPT

# HTTPS (port 443)

sudo iptables -A INPUT -p tcp -i eth0 –dport https -j ACCEPT

# POP3 (port 110)

sudo iptables -A INPUT -p tcp -i eth0 –dport pop3 -j ACCEPT

# SMTP (port 25)

sudo iptables -A INPUT -p tcp -i eth0 –dport smtp -j ACCEPT

# FTP (port 20 21)

sudo iptables -A INPUT -p tcp -i eth0 –dport ftp -j ACCEPT

# IMAP (port 143)

sudo iptables -A INPUT -p tcp -i eth0 –dport imap -j ACCEPT

# NFS (port 111 2049)

sudo iptables -A INPUT -p tcp -i eth0 –dport nfs -j ACCEPT

# NNTP (port 119)

sudo iptables -A INPUT -p tcp -i eth0 –dport nntp -j ACCEPT

# Telnet (port 23)

sudo iptables -A INPUT -p tcp -i eth0 –dport telnet -j ACCEPT

# SSH (port 22)

sudo iptables -A INPUT -p tcp -i eth0 –dport ssh -j ACCEPT

# DNS (port 53)

sudo iptables -A INPUT -p tcp -i eth0 –dport 53 -j ACCEPT

# Samba (port 137-139)

sudo iptables -A INPUT -p tcp -i eth0 –dport 137:139 -j ACCEPT

 

# ALLOWING DNS to Access to your firewall

# It’s used by Ubuntu to get update from Repository Server

iptables -A OUTPUT -p udp -o eth0 –dport 53 –sport 1024:65535 -j ACCEPT

iptables -A INPUT -p udp -i eth0 –sport 53 –dport 1025:65535 -j ACCEPT

 

# ALLOWING WWW and SSH to Access to your firewall

# It’s used when you want to manage you web server

# managed remotely via secure shell (ssh) sessions.

# Allow previously established connections

iptables -A OUTPUT -o eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT

# Allow port 80 (http) and 22 (ssh) connections to firewall

iptables -A INPUT -p tcp -i eth0 –dport 22 –sport 1024:65535 -m state –state NEW -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport 80 –sport 1024:65535 -m state –state NEW -j ACCEPT

 

# ALLOWING FIREWALL to access The Internet

# Enable a user on the firewall to surf the internet using Web Browser HTTP (port 80) and HTTPs (port 443)

iptables -A OUTPUT -o eth0 -p tcp -m state –state NEW,ESTABLISHED,RELATED -m multiport –sport 1024:65535 -m multiport –dport 80,443 -j ACCEPT

# Allowing all TCP traffic originating from firewall

iptables -A OUTPUT -o eth0 -p tcp -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

 

# BLOCK VIRUSES

# Use you can use this 4 rules:

# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 –dport 136 -j DROP

# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 –dport 137 -j DROP

# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 –dport 138 -j DROP

# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 –dport 139 -j DROP

# or this 1 rule

iptables -A FORWARD -p tcp –dport 136:139 -j DROP

 

# Use you can use this 4 rules:

# iptables -I FORWARD -s 0/0 -p udp -d 0/0 –dport 136 -j DROP

# iptables -I FORWARD -s 0/0 -p udp -d 0/0 –dport 137 -j DROP

# iptables -I FORWARD -s 0/0 -p udp -d 0/0 –dport 138 -j DROP

# iptables -I FORWARD -s 0/0 -p udp -d 0/0 –dport 139 -j DROP

# or this 1 rule

iptables -A FORWARD -p udp –dport 136:139 -j DROP

 

# ROUTING

# Allow firewall to accept tcp packets for routing

# Enter via eth0 (any ip) via range port 1024 to 65535

# Destined to eth1 (ip 192.168.0.2 ) port 80 (www/http)

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.0.2 -o eth1 -p tcp –sport 1024:65535 –dport 80 -j ACCEPT

 

# -m multiport –dport

# A variety of tcp/udp destination ports separated by commas.

# -m multiport –sport

# A variety of tcp/udp destination ports separated by commas.

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.0.2 -o eth1 -p tcp -m multiport –sport 1024:65535 -m multiport –dport 80,443 -j ACCEPT

