Setup firewall with iptables in Ubuntu (Part 4)

Creating and installing firewall scripts

I assume that you’ve already familiar with runlevels process. If you still don’t know about runlevels, you can go my tutorial about ‘Runlevels in Ubuntu‘ first.

If you are ready then let’s start a practice with creating our iptables script.

 

There 4 steps for you to follow.

• Create your executable-scripts

• Put the scripts into /etc/init.d directory.

• Set up links for your scripts in each rc?.d directories that point to /etc/init.d/your_scripts.

• Reboot the system.

 

Step 1. Create directory for the script (optional) and create the script.

taufanlubis@zyrex:~$ sudo mkdir /opt/my_firewall

taufanlubis@zyrex:~$ cd /opt/my_firewall/

taufanlubis@zyrex:/opt/my_firewall$

I like to put my firewall scripts collection in one directory. So, next time you need it for your working requirements then it will be easier for you to find.

 

Let’s make the script. You can use any text editor you want.

taufanlubis@zyrex:/opt/my_firewall$ sudo gedit myfirewall_scripts

Put your script in ‘gedit’ words editor, don’t forget to put ‘#!/bin/bash’ on the top of the scripts.

For example, my script is:

 

#!/bin/bash

#Remove all previous chain rules

iptables -F

 

#Accept packet data (tcp) through ethernet card no.1

#via port 80 (http), port 443 (https), port 110(pop3), port 25(smtp)

iptables -A INPUT -p tcp -i eth0 –dport http -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport https -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport pop3 -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport smtp -j ACCEPT

 

#Drop all data that forwarded or output from your machine

#except the ports that we’ve set to be allowed.

iptables -A FORWARD -o eth0 -j DROP

iptables -A OUTPUT -o eth0 -j DROP

iptables -A INPUT -p tcp -i eth0 -j DROP

 

Then, save the file.

 

Check the content

taufanlubis@zyrex:/opt/my_firewall$ cat myfirewall_scripts

#!/bin/bash

#Remove all previous chain rules

iptables -F

 

#Accept packet data (tcp) through ethernet card no.1

#via port 80 (http), port 443 (https), port 110(pop3), port 25(smtp)

iptables -A INPUT -p tcp -i eth0 –dport http -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport https -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport pop3 -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport smtp -j ACCEPT

 

#Drop all data that forwarded or output from your machine

#except the ports that we’ve set to be allowed.

iptables -A FORWARD -o eth0 -j DROP

iptables -A OUTPUT -o eth0 -j DROP

iptables -A INPUT -p tcp -i eth0 -j DROP

taufanlubis@zyrex:/opt/my_firewall$

 

Check the security level access

taufanlubis@zyrex:/opt/my_firewall$ ls -l

total 4

-rw-r–r– 1 root root 582 2007-09-29 10:55 myfirewall_scripts

taufanlubis@zyrex:/opt/my_firewall$

 

Change the security level access

taufanlubis@zyrex:/opt/my_firewall$ sudo chmod uog+x myfirewall_scripts

taufanlubis@zyrex:/opt/my_firewall$ ls -l

total 4

-rwxr-xr-x 1 root root 582 2007-09-29 10:55 myfirewall_scripts

taufanlubis@zyrex:/opt/my_firewall$

 

Now, your script is ready to run.

 

Test the script

taufanlubis@zyrex:/opt/my_firewall$ sudo ./myfirewall_scripts

taufanlubis@zyrex:/opt/my_firewall$

 

taufanlubis@zyrex:/opt/my_firewall$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp — anywhere anywhere tcp dpt:www

ACCEPT tcp — anywhere anywhere tcp dpt:https

ACCEPT tcp — anywhere anywhere tcp dpt:pop3

ACCEPT tcp — anywhere anywhere tcp dpt:smtp

DROP tcp — anywhere anywhere

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

taufanlubis@zyrex:/opt/my_firewall$

 

Now, everything is running smoothly. You can put the script into the particular runlevels.

 

Step 2. Copy your script to /etc/init.d/ directory.

 

taufanlubis@zyrex:/opt/my_firewall$ sudo cp myfirewall_scripts /etc/init.d/

 

Check the availability

taufanlubis@zyrex:/etc/init.d$ ls myfirewall_scripts

myfirewall_scripts

 

Step 3. Setup Links

 

To setup links for your script in each rc?.d you don’t have to it manually one by one. You can use Ubuntu command update-rc.d.

 

Manual for update-rc.d in Ubuntu

update-rc.d updates the System V style init script links /etc/rcrun‐level.d/NNname whose target is the script /etc/init.d/name. These links are run by init when it changes runlevels; they are generally used to start and stop system services such as daemons. runlevel is one of the runlevels supported by init, namely, 0123456789S, and NN is the two-digit sequence number that determines where in the sequence init will run the scripts. the two-digit sequence number that determines where in the sequence

init will run the scripts.

