
iptables(1)

Iptables(8) for a single or gateway host

The IPTABLES configuration below is a template
that can be adapted to the conditions of the
network in which the host is placed.

An outline of the filtering flow:

Initialization:
- enable a few kernel parameters against DoS,
spoofing and redirects.
- default DROP for INBOUND and FORWARDING
(for OUTBOUND it is optional, depending on the
trade-off between security and convenience).
- Flush all rules and delete the hand-made chains
first.
- Create the new chains needed to organize the
filter rules.

Filtering:
- accept packets from loopback unconditionally
- block fragmented packets
- check for packets crafted for scanning purposes and block them
- block the rfc3330 address space (IANA Special-Use IPv4 Addresses)
- check packets against our own blacklist (if portsentry is installed,
put its blacklist entries here); every listed IP address goes to the blackhole
- icmp packets go to a separate chain (ICMP); allow only a few icmp
types, with rate limiting
- block INVALID state packets, i.e. those that do not belong to any
existing connection
- pass packets destined for the opened services to another chain
- pass established packets
- pass packets to the few udp ports used by traceroute

Chains:
- iana, the rfc3330 address space that should be blocked
- scan, filters collected from actual scans performed by nmap
- icmp, allow only:
  pong (echo reply) ICMP type 0,
  dest-unreach (destination unreachable) ICMP type 3,
  source-quench (path mtu discovery) ICMP type 4,
  ping (echo request) ICMP type 8,
  time-exceeded (TTL expiry used by traceroute) ICMP type 11,
  parameter-problem (bad IP header) ICMP type 12
- open, contains the allowed ports/services, _might_need_a_bit_of_tweaking_here_!
- blog, log to syslog and block
- ipsd and psd: ipsd is empty at startup; new entries _should_ be
jumped to the psd chain, where every packet is logged to syslog and blocked
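The scan chain above depends on how iptables evaluates `--tcp-flags MASK COMP`: a packet matches when `(flags & MASK) == COMP`. As an added example (not part of the original template), the shell below models that test and runs the template's SCAN rules over constructed packet flag sets, so you can see why an nmap FIN, NULL or Xmas probe lands in BLOG while an ordinary FIN/ACK close or a plain SYN passes on to the later chains. The `-m limit` rate limits are not modelled.

```shell
# Added example, not part of the original template: model the iptables
# "--tcp-flags MASK COMP" test, which matches when (flags & MASK) == COMP,
# and walk a packet's flags through the template's SCAN chain.
# The "-m limit" rate limits are ignored here; only the flag test is modelled.

# TCP header flag bits (same bit values as in the TCP header).
FIN=1; SYN=2; RST=4; PSH=8; ACK=16; URG=32

# flags_value "FIN,SYN" -> integer bitmask; ALL and NONE as iptables spells them.
flags_value() {
    v=0
    for f in $(echo "$1" | tr ',' ' '); do
        case "$f" in
            FIN) v=$((v|FIN)) ;;  SYN) v=$((v|SYN)) ;;  RST) v=$((v|RST)) ;;
            PSH) v=$((v|PSH)) ;;  ACK) v=$((v|ACK)) ;;  URG) v=$((v|URG)) ;;
            ALL) v=63 ;;          NONE) v=0 ;;
            *)   echo "unknown flag: $f" >&2; return 1 ;;
        esac
    done
    echo "$v"
}

# tcp_flags_match MASK COMP PACKET_FLAGS -> exit 0 if the rule would match.
tcp_flags_match() {
    mask=$(flags_value "$1"); comp=$(flags_value "$2"); pkt=$(flags_value "$3")
    [ $(( pkt & mask )) -eq "$comp" ]
}

# scan_verdict PACKET_FLAGS -> ACCEPT, BLOG (log and reject), or PASS when no
# SCAN rule matched and the packet continues to the IANA/IPSD/ICMP/OPEN checks.
scan_verdict() {
    flags="$1"
    tcp_flags_match SYN,ACK,FIN,RST RST      "$flags" && { echo ACCEPT; return 0; }
    tcp_flags_match SYN,RST         SYN,RST  "$flags" && { echo BLOG;   return 0; }
    tcp_flags_match SYN,FIN         SYN,FIN  "$flags" && { echo BLOG;   return 0; }
    tcp_flags_match SYN,ACK,FIN,RST FIN      "$flags" && { echo BLOG;   return 0; }
    tcp_flags_match ALL NONE                 "$flags" && { echo BLOG;   return 0; }
    tcp_flags_match ALL ALL                  "$flags" && { echo BLOG;   return 0; }
    tcp_flags_match ALL FIN,URG,PSH          "$flags" && { echo BLOG;   return 0; }
    tcp_flags_match ALL FIN,SYN,URG,PSH      "$flags" && { echo BLOG;   return 0; }
    echo PASS
}

# Constructed probes: nmap FIN scan, NULL scan, Xmas scan, then a normal
# SYN, a FIN/ACK close and a bare RST for comparison.
for probe in FIN NONE FIN,PSH,URG SYN FIN,ACK RST; do
    printf '%-12s -> %s\n' "$probe" "$(scan_verdict "$probe")"
done
```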



References:
[x] Netfilter
http://netfilter.samba.org

[x] FAQ: Firewall Forensics
http://www.robertgraham.com/pubs/firewall-seen.html

[x] Rob Thomas, Documentation Collection
http://www.cymru.com/Documents/index.html

Todo:

======================================================================

#!/bin/sh
#
# $Id: iptables,v 1.1 2004/03/15 10:53:37 oblek Exp $
#
#
# Linux Iptables
# configured specifically for single host
# note: snapshot of 'iptables -L' attached at the end
#
# Tue Nov 19 08:58:16 JAVT 2002 oblek@lug.stikom.edu
# Configured specifically for lug.stikom.edu
#
# Tue Feb 10 15:41:21 WIT 2004 diyan@mitra.net.id
# Modified as template
#
# Thu May 20 12:58:26 WIT 2004 diyan@mitra.net.id
# Modified to support packet forwarding (router)

# HINT! HINT! HINT!
# Unless you know what you are doing, you only
# need to edit OPEN and FORWARD_OPEN chains! trust me.
# if you are doing some NAT, you must add/edit it yourself.

PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Backup current iptables rules to ~/tmp/iptables-save-<date>.bak
if [ ! -d ~/tmp ]; then
mkdir ~/tmp
fi
if [ -f /etc/sysconfig/iptables ]; then
BACKUP=~/tmp/iptables-save-`date +%F-%H_%M`.bak
cp /etc/sysconfig/iptables $BACKUP
echo "current /etc/sysconfig/iptables backed up to $BACKUP"
fi

# Take some network parameters from /etc/sysconfig
# FIXME: at the moment only a single interface (eth0) is handled
if [ -f /etc/sysconfig/network-scripts/ifcfg-eth0 ]; then
. /etc/sysconfig/network-scripts/ifcfg-eth0
NETWORK=`ipcalc -n $IPADDR/$NETMASK | cut -d= -f2`
BROADCAST=`ipcalc -b $IPADDR/$NETMASK | cut -d= -f2`
else
echo "Woops! network is not configured in this host"
exit 1
fi


###### INIT BEGIN ###############################################

# /usr/src/linux/Documentation/networking/ip-sysctl.txt -- READ IT!
# Write the kernel settings to a snippet, apply it now, and append it to
# /etc/rc.local once (not on every run) so it survives a reboot.
# The heredoc delimiter is quoted so that "$x" in the loop below is written
# literally instead of being expanded (to nothing) while the file is generated.
SYSCTL_SNIPPET=~/tmp/ipv4-hardening.sh
cat <<'EOF' >$SYSCTL_SNIPPET
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

for x in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $x
done
EOF
sh $SYSCTL_SNIPPET
grep -q icmp_ignore_bogus_error_responses /etc/rc.local 2>/dev/null || \
cat $SYSCTL_SNIPPET >>/etc/rc.local

# default deny stance:
# everything that is not explicitly allowed is blocked
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# flush all rules first
iptables -F

# delete hand-made chains
iptables -X

# every packet is interrogated in IANA room
iptables -N IANA

# blacklist tests, hint: portsentry entries
iptables -N IPSD
iptables -N PSD

# SCAN checks chain
iptables -N SCAN

# Allowed services chain
iptables -N OPEN

# block and log
iptables -N BLOG

# icmp packets go to their own chain
iptables -N ICMP

# allowed forwarded packets
iptables -N FORWARD_OPEN

###### INIT END ##################################################

##### BUCKLE UP!!! FASTEN YOUR SEATBELT ##########################
# loopback is good
iptables -A INPUT -i lo -j ACCEPT

# block fragmented packets
iptables -A INPUT -f -j BLOG

# check for crafted scan packets
iptables -A INPUT -j SCAN

# IANA then IPSD
iptables -A INPUT -j IANA
iptables -A INPUT -j IPSD
iptables -A INPUT -p icmp -j ICMP

# where do you think you're going?
iptables -A INPUT -m state --state INVALID -j BLOG

# packets of connections we initiated, or that already passed the filters
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

# knock, knock...
iptables -A INPUT -j OPEN

# if you provide forwarding
# these jumps mirror the INPUT chain above, with the allowed
# services taken from FORWARD_OPEN instead of OPEN
iptables -A FORWARD -f -j BLOG
iptables -A FORWARD -j SCAN
iptables -A FORWARD -j IANA
iptables -A FORWARD -p icmp -j ICMP
iptables -A FORWARD -m state --state INVALID -j BLOG
iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j IPSD
iptables -A FORWARD -j FORWARD_OPEN

#### IANA ########################################################

# IANA interrogation chains (rfc3330)
iptables -A IANA -s 10.0.0.0/8 -j BLOG
iptables -A IANA ! -i lo -s 127.0.0.0/8 -j BLOG
#iptables -A IANA -s 172.16.0.0/12 -j BLOG
iptables -A IANA -s 192.168.0.0/16 -j BLOG
#
iptables -A IANA -s 14.0.0.0/8 -j BLOG
iptables -A IANA -s 24.0.0.0/8 -j BLOG
iptables -A IANA -s 39.0.0.0/8 -j BLOG
iptables -A IANA -s 128.0.0.0/16 -j BLOG
iptables -A IANA -s 169.254.0.0/16 -j BLOG
iptables -A IANA -s 191.255.0.0/16 -j BLOG
iptables -A IANA -s 192.0.2.0/24 -j BLOG
iptables -A IANA -s 192.88.99.0/24 -j BLOG
iptables -A IANA -s 192.18.0.0/15 -j BLOG
iptables -A IANA -s 223.255.255.0/24 -j BLOG
iptables -A IANA -s 224.0.0.0/4 -j BLOG
iptables -A IANA -s 240.0.0.0/4 -j BLOG

# smurf, broadcast and network address
iptables -A IANA -s 255.255.255.255 -j BLOG
iptables -A IANA -s ${NETWORK}/32 -j BLOG
iptables -A IANA -s ${BROADCAST}/32 -j BLOG

#### SCAN ########################################################

# block insane/stealthy packet behaviour
iptables -A SCAN -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A SCAN -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 1/s -j BLOG
iptables -A SCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 1/s -j BLOG
iptables -A SCAN -p tcp --tcp-flags SYN,ACK,FIN,RST FIN -m limit --limit 1/s -j BLOG
iptables -A SCAN -p tcp --tcp-flags ALL NONE -m limit --limit 1/s -j BLOG
iptables -A SCAN -p tcp --tcp-flags ALL ALL -m limit --limit 1/s -j BLOG
iptables -A SCAN -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 1/s -j BLOG
iptables -A SCAN -p tcp --tcp-flags ALL FIN,SYN,URG,PSH -m limit --limit 1/s -j BLOG

# TCP option kinds 64 and 128 are not used by any standard TCP extension
# and only show up in crafted packets. Note that loose/strict source
# routing (LSRR/SSRR) are IP options, not TCP options; those are already
# refused by accept_source_route=0 in the kernel parameters above.
# http://www.google.com/search?q=loose+source+routing+block
iptables -A SCAN -p tcp --tcp-option 64 -m limit --limit 1/s -j BLOG
iptables -A SCAN -p tcp --tcp-option 128 -m limit --limit 1/s -j BLOG

#### ICMP ########################################################

# these are considered harmless if not overdosed :)
iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A ICMP -p icmp --icmp-type pong -j ACCEPT
iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
iptables -A ICMP -p icmp --icmp-type ping -j ACCEPT
iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A ICMP -p icmp -m limit --limit 1/sec -j LOG --log-level debug --log-prefix "[ICMP] "
iptables -A ICMP -p icmp -j DROP

#### OPEN ########################################################

# NOC network
# NOC @ Petra
iptables -A OPEN -p tcp --syn -s 202.43.252.0/24 -j ACCEPT
iptables -A OPEN -p udp -s 202.43.252.0/24 -j ACCEPT
# NOC @ Dharmala
iptables -A OPEN -p tcp --syn -s 202.43.249.128/27 -j ACCEPT
iptables -A OPEN -p udp -s 202.43.249.128/27 -j ACCEPT
# NOC ???
iptables -A OPEN -p tcp --syn -s 172.17.0.0/16 -j ACCEPT
iptables -A OPEN -p udp -s 172.17.0.0/16 -j ACCEPT
iptables -A OPEN -p tcp --syn -s 172.27.0.0/16 -j ACCEPT
iptables -A OPEN -p udp -s 172.27.0.0/16 -j ACCEPT

# kids and pets are ok
#iptables -A OPEN -p tcp --syn --dport ftp -j ACCEPT
iptables -A OPEN -p tcp --syn --dport ssh -j ACCEPT
#iptables -A OPEN -p tcp --syn --dport telnet -j ACCEPT
#iptables -A OPEN -p tcp --syn --dport smtp -j ACCEPT
#iptables -A OPEN -p tcp --syn --dport http -j ACCEPT
#iptables -A OPEN -p tcp --syn --dport pop3 -j ACCEPT
#iptables -A OPEN -p tcp --syn --dport auth -j ACCEPT
#iptables -A OPEN -p tcp --syn --dport imap -j ACCEPT
#iptables -A OPEN -p tcp --syn --dport smux -j ACCEPT
#iptables -A OPEN -p tcp --syn --dport https -j ACCEPT
#iptables -A OPEN -p tcp --syn --dport mysql ! -s ${IPADDR} -j BLOG
#iptables -A OPEN -p udp --dport domain -j ACCEPT
#iptables -A OPEN -p udp --dport snmp -j ACCEPT
# allow traceroute to work
iptables -A OPEN -p udp -m state --state NEW --dport 33343:33690 -j ACCEPT

# forwarding rules, define your rules here!
# hint: block netbios ports? worms? other malware ports
iptables -A FORWARD_OPEN -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -A FORWARD_OPEN -p udp -m udp -j ACCEPT

#### BLOG ########################################################

# log to syslog and drop it to the floor
iptables -A BLOG -m limit --limit 1/s -j LOG --log-level debug --log-prefix "[WARN] "
iptables -A BLOG -p tcp -j REJECT --reject-with tcp-reset
iptables -A BLOG -j DROP

#### PSD #########################################################

# going to blackhole Mr. Jones?
iptables -A PSD -m limit --limit 1/s -j LOG --log-level debug --log-prefix "[PSD] "
iptables -A PSD -p tcp -j REJECT --reject-with tcp-reset
iptables -A PSD -j DROP

#### MISC ########################################################

# take the pills and shut up!
#iptables -A OUTPUT -m owner --gid-owner 5154 -p tcp --dport 21 -j REJECT
#iptables -A OUTPUT -m owner --gid-owner 5154 -p tcp --dport 80 -j REJECT


# Now save it to /etc/sysconfig/iptables
/sbin/service iptables save && \
/sbin/chkconfig iptables on && \
echo "Everything seems to be Ok, now you may need to tweak /etc/sysconfig/iptables"

############## see it for yourself, how it flows ###############################
#
# Chain INPUT (policy DROP)
# target prot opt source destination
# ACCEPT all -- anywhere anywhere
# BLOG all -f anywhere anywhere
# SCAN all -- anywhere anywhere
# IANA all -- anywhere anywhere
# IPSD all -- anywhere anywhere
# ICMP icmp -- anywhere anywhere
# BLOG all -- anywhere anywhere state INVALID
# ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
# ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
# OPEN all -- anywhere anywhere
#
# Chain FORWARD (policy DROP)
# target prot opt source destination
# BLOG all -f anywhere anywhere
# SCAN all -- anywhere anywhere
# IANA all -- anywhere anywhere
# ICMP icmp -- anywhere anywhere
# BLOG all -- anywhere anywhere state INVALID
# ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
# ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
# IPSD all -- anywhere anywhere
# FORWARD_OPEN all -- anywhere anywhere
#
# Chain OUTPUT (policy ACCEPT)
# target prot opt source destination
#
# Chain BLOG (31 references)
# target prot opt source destination
# LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level debug prefix `[WARN] '
# REJECT tcp -- anywhere anywhere reject-with tcp-reset
# DROP all -- anywhere anywhere
#
# Chain FORWARD_OPEN (1 references)
# target prot opt source destination
# ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
# ACCEPT udp -- anywhere anywhere udp
#
# Chain IANA (2 references)
# target prot opt source destination
# BLOG all -- 10.0.0.0/8 anywhere
# BLOG all -- 127.0.0.0/8 anywhere
# BLOG all -- 192.168.0.0/16 anywhere
# BLOG all -- 14.0.0.0/8 anywhere
# BLOG all -- 24.0.0.0/8 anywhere
# BLOG all -- 39.0.0.0/8 anywhere
# BLOG all -- 128.0.0.0/16 anywhere
# BLOG all -- 169.254.0.0/16 anywhere
# BLOG all -- 191.255.0.0/16 anywhere
# BLOG all -- 192.0.2.0/24 anywhere
# BLOG all -- 192.88.99.0/24 anywhere
# BLOG all -- 192.18.0.0/15 anywhere
# BLOG all -- 223.255.255.0/24 anywhere
# BLOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere
# BLOG all -- 240.0.0.0/4 anywhere
# BLOG all -- 255.255.255.255 anywhere
# BLOG all -- zinc.mitra.net.id anywhere
# BLOG all -- nitrous.mitra.net.id anywhere
#
# Chain ICMP (2 references)
# target prot opt source destination
# ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
# ACCEPT icmp -- anywhere anywhere icmp echo-reply
# ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
# ACCEPT icmp -- anywhere anywhere icmp source-quench
# ACCEPT icmp -- anywhere anywhere icmp echo-request
# ACCEPT icmp -- anywhere anywhere icmp time-exceeded
# ACCEPT icmp -- anywhere anywhere icmp parameter-problem
# LOG icmp -- anywhere anywhere limit: avg 1/sec burst 5 LOG level debug prefix `[ICMP] '
# DROP icmp -- anywhere anywhere
#
# Chain IPSD (2 references)
# target prot opt source destination
#
# Chain OPEN (1 references)
# target prot opt source destination
# ACCEPT tcp -- 202.43.252.0/24 anywhere tcp flags:SYN,RST,ACK/SYN
# ACCEPT udp -- 202.43.252.0/24 anywhere
# ACCEPT tcp -- 202.43.249.128/27 anywhere tcp flags:SYN,RST,ACK/SYN
# ACCEPT udp -- 202.43.249.128/27 anywhere
# ACCEPT tcp -- 172.17.0.0/16 anywhere tcp flags:SYN,RST,ACK/SYN
# ACCEPT udp -- 172.17.0.0/16 anywhere
# ACCEPT tcp -- 172.27.0.0/16 anywhere tcp flags:SYN,RST,ACK/SYN
# ACCEPT udp -- 172.27.0.0/16 anywhere
# ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
# ACCEPT udp -- anywhere anywhere state NEW udp dpts:33343:33690
#
# Chain PSD (0 references)
# target prot opt source destination
# LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level debug prefix `[PSD] '
# REJECT tcp -- anywhere anywhere reject-with tcp-reset
# DROP all -- anywhere anywhere
#
# Chain SCAN (2 references)
# target prot opt source destination
# ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
# BLOG tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 1/sec burst 5
# BLOG tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 1/sec burst 5
# BLOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/FIN limit: avg 1/sec burst 5
# BLOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 1/sec burst 5
# BLOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 1/sec burst 5
# BLOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 1/sec burst 5
# BLOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH,URG limit: avg 1/sec burst 5
# BLOG tcp -- anywhere anywhere tcp option=64 limit: avg 1/sec burst 5
# BLOG tcp -- anywhere anywhere tcp option=128 limit: avg 1/sec burst 5
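Every block in this template goes through a LOG rule first, and the prefix tells you which chain fired: "[WARN] " comes from BLOG (scan, IANA bogon, fragment and INVALID hits), "[ICMP] " from the ICMP chain and "[PSD] " from the portsentry blackhole. As an added example (not part of the original template), the shell below reduces those syslog lines to a per-chain, per-source summary; it assumes the standard netfilter LOG line format and uses constructed sample lines (documentation-range addresses, a made-up host "fw") rather than a real capture.

```shell
# Added example, not part of the original template: summarise what the
# template's LOG rules write to syslog. BLOG tags lines "[WARN] ", the ICMP
# chain "[ICMP] " and PSD "[PSD] ", so the prefix tells you which chain fired.
# The sample below is constructed, not a real capture.
SAMPLE_LOG='Mar 15 10:53:37 fw kernel: [WARN] IN=eth0 OUT= SRC=10.1.2.3 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=0 RES=0x00 SYN URGP=0
Mar 15 10:53:38 fw kernel: [WARN] IN=eth0 OUT= SRC=10.1.2.3 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=0 RES=0x00 FIN URGP=0
Mar 15 10:53:39 fw kernel: [ICMP] IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=ICMP TYPE=13 CODE=0
Mar 15 10:53:40 fw kernel: [PSD] IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=5000 DPT=23 WINDOW=0 RES=0x00 SYN URGP=0
Mar 15 10:53:41 fw kernel: some unrelated kernel message'

# summarize_blocks: read netfilter LOG lines on stdin and print
#   PREFIX SRC PROTO DPT COUNT
# per (chain, source, port) triple, busiest first. For ICMP the DPT column
# holds the ICMP type instead, since that is what the ICMP chain filters on.
summarize_blocks() {
    awk '
        /\[(WARN|ICMP|PSD)\] IN=/ {
            prefix = ""; src = ""; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^\[(WARN|ICMP|PSD)\]$/) prefix = $i
                else if ($i ~ /^SRC=/)   src   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                else if ($i ~ /^TYPE=/)  dpt   = "type" substr($i, 6)
            }
            if (prefix != "" && src != "") count[prefix " " src " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k5,5nr -k1,1 -k2,2
}

# psd_sources: the hosts that hit the PSD blackhole chain, one per line,
# i.e. addresses already listed in IPSD that are still knocking.
psd_sources() {
    awk '/\[PSD\] IN=/ { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5) }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | summarize_blocks
```

Feed it `grep kernel: /var/log/messages` on a host running this template; the "[WARN]" rows with a 10/8, 192.168/16 or other bogon source are IANA chain hits, which usually point at spoofed traffic or a misconfigured upstream rather than a real host.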