 

# Loading Kernel Modules

# Any type NAT required, this module have to be loaded.

modprobe -a iptable_nat

# For tcp connection

modprobe -a ip_conntrack

# For FTP support

modprobe -a ip_conntrack_ftp

# For FTP server behind NAT firewall

modprobe -a ip_nat_ftp

 

modprobe -a ip_queue

modprobe -a iptable_filter

modprobe -a iptable_mangle

modprobe -a ip_tables

modprobe -a ipt_LOG

modprobe -a ipt_MASQUERADE

modprobe -a ipt_owner

modprobe -a ipt_REDIRECT

modprobe -a ipt_TOS

modprobe -a ipt_ttl

modprobe -a ipt_ULOG

modprobe -a ipt_ecn

modprobe -a ipt_ECN

 

Read Full Post »

Playing with iptables in Ubuntu Terminal

I’ve been trying to figure out how to explain the iptables in a easy way. I’ve read so many articles about iptables but none of it mention to run iptables chain rules through command lines in Ubuntu console terminal.

I know the reason, because chain rules will be temporary. But, it’s not good for a begginer.

So, I try to discribe it in another way.

Hopefull, it will make you easier to understand the iptables’ chain rules.

 

Actually, the most popular firewall and NAT (Network Address Translation) in Linux was Ipchains.

After that, Netfilter Organization created a new product called Iptables and gave more features in it.

 

Compare to Ipchains, Iptables is better integration with the linux, Stateful packet inspection, Filtering packets based on MAC address and the values of the flags in packets, better network address translation, integration with Squid and block DoS (Denial of service) attacks.

I’ll divide my explanation into 4 parts.

  • practice with command line in Ubuntu terminal

  • sample rules which you can use for router, webserver, server etc.

  • masquerading (many to one NAT)

  • run iptables automatically (create a script and put it in runlevel mode).

I’ve just finished the first part (this posting). Hopefull, it will make you easier to understand the iptables.

 

 

Determining the status of iptables

You can check your current iptables rules with:

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

 

option -L:

List all rules in the selected chain. If no chain is selected, all chains are listed. As every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by iptables -t nat -n -L

 

Packet Processing in iptables

All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.

 

There are three tables in total:

  • Responsible for packet filtering.

  • Forward chain (filters packet to servers)

  • Input chain (filters packet destined to the firewall)

  • Output chain (filters packets originating from the firewall)

  • Responsible for the alteration of quality of service bits in the TCP header (Mangle).

  • Responsible for NAT (network address translation).

  • Pre-routing chain

  • Post-routing chain

 

I like to use Iptables because I can set my firewall to be what I want. I can set which packet of data that can go in to my machine, forwarded or go out from my machine. I can set which ports are opened or closed. But, need days, for me to understand how it works.

 

In this practice we will do all the setup from linux console.

First, open your linux console.

Applications>Accessories>Terminal or press Alt-F2 and type ‘xterm’.

 

Now, let’s try for practice. Check your iptables’s rules.

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

If you see the rules as mentioned above, it means that there are no rules in your iptables firewall.

 

Task1 : Accept packet data (tcp) through ethernet card no.1 via port 80 (http)

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 –dport http -j ACCEPT

taufanlubis@zyrex:~$

Check again, our setting.

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp — anywhere anywhere tcp dpt:www

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

Well, you got your first rule in your iptables. It says that accept only tcp packet data via http(port 80) from any ip address to any ip address.

 

Task 2: Do same rules as Task1 for ‘https'(port 443), ‘pop3′(port 110) and ‘smtp'(port 25)

Type again in your console.

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 –dport https -j ACCEPT

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 –dport pop3 -j ACCEPT

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 –dport smtp -j ACCEPT

 

Check again the rules.

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp — anywhere anywhere tcp dpt:www

ACCEPT tcp — anywhere anywhere tcp dpt:https

ACCEPT tcp — anywhere anywhere tcp dpt:pop3

ACCEPT tcp — anywhere anywhere tcp dpt:smtp

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

Now, you’ve already setup the rules for ACCEPTed access.