EXAMPLES

Insert links using the defaults:

update-rc.d foobar defaults

Equivalent command using explicit argument sets:

update-rc.d foobar start 20 2 3 4 5 . stop 20 0 1 6 .

Insert links for a service that should be running during multi-user

mode, but that does not need to be explicitly stopped on shutdown:

update-rc.d foobar multiuser

Equivalent command using explicit argument sets:

update-rc.d foobar start 20 2 3 4 5 . stop 20 1 .

More typical command using explicit argument sets:

update-rc.d foobar start 30 2 3 4 5 . stop 70 0 1 6 .

Remove all links for a script (assuming foobar has been deleted

already):

update-rc.d foobar remove

Example of disabling a service:

update-rc.d -f foobar remove

update-rc.d foobar stop 20 2 3 4 5 .

Example of a command for installing a system initialization-and-shut‐

down script:

update-rc.d foobar start 45 S . start 31 0 6 .

Example of a command for disabling a system initialization-and-shutdown

script:

script:

update-rc.d -f foobar remove

update-rc.d foobar stop 45 S .

 

Setup links for myfirewall_scripts

taufanlubis@zyrex:~$ sudo update-rc.d myfirewall_scripts defaults

Adding system startup for /etc/init.d/myfirewall_scripts …

/etc/rc0.d/K20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc1.d/K20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc6.d/K20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc2.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc3.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc4.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts

/etc/rc5.d/S20myfirewall_scripts -> ../init.d/myfirewall_scripts

taufanlubis@zyrex:~$

 

K20 in rc0.d, rc1.d and rc6.d = myfirewall_scripts will be executed when leaving runlevel N.

S20 in rc2.d, rc3.d, rc4.d and rc5.d = myfirewall_scripts will be executed when enter runlevel N.

 

Step 4. Reboot the system

 

Check the iptables status. If everything is running well then you will see your iptables chain rules.

taufanlubis@zyrex:~$ sudo iptables -L

Password:

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp — anywhere anywhere tcp dpt:www

ACCEPT tcp — anywhere anywhere tcp dpt:https

ACCEPT tcp — anywhere anywhere tcp dpt:pop3

ACCEPT tcp — anywhere anywhere tcp dpt:smtp

DROP tcp — anywhere anywhere

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

taufanlubis@zyrex:~$

 

 

Removing a service

taufanlubis@zyrex:~$ sudo update-rc.d myfirewall_scripts remove

update-rc.d: /etc/init.d/myfirewall_scripts exists during rc.d purge (use -f to force)

taufanlubis@zyrex:~$

 

If the script has already run you have to use ‘-f (force)’ to remove the script.

 

taufanlubis@zyrex:~$ sudo update-rc.d -f myfirewall_scripts remove

Removing any system startup links for /etc/init.d/myfirewall_scripts …

/etc/rc0.d/K20myfirewall_scripts

/etc/rc1.d/K20myfirewall_scripts

/etc/rc2.d/S20myfirewall_scripts

/etc/rc3.d/S20myfirewall_scripts

/etc/rc4.d/S20myfirewall_scripts

/etc/rc5.d/S20myfirewall_scripts

/etc/rc6.d/K20myfirewall_scripts

taufanlubis@zyrex:~$

 

Is my myfirewall_scripts also removed?

No, your myfirewall_scripts is still in /etc/init.d/ directory.

update-rc.d only remove the links in each rc?.d directory.

 

You can check it.

taufanlubis@zyrex:~$ ls /etc/init.d/myfirewall_scripts

/etc/init.d/myfirewall_scripts

taufanlubis@zyrex:~$

 

Note:

One might, for example, cause the script myfirewall_scripts to execute at boot-up.

 

Happy trying……..

 

Read Full Post »

Runlevels in Ubuntu

If you have a script and you it run automatically during loading process then you have to know to runlevels process in Ubuntu. At first time you learn about runlevels, you may find yourself in a bit hard time to figure out how it work. There are so many articles explain about runlevels in the internet. I’ll try to explain the runlevels process in a easy way.

Hopefully, the way I describe the process will be clear enough for you to get a picture about runlevels.

Introduction

Runlevel is a mode of operation or level of run in a computer that uses Unix/Linux System V-style.

There 7 runlevels in Ubuntu, start from 0 to 6.

 

The following table summarizes it:

• runlevel 0 = System Halt

• runlevel 1 = Single User

• runlevel 2 = Multi-user with GUI

• runlevel 3 = Multi-user with GUI

• runlevel 4 = Multi-user with GUI

• runlevel 5 = runlevel 3 + X windows system

• runlevel 6 = Reboot

 

Runlevel 1 is a single user mode. In this level, there are no daemons (services) are started. You can do rescue or trouble-shooting in this mode. Runlevel 0 for shutdown and runlevel 6 for reboot. The rest are used for running the system.

