linux:firewalls (created 2019/01/21 11:22 by seanburns)

<markdown>
## iptables

iptables has five predefined tables, each holding one or more chains.

Tables include:

- nat
- mangle
- raw
- filter
- security

*chain*: an ordered list of rules; a packet flowing through the system is checked against each rule in the chain until one matches.

Built-in chains include:

- PREROUTING
- FORWARD
- POSTROUTING
- INPUT
- OUTPUT

We'll cover the filter table and the nat table. As applied:

- filter table, the default table
  - FORWARD: for packets being routed through the local host to somewhere else
  - INPUT: for packets addressed to the local host
  - OUTPUT: for locally generated packets
- nat table, consulted for the first packet of each new connection
  - PREROUTING: for altering packets as soon as they come in, before routing
  - POSTROUTING: for altering packets as they are about to go out
  - OUTPUT: for altering locally generated packets before routing
 +
## usage

```bash
# iptables -L -v -n | less      # -n: numeric addresses, no slow reverse DNS lookups
# iptables -L -n | grep policy  # one line per chain with its default policy
```

Let's change the default policy for the FORWARD chain:

```bash
# iptables --policy FORWARD DROP
# iptables -L -n | grep policy
```
 +
1. Locate the IP address for FB.
2. Locate the CIDR value (IP range) for FB.
3. Block that IP range.

```bash
$ host www.facebook.com
$ whois 157.240.2.35 | grep CIDR
$ sudo su
# iptables -A OUTPUT -p tcp -d 157.240.0.0/16 -j DROP
# iptables -A INPUT -p tcp -s 157.240.0.0/16 -j DROP
# w3m facebook.com
# ping facebook.com
```

1. Since no table is given, this uses the default table, which is the filter
   table.
2. -A OUTPUT: append the rule to the OUTPUT chain (-A INPUT for the second rule).
3. -p tcp: the protocol the rule matches. Both rules match TCP only, so the
   `ping` test (ICMP) still gets replies; leave out `-p tcp` to block every
   protocol.
4. -d / -s IP range: destination address (OUTPUT) or source address (INPUT).
   Packets arriving on INPUT *come from* the blocked range, so the match has to
   be on the source; a `-d` match there would never fire.
5. -j DROP: the target of the rule, what to do if the packet matches. In this
   case the packet is dropped. Common targets include:

- ACCEPT : let the packet through
- DROP   : discard the packet silently; the sender gets no response
- REJECT : discard the packet and send an error (ICMP, or a TCP reset) back to the source
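The three-step procedure above as a small script, added here as an example and not taken from the original page. It parses the `CIDR:` lines of a whois answer (a constructed sample is embedded; a whois record may list several networks on one line, separated by commas) and emits a pair of DROP rules per network, matching the source on INPUT and the destination on OUTPUT with no protocol restriction so ICMP is covered as well. The function names and the sample text are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): turn the CIDR lines of a whois
# answer into DROP rules for every listed network, in both directions.
# Function names and the sample whois text are this example's own.
set -eu

# Constructed sample of the CIDR lines found in a whois answer. One CIDR: line
# may carry several networks separated by commas.
SAMPLE_WHOIS='NetRange:       157.240.0.0 - 157.240.255.255
CIDR:           157.240.0.0/16
NetName:        EXAMPLE-NET
CIDR:           198.51.100.0/24, 203.0.113.0/24
'

# Read whois output on stdin, print one CIDR per line.
whois_cidrs() {
  grep -E '^CIDR:' \
    | sed 's/^CIDR:[[:space:]]*//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -E '^[0-9.]+/[0-9]+$'
}

# Print the two rules that block one network. INPUT is matched on the source
# (where the packet came from) and OUTPUT on the destination; no -p, so ICMP
# and UDP are blocked as well as TCP.
block_rules() {
  printf 'iptables -A INPUT -s %s -j DROP\n' "$1"
  printf 'iptables -A OUTPUT -d %s -j DROP\n' "$1"
}

# whois answer on stdin -> rules on stdout
rules_from_whois() {
  whois_cidrs | while read -r net; do block_rules "$net"; done
}

# Dry run on the constructed sample. With live data, review the output before
# running it:  whois 157.240.2.35 | rules_from_whois
printf '%s' "$SAMPLE_WHOIS" | rules_from_whois
```

Pipe the printed rules into `sudo sh` only after reading them; whois data is third-party input, and the final `grep` in `whois_cidrs` is what keeps anything that is not a plain `a.b.c.d/NN` out of the generated commands.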
 +
## Allow connections only from subnet

Add the ACCEPT rules first and flip the default policies afterwards. Done the
other way round over SSH, the session dies the moment INPUT goes to DROP,
before the rule that would let you back in exists.

```bash
# comment: first, accept input, forwarding, and output for the following
# network range (INPUT matches on the source address, OUTPUT on the destination)
$ sudo iptables -A INPUT -s 10.163.34.0/24 -j ACCEPT
$ sudo iptables -A FORWARD -s 10.163.34.0/24 -j ACCEPT
$ sudo iptables -A OUTPUT -d 10.163.34.0/24 -j ACCEPT
# comment: keep loopback working, local services depend on it
$ sudo iptables -A INPUT -i lo -j ACCEPT
$ sudo iptables -A OUTPUT -o lo -j ACCEPT
# comment: second, set policy to drop all incoming
$ sudo iptables --policy INPUT DROP
# comment: third, set policy to drop all forwarding
$ sudo iptables --policy FORWARD DROP
# comment: fourth, set policy to drop all outgoing
$ sudo iptables --policy OUTPUT DROP
# comment: review new policies for the above chains
$ sudo iptables -L -n | grep policy
```
 +
## Saving changes

Rules live only in the kernel and are gone after a reboot; save them, otherwise
iptables comes back with the default (empty, ACCEPT) settings:

```bash
$ sudo su
# /sbin/service iptables save
```

This writes `/etc/sysconfig/iptables` on RHEL/CentOS (package
`iptables-services`). Elsewhere, dump the rules with `iptables-save` and load
them at boot with `iptables-restore`, for example through `iptables-persistent`
on Debian/Ubuntu.
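A safer way to apply the "allow only from subnet" policy of the previous section, in the same format the saving step relies on. This added example (not code from the original page) builds the whole filter table as one iptables-restore ruleset, validates the subnet argument, and loads it atomically behind a 60-second revert timer so a mistake cannot lock you out. iptables-restore reads exactly what iptables-save writes, so the same text can go into `/etc/sysconfig/iptables` for persistence. The function names (`valid_cidr`, `subnet_ruleset`, `apply_with_guard`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): build the "allow only from
# subnet" filter table as one iptables-restore ruleset and load it atomically
# behind a revert timer. Function names are this example's own.
set -eu

# Accept only one line of the form a.b.c.d/NN, so the argument cannot smuggle
# extra rule lines into the heredoc below. Octet ranges are not checked here;
# iptables-restore rejects an address such as 999.1.1.1 on its own.
valid_cidr() {
  [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" -eq 1 ] &&
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the complete filter table for trusted subnet $1 in iptables-save
# format. Review the output, then feed it to iptables-restore.
subnet_ruleset() {
  subnet="$1"
  valid_cidr "$subnet" || { echo "subnet_ruleset: bad CIDR '$subnet'" >&2; return 1; }
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback stays open: local resolvers, databases and the like depend on it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to traffic already permitted in the other direction
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the trusted subnet: -s on INPUT (where packets come from), -d on OUTPUT (where they go)
-A INPUT -s ${subnet} -j ACCEPT
-A FORWARD -s ${subnet} -j ACCEPT
-A FORWARD -d ${subnet} -j ACCEPT
-A OUTPUT -d ${subnet} -j ACCEPT
COMMIT
EOF
}

# Run as root: save the live rules, syntax-check the new set, load it in one
# step, and revert automatically unless the operator confirms within 60 s.
# If the new policy cut off your SSH session, the old rules come back by
# themselves.
apply_with_guard() {
  valid_cidr "$1" || return 1
  backup="$(mktemp)"
  iptables-save > "$backup"
  subnet_ruleset "$1" | iptables-restore --test
  ( sleep 60 && iptables-restore < "$backup" ) &
  guard=$!
  subnet_ruleset "$1" | iptables-restore
  echo "New rules loaded. Still have access? Confirm with: kill $guard"
  echo "Otherwise the previous rules are restored from $backup in 60 s."
}

# Review run (no root needed): print the ruleset for the page's subnet.
subnet_ruleset 10.163.34.0/24
```

`subnet_ruleset 10.163.34.0/24` prints the table for review; `apply_with_guard 10.163.34.0/24` as root loads it. Because iptables-restore replaces the table in a single commit, there is no window with half the rules in place, which is the other thing the rule-by-rule version above cannot offer.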
 +
There are lots of examples on the web. Examples from:

- http://www.tecmint.com/linux-iptables-firewall-rules-examples-commands/
- https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
 +
## PREROUTING

Redirect all traffic arriving on eth0 for port 25 to port 2525:

```bash
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-ports 2525
```

This only touches packets that come in on eth0. Connections the host makes to
itself pass through the nat table's OUTPUT chain instead, and need a matching
rule there if they should be redirected too.

## OUTPUT

Disable outgoing email (several ports in one rule need the multiport match):

```bash
# iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT
```
 +
## firewall-cmd

firewalld is a slightly more user-friendly front end to netfilter on Red Hat
based distros.

Zones are an important concept in firewalld. Some predefined zones:

- drop : strictest. All incoming packets are dropped without a reply; only outgoing connections are possible
- block : incoming connections are rejected with an ICMP "prohibited" error; only outgoing connections are possible
- public : only selected incoming connections are accepted. Good zone for a web
  server, email server, etc.
- external : external networks with masquerading (NAT) enabled, as on a router
- dmz : computers located in a DMZ, reachable from outside with limited access inward
- work : trust most computers on the network and accept some services
- home : trust most computers on the network and accept some services
- trusted : trust all machines on the network; all connections are accepted
 +
Check if running:

```bash
# firewall-cmd --state
```

List all zones, the default zone, and the active zones with the interfaces
attached to them:

```bash
# firewall-cmd --get-zones
# firewall-cmd --get-default-zone
# firewall-cmd --get-active-zones
```
 +
```
FedoraServer
  interfaces: enp0s3
```
 +
Without `--permanent` a change applies to the running firewall only and is gone
at the next reload or reboot; with `--permanent` it is written to disk only and
does nothing until `firewall-cmd --reload`. The pair below is a classic trap:
port 22 is opened at runtime while the ssh service is removed from the permanent
config, so the next reload closes SSH. Either make both changes permanent and
reload, or make them at runtime and copy them with
`firewall-cmd --runtime-to-permanent`.

```bash
# firewall-cmd --zone=FedoraServer --add-port=22/tcp                  # runtime only
# firewall-cmd --zone=FedoraServer --list-ports
# firewall-cmd --zone=FedoraServer --remove-service=ssh --permanent   # on disk only
# firewall-cmd --zone=FedoraServer --add-service=smtp --permanent
# firewall-cmd --reload                                               # activate the permanent config
# firewall-cmd --zone=FedoraServer --list-all                         # verify what is live now
```
 +
Go into panic mode (drop all incoming and outgoing packets, including your own
SSH session):

```bash
# firewall-cmd --panic-on
# firewall-cmd --panic-off
```

To change the default zone (this changes both the runtime and the permanent
configuration, so `--permanent` is not needed):

```bash
# firewall-cmd --set-default-zone=public
```
 +
## ufw

The same block with ufw. `in` needs `from` (the packets come from the range),
`out` needs `to`, and the rules only take effect while ufw is enabled. ufw
evaluates rules in order, so put a reject ahead of broader allow rules with
`ufw insert 1 ...` where needed.

```bash
$ host www.facebook.com
$ whois 157.240.2.35 | grep CIDR
$ sudo ufw reject out to 157.240.0.0/16
$ sudo ufw reject in from 157.240.0.0/16
$ sudo ufw status verbose
```
</markdown>