 

Let us continue with the task 3.

Task 3: Drop all data that forwarded or output from your machine except the ports that we’ve set to be allowed.

taufanlubis@zyrex:~$ sudo iptables -A FORWARD -o eth0 -j DROP

taufanlubis@zyrex:~$ sudo iptables -A OUTPUT -o eth0 -j DROP

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 -j DROP

 

Check again, your iptables rules.

taufanlubis@zyrex:~$ sudo iptables -L

 

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp — anywhere anywhere tcp dpt:www

ACCEPT tcp — anywhere anywhere tcp dpt:https

ACCEPT tcp — anywhere anywhere tcp dpt:pop3

ACCEPT tcp — anywhere anywhere tcp dpt:smtp

DROP tcp — anywhere anywhere

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

taufanlubis@zyrex:~$

 

Well, you see the same screen as above, mean you’ve just created iptables’ chain rules.

 

This setup is temporary. Mean, you will lost it after you shutdown or restart.

It’s ok. It’s only a practice. I just want to show how iptables works.

 

Read Full Post »

There are a lot of choices you can use to protect your system. Just use standard installation command to install it.

For example, you if want to install Lokkit, just use apt-get install command. Make sure you have the ‘universe‘ componet enabled in your repository.

taufanlubis@zyrex:~$ sudo apt-get install lokkit


Security tools for Ubuntu:

shorewall – Shoreline Firewall (Shorewall), a high-level tool for configuring Netfilter

arno-iptables-firewall – Single- and multi-homed firewall script with DSL/ADSL support

arptables – ARP table administration

ebtables – Ethernet bridge frame table administration

fail2ban – bans IPs that cause multiple authentication errors

ferm – maintain and setup complicated firewall rules

fiaif – An easy to use, yet complex firewall

filtergen – packet filter generator for various firewall systems

firehol – An easy to use but powerful iptables stateful firewall

fprobe-ulog – export captured traffic to remote NetFlow Collector (ULOG version)

fwanalog – firewall log-file report generator (using analog)

fwlogwatch – Firewall log analyzer

gnome-lokkit – basic interactive firewall configuration tool (GNOME interface)

guarddog – firewall configuration utility for KDE

guidedog – NAT/masquerading/port-forwarding configuration tool for KDE

ipac-ng – IP Accounting for iptables (kernel >=2.4)

ipkungfu – iptables-based Linux firewall

ipset – administration tool for kernel IP sets

iptstate – Top-like state for netfilter/iptables

kmyfirewall – iptables based firewall configuration tool for KDE

knetfilter – GUI for configuring the 2.4 kernel IP Tables

libabz0 – Miscellaneous useful routines

libiptables-ipv4-ipqueue-perl – Perl extension for libipq

lokkit – basic interactive firewall configuration tool (console interface)

netscript-2.4 – Linux 2.4.x (and 2.6.x) router/firewall network configuration system

netstat-nat – A tool that display NAT connections

openvpn – Virtual Private Network daemon

p3scan – transparent POP3-proxy with virus- and spam-scanning

psad – The Port Scan Attack Detector

pyroman – Firewall configuration tool for complex networks

reaim – Enable AIM and MSN file transfer on Linux iptables based NAT

shorewall-doc – documentation for Shorewall firewall

shorewall-lite – Shorewall (lite version), a high-level tool for configuring Netfilter

uif – Advanced iptables-firewall script

ulogd – The Netfilter Userspace Logging Daemon

uruk – Very small firewall script, for configuring iptables

wflogs – The modular firewall log analyzer of the WallFire project

fireflier-client-gtk – Interactive firewall rule creation tool – GTK client

fireflier-client-kde – Interactive firewall rule creation tool – QT client

fireflier-client-qt – Interactive firewall rule creation tool – QT client

fireflier-server – Interactive firewall rule creation tool – server

iptables – administration tools for packet filtering and NAT

iptables-dev – development files for iptable’s libipq and libiptc

Read Full Post »

Older Posts »

Follow

Get every new post delivered to your Inbox.

Join 73 other followers