IPTables and libwrap

aalmazan@rackspace.com (alex almazan) — Sat, 03 May 2008 01:02:00 -0500

Secruing Services

NOTE choose the easiest otions first such as TCPwrappers to control service connections.

/etc/hosts.allow
/etc/hosts.deny

man page syntax identical:

basic syntax is : : ex. to allow ssh connections for SSH

sshd: 192.168.2.200

These files are parse in the following order:

/etc/hosts.allow	If the configuration of this file permits the requested connection, the connection is immediately allowed
/etc/hosts.deny	If the configuration of this file does not permit the requested connection, the connection is immediately refused.

TCP wrappers can only be run on packages compiled agains libwrap. ldd can be used to check if it has been compiled against libwrap.

example for checking with ‘ldd’

[root@station home]# ldd /usr/sbin/sendmail.sendmail |grep wrap
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x006a8000)

portmap is another service , but it is a bit convoluted:

[root@station home]# strings /sbin/portmap |grep hosts
hosts_access_verbose
hosts_allow_table
hosts_deny_table
/etc/hosts.allow
/etc/hosts.deny

here are others configured against libwrap:

ssh,sendmail,xinetd,vsftpd,stunnel - Two choices when configuring hosts.allow|deny in the following example. permit connections for vsftp from 10.1.1.1, but block from 10.0.0.0/255.0.0.0

you can make seperate entries in both:

hosts.deny

vsftpd: 10.0.0.0/255.0.0.0

hosts.allow

vsftpd: 10.1.1.1

Or you can add this to just the deny file as suggested with the keyword

‘EXCEPT’

# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
#vsftpd: 10.0.0.0/255.0.0.0
vsftpd: 10.0.0.0/255.0.0.0 EXCEPT 10.1.1.1

‘ALL’ can be used in the config as the service or the connecting source:

ALL:ALL EXCEPT 192.168.1.1

In /etc/hosts.deny to block all service affected by libwrap, but open to the one source or

ALL:ALL

In hosts.deny, with explicit service permissions in /etc/hosts.allow.

‘DenyHosts is a script from sourceforge that you can run from cron to parse /var/log/secure to review those that have attempted multiple brute force attacks’ (‘swatch’-‘pamABL’ are similar scripts, but modify iptables)

IPTables

Permits packet filterring at the kernel level. Netfilter is the kernel module that does the dirty work, iptables helps define the rules/chains to permit/deny through the kernels ip stack.

INPUT	responsible for inbound destined for the server
OUTPUT	responsible for outbound traffic leaving the server
FORWARD	across the servers interfaces

iptables -L

lists or prints the current rules in place

iptables -L -n -v -t nat

iptables-save writes to /etc/sysconfig/iptables. (keeping rules persistent,they must be apart of this file)

Configuration parsed from top to bottom. IPTables will response based on the first match. If there is no specific match, the chain policy will apply.

IPtables uses targets to determine what action will be taken if traffic matches an existing rule.

DROP	will drop package and send no info to the user
REJECT	will send a connection refused notice back to the sender
ACCEPT	will permit the connection
LOG	will log the connection attempt

IPTables syntax rule formulation help:-

What chain will the rule apply to?

-A INPUT

What patterns(s) would you like to check for?

-s 192.168.2.100

To make the rule active, you can add the following info to /etc/sysconfig/iptables

-A INPUT -s 192.168.2.100 -j REJECT

You can also configure the rule from CLI with

iptables -A INPUT -s 192.168.2.100 -j REJECT

What should IPTables do when a matching pattern is found?

-j REJECT

You can also match on the following criteria:

-i	incoming interface
-p	protocol
-s	source ip address
-d	destination ip address
-dport	destination port