 

Like other Linux systems, run levels are defined by files in the file system.

All run level files are found in the /etc directory.

 

/etc/rc0.d/ runlevel 0

/etc/rc1.d/ runlevel 1

/etc/rc2.d/ runlevel 2

/etc/rc3.d/ runlevel 3

/etc/rc4.d/ runlevel 4

/etc/rc5.d/ runlevel 5

/etc/rc6.d/ runlevel 6

 

The contents of each directory determines what happens at that run level.

 

Check your current runlevel

taufanlubis@zyrex:~$ runlevel

N 2

taufanlubis@zyrex:~$

Ubuntu system come with id=2, which indicates that the default runlevel will be ‘2’ when the multi-user state is entered, and the scripts in /etc/rc2.d/ will be run.

 

taufanlubis@zyrex:~$ who -r

run-level 2 2007-09-25 03:53 last=

taufanlubis@zyrex:~$

 

Note, taken from update-rc.d manual:

/etc/init.d/

The directory containing the actual init scripts.

 

/etc/rc?.d/

The directories containing the links used by init and managed by update-rc.d.

 

 

There is also another runlevel named runlevel ‘S’.

For more details, you can read the manual.

taufanlubis@zyrex:~$ man rcS

……..

……..

 

 

The configuration of rcS are placed in /etc/default/rcS or /usr/share/initscripts/default.rcS

 

To see the content just type:

taufanlubis@zyrex:/etc/init.d$ cat /usr/share/initscripts/default.rcS

#

# /etc/default/rcS

#

# Default settings for the scripts in /etc/rcS.d/

#

# For information about these variables see the rcS(5) manual page.

#

# This file belongs to the “initscripts” package.

 

TMPTIME=0

SULOGIN=no

DELAYLOGIN=no

UTC=yes

VERBOSE=no

FSCKFIX=no

 

 

Booting Process

 

Ubuntu boots up by executing the program init. The step of scripts to be executed are

• /etc/init.d/rcS

• /etc/rc.boot

• all scripts in a directory specified by the default runlevel

• /etc/rc0.d

• /etc/rc1.d

• /etc/rc2.d

• /etc/rc3.d

• /etc/rc4.d

• /etc/rc5.d

• /etc/rc6.d

 

Let’s check the content of /etc/init.d/rcS.

taufanlubis@zyrex:~$ cat /etc/init.d/rcS

#! /bin/sh

#

# rcS

#

# Call all S??* scripts in /etc/rcS.d/ in numerical/alphabetical order

#

exec /etc/init.d/rc S

 

taufanlubis@zyrex:/etc/init.d$

Mean that this script will run all of the scripts in /etc/rcS.d/.

 

Let’s check the content.

taufanlubis@zyrex:~$ ls -l /etc/rcS.d

total 4

-rw-r–r– 1 root root 785 2007-04-11 04:45 README

lrwxrwxrwx 1 root root 24 2007-07-31 11:15 S01mountkernfs.sh -> ../init.d/mountkernfs.sh

lrwxrwxrwx 1 root root 19 2007-07-31 11:15 S01readahead -> ../init.d/readahead

lrwxrwxrwx 1 root root 21 2007-07-31 11:15 S02hostname.sh -> ../init.d/hostname.sh

…..

…..

lrwxrwxrwx 1 root root 27 2007-07-31 11:15 S90console-screen.sh -> ../init.d/console-screen.sh

taufanlubis@zyrex:/etc/rcS.d$

How about rc1.d, rc2.d, rc3.d, rc4.d, rc5.d ando rc6.d?

 

taufanlubis@zyrex:~$ ls -l /etc/rc1.d

total 4

lrwxrwxrwx 1 root root 13 2007-07-31 11:15 K01gdm -> ../init.d/gdm

……

……

lrwxrwxrwx 1 root root 16 2007-07-31 11:15 S90single -> ../init.d/single

 

taufanlubis@zyrex:~$ ls -l /etc/rc2.d

total 4

-rw-r–r– 1 root root 556 2007-04-11 04:46 README

lrwxrwxrwx 1 root root 16 2007-08-07 12:29 S01lokkit -> ../init.d/lokkit

….

….

lrwxrwxrwx 1 root root 24 2007-07-31 11:15 S99stop-readahead -> ../init.d/stop-readahead

 

taufanlubis@zyrex:~$ ls -l /etc/rc3.d

total 4

-rw-r–r– 1 root root 556 2007-04-11 04:46 README

lrwxrwxrwx 1 root root 16 2007-08-07 12:29 S01lokkit -> ../init.d/lokkit

…..

