
Wednesday, August 30, 2017

CentOS: iptables

This worked!

Command:

# cat /etc/sysconfig/iptables


Result:

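# IPv4 filter table in iptables-restore format.
# Note: these rules cover IPv4 only; IPv6 is filtered separately by ip6tables.

# (1) Default policies: drop inbound and forwarded traffic, allow outbound.
*filter
:INPUT   DROP   [0:0]
:FORWARD DROP   [0:0]
:OUTPUT  ACCEPT [0:0]

# (2) Allow loopback traffic (the host talking to itself).
-A INPUT -i lo -j ACCEPT

# (3) Drop TCP packets that carry no flags at all ("null" packets).
# No valid TCP segment looks like this.
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# (4) Drop TCP packets that connection tracking classifies as NEW but that
# are not a SYN. A legitimate new connection always starts with a SYN.
# (This filters malformed openers; it does not rate-limit SYN floods.)
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# (5) Drop TCP packets with every flag set ("Xmas" packets), another
# invalid flag combination.
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# (6) ICMP echo-request (ping), rate-limited per source IP with hashlimit.
#   -m hashlimit                      use the hashlimit match
#   --hashlimit-name t_icmp           name of the hash table entry
#                                     (/proc/net/ipt_hashlimit/t_icmp)
#   --hashlimit 1/m                   sustained rate: 1 packet per minute
#   --hashlimit-burst 10              up to 10 packets match before the
#                                     sustained rate applies
#   --hashlimit-mode srcip            keep one counter per source IP
#   --hashlimit-htable-expire 120000  idle table entries expire after this
#                                     many milliseconds
# Packets over the limit do not match and fall through to the DROP policy.
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name t_icmp --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT

# (7) Accept packets that belong to, or are related to, a connection that is
# already tracked, regardless of port.
# No "-p tcp" here: with it, UDP replies and RELATED ICMP errors (for
# example "fragmentation needed") would never match this rule.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# (8) DNS replies to queries sent by this host are ESTABLISHED traffic and
# are accepted by rule (7).
# A stateless "-p udp --sport 53 -j ACCEPT" is deliberately not used: it
# would accept any UDP datagram whose source port is 53, to any local port,
# whether or not this host asked for it.

# (9) SSH: accept new connections to port 22, rate-limited per source IP.
# The hashlimit options have the same meaning as in (6); the table name
# here is t_sshd. SYNs over the limit fall through to the DROP policy.
-A INPUT -p tcp -m state --syn --state NEW --dport 22 -m hashlimit --hashlimit-name t_sshd --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT

# (10) Individually allowed protocols and ports go here.
# This example allows HTTP (TCP 80) and HTTPS (TCP 443).
-A INPUT -p tcp --dport 80   -j ACCEPT
-A INPUT -p tcp --dport 443  -j ACCEPT

COMMIT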


Reference:

http://knowledge.sakura.ad.jp/beginner/4048/

CentOS: iptables: Fixing Webserver Accessibility (How secure now?)

Command:

# diff /etc/sysconfig/iptables /etc/sysconfig/iptables.org


Result:

1c1,2
< # Generated by iptables-save v1.4.7 on Wed Aug 30 00:09:28 2017
---
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
3,11c4,12
< :INPUT DROP [0:0]
< :FORWARD DROP [0:0]
< :OUTPUT ACCEPT [24:2320]
< -A INPUT -i lo -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
< -A INPUT -p udp -m udp --dport 53 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
---
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
13d13
< # Completed on Wed Aug 30 00:09:28 2017
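Review bot: The live file (the `<` side) has no `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` rule, which the original (`>` side) carried; with `:INPUT DROP` nothing else admits reply packets for connections the server itself opens, so its own DNS lookups and package downloads would likely time out. I would add that rule back directly after `-A INPUT -i lo -j ACCEPT`. The two `--dport 53` rules open inbound DNS to every source, which is needed only if this host runs a DNS server; if they were meant to let DNS answers back in, the stateful rule covers that and they can be removed. ICMP is no longer accepted either, so ping and path-MTU error messages are dropped; the RELATED state would restore the latter.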


Reference:

http://programmerbox.com/2013-12-24_vps_construct_procedure_manual/

Tuesday, August 29, 2017

CentOS: iptables: Opening HTTP and HTTPS Ports

Command:

# diff /etc/sysconfig/iptables /etc/sysconfig/iptables.org


Result:

13,14d12
< -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
< -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT


Command:

# service iptables restart


Result:

iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

Monday, July 25, 2016

CentOS: iptables

Command:

# cat ./set_firewall

Result:

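#!/bin/bash
#
# set_firewall: replace the IPv4 filter-table rules with a default-deny
# inbound policy that allows ICMP, loopback, HTTP (80) and SSH (22).
#
# Scope and caveats:
#   - Only the IPv4 "filter" table is changed. IPv6 traffic is governed by
#     ip6tables and is not touched here.
#   - Rules are applied to the running kernel only. iptables-save at the end
#     prints them to stdout; nothing is written to disk, so the rules do not
#     survive a reboot unless they are saved separately.
#   - NOTE(review): if another firewall manager (e.g. firewalld) is active,
#     it may replace these rules when it reloads - confirm before relying
#     on this script.
#   - The INPUT policy becomes DROP before the SSH rule is appended. Keep
#     console access available when running this over SSH, in case a later
#     command fails.

# Stop at the first failing command instead of continuing with a
# half-applied rule set and printing it as if it were complete.
set -euo pipefail

# iptables needs root; fail early with one clear message.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "set_firewall: must be run as root" >&2
  exit 1
fi

# Flush all the chains in filter (default) table.
iptables -F

# Attempt to delete every non-builtin chain in filter (default) table.
iptables -X

# Default policies: drop inbound and forwarded packets, allow outbound.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Accept all ICMP (Internet Control Message Protocol), which includes ping.
# No type filter or rate limit is applied.
iptables -A INPUT -p icmp -j ACCEPT

# Accept everything arriving on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT

# Accept TCP to port 80 (HTTP) from any source.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Accept TCP to port 22 (SSH) from any source.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Accept packets that belong to, or are related to, an already tracked
# connection (replies to traffic this host started).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Dump iptables rules to stdout (for review only; this does not persist them).
iptables-save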


Command:

# ./set_firewall

Result:

# Generated by iptables-save v1.4.21 on Tue May 24 23:44:34 2016
*nat
:PREROUTING ACCEPT [41489:3695453]
:INPUT ACCEPT [15:960]
:OUTPUT ACCEPT [628:160830]
:POSTROUTING ACCEPT [628:160830]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o enp0s3 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i enp0s3 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Tue May 24 23:44:34 2016
# Generated by iptables-save v1.4.21 on Tue May 24 23:44:34 2016
*mangle
:PREROUTING ACCEPT [58667:5285859]
:INPUT ACCEPT [58666:5285283]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28814:3788418]
:POSTROUTING ACCEPT [28814:3788418]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i enp0s3 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Tue May 24 23:44:34 2016
# Generated by iptables-save v1.4.21 on Tue May 24 23:44:34 2016
*security
:INPUT ACCEPT [17193:1591366]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28814:3788418]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue May 24 23:44:34 2016
# Generated by iptables-save v1.4.21 on Tue May 24 23:44:34 2016
*raw
:PREROUTING ACCEPT [58667:5285859]
:OUTPUT ACCEPT [28814:3788418]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Tue May 24 23:44:34 2016
# Generated by iptables-save v1.4.21 on Tue May 24 23:44:34 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue May 24 23:44:34 2016


Command:

# iptables -L -v

Result:

Chain INPUT (policy DROP 4 packets, 128 bytes)
 pkts bytes target     prot opt in     out     source               destination      
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere          
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere          
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
   57  3900 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination      

Chain OUTPUT (policy ACCEPT 29 packets, 7336 bytes)
 pkts bytes target     prot opt in     out     source               destination

Sunday, June 26, 2016

iptables: Setting Up iptables: Accept Only Output and Reject Input

Command (Checking current settings for iptables):

$ sudo iptables -L -v
[sudo] password for username:

Result:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination      

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination      

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


Command (Create a script):

$ cat ~/bin/set_firewall

Result:

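#!/bin/bash
#
# Reset the IPv4 filter table to: drop inbound/forwarded traffic, allow
# outbound, and accept ICMP, loopback, HTTP (80) and SSH (22).
# IPv6 (ip6tables) is not touched by this script.

# Abort on the first failing command rather than printing a partial rule set.
set -euo pipefail

# iptables needs root; fail early with one clear message.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "set_firewall: must be run as root" >&2
  exit 1
fi

# Delete all existing rules and user-defined chains in the filter table
iptables -F
iptables -X

# Default policies
# (INPUT becomes DROP before the SSH rule below is added; keep console
# access available when running this over SSH.)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Accept ICMP (ping and all other ICMP types; no rate limit)
iptables -A INPUT -p icmp -j ACCEPT

# Accept loopback
iptables -A INPUT -i lo -j ACCEPT

# Open the ports in use: HTTP (80) and SSH (22), from any source
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# After a session is established, let its packets through
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Print the resulting rules to stdout. This does not save them: nothing is
# written to disk, so the rules are lost on reboot unless persisted separately.
iptables-save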


Command (Add execute permission):

$ sudo chmod +x ./set_firewall 


Command (Execute the script):

$ sudo ./set_firewall 

Result:

# Generated by iptables-save v1.6.0 on Sun Jun 26 11:24:41 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Jun 26 11:24:41 2016


Command (Checking current settings for iptables):

$ sudo iptables -L -v
[sudo] password for username:

Result:

Chain INPUT (policy DROP 376K packets, 21M bytes)
 pkts bytes target     prot opt in     out     source               destination        
  262 15437 ACCEPT     icmp --  any    any     anywhere             anywhere          
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere          
  637 35360 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
17217 2332K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 17561 packets, 3529K bytes)
 pkts bytes target     prot opt in     out     source               destination