Hi, I am Rafay Baloch, a security researcher, author and a public speaker.

A Beginners Guide To Using IPTables

ABSTRACT

Readers, there are numerous reasons ... It is well known that the Internet is an unmanaged an decentralized network, running under a set of protocols, which are not designed to ensure the integrity and confidentiality of information and access controls.
There are several ways to breach a network, but these ways do nothing more than take advantage of flaws within network protocols and services.


CONCEPTS

IPTABLES is an editing tool for packet filtering, with it you can analyze the header and make decisions about the destinations of these packets, it is not the only existing solution to control this filtering. We still have the old ipfwadm and ipchains, etc.
It is important to note that in Gnu / Linux, packet filtering is built into the kernel. Why not configure your installation in accordance with this article, since most distributions come with it enabled as a module or compiled directly into the kernel.

STEP BY STEP


case "$1" in
start)

Clearing Rules
iptables -t filter -F
iptables -t filter -X

Tips [ICMP ECHO-REQUEST] messages sent to broadcast or multicast
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Protection against ICMP redirect request
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

Do not send messages, ICMP redirected.
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

(Ping) ICMP 
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

Packages logs with nonexistent addresses (due to wrong routes) on your network
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

Enabling forwarding packets (required for NAT)
echo "1" >/proc/sys/net/ipv4/ip_forward

SSH accepted
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

Do not break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Block all connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

IP spoofing protection
echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
echo - Subindo proteção contra ip spoofing : [OK]

Disable sending the IPV4
echo 0 > /proc/sys/net/ipv4/ip_forward

SYN-Flood Protection
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
iptables -A syn-flood -j DROP

# Loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

Tips connections scans
iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j DROP
iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j LOG --log-level info --log-prefix "Scan recent"

Tips SYN packets invalid
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "Packages SYN Detected"
# Tips SYN packets invalid
iptables -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "Packages SYN Detected"

Certifies that new packets are SYN, otherwise they Tips
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Discard packets with fragments of entry. Attack that can cause data loss
iptables -A INPUT -f -j DROP
iptables -A INPUT -f -j LOG --log-level info --log-prefix "Packages fragmented entries"

Tips malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-level info --log-prefix "malformed XMAS packets"

DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

WHOIS Out
iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT

FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT

FTP In
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# Reverse
iptables -t filter -A INPUT -p tcp --dport 77 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 77 -j ACCEPT

MSF
iptables -t filter -A INPUT -p tcp --dport 7337 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7337 -j ACCEPT

#######################################
WEB Management Firewall
touch /var/log/firewall
chmod +x /var/log/firewall
/var/log/firewall -A INPUT -p icmp -m limit --limit 1/s -j LOG --log-level info --log-prefix "ICMP Dropped "
/var/log/firewall -A INPUT -p tcp -m limit --limit 1/s -j LOG --log-level info --log-prefix "TCP Dropped "
/var/log/firewall -A INPUT -p udp -m limit --limit 1/s -j LOG --log-level info --log-prefix "UDP Dropped "
/var/log/firewall -A INPUT -f -m limit --limit 1/s -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
/var/log/firewall -A INPUT -m limit --limit 1/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
/var/log/firewall -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
exit 0
;;

stop)
echo "turning off the firewall "
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t filter -F
exit 0
;;

restart)
/etc/init.d/firewall stop
/etc/init.d/firewall start
;;

echo "Use: /etc/init.d/firewall {start|stop|restart}"
exit 1
;;
esac

Logs available: /var/log/firewall
COMMANDS TO MONITOR LOGS: tail -f /var/log/messages
Save: /etc/init.d/firewall

CONCLUSION

Gentlemen, I hope to help you in configuring your network security and remind you to choose only the best options available.
Allow me to add a few Advantages of using your firewall. Be sure to Block unknown and unauthorized connections. You can specify what types of network protocols and services to be provided and you may control the packets from any untrusted services. Your firewall also allows blocking websites with URL filters, access control, access logs for reports by user, protecting the corporate network through proxies, and Automatic Address Conversion (NAT). Control services that can either be executed or not, on the network allowing for high performance in their duties with easy administration and reliability.

A hug to all who follow RHA and my sweet brother Rafay Baloch.

ABOUT THE AUTHOR:

This is a guest post written by , RAFAEL FONTES SOUZA. He is the maintainer of the “Project Backtrack Team Brazilian”, He works at RHAinfosec as a senior penetration tester. He is also the Founder of the "Wikileaks and Intelligence, Cypherpunks". Good communication in groups and the general public, attended college projects with a focus on business organization, he currently seeks work experience outside of brazil”. He frequently contributes at RHA and talks about various topics related to internet security. 
© 2023 All Rights Reserved by RHA Info Sec. Top

Contact Form

Name

Email *

Message *

Powered by Blogger.