…..

lrwxrwxrwx 1 root root 19 2007-07-31 11:15 S99rmnologin -> ../init.d/rmnologin

 

taufanlubis@zyrex:~$ ls -l /etc/rc4.d

total 4

-rw-r–r– 1 root root 556 2007-04-11 04:46 README

lrwxrwxrwx 1 root root 16 2007-08-07 12:29 S01lokkit -> ../init.d/lokkit

……

……

lrwxrwxrwx 1 root root 19 2007-07-31 11:15 S99rmnologin -> ../init.d/rmnologin

taufanlubis@zyrex:~$

 

taufanlubis@zyrex:~$ ls -l /etc/rc5.d

total 4

-rw-r–r– 1 root root 556 2007-04-11 04:46 README

lrwxrwxrwx 1 root root 16 2007-08-07 12:29 S01lokkit -> ../init.d/lokkit

…..

…..

lrwxrwxrwx 1 root root 19 2007-07-31 11:15 S99rmnologin -> ../init.d/rmnologin

 

taufanlubis@zyrex:~$ ls -l /etc/rc6.d

total 4

lrwxrwxrwx 1 root root 13 2007-07-31 11:15 K01gdm -> ../init.d/gdm

……

……

lrwxrwxrwx 1 root root 18 2007-07-31 11:15 S40umountfs -> ../init.d/umountfs

lrwxrwxrwx 1 root root 20 2007-07-31 11:15 S60umountroot -> ../init.d/umountroot

lrwxrwxrwx 1 root root 16 2007-07-31 11:15 S90reboot -> ../init.d/reboot

 

taufanlubis@zyrex:~$ ls -l /etc/init.d/

total 460

….

….

-rwxr-xr-x 1 root root 864 2007-04-14 02:51 stop-readahead

….

….

-rwxr-xr-x 1 root root 3477 2007-04-11 04:45 umountfs

-rwxr-xr-x 1 root root 1833 2007-04-11 04:45 umountnfs.sh

-rwxr-xr-x 1 root root 1105 2007-04-11 04:45 umountroot

….

….

Now you see that, actually, all the scripts above are just symbolic links back to to scripts in /etc/init.d/.

 

These scripts are used to perform initialization such as to check and to mount file systems, to load modules, to start network services, to set the clock and to perform other initialization.

 

Specifically, before entering any runlevel, all the scripts beginning with ‘K’ are run; these scripts kill services. Then all the scripts beginning with ‘S’ are run; these scripts start services.

The two-digit number following the ‘K’ or ‘S’ indicates the order in which the script is run. Lower numbered scripts are executed first.

 

The scripts in /etc/init.d/ can be either:

• start

• stop

• reload

• restart

• force-reload

These scripts can be used even after a system has been booted, to control various processes.

 

Now, let’s try with restart with the networking.

taufanlubis@zyrex:~$ sudo /etc/init.d/networking restart

Password:

* Reconfiguring network interfaces… RTNETLINK answers: No such process

There is already a pid file /var/run/dhclient.eth0.pid with pid 5659

killed old client process, removed PID file

Internet Systems Consortium DHCP Client V3.0.4

Copyright 2004-2006 Internet Systems Consortium.

All rights reserved.

For info, please visit http://www.isc.org/sw/dhcp/

 

Listening on LPF/eth0/00:90:f5:36:9a:eb

Sending on LPF/eth0/00:90:f5:36:9a:eb

……

……

 

Argument ‘restart‘ at “taufanlubis@zyrex:~$ sudo /etc/init.d/networking restart” will send networking daemon a signal to reread its configuration file.

Read Full Post »

Setup firewall with iptables in Ubuntu (Part 3)

Masquerading (Many to One NAT)
NAT = Network Address Translation

Mean that all traffics from your networks behind the firewall will be appear on the internet as if as it is only originated form a single ip address.

The masquerade IP address always defaults to the IP address of the firewall’s main interface. It will be easier for you to configure iptables NAT with DHCP because you don’t have to specify the NAT IP address.

 

Masquerade needs iptables_nat module and IP forwarding = enabled to run.

 

 

Step 1. Load the iptables_nat module

taufanlubis@zyrex:~$ sudo modprobe -a iptable_nat

or

put at /etc/rc.local

modprobe -a iptable_nat

 

Check if it’s already uploaded.

root@zyrex:/home/taufanlubis# sudo modprobe -l | grep iptable_nat

/lib/modules/2.6.20-16-generic/kernel/net/ipv4/netfilter/iptable_nat.ko

root@zyrex:/home/taufanlubis#

 

 

Step 2. Enable routing by modifying the ip_forward at /proc/sys/net/ipv4 from value ‘0’ to ‘1’.

