Full Version: Iptables Question/suggestion
Robert83
Hi,

Well I did it, I'm browsing the internet through the firewall computer now [only the firewall and I are connected, nothing else, for security/testing reasons].

So everything is nice according to www.grc.com SHIELDSUP!: all my ports are in stealth mode, but I can be pinged [do I have to enable pinging for the firewall itself, or is it enough for the mail server, ftp, http?]. How can I drop pings with my firewall?

My current firewall [iptables] looks like this :

NOTE: eth0 is the internal network [192.168.0.0], eth1 is the external network [xxx.xxx.xxx.xxx]

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT [all packets from in to out forward]
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
[allow established,related connections from outside to get inside]
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[the same?, not sure...please explain]
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT [to accept connections to firewall from inside]
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT [to accept connections to firewall from inside]
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 443 --syn -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 25 --syn -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 21 --syn -j ACCEPT
[the above four I would like to allow, but they are in stealth mode... why? Please note
that none of those servers are up... maybe that's why I'm getting stealth mode instead of
CLOSED or OPEN?]
iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx [192.168.0.0 --> xxx.xxx.xxx.xxx]
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP [drop every not wanted udp packet]
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP [drop every not wanted tcp packet]

Please, any suggestions about this [my current settings for iptables]?
And why are those ports 80, 443, 25, 21 in stealth mode, if I make them available from any source to
any destination? Can it be because I have no mail, http, ftp server installed?

And do I need to make them able to ping my firewall? I mean its public address [xxx.xxx.xxx.xxx]?
[NOTE]
the Firewall will be first like this FIREWALL->MAIL->FTP->HTTP [all separate computers]. If I don't
allow anyone to ping my firewall, will they be able to ping my other computers [mail,ftp,http]? They will
have public IP addresses too.]

How safe I am with this firewall?

Sincerely
Robert B
hughesjr
try this instead:

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

(same for 443, 21, 25)....now they should no longer be stealth ....

then after the forwards (before the postrouting rules) when you are ready to forward the ports to the actual servers do:

iptables -A PREROUTING -t nat -p tcp -d public_ip --dport 80 -j DNAT --to webserver_internal_ip_address:80

(same for 443, 21, 25) (except port 21 to the ftp server, port 25 to the mail server, port 22 (if you want to open it) to an ssh server .... actually, for ssh I personally use a different port than 22 (say 2121) on the public IP, but to port 22 on the server ... then people either have to scan or know that 2121 is the ssh port.
Robert83
Thank you for the advice smile.gif

Sincerely
Robert B
Robert83
Hi,

I've changed these lines :

iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 443 --syn -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 25 --syn -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 21 --syn -j ACCEPT

with

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

and www.grc.com still reports these ports as STEALTH [note: I've tried just once to trust the www.grc.com IP probe, and then it showed that SSH is OPEN and the rest is closed].

[Here are my iptables rules]

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

[root@WindowsXP root]# iptables -nvL -t filter
Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination

6 939 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
444 36722 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0

2 200 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

66 21648 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0

6 288 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x16/0x02

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

15 646 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0

12 480 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
state NEW,RELATED,ESTABLISHED tcp dpt:80
0 0 ACCEPT tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
state NEW,RELATED,ESTABLISHED tcp dpt:443
0 0 ACCEPT tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
state NEW,RELATED,ESTABLISHED tcp dpt:21
0 0 ACCEPT tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
state NEW,RELATED,ESTABLISHED tcp dpt:25

Chain OUTPUT (policy ACCEPT 291 packets, 54300 bytes)
pkts bytes target prot opt in out source destination

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[root@WindowsXP root]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 90 packets, 24566 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 5 packets, 370 bytes)
pkts bytes target prot opt in out source destination
5 246 SNAT all -- * eth1 192.168.0.0/24 0.0.0.0/0 to:xxx.xxx.xxx.xxx

Chain OUTPUT (policy ACCEPT 5 packets, 370 bytes)
pkts bytes target prot opt in out source destination

Note : I haven't added those PREROUTING rules, because I don't have any FTP,MAIL,HTTP server yet...

Any idea why those ports [80, 443, 21, 25] are in stealth mode?

I change my rules the following way :
1./etc/init.d/iptables stop
2.source /home/iptables
3.iptables-save > /etc/sysconfig/iptables
4./etc/init.d/iptables start


Sincerely
Robert B
hughesjr
It might be that the firewall is accepting the connections, but since there is no place for the packets to go, they are still being dropped by the drop all rule at the bottom .....

try pointing port 80 (via the prerouting command) to an internal httpd server (or even an internal machine without a httpd server with iptables turned off) that is using the firewall as a default gateway and see what grc.com says about it then...
Robert83
yehaaaa IT's it's it's CLOSED yes! yes mwhahahahhaha port 80 is now CLOSED.

Thank you for the idea smile.gif


Sincerely
Robert B
Robert83
Oh and one more thing,

if someone from the internet tries to connect to my pc from some port, will the system create a log file for that, or will it only drop the user, and no report?

if no report, how can I tell the system to make reports, for example :

yyy.yyy.yyy.yyy connecting to xxx.xxx.xxx.xxx:430 DROPPED
or
yyy.yyy.yyy.yyy connecting to xxx.xxx.xxx.xxx:431 SUCCESS

I mean how will I know if someone broke into my system, I mean in time, not after a complete mail server reformat smile.gif sad.gif


Sincerely
Robert B
Robert83
and one more thing about that port forwarding thingie: if I'm correct then I don't really need a public IP for my FTP server, right? Or webserver, mailserver.

What do you recommend, should I use public IP addresses [if I'm correct in the above question] or not for my FTP, MAIL, WEBSERVER?


Sincerely
Robert B
hughesjr
You had a question about the line:

iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

That one would be required if you connected to internet from the firewall itself (like to download updates from off site) ... where the other line that has -i eth1 -o eth0 would be for connections from the inside through the firewall.....

You may not need the -i eth1 -o eth0 if you have the one that has only -i eth1

--------------------------------------------

Instead of using -j DROP in the last 2 lines, ... put this where you define chains:

iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP


Then use:

-j drop-and-log-it

in the last 2 lines instead.

here is information on the log level from the syslog.conf man page:
CODE
The priority is one of the  following  keywords,  in  ascending  order:
      debug,  info, notice, warning, warn (same as warning), err, error (same
      as err), crit, alert, emerg,  panic  (same  as  emerg).   The  keywords
      error,  warn  and  panic are deprecated and should not be used...


so if you have too many details with the level set to info, try notice ... if still too much, try warning, etc.
-------------
The logs will be wherever you have the kern logs going....probably /var/log/messages in whitebox...
Robert83
Thank you again for your help.


Is there a way to tell iptables to log the dropped packets somewhere else? I mean like /var/log/iptablesdropped

because as you know, messages logs other stuff as well, and it's really hard to even go through a log that was made today.

Sincerely
Robert B
Robert83
sorry for all these questions...

if I put :

iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP

instead of :

iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP

then on www.grc.com, nothing is in stealth mode... how exactly do I combine these five lines to DROP everything
and log it too.... [sorry]


Sorry....


Sincerely
Robert B
Robert83
AHA!

iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j drop-and-log-it
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j drop-and-log-it

like this then?

[sorry, I was reading your reply too fast, and misunderstood what you were telling me]


Then the above five lines would be correct right?

[going to try it now]

Sincerely
Robert B
Robert83
I've edited the iptables rules, like you said, everything works, ok, only port 80 open , the rest is in stealth mode...

after that, since my /var/log was full of all that info, I've deleted every file [bad idea?].

And after that rebooted, and went to www.grc.com, to see what happens, well port 80 open, rest is stealth
but nothing is added to the /var/log ....no messages .

Only these files are under /var/log
dmesg
ksyms.0
ksyms.1
wtmp

what to do?

Sincerely
Robert B
hughesjr
I tried to help someone else do that ... but this is what I found:

http://lists.netfilter.org/pipermail/netfi...uly/013257.html
----------------------------

So, this script should work (I named it get_iptables):

CODE
#!/bin/bash
# Move the firewall lines (matched on the "iptables" log prefix) out of
# syslog's messages file and into their own log.

PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin

SYS_LOG=/var/log/messages
IPTABLES_LOG=/var/log/iptables
TMP_DIR=/tmp

# append the firewall lines to their own file, then rebuild messages without them
grep -i iptables $SYS_LOG >> $IPTABLES_LOG
grep -iv iptables $SYS_LOG > $TMP_DIR/messages

# Truncate messages in place instead of replacing the file: syslogd keeps
# the file open, and a replaced inode would leave it writing into the old,
# deleted file until it is restarted. Lines logged between the grep above
# and this write are lost, so run it from cron, not while the log is busy.
cat $TMP_DIR/messages > $SYS_LOG
rm -f $TMP_DIR/messages

chmod 600 $IPTABLES_LOG
chmod 600 $SYS_LOG


That script should put all the iptables entries (if you used iptables as the log prefix...) into the location in $IPTABLES_LOG and take all the iptables entries out of the syslog...If you want to do it every hour ... then you could save the file as get_iptables ....

chmod 755 get_iptables

cp get_iptables /etc/cron.hourly


If you are using the logrotate program, then you probably want to rotate the logs ... if you want to do it like /var/log/messages (weekly, saving 4 previous weeks) then add a file named /etc/logrotate.d/iptables that contains this code:

CODE
/var/log/iptables {
       nocompress
       missingok
       create 0600 root root
}
hughesjr
if there is no log file ... it should get created when needed ... or you can create a blank one with the command:

touch /var/log/messages
Robert83
errr smile.gif... syslog was not enabled... smile.gif [I switched off every service, and left only the most needed ones to start up on the firewall, and I forgot about syslog]


And is there a way then to log the iptables drop list to some other file like /var/log/iptables?
I've looked into the syslog.conf... maybe I could add a separate line, to log only iptables? Can this be done?
How?


Sincerely
Robert B
hughesjr
see my script ... 2 posts up in this thread wink.gif
Robert83
I see it now, somehow I passed that reply...smile.gif

Thanx
hughesjr
you're welcome .... no problem laugh.gif
Robert83
Ok it works good now, I've left the Whitebox computer with the firewall on for tonight, just to see how much iptables will log.
It has logged a few pages... but here are two sample lines, I need help in fully understanding them:

kernel : iptablesIN=eth1 OUT= MAC=00:30:4f:25:e6:15:00:30:b8:80:49:ee:08:00 SRC=172.182.16.29 DST=217.xxx.xxx.xxx LEN=328 TOS=0x00 PREC=0x00 TTL=115 ID=42954 DF PROTO=TCP SPT=1174 DPT=3127 WINDOW=65535 RES=0x00 SYN URGP=0

kernel : iptablesIN=eth1 OUT= MAC=00:30:4f:25:e6:15:00:30:b8:80:49:ee:08:00 SRC=172.182.16.29 DST=217.xxx.xxx.xxx LEN=328 TOS=0x00 PREC=0x00 TTL=115 ID=42954 DF PROTO=TCP SPT=1174 DPT=3127 WINDOW=65535 RES=0x00 SYN URGP=0

MAC: hardware address of the connecting device[?]
SRC: The source IP from where the connection was initiated
DST: Destination address
LEN:
TOS:
PREC:
TTL: [perhaps? time to live?]
ID: [identification?, then for what?]
DF:
PROTO: protocol TCP
SPT:
DPT
WINDOW:
RES:
SYN:
URGP:

And please, can you tell from a line like this how I know whether he succeeded in entering the computer on a port or not?
How can I see if he connected to port 80 [which is open], or tried messing around with the other ports which are in stealth mode?



Sincerely
Robert B
hughesjr
BTW, if you didn't already, you need to start the service crond at startup...so the script to pull out iptables stuff can run....

One thing is ... if it's logged, he didn't get in (you are only logging dropped packets, unless you added another LOG function to the iptables rule set).

Another indicator is that the OUT= is blank ... so the firewall didn't pass it through....

This page tells you what every item is in the log....

SPT=1174 <-- Source Port (his port)
DPT=3127 <-- Destination Port (your port)

The MAC address is a combined MAC for both your PC and his PC .... issue this command to find your MAC address:

ifconfig eth1 | grep HWaddr | awk '{print $5}'

Then the rest of the MAC string is his MAC address...
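The log line above, taken apart field by field. This is an added example, not code from either poster: it assumes the rule set built in this thread, where the only LOG target sits in the drop-and-log-it chain, so every logged packet is a dropped one, and it reads the chain off the IN=/OUT= pair (OUT= empty means INPUT, i.e. the packet was aimed at the firewall itself). The MAC= field is split into its three real parts: destination MAC (the firewall's eth1), source MAC (the last hop that handed the packet over, on eth1 the ISP's router) and the Ethernet type. The sample line is constructed from the post with the DST masked.

```shell
#!/bin/sh
# Added example, not code from the thread: split one netfilter LOG line
# (the shape posted above) into its fields and decode the ones that are not
# self-explanatory. Assumes the thread's rule set, where the only LOG target
# is in the drop-and-log-it chain, so a logged packet is a dropped packet.
# The sample line is constructed from the post (DST masked).

SAMPLE='kernel : iptablesIN=eth1 OUT= MAC=00:30:4f:25:e6:15:00:30:b8:80:49:ee:08:00 SRC=172.182.16.29 DST=217.0.0.1 LEN=328 TOS=0x00 PREC=0x00 TTL=115 ID=42954 DF PROTO=TCP SPT=1174 DPT=3127 WINDOW=65535 RES=0x00 SYN URGP=0'

# field LINE KEY: value of the first KEY=value token; empty when the key has
# no value, as OUT= does for a packet addressed to the firewall itself.
# Matching KEY= anywhere also copes with the glued "iptablesIN=" prefix.
field() {
    printf '%s\n' "$1" | grep -o "$2=[^ ]*" | head -n 1 | cut -d= -f2
}

# has_word LINE WORD: yes/no whether WORD appears as a bare token (DF, SYN, ...)
has_word() {
    case " $1 " in *" $2 "*) echo yes ;; *) echo no ;; esac
}

# tcp_flags LINE: the TCP flag words that appear bare in the line.
# SYN on its own is a new connection attempt, i.e. a probe of that port.
tcp_flags() {
    flags=
    for tok in $1; do
        case $tok in
            SYN|ACK|FIN|RST|PSH|URG) flags="$flags$tok " ;;
        esac
    done
    printf '%s\n' "${flags% }"
}

# mac_part LINE dst|src|type: MAC= is 14 bytes run together: destination
# MAC (this firewall's eth1), source MAC (the last hop, on eth1 the ISP's
# router, not the remote host) and the Ethernet type (08:00 = IPv4).
mac_part() {
    mac=$(field "$1" MAC)
    case $2 in
        dst)  printf '%s\n' "$mac" | cut -d: -f1-6 ;;
        src)  printf '%s\n' "$mac" | cut -d: -f7-12 ;;
        type) printf '%s\n' "$mac" | cut -d: -f13-14 ;;
    esac
}

# verdict LINE: which chain logged it, read off the IN= / OUT= pair.
verdict() {
    inif=$(field "$1" IN); outif=$(field "$1" OUT)
    if [ -n "$inif" ] && [ -z "$outif" ]; then
        echo "INPUT: aimed at the firewall itself on $inif, dropped"
    elif [ -n "$inif" ]; then
        echo "FORWARD: would have gone $inif -> $outif, dropped"
    else
        echo "OUTPUT: generated by the firewall, dropped"
    fi
}

# decode LINE: print each field with its meaning.
decode() {
    l=$1
    echo "verdict : $(verdict "$l")"
    echo "SRC:SPT : $(field "$l" SRC):$(field "$l" SPT)  remote address and its (usually ephemeral) source port"
    echo "DST:DPT : $(field "$l" DST):$(field "$l" DPT)  our address and the port that was probed"
    echo "PROTO   : $(field "$l" PROTO) flags [$(tcp_flags "$l")]"
    echo "LEN/TTL : $(field "$l" LEN) bytes, TTL $(field "$l" TTL)  (hops left; senders start at 64 or 128, so 115 hints at a 128-start host 13 hops away)"
    echo "ID/DF   : IP id $(field "$l" ID), DF=$(has_word "$l" DF)  (fragment reassembly id; DF = don't fragment)"
    echo "TOS/PREC: $(field "$l" TOS)/$(field "$l" PREC)  type of service / precedence, normally 0"
    echo "WINDOW  : $(field "$l" WINDOW)  TCP receive window offered by the sender"
    echo "RES/URGP: $(field "$l" RES)/$(field "$l" URGP)  reserved TCP bits / urgent pointer, normally 0"
    echo "MAC     : dst $(mac_part "$l" dst) src $(mac_part "$l" src) type $(mac_part "$l" type)"
}

# No argument: decode the sample. With "-": decode lines from stdin, e.g.
#   grep iptables /var/log/messages | sh decode_log.sh -
if [ "${1:-}" = - ]; then
    while IFS= read -r line; do decode "$line"; echo; done
else
    decode "$SAMPLE"
fi
```

Because only the drop chain logs, a logged line never means someone got in; a connection that was accepted (port 80 to the web server) leaves no trace here unless a second LOG rule is added for it.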
hughesjr
Here are some things I recommend for your firewall to make it more secure and to drop any traffic that doesn't conform to a rule:
-------------------------------
Combine your 2 INPUT drop rules to one rule (instead of one for tcp and another for udp ... and get rid of the --syn from TCP) like this:

iptables -A INPUT -s 0/0 -d 0/0 -j drop-and-log-it
------------------------------
Add a drop rule for the FORWARD chain .... like this (it would go somewhere after your last FORWARD chain rule)

iptables -A FORWARD -j drop-and-log-it
------------------------------

Right now you don't have an OUTPUT chain .... you might want to consider doing one (see this page). It is not required, but it is more secure.

Here are some outbound blocks that I use:

At my company, we don't allow the reading of external e-mail (it bypasses the executable packages restriction and attachment virus scanning of our mail server)... only mail that has come through our scanners and is on our local e-mail server can be accessed. So port 110 (POP3) and 143 (IMAP) outbound is blocked from all machines.

I have only 4 machines that need to send mail to other places directly ... the only reason a connection would be made on port 25 by all my other machines would be because they were infected by one of the mass mailing worms ... so port 25 is blocked outbound for all machines except the 4 machines that need to send e-mail directly.
Robert83
Thank you again for your advice VERY MUCH! smile.gif

And by the way...

so my firewall rule settings begin with

FORWARD --> what to accept
FORWARD --> what to drop
INPUT --> what to accept
INPUT --> what to drop
PREROUTING --> what to do with port 80 , in my case point it to internal machine
POSTROUTING --> local ip to public ip

is this setup correct, I mean the order first the accept rules for FORWARD, after that the drop rules for FORWARD,and so on for the rest...

In my case, just like yours, there is a division [I hope this is how they say it, when a company has a subgroup or something] where 8 people need to access webmail...

IPTABLES -A OUTPUT -s 192.168.1.20:80 -d 0.0.0.0:80 -j ACCEPT [can port numbers be added like this? ip:port?]
IPTABLES -A OUTPUT -s 0/0 -d 0/0 -j drop-and-log-it
would the above lines be correct?

Sincerely
Robert B

ps.: thank you again for your advice smile.gif smile.gif smile.gif
Robert83
by the way, IPTABLES -A FORWARD -j drop-and-log-it, can this be just inserted into my iptables source file like this?
or do I need to add IPTABLES -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it? What is good?

Sincerely
Robert B
Robert83
I've changed that INPUT drop rule from my two lines to your one line, now I also pass the ping test on www.grc.com,
so I wonder... if my port 80 is open because of the webserver, if someone wants to see my webserver [webpage] from the internet will he/she be able to do so?

Sincerely
Robert B
Robert83
ok, I see, I can see the webpage myself, even if I can't ping it; good, I guess this is the same for FTP and MAIL, right?

oh and about the order of lines in iptables

well the drop-and-log-it definition must be after the last FORWARD

and I've put the FORWARD -j drop-and-log-it rule after the INPUT -j drop-and-log-it ....

is this ok?

the only question is then...about that OUTPUT example I wrote down

Sincerely
Robert B
hughesjr
One thing you will need to do is move the lines for the Drop and Log stuff to the top (since you will be using it for INPUT chain drops and FORWARD chain drops) ....

So the three lines:

iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP


Need to be at the top, before the FORWARD or INPUT chain rules....
--------------------------------------
I think you can use the -s 0/0 -d 0/0 ... or not .... I believe it is the default if nothing is specified....it isn't used in the scripts I looked at for FORWARD ... it is used for INPUT.
--------------------------------------

Yes ... someone from the outside should be able to get to the open port 80 ... they might have to use the external IP Address of the firewall if you haven't updated the DNS yet.
hughesjr
And yes .... you can put all the things for each chain together (like all the FORWARDs and all the INPUTs) .... but remember to put the DROPs after the ACCEPTs in each chain....
Robert83
I currently have no reverse DNS, since this is only a test

Sincerely
Robert B
Robert83
if I move those three drop-and-log-it lines to the very top...

like this

....drop-and-log-it
....drop-and-log-it
....drop-and-log-it
....ACCEPT RULES....
....DROP RULES...


I get the following error
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables v1.2.8: Couldn't load target `drop-and-log-it':/lib/iptables/libipt_drop-and-log-it.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: Couldn't load target `drop-and-log-it':/lib/iptables/libipt_drop-and-log-it.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

Sincerely
Robert B
Robert83
hmmm, I don't know how good this is, but works...so as I wrote before, when I put the three drop-and-log-it rules at the top I get errors, so I err.... did this

....FIRST FORWARD RULE...
....drop-and-log-it.....
....drop-and-log-it.....
....drop-and-log-it.....
....ACCEPT RULES....
....DROP RULES....


... so only that OUTPUT rule needs to be done, a few posts before in this thread.

Sincerely
Robert B
Robert83
Ok, I also needed to make another cronjob... to delete /var/log/messages after 1 hr 2 min, then restart syslog...
since after each get-iptables it stopped for some reason... I mean it was reporting that it was working, but no output...


one more question,

my ISP is always trying to access me from :
10.0.148.1

is there a way to clean /var/log/iptables of these entries, since they take up a lot of space, and it's hard to see anything.
Perhaps another script?


Sincerely
Robert B
hughesjr
Ok,

To take care of the address 10.0.148.1 ,

Change:

grep -i iptables $SYS_LOG >> $IPTABLES_LOG

to:

grep -i iptables $SYS_LOG | grep -v 10.0.148.1 >> $IPTABLES_LOG
hughesjr
If your syslog isn't working well with the other cron ... maybe we should stop it before we start messing with the log file ... and turn it back on after we are done ... like this:

CODE
#!/bin/bash
# Same as get_iptables, but with syslog stopped while the messages file is
# rewritten, so syslogd reopens the rebuilt file when it starts again.

PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin

SYS_LOG=/var/log/messages
IPTABLES_LOG=/var/log/iptables
TMP_DIR=/tmp

/etc/init.d/syslog stop

# keep the firewall lines, minus the ISP's monitoring address
grep -i iptables $SYS_LOG | grep -vF 10.0.148.1 >> $IPTABLES_LOG
grep -iv iptables $SYS_LOG > $TMP_DIR/messages

cp --remove-destination $TMP_DIR/messages $SYS_LOG
rm -f $TMP_DIR/messages

chmod 600 $IPTABLES_LOG
chmod 600 $SYS_LOG

/etc/init.d/syslog start
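An alternative to copying lines out of /var/log/messages from cron, added here as an example and not part of either poster's setup: sysklogd can route the firewall lines to their own file directly, as long as the LOG target uses a priority that nothing else in messages uses. Give the LOG rule --log-level debug (instead of info) and add a line for kernel messages at exactly that priority; the stock messages line collects only *.info and above, so it never sees them, and no hourly rewrite or syslog stop/start is needed. Assumed: the Red Hat style syslog.conf shown in the fragment.

```conf
# /etc/syslog.conf (sysklogd syntax) - added fragment, not from the thread.
# Requires the LOG rule to be changed to:
#   iptables -A drop-and-log-it -j LOG --log-prefix "iptables: " --log-level debug

# Kernel messages at exactly priority debug: the firewall lines.
# The leading "-" skips the sync after every write, fine for a busy log.
kern.=debug                                     -/var/log/iptables

# The stock messages line takes info and higher, so the debug-level
# firewall lines never land here.
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
```

Restart syslog afterwards (/etc/init.d/syslog restart) so the new file is opened, and rotate it with the /etc/logrotate.d/iptables entry given earlier in the thread. Any other kernel message sent at debug priority would also land in that file.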
Robert83
Thank you again for your help.

One more question, since your wisdom with firewalls/hackers is much better than mine.

1. What are the first signs of a hacker trying to attack your system, or a hacker that has already succeeded in attacking your system?

Sincerely
Robert B

ps.: those OUTPUT rules are ok?
IPTABLES -A OUTPUT -s 192.168.1.20:25 -d 0.0.0.0:25 -j ACCEPT [can port numbers be added like this? ip:port?]
IPTABLES -A OUTPUT -s 0/0 -d 0/0 -j drop-and-log-it
hughesjr
On the firewall ... you really can't know if someone has broken in reviewing the firewall logs. You can see people trying to break in via the drop packets, and you can take action to block those IPs if necessary ....

a rule like:

iptables -A INPUT -i eth1 -s xxx.xxx.xxx.xxx/32 -j drop-and-log-it

will block an individual address....(xxx.xxx.xxx.xxx is the IP ... /32 is CIDR for a single host .... xxx.xxx.xxx.0/24 would block a whole class "c" network, xxx.xxx.0.0/16 would block a class B network, etc.)
------------------------------------------
So what you might want to do is run an IDS (Intrusion Detection System) ...

There are 2 types of IDS's ...

1. One is Host based {that is, on each host} tripwire is the best of these types ... and chkrootkit will test for rootkits.

2. The other type of IDS is Network based IDS ... of which, snort is the best. This requires a network hub/switch that allows you to set a monitoring port (or one that isn't switched ... that is, a hub that shows all traffic from all ports). If you are on a switching hub (or switch) with no monitoring port, you will only see traffic for your computer that snort is running on...
-------------------------------------------
Both of the IDS systems (tripwire, snort) are fairly complicated to use...but after researching them they can be very good. chkrootkit is very easy to use ... and most people who break into your systems do so to install a root kit (or it happens because of a worm), and chkrootkit is good at finding both.

I use tripwire on my servers, chkrootkit on all my linux machines (servers and workstations), and I used to run a snort server .... (I now use ISS real secure on a Windows machine ... as mandated by my company)

All 3 items are available via apt on redhat 9 (with the apt repository from Dag Wieers) .... do:

apt-cache showpkg chkrootkit
apt-cache showpkg snort
apt-cache showpkg tripwire
------------------------------------------
As to the output rule ... NO, can't do ports like that ... I also misspoke ... I use FORWARD rules, not OUTPUT rules to do that. The 2 rules below would limit all outbound traffic going to a destination Port 25 (ie sending e-mail) except for the machine that you want to allow to send e-mail....It would need to go just before the rule:

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT [all packets from in to out forward]

Here are the rules:

iptables -A FORWARD -i eth0 -p tcp -s 192.168.1.200/32 -d 0/0 --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp -s 0/0 -d 0/0 --dport 25 -j drop-and-log-it

As I said, this would prevent any machine to connect to a remote port 25 except the mail server ... the same thing would prevent any out going port 110 (POP3) and 143 (IMAP) connections....

iptables -A FORWARD -i eth0 -p tcp -s 0/0 -d 0/0 --dport 110 -j drop-and-log-it
iptables -A FORWARD -i eth0 -p tcp -s 0/0 -d 0/0 --dport 143 -j drop-and-log-it

If your e-mail server must connect to a POP3 (or IMAP) server to download e-mail from another site, then you would use:

iptables -A FORWARD -i eth0 -p tcp -s 192.168.1.200/32 -d 0/0 --dport 110 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp -s 192.168.1.200/32 -d 0/0 --dport 143 -j ACCEPT

So the final result would be this:

iptables -A FORWARD -i eth0 -p tcp -s 192.168.1.200/32 -d 0/0 --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp -s 192.168.1.200/32 -d 0/0 --dport 110 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp -s 192.168.1.200/32 -d 0/0 --dport 143 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp -s 0/0 -d 0/0 --dport 25 -j drop-and-log-it
iptables -A FORWARD -i eth0 -p tcp -s 0/0 -d 0/0 --dport 110 -j drop-and-log-it
iptables -A FORWARD -i eth0 -p tcp -s 0/0 -d 0/0 --dport 143 -j drop-and-log-it
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT


And then machine 192.168.1.200 could make connections to outside POP3, IMAP and SMTP machines ... no other internal machines could do that. It assumes that all e-mail you want them to have access to comes into the mail server 192.168.0.200 and they can connect to that to get their mail...

This wouldn't stop them from going to mail.yahoo.com (and sites like it) with their web browser and reading webmail ... those would need to be blocked separately....
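The whole firewall from this thread as one re-runnable script, added here as an example (not the rule set either poster actually ran). It puts the pieces in the order the discussion settled on: flush, create drop-and-log-it before anything jumps to it (the cause of the "No chain/target/match by that name" errors quoted earlier), accepts before the catch-all drop in each chain, the outbound SMTP/POP3/IMAP restriction from the post above placed before the general inside-to-outside accept, and the NAT rules last. Assumed, not from the thread: the documentation address 203.0.113.5 as the public IP, 192.168.0.10 and 192.168.0.20 as the web and mail hosts, DROP default policies (which the thread's catch-all rules only achieve once they are loaded), and a silent drop for the ISP monitor 10.0.148.1 so it never reaches the log. By default it only prints the commands; run it with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not the rule set posted in the thread: the firewall from
# this discussion as one re-runnable script. Order matters: the logging
# chain is created before any rule jumps to it, accepts precede the
# catch-all drop in each chain, and the outbound mail restriction comes
# before the general inside-to-outside accept.
# Assumed (not from the thread): PUBLIC_IP, the two internal servers,
# DROP default policies, and a silent drop for the ISP monitor.
# Default is a dry run that prints the commands; apply with IPT=iptables.

IPT=${IPT:-"echo iptables"}
EXT=eth1; INT=eth0
PUBLIC_IP=${PUBLIC_IP:-203.0.113.5}    # assumed; documentation address
LAN=192.168.0.0/24
WEB=192.168.0.10; MAIL=192.168.0.20    # assumed internal servers
ISP_MON=10.0.148.1                     # the ISP address that filled the log

flush() {
    # Empty both tables so the script can be re-run, then default-deny.
    $IPT -F; $IPT -X; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
}

define_chains() {
    # Must run before any rule uses -j drop-and-log-it; otherwise iptables
    # looks for a target module of that name and fails as quoted above.
    $IPT -N drop-and-log-it
    $IPT -A drop-and-log-it -j LOG --log-prefix "iptables: " --log-level info
    $IPT -A drop-and-log-it -j DROP
}

input_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i $INT -j ACCEPT
    # replies to connections the firewall itself opened (updates etc.)
    $IPT -A INPUT -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the ISP monitor: drop without logging; everything else: log and drop
    $IPT -A INPUT -i $EXT -s $ISP_MON -j DROP
    $IPT -A INPUT -j drop-and-log-it
}

forward_rules() {
    # Only the mail server may reach outside SMTP/POP3/IMAP; any other
    # machine trying to is a worm or a bypass of the mail scanner, so log it.
    for p in 25 110 143; do
        $IPT -A FORWARD -i $INT -p tcp -s $MAIL --dport $p -j ACCEPT
        $IPT -A FORWARD -i $INT -p tcp --dport $p -j drop-and-log-it
    done
    $IPT -A FORWARD -i $INT -o $EXT -j ACCEPT
    $IPT -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New inbound connections only to the services DNATed below; by the
    # time FORWARD sees them the destination is already the internal host.
    for p in 80 443; do
        $IPT -A FORWARD -i $EXT -o $INT -p tcp -d $WEB --dport $p -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i $EXT -o $INT -p tcp -d $MAIL --dport 25 -m state --state NEW -j ACCEPT
    # Catch-all, last in the chain
    $IPT -A FORWARD -j drop-and-log-it
}

nat_rules() {
    for p in 80 443; do
        $IPT -t nat -A PREROUTING -i $EXT -p tcp -d $PUBLIC_IP --dport $p \
            -j DNAT --to-destination $WEB:$p
    done
    $IPT -t nat -A PREROUTING -i $EXT -p tcp -d $PUBLIC_IP --dport 25 \
        -j DNAT --to-destination $MAIL:25
    $IPT -t nat -A POSTROUTING -s $LAN -o $EXT -j SNAT --to-source $PUBLIC_IP
}

build() { flush; define_chains; input_rules; forward_rules; nat_rules; }

build
```

Running it as sh firewall.sh prints the rules in order so they can be checked before IPT=iptables sh firewall.sh applies them; iptables-save can then capture the result into /etc/sysconfig/iptables as the thread already does.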
hughesjr
BTW,

The official Linux IP Masquerade site is here ... just for anyone looking for IPMASQ info.
Robert83
Thank you again for your response...

Tomorrow I will start "playing" with Tripwire,chkrootkit.


By the way, I found out how to block mail sites with squid, and also found a way to block users from cheating the proxy smile.gif, by only allowing them to go out through the proxy.

The question is, is there a site or something that keeps a log of all mail sites, so that I can add it to my Squid ACL [access control list], to block them all at once? Since I only need 2 sites available for webmail, the ones that are pretty good [got a good virus scanner for mails].


Sincerely
Robert B
hughesjr
Here is a place to start for free webmail providers

http://www.fepg.net/providers.html
Robert83
Hi,

So I've started working with TRIPWIRE on the WBL3.0, I see now what you meant about complicated, well actually
the Policy is a bit complicated...

I've printed out the policy example so ...

/ -> +bgmprstuCMS (emailto=somebody@xxxxxxxx.co.yu)

+b Number of blocks
+g File owner's group ID
+m Modification timestamp
+p Permissions and file mode bits
+r Device Number
+s File Size
+t File Type
+u File owner's user ID
+C CRC-32 hash value
+M MD5 hash value
+S SHA hash value

Would this be good? just one entry to scan the entire / ?
Or should I create a separate line for each dir in /etc/ ... and each device? If so, what devices should be watched really carefully?

Oh, and this e-mail thing, I guess I'll need to install sendmail on the firewall computer [currently I have no e-mail server], and I would use smtp.stcable.co.yu, how should I add this to the sendmail.mc?

Sincerely
Robert B
Robert83
Hi,

How do I add an e-mail to these lines? And a severity? [by the way what does severity really do?]


(
rulename = "Tripwire Binaries",
severity = $(SIG_HI),
emailto = somebody@xxxxxx.co.yu --->> should I add it like this ?
)

Sincerely
Robert B
Robert83
Hi,

So I've used the original tripwire policy file, of course I've modified it, since 183 of those entries were not valid for my system, I've also managed to get that e-mail thingie in the policy to work.


Questions:

1. Tripwire is run as a daemon? Or do I need to add it as a CRON job?
2. I think that I should enable sendmail as a DAEMON to make tripwire able to send e-mail to me, right?
3.What do I need to change in sendmail.mc to use smtp.stcable.co.yu ?
[3a]. If I'm correct I don't need to enable SMTP port to be visible from outside right? since I only need to make the firewall computer to send smtp trough smtp.stcable.co.yu hm?

Sincerely
Robert B
hughesjr
You need to run tripwire in check mode (-m c) as a cron .... as often as you want to check your machines ...

I only run it 3 times per day on my servers....

After you do system updates with yum (or apt-get, up2date, etc.), you will need to run tripwire once in database update mode (-m u) to get the new info written to the database.
-------------------------------------------------------------
You do not need to open port 25 into the firewall (ie make it visible from the outside) to send e-mail ...

If you have sendmail working, it will send mail to the account without forwarding it thru an e-mail server. If you want to forward all mail through a specific server, edit the file /etc/mail/sendmail.mc and remove the dnl from in front of the line:

dnl define(`SMART_HOST',`smtp.your.provider')

and change it to:

define(`SMART_HOST',`smtp.stcable.co.yu')

then run the command:

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Here are the RHEL 3 docs for sendmail...
hughesjr
BTW,

SNORT is what you really want to run to see if someone (or something) is getting internal to your firewall .... In fact, a product that uses snort, called Demarc PureSecure is pretty awesome... if you signup and click the trial download, you can get a personal version that works pretty well (at least it did about a year ago when I used it).

Here are some other frontends for snort ... I haven't used any of them, except Demarc
Robert83
Thank you! smile.gif

Sincerely
Robert B
Robert83
Hi,

With your help I've managed to separate the iptables log from /var/log/messages, now there is another question:

I want to somehow check /var/log/iptables every hour at 4 minutes past, and automatically add IP addresses that show up more than 15 times in the drop-and-log-it list [iptables] to the hosts.deny list; I think that this would permanently deny that IP from my computer, right?

Can you please help me with this task? can this be done by a script, and how?


Sincerely
Robert B
hughesjr
I would not recommend doing it automatically ... although it could be done with perl. (you could add a remark like this)

#<--Put_blocks_here-->#

(and we could insert the rules there)

I would instead recommend that you get e-mailed the info for your review ... because it could cause major downtime if a wrong address is blocked. For example, a port 113 might get blocked when a valid e-mail is received ... so you could accidentally block your email server from the network.

Snort has the ability to actually see traffic on the inside of the firewall and match it to actual vulnerabilities ... and you could write scripts to use that info to adjust the firewall settings.

It has been my experience that the vast majority of the indications (even from snort) are false positives ....
Invision Power Board © 2001-2017 Invision Power Services, Inc.