Please check the following and tell me what I should take off, and
what I should add in order to be the safest possible.
I'm sure that there is some redundancy, but I need your expertise. THANKS.
We are in an institution where students are trying to hack the server.
Quote:
[root@serveur ~]# iptables -L OUTPUT -n --line-numbers
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21 state NEW
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:1024:65535 state NEW
7 ACCEPT all -- 192.168.0.0/24 0.0.0.0/0
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Another thing which is very embarrassing is that many students are using torrents for downloading things which have nothing to do with their lectures. How to fix that? (We are using Squid, but some web proxies are just passing through; HTTPS is also another problem since we can't stop it, it is needed for logging, for example.)
Thanks a lot
red
Last edited by hermouche; 29th October 2011 at 09:37 PM.
Reason: to close
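An added audit script, not from the thread, that parses the `iptables -L OUTPUT -n --line-numbers` listing quoted above (embedded here as the sample) and reports catch-all ACCEPT rules that make a DROP policy meaningless, plus any rules left unreachable behind them. It only sees what `-L` shows: without `-v` the in/out interface column is hidden, so a rule such as `-o lo -j ACCEPT` is listed exactly like an accept-everything rule, and the script says so in its finding.

```python
"""Audit an `iptables -L <chain> -n --line-numbers` listing for ACCEPT rules
that override the chain's DROP policy. Added example, not code from the thread."""
import re

# Constructed from the OUTPUT chain listing quoted in the post above.
SAMPLE = """\
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:80
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp spts:1024:65535 dpt:443
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21 state NEW
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:1024:65535 state NEW
7 ACCEPT all -- 192.168.0.0/24 0.0.0.0/0
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
"""

# num target prot opt source destination [extra match text]
RULE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_listing(text):
    """Return (chain, policy, rules); each rule is a dict of the listed columns."""
    lines = text.strip().splitlines()
    head = re.match(r"Chain (\S+) \(policy (\S+)\)", lines[0])
    rules = []
    for line in lines[2:]:          # lines[1] is the column header
        m = RULE.match(line)
        if m:
            num, target, prot, src, dst, extra = m.groups()
            rules.append(dict(num=int(num), target=target, prot=prot,
                              src=src, dst=dst, extra=extra.strip()))
    return head.group(1), head.group(2), rules

def is_catch_all(rule):
    """Any protocol, any source, any destination, no further match text.
    `-L` without `-v` hides -i/-o, so `-i lo -j ACCEPT` looks exactly like this."""
    return (rule["prot"] == "all" and rule["src"] == "0.0.0.0/0"
            and rule["dst"] == "0.0.0.0/0" and not rule["extra"])

def audit(text):
    """Return findings: the first catch-all ACCEPT and every rule shadowed by it."""
    chain, policy, rules = parse_listing(text)
    findings = []
    for i, r in enumerate(rules):
        if r["target"] == "ACCEPT" and is_catch_all(r):
            findings.append(f"{chain} rule {r['num']}: ACCEPT all/anywhere overrides the "
                            f"{policy} policy (or is interface-bound, hidden by -L without -v)")
            findings += [f"{chain} rule {x['num']}: unreachable after rule {r['num']}"
                         for x in rules[i + 1:]]
            break
    return findings
```

Run it against `iptables -L INPUT -v -n --line-numbers` output too and the `in`/`out` columns will tell a loopback rule apart from a real accept-everything rule.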
I would like to DROP the INPUT chain (actually it is already dropped), but which commands should I put inside in order to let HTTP, DNS, HTTPS and SSH pass through?
Well, it depends on what "let through" means. If you only want to forward, then for all intents and purposes it's all in the nat table. Yes, you still lock down In and Out. So, for example:
But Squid, dnsmasq... would seem logical. You'll have to forgive me because I don't know how comfortable you are with iptables, so I just copied and edited some rules as examples. Just some ideas. Yeah, you'd edit the sport, dports, and subnets as needed. For example, dropping 0.0.0.0 will break dhcpd. Assuming you ran it from here, i.e.,
filter
Example of logging
Code:
###
# * eth0 *
# * Public NIC
###
-A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "eth0 Spoofed source IP"
-A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
filter
examples from a home pc
Code:
# *** Unlimited on the loopback interface
#
# * lo *
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Previously initiated and accepted exchanges bypass rule checking
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# ICMP requests
-A INPUT -p ICMP --icmp-type echo-request -j ACCEPT
-A INPUT -p ICMP --icmp-type echo-reply -j ACCEPT
-A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
-A OUTPUT -p ICMP --icmp-type echo-reply -j ACCEPT
#
# Dropping Known Attacks
#
#... Make sure NEW incoming tcp connections are SYN packets
#... Packets with incoming fragments
#... Incoming malformed XMAS packets
#... Incoming malformed NULL packets
#
# killing squid. need to identify alternate methods.
# -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# -A INPUT -f -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# ==================================================================================
# ****
# **** WAN POLICY (eth0)
# ****
# **** - Squid relaying remotes for everyone @ here
# **** - OpenVPN Access Server. LAN not permitted to connect
# **** - OpenVPN. Remote Connections. LAN not permitted to connect
# ***
# ===================================================================================
# HTTP
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
# OpenVPN
-A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 1196 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 58000 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 58001 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 58002 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 58003 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 58004 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 58005 -j ACCEPT
# OpenVPN AS
# Negation goes before the option (`! -s`); the older `-s !` form is deprecated
-A INPUT -i eth0 ! -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 ! -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 943 -j ACCEPT
-A INPUT -i eth0 ! -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 946 -j ACCEPT
-A INPUT -i eth0 ! -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 947 -j ACCEPT
-A INPUT -i eth0 ! -s 192.168.167.201/24 -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
# Drop the rest
# =======================================
-A INPUT -i eth0 -j REJECT
-A OUTPUT -o eth0 -j REJECT
# =======================================================================================
# ****
# **** LAN POLICY (eth1)
# ****
# **** - Samba as remote file server. Accessible only to Remote and LAN
# **** - SSH from LAN
# **** - GDM & XRDP available for remote desktop
# ****
# ****
# ****
# =========================================================================================
# Samba
# Accessible only to vpn and bound to eth1.
-A INPUT -i eth1 -s 192.168.167.201,10.221.30.0/24,10.208.16.0/24 -m tcp -p tcp --dport 135 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201,10.221.30.0/24,10.208.16.0/24 -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201,10.221.30.0/24,10.208.16.0/24 -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201,10.221.30.0/24,10.208.16.0/24 -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201,10.221.30.0/24,10.208.16.0/24 -m udp -p udp --dport 138 -j ACCEPT
# SSH
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# GDM
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m udp -p udp --dport 177 -j ACCEPT
# XRDP
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 3389 -j ACCEPT
# VSFTP
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# NTOP Web Access
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 3001 -j ACCEPT
# Vpn Management Ports
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 58101 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 58102 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 58103 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 58104 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 58105 -j ACCEPT
# BackupPC
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
# WebCal
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 8008 -j ACCEPT
-A INPUT -i eth1 -s 192.168.167.201/24 -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
# Drop the rest
# =======================================
-A INPUT -i eth1 -j REJECT
-A OUTPUT -o eth1 -j REJECT
Oops, I'm sorry, but you are going very fast.
I'm not an expert, sorry.
We don't have any web server or any application to protect.
Basically, we have a LAN (about 100 students) and a gateway (PC) with two NICs:
eth0 ---> connected to a modem/router ----> then to the web
eth1 ----> is our LAN
We want to be able to go to the web both from the LAN and from the gateway (WAN).
It's all trial and error so you'll have to slug at it but here's a starting point. Attached is a pic loading it through system-config-firewall (custom rules, filter table). I put in some notes and structure. But, like I said, it's trial and error.
Assuming:
- no NAT between network on eth0 and network on eth1. Done at modem/router.
- modem/router knows the route back to eth1
- dns and squid runs on modem/router
- squid handling ssl and non-ssl (447 & 80)
- I tossed out some networks/24. I hope it's clear
Thank you very much, beaker, for your perseverance.
I would like you, if you don't mind, to PLEASE look at the following and just tell me what I should write inside the INPUT chain without touching the following OUTPUT, FORWARD, PREROUTING and POSTROUTING chains.
The objective is to reach the outside world ("web") both from the LAN (eth1) and from the gateway (eth0).
Do we have to allow local connections with the following:
Quote:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Because, if I erase them, I don't reach the web either from the LAN or from the firewall!!
Is that normal? Moreover, the following is the result when we allow local connections, "just an extract":
So while allowing the local connection, the result, as we can see, NEGATES the DROP policy for both OUTPUT and INPUT, which means as far as I know that I am telling it to accept everything from anywhere (it's as if I said the policy is ACCEPT for both OUTPUT and INPUT!!!)
So what's the point of DROP for "INPUT and OUTPUT", since just after it says accept from anywhere to anywhere!!!!
So I'm really confused here ....
red
Last edited by hermouche; 3rd November 2011 at 05:28 AM.
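An added example, not code from the thread, of the INPUT chain for the two-NIC gateway described in this thread (eth0 towards the modem/router, eth1 the student LAN), leaving OUTPUT, FORWARD and the nat chains untouched. The LAN subnet 192.168.1.0/24 is a placeholder, and the resolver/Squid rules assume those services run on the gateway itself; the script prints the commands by default and only applies them when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands by default;
# run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # placeholder: replace with the real LAN subnet

gateway_input_rules() {
    $IPT -P INPUT DROP
    $IPT -F INPUT
    # Loopback: the resolver, proxy and other local daemons talk to each other
    # over lo, so without this the gateway cannot even resolve names for itself.
    # `iptables -L` without -v hides -i/-o, which is why this rule is listed as
    # "ACCEPT all -- anywhere anywhere" although it only matches lo.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections the gateway opened itself (web, DNS) arrive via
    # INPUT; this rule, not a catch-all, is what lets browsing from it work.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot associate with any connection are dropped early.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Management: SSH from the LAN side only, never from eth0.
    $IPT -A INPUT -i eth1 -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Let LAN hosts ping the gateway for troubleshooting.
    $IPT -A INPUT -i eth1 -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT
    # Only needed when the gateway itself runs the resolver and Squid for the
    # LAN (3128 is Squid's default port; adjust if yours differs).
    $IPT -A INPUT -i eth1 -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i eth1 -s "$LAN_NET" -p tcp --dport 3128 -m state --state NEW -j ACCEPT
    # Everything else falls through to the DROP policy; log it (rate limited)
    # so probes from the LAN show up in the kernel log.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

gateway_input_rules
```

Check the result with `iptables -L INPUT -v -n --line-numbers`; the `in` column then shows `lo` and `eth1` on the rules that `-L` alone would display as "anywhere".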