0 = disable/ 1=enable

taufanlubis@zyrex:~$ su root

Password:

root@zyrex:/home/taufanlubis# echo 1 > /proc/sys/net/ipv4/ip_forward

Check the value.

root@zyrex:/home/taufanlubis# cat /proc/sys/net/ipv4/ip_forward

1

root@zyrex:/home/taufanlubis#

 

 

Step 3. Allow masquerading

Let’s try a case.

You have 2 interface in your router.

eth0 is the internet interface

eth1 is the private network interface

If you configure your firewall to do masquerading, you should use the ip address from eth1 as a default gateway for all your severs on the network.

 

taufanlubis@zyrex:~$ sudo iptables -A POSTROUTING -t nat -s 192.168.0.1/24 -o et

h0 -d 0/0 -j MASQUERADE

 

taufanlubis@zyrex:~$ sudo iptables -A FORWARD -o eth0 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

taufanlubis@zyrex:~$ sudo iptables -A FORWARD -i eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT

After ‘network address translation table‘ from ‘ip 192.168.0.1-192.168.0.254 destined to any ip address‘ are masqueraded, the packets then are routed via the filter table’s FORWARD chain.

Allowed outbound: New, established and related connections

Allowed inbound: Established and related connections

 

Check the iptables’ rules again.

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

ACCEPT 0 — anywhere anywhere state NEW,RELATED,ESTABLISHED

ACCEPT 0 — anywhere anywhere state RELATED,ESTABLISHED

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

You will not see the POSTROUTING chain rule because the ‘iptables rules‘ displays INPUT, FORWARD and OUTPUT information only.

 

 

 

Read Full Post »

Setup firewall with iptables in Ubuntu (Part 2)

Samples of iptables’ rules.

 

# Accept TCP packets for routing from eth0 (any IP) and destined for IP 192.168.1.58

# that is reachable via eth1.

# -A : Append rule to end of a chain

# FORWARD : Filters packets to server accessible by another NIC on the firewall

# -s : Source IP address

# 0/0 : Any ip address

# -i : Input Interface name (eth0, eth1 etc)

# -d : Destination IP address

# -o : Output Interface name (eth0, eth1 etc)

# -p tcp –sport : TCP source port (can be single or range value)

# -d tcp –dport : TCP destination port (can be single or range value)

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p tcp –sport 1024:65535 –dport 80 -j ACCEPT

 

# Accept TCP packets coming in from eth0 (any IP) and destined for IP 192.168.1.1

# INPUT : Filter packets destined to the firewall.

iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p tcp -j ACCEPT

# Flush all chains

iptables -F

 

# YOUR LOCAL NETWORK FIREWALL

# Accept all connection from ip source 192.168.0.1-192.168.0.254 to any ip address from any ports to any ports

iptables -I FORWARD -s 192.168.0.1/24 -d 0/0 -j ACCEPT

# Accept anything on localhost

iptables -A INPUT -i lo -j ACCEPT

 

# COMMON ICMP (ping)

# ALLOWING Sending “PING” (Echo request) AND

# Incoming “PONG” (Echo reply)

# Allow the firewall to send ICMP echo-request (pings)

iptables -A OUTPUT -p icmp –icmp-type echo-request -j ACCEPT

# Allow the firewall to accept the expected ICMP echo-replies (pongs)

iptables -A INPUT -p icmp –icmp-type echo-reply -j ACCEPT

# Can do ‘pings’ 1 in a second. (3 pings per seconds = 3/s)

iptables -A INPUT -p icmp –icmp-type echo-request -m limit –limit 1/s -i eth0 -j ACCEPT

# Defense for SYN (–syn = new tcp connection)flood attacks was created by limiting the acceptance of TCP segments

# with the SYN bit set to no more than five Ping per second.

iptables -A INPUT -p tcp –syn -m limit –limit 5/s -i eth0 -j ACCEPT

 

# ALLOWING INCOMING TRAFFIC

# ON SPECIFIC PORT

# HTTP (port 80)

sudo iptables -A INPUT -p tcp -i eth0 –dport http -j ACCEPT

# HTTPS (port 443)

sudo iptables -A INPUT -p tcp -i eth0 –dport https -j ACCEPT

# POP3 (port 110)

sudo iptables -A INPUT -p tcp -i eth0 –dport pop3 -j ACCEPT

# SMTP (port 25)

sudo iptables -A INPUT -p tcp -i eth0 –dport smtp -j ACCEPT

# FTP (port 20 21)

sudo iptables -A INPUT -p tcp -i eth0 –dport ftp -j ACCEPT

# IMAP (port 143)

sudo iptables -A INPUT -p tcp -i eth0 –dport imap -j ACCEPT

# NFS (port 111 2049)

sudo iptables -A INPUT -p tcp -i eth0 –dport nfs -j ACCEPT

# NNTP (port 119)

sudo iptables -A INPUT -p tcp -i eth0 –dport nntp -j ACCEPT

# Telnet (port 23)

sudo iptables -A INPUT -p tcp -i eth0 –dport telnet -j ACCEPT

# SSH (port 22)

sudo iptables -A INPUT -p tcp -i eth0 –dport ssh -j ACCEPT

# DNS (port 53)

sudo iptables -A INPUT -p tcp -i eth0 –dport 53 -j ACCEPT

# Samba (port 137-139)

sudo iptables -A INPUT -p tcp -i eth0 –dport 137:139 -j ACCEPT

 

