Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO

Saturday, July 3, 2010

IPtables Primer - Additional tips

Source

Limit network access

by user / group
Use the owner module.
This module applies to locally generated packets, not incoming or forwarded packets, and is thus used in the OUTPUT (filter) chain.
You may specify a user/group by name, uid, or gid. In the following examples I use the group "net" to demonstrate restricting access to root and members of the group "net". "net" is a custom group and you will need to create this group and add members to it.
General syntax:
-m owner --uid-owner 0
-m owner --uid-owner root
-m owner --gid-owner net
Example - by user (assuming a user named bodhi)
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -o eth0 -m owner --uid-owner bodhi -j ACCEPT
iptables -A OUTPUT -j DROP
Example - by group (assuming a group named net)
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -o eth0 -m owner --gid-owner net -j ACCEPT
iptables -A OUTPUT -j DROP
  • When matching by group, only a user's active group is used (see below).
  • You may temporarily change your active group with the newgrp command (this starts a new shell).
  • You may permanently change your active group with the usermod command (see below).
In most Linux distributions, your default active group is the same as your user (login) name.
To view your group memberships, use the id command.
id bodhi
uid=1000(bodhi) gid=1000(bodhi) groups=1000(bodhi),1100(net) ....
As you can see, this command shows your active group [ gid=1000(bodhi) ]. It is this active group that iptables uses to grant or block access.
Assuming you are restricting access to a group "net", you may temporarily change your active group to "net" with the command "newgrp".
Example:
# Ping initially fails
id bodhi
uid=1000(bodhi) gid=1000(bodhi) groups=1000(bodhi),1100(net) ....
ping -c 1 google.com
ping: unknown host google.com

# Change active group with "newgrp"
newgrp net
id
uid=1000(bodhi) gid=1100(net) groups=1000(bodhi),1100(net) ....
ping -c 1 google.com
PING google.com (74.125.95.99) 56(84) bytes of data.
64 bytes from iw-in-f99.1e100.net (74.125.95.99): icmp_seq=1 ttl=48 time=83.4 ms

--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 83ms
rtt min/avg/max/mdev = 83.434/83.434/83.434/0.000 ms
You can change your default group with usermod (or your graphical group management tool).
sudo usermod -g net bodhi
You will need to log out and back in (or start a new shell) for the change to take effect.

by time / date
Use the time module.
Syntax:
-m time --timestart HH:MM --timestop HH:MM
Example - lunch hour only
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m time --timestart 12:00 --timestop 13:00 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -j DROP
Caveat: the time module works by examining the time stamp of locally generated packets, so use these rules in the OUTPUT chain and specify either --sport or --dport.

Blacklist / Whitelist

I use lowercase names for user-defined chains.
iptables -N blacklist
iptables -A INPUT -j blacklist
iptables -A OUTPUT -j blacklist
# Replace <address> with the host or network (CIDR) you want to block
iptables -A blacklist -d <address> -j DROP
iptables -A blacklist -s <address> -j DROP
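The address arguments in the rules above were lost from the original page. As an added example (not from the original post), here is a small script that fills the blacklist chain from a list of addresses after validating and de-duplicating them; it hooks the chain at the top of INPUT and OUTPUT rather than appending it, the sample addresses are constructed, and with IPT left at its default of echo it only prints the commands.

```shell
#!/bin/sh
# Build the "blacklist" chain from a list of addresses (one IPv4 host or CIDR per
# line, '#' comments allowed). IPT defaults to echo, which only prints the commands;
# run as root with IPT=iptables to apply them.
IPT=${IPT:-echo}

# Constructed sample input (not real indicators).
SAMPLE_LIST='# hosts we never want to talk to
203.0.113.7
198.51.100.0/24
bad entry          # malformed, must be skipped
203.0.113.7        # duplicate, listed once
'

# Keep only well-formed, de-duplicated IPv4 addresses / CIDR ranges from stdin.
clean_list() {
    sed 's/#.*//' |
    grep -E '^[[:space:]]*([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?[[:space:]]*$' |
    tr -d '[:blank:]' | sort -u
}

# (Re)create the chain, hook it at the top of INPUT and OUTPUT so it is consulted
# before any ACCEPT rule, then drop traffic to or from every listed address.
build_blacklist() {
    if $IPT -N blacklist 2>/dev/null; then
        $IPT -I INPUT 1 -j blacklist
        $IPT -I OUTPUT 1 -j blacklist
    else
        $IPT -F blacklist          # chain already exists: just refill it
    fi
    clean_list | while read -r addr; do
        $IPT -A blacklist -s "$addr" -j DROP
        $IPT -A blacklist -d "$addr" -j DROP
    done
}

printf '%s' "$SAMPLE_LIST" | build_blacklist
```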

Use iptables to block failed connections

You will have to adjust these settings for your server. For example, the appropriate settings differ considerably for SSH, HTTP, and Samba servers.
Block Brute Force attempts (SSH or other connections)
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 600 --hitcount 8 --rttl --name SSH --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
Modified from:
Kevin van Zonneveld - Blog
SAMHAIR LABS
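When these rules start dropping a source, the first thing an operator wants is to see what the recent module currently holds. The following is an added example, not part of the original post or the blogs it credits; it assumes the list named SSH above is exposed by the kernel at /proc/net/xt_recent/SSH (older kernels used /proc/net/ipt_recent/SSH), and the sample file contents are constructed.

```shell
#!/bin/sh
# Inspect the state kept by the "recent" rules above. The kernel exposes each list
# at /proc/net/xt_recent/<name>: one line per tracked source, ending with one
# timestamp (in jiffies) per recorded hit.
RECENT_LIST=${RECENT_LIST:-/proc/net/xt_recent/SSH}
HITCOUNT=8          # same threshold as the --hitcount rule on this page

# Constructed sample in the proc file's format (not real data).
SAMPLE='src=203.0.113.9 ttl: 52 last_seen: 4295300000 oldest_pkt: 3 4295290000, 4295295000, 4295300000
src=198.51.100.4 ttl: 64 last_seen: 4295301000 oldest_pkt: 9 4295200000, 4295210000, 4295220000, 4295230000, 4295240000, 4295250000, 4295260000, 4295270000, 4295301000
src=192.0.2.77 ttl: 118 last_seen: 4295150000 oldest_pkt: 1 4295150000
'

# Print "<source> <hits>" for each tracked source. Fields 1-7 are the fixed
# header (src=, ttl:, last_seen:, oldest_pkt: and their values); the rest are hits.
recent_hits() {
    awk '{ print substr($1, 5), NF - 7 }'
}

# Sources at or above the threshold. The kernel additionally requires the hits to
# fall inside the --seconds window, so treat this as the list to examine first.
blocked_sources() {
    recent_hits | awk -v n="$HITCOUNT" '$2 >= n { print $1 }'
}

# Operator actions on the live list (root): forget one source early, or clear
# everything, using the proc interface's "-addr" and "/" commands.
recent_forget() { echo "-$1" > "$RECENT_LIST"; }
recent_clear()  { echo / > "$RECENT_LIST"; }

# Read the live list when present, otherwise demonstrate on the sample.
if [ -r "$RECENT_LIST" ]; then
    blocked_sources < "$RECENT_LIST"
else
    printf '%s' "$SAMPLE" | blocked_sources
fi
```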

Block Brute Force attempts (http [Apache] or other connections)
# General new connection rate limiting for DoS and brute force protection
iptables -I INPUT -p tcp -m state --state NEW -m limit --limit 30/minute --limit-burst 5 -j ACCEPT
Note that this rule only accepts new connections within the limit; those above it fall through to whatever rules follow, so they must be dropped there for the limit to have any effect.

Thanks to HermanAB @ Ubuntu Forums

NAT - Network Address Translation

This section is under development.
Think of NAT as using your firewall as a router (firewall = the computer we are configuring iptables on).
Typically you will use multiple interfaces, although one (or more) of them may be a virtual interface provided by VirtualBox, VMware, or KVM.
For a concise overview of how to set up a router see:

Stateful Firewall and Masquerading on Linux - by Werner Puschitz
For a more detailed guide see:
"Novell coolsolutions" - Simple Firewall Configuration Using NetFilter/iptables
Terminology:
DNAT - Destination Network Address Translation. Changes the destination IP of a packet.
SNAT - Source Network Address Translation. Likewise, changes the source IP of a packet.
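To make the two terms concrete, here is an added example (not from the original post or the guides it links) of a minimal two-interface router using both: SNAT via MASQUERADE for outbound LAN traffic and one DNAT port forward inbound. Interface names, the LAN network, the forwarded port and the internal host are assumed placeholders, and the commands are only printed unless RUN is set to an empty string.

```shell
#!/bin/sh
# Minimal two-interface NAT router. Internal hosts on LAN_IF share the WAN address
# (SNAT, via MASQUERADE) and one inbound TCP port is handed to an internal server
# (DNAT). All names below are placeholders to adjust for the real machine.
# RUN defaults to echo (print only); run as root with RUN= to apply.
RUN=${RUN-echo}
WAN_IF=${WAN_IF:-eth0}                  # interface toward the Internet
LAN_IF=${LAN_IF:-eth1}                  # interface toward the internal network
LAN_NET=${LAN_NET:-192.168.1.0/24}      # internal network
DNAT_PORT=${DNAT_PORT:-80}              # inbound port to forward ...
DNAT_HOST=${DNAT_HOST:-192.168.1.10}    # ... to this internal host

nat_rules() {
    # Routing between interfaces happens only while ip_forward is 1.
    $RUN sysctl -w net.ipv4.ip_forward=1
    # FORWARD policy: nothing crosses the box unless a rule below allows it.
    $RUN iptables -P FORWARD DROP
    # Flows started from the LAN may go out; only their replies may come back in.
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SNAT: outbound LAN packets leave with the WAN interface's address.
    $RUN iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # DNAT: inbound TCP/$DNAT_PORT is rewritten to the internal host before routing,
    # then explicitly allowed through FORWARD as a new flow.
    $RUN iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$DNAT_PORT" \
        -j DNAT --to-destination "$DNAT_HOST"
    $RUN iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$DNAT_HOST" \
        --dport "$DNAT_PORT" -m state --state NEW -j ACCEPT
}

nat_rules
```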