# ALLOWING DNS to Access to your firewall

# It’s used by Ubuntu to get update from Repository Server

iptables -A OUTPUT -p udp -o eth0 –dport 53 –sport 1024:65535 -j ACCEPT

iptables -A INPUT -p udp -i eth0 –sport 53 –dport 1025:65535 -j ACCEPT

 

# ALLOWING WWW and SSH to Access to your firewall

# It’s used when you want to manage you web server

# managed remotely via secure shell (ssh) sessions.

# Allow previously established connections

iptables -A OUTPUT -o eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT

# Allow port 80 (http) and 22 (ssh) connections to firewall

iptables -A INPUT -p tcp -i eth0 –dport 22 –sport 1024:65535 -m state –state NEW -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport 80 –sport 1024:65535 -m state –state NEW -j ACCEPT

 

# ALLOWING FIREWALL to access The Internet

# Enable a user on the firewall to surf the internet using Web Browser HTTP (port 80) and HTTPs (port 443)

iptables -A OUTPUT -o eth0 -p tcp -m state –state NEW,ESTABLISHED,RELATED -m multiport –sport 1024:65535 -m multiport –dport 80,443 -j ACCEPT

# Allowing all TCP traffic originating from firewall

iptables -A OUTPUT -o eth0 -p tcp -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

 

# BLOCK VIRUSES

# Use you can use this 4 rules:

# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 –dport 136 -j DROP

# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 –dport 137 -j DROP

# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 –dport 138 -j DROP

# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 –dport 139 -j DROP

# or this 1 rule

iptables -A FORWARD -p tcp –dport 136:139 -j DROP

 

# Use you can use this 4 rules:

# iptables -I FORWARD -s 0/0 -p udp -d 0/0 –dport 136 -j DROP

# iptables -I FORWARD -s 0/0 -p udp -d 0/0 –dport 137 -j DROP

# iptables -I FORWARD -s 0/0 -p udp -d 0/0 –dport 138 -j DROP

# iptables -I FORWARD -s 0/0 -p udp -d 0/0 –dport 139 -j DROP

# or this 1 rule

iptables -A FORWARD -p udp –dport 136:139 -j DROP

 

# ROUTING

# Allow firewall to accept tcp packets for routing

# Enter via eth0 (any ip) via range port 1024 to 65535

# Destined to eth1 (ip 192.168.0.2 ) port 80 (www/http)

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.0.2 -o eth1 -p tcp –sport 1024:65535 –dport 80 -j ACCEPT

 

# -m multiport –dport

# A variety of tcp/udp destination ports separated by commas.

# -m multiport –sport

# A variety of tcp/udp destination ports separated by commas.

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.0.2 -o eth1 -p tcp -m multiport –sport 1024:65535 -m multiport –dport 80,443 -j ACCEPT

 

# Loading Kernel Modules

# Any type NAT required, this module have to be loaded.

modprobe -a iptable_nat

# For tcp connection

modprobe -a ip_conntrack

# For FTP support

modprobe -a ip_conntrack_ftp

# For FTP server behind NAT firewall

modprobe -a ip_nat_ftp

 

modprobe -a ip_queue

modprobe -a iptable_filter

modprobe -a iptable_mangle

modprobe -a ip_tables

modprobe -a ipt_LOG

modprobe -a ipt_MASQUERADE

modprobe -a ipt_owner

modprobe -a ipt_REDIRECT

modprobe -a ipt_TOS

modprobe -a ipt_ttl

modprobe -a ipt_ULOG

modprobe -a ipt_ecn

modprobe -a ipt_ECN

 

Read Full Post »

Setup firewall with IPTABLES in Ubuntu (part 1)

Playing with iptables in Ubuntu Terminal

I’ve been trying to figure out how to explain the iptables in a easy way. I’ve read so many articles about iptables but none of it mention to run iptables chain rules through command lines in Ubuntu console terminal.

I know the reason, because chain rules will be temporary. But, it’s not good for a begginer.

So, I try to discribe it in another way.

Hopefull, it will make you easier to understand the iptables’ chain rules.

 

Actually, the most popular firewall and NAT (Network Address Translation) in Linux was Ipchains.

After that, Netfilter Organization created a new product called Iptables and gave more features in it.

 

Compare to Ipchains, Iptables is better integration with the linux, Stateful packet inspection, Filtering packets based on MAC address and the values of the flags in packets, better network address translation, integration with Squid and block DoS (Denial of service) attacks.

I’ll divide my explanation into 4 parts.

• practice with command line in Ubuntu terminal

• sample rules which you can use for router, webserver, server etc.

• masquerading (many to one NAT)

• run iptables automatically (create a script and put it in runlevel mode).

I’ve just finished the first part (this posting). Hopefull, it will make you easier to understand the iptables.

 

 

Determining the status of iptables

You can check your current iptables rules with:

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

 

option -L:

List all rules in the selected chain. If no chain is selected, all chains are listed. As every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by iptables -t nat -n -L

 

Packet Processing in iptables

All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.

 

There are three tables in total:

• Responsible for packet filtering.

• Forward chain (filters packet to servers)

• Input chain (filters packet destined to the firewall)

• Output chain (filters packets originating from the firewall)

• Responsible for the alteration of quality of service bits in the TCP header (Mangle).

• Responsible for NAT (network address translation).

• Pre-routing chain

• Post-routing chain

 

I like to use Iptables because I can set my firewall to be what I want. I can set which packet of data that can go in to my machine, forwarded or go out from my machine. I can set which ports are opened or closed. But, need days, for me to understand how it works.

 

In this practice we will do all the setup from linux console.

First, open your linux console.

Applications>Accessories>Terminal or press Alt-F2 and type ‘xterm’.

 

Now, let’s try for practice. Check your iptables’s rules.

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

If you see the rules as mentioned above, it means that there are no rules in your iptables firewall.

 

Task1 : Accept packet data (tcp) through ethernet card no.1 via port 80 (http)

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 –dport http -j ACCEPT

taufanlubis@zyrex:~$

Check again, our setting.

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp — anywhere anywhere tcp dpt:www

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

Well, you got your first rule in your iptables. It says that accept only tcp packet data via http(port 80) from any ip address to any ip address.

 

Task 2: Do same rules as Task1 for ‘https'(port 443), ‘pop3′(port 110) and ‘smtp'(port 25)

Type again in your console.

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 –dport https -j ACCEPT

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 –dport pop3 -j ACCEPT

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 –dport smtp -j ACCEPT

 

Check again the rules.

taufanlubis@zyrex:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp — anywhere anywhere tcp dpt:www

ACCEPT tcp — anywhere anywhere tcp dpt:https

ACCEPT tcp — anywhere anywhere tcp dpt:pop3

ACCEPT tcp — anywhere anywhere tcp dpt:smtp

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

taufanlubis@zyrex:~$

Now, you’ve already setup the rules for ACCEPTed access.

 

Let us continue with the task 3.

Task 3: Drop all data that forwarded or output from your machine except the ports that we’ve set to be allowed.

taufanlubis@zyrex:~$ sudo iptables -A FORWARD -o eth0 -j DROP

taufanlubis@zyrex:~$ sudo iptables -A OUTPUT -o eth0 -j DROP

taufanlubis@zyrex:~$ sudo iptables -A INPUT -p tcp -i eth0 -j DROP

 

Check again, your iptables rules.

taufanlubis@zyrex:~$ sudo iptables -L

 

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp — anywhere anywhere tcp dpt:www

ACCEPT tcp — anywhere anywhere tcp dpt:https

ACCEPT tcp — anywhere anywhere tcp dpt:pop3

ACCEPT tcp — anywhere anywhere tcp dpt:smtp

DROP tcp — anywhere anywhere

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

DROP 0 — anywhere anywhere

taufanlubis@zyrex:~$

 

Well, you see the same screen as above, mean you’ve just created iptables’ chain rules.

 

This setup is temporary. Mean, you will lost it after you shutdown or restart.

It’s ok. It’s only a practice. I just want to show how iptables works.

 

Read Full Post »

List setup of CDMA and GSM phones for Ubuntu Wvdial

Default dialer below will be depend on your mobile type. In this setup, I use Nokia 6610 with CA42 cable. List of CDMA and GSM providers below are based in Indonesia only.

For example, your cureent GSM card is Simpati, then just type:

taufanlubis@zyrex:~$ sudo wvdial SIMPATI

 

 

[Dialer Defaults]

Init1 = ATZ

Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0

Init3 = AT+GMM

Init4 = ATI1

Init5 = ATI2

Init6 = ATI3

Modem Type = USB Modem

ISDN = 0

Modem = /dev/ttyACM0

Baud = 56400

 

 

[Dialer PROXL]

Phone = *99***1#

Username = “xlgprs”

Password = “proxl”

Init7 = ATZ,”202.152.240.50″,”www.xlgrps.net”

 

[Dialer SIMPATI]

Phone = *99***1#

Username = “wap”

Password = “wap123”

Init7 = ATZ,”10.1.89.130″,”telkomsel”

 

[Dialer AS]

Phone = *99***1#

Username = “wap”

Password = “wap123”

Init7 = ATZ,”10.1.89.130″,”telkomsel”

 

[Dialer HALO]

Phone = *99***1#

Username = “wap”

Password = “wap123”

Init7 = ATZ,”10.1.89.130″,”telkomsel”

 

[Dialer IM3]

Phone = *99***1#

Username = “gprs”

Password = “im3”

Init7 = ATZ,”010.019.019.019″,”www.indosat-m3.net”

 

[Dialer MENTARI]

Phone = *99***1#

Username = “indosat”

Password = “indosat”

Init7 = ATZ,”010.019.019.019″,”indosatgrps”

 

[Dialer MATRIX]

Phone = *99***1#

Username = “”

Password = “”

Init7 = ATZ,”202.152.162.250″,”satelindogrps.com”

 

[Dialer FREN]

Phone = #777

Username = “m8”

Password = “m8”

Init7 = ATZ,”10.21.5.201″,””

 

[Dialer FLEXI]

Phone = #777

Username = “telkomnet@flexi”

Password = “telkom”

Init7 = ATZ,”10.177.7.7″,””

 

[Dialer STARONE]

Phone = #777

Username = “Starone”

Password = “indosat”

Init7 = ATZ,”192.168.50.60″,””

 

Read Full Post »

Set Root Password on Ubuntu after first installation

You will not get setting password for Root during installation process in Ubuntu. You have to do it manually.

$sudo passwd root

Enter New Unix password: ________ (enter your root password)

Retype new unix password: _______ (retype your password)

passwd: password updated successfully

$

Read Full Post »

Need proctection for your Ubuntu?

There are a lot of choices you can use to protect your system. Just use standard installation command to install it.

For example, you if want to install Lokkit, just use apt-get install command. Make sure you have the ‘universe‘ componet enabled in your repository.

taufanlubis@zyrex:~$ sudo apt-get install lokkit

Security tools for Ubuntu:

shorewall – Shoreline Firewall (Shorewall), a high-level tool for configuring Netfilter

arno-iptables-firewall – Single- and multi-homed firewall script with DSL/ADSL support

arptables – ARP table administration

ebtables – Ethernet bridge frame table administration

fail2ban – bans IPs that cause multiple authentication errors

ferm – maintain and setup complicated firewall rules

fiaif – An easy to use, yet complex firewall

filtergen – packet filter generator for various firewall systems

firehol – An easy to use but powerful iptables stateful firewall

fprobe-ulog – export captured traffic to remote NetFlow Collector (ULOG version)

fwanalog – firewall log-file report generator (using analog)

fwlogwatch – Firewall log analyzer

gnome-lokkit – basic interactive firewall configuration tool (GNOME interface)

guarddog – firewall configuration utility for KDE

guidedog – NAT/masquerading/port-forwarding configuration tool for KDE

ipac-ng – IP Accounting for iptables (kernel >=2.4)

ipkungfu – iptables-based Linux firewall

ipset – administration tool for kernel IP sets

iptstate – Top-like state for netfilter/iptables

kmyfirewall – iptables based firewall configuration tool for KDE

knetfilter – GUI for configuring the 2.4 kernel IP Tables

libabz0 – Miscellaneous useful routines

libiptables-ipv4-ipqueue-perl – Perl extension for libipq

lokkit – basic interactive firewall configuration tool (console interface)

netscript-2.4 – Linux 2.4.x (and 2.6.x) router/firewall network configuration system

netstat-nat – A tool that display NAT connections

openvpn – Virtual Private Network daemon

p3scan – transparent POP3-proxy with virus- and spam-scanning

psad – The Port Scan Attack Detector

pyroman – Firewall configuration tool for complex networks

reaim – Enable AIM and MSN file transfer on Linux iptables based NAT

shorewall-doc – documentation for Shorewall firewall

shorewall-lite – Shorewall (lite version), a high-level tool for configuring Netfilter

uif – Advanced iptables-firewall script

ulogd – The Netfilter Userspace Logging Daemon

uruk – Very small firewall script, for configuring iptables

wflogs – The modular firewall log analyzer of the WallFire project

fireflier-client-gtk – Interactive firewall rule creation tool – GTK client

fireflier-client-kde – Interactive firewall rule creation tool – QT client

fireflier-client-qt – Interactive firewall rule creation tool – QT client

fireflier-server – Interactive firewall rule creation tool – server

iptables – administration tools for packet filtering and NAT

iptables-dev – development files for iptable’s libipq and libiptc

Read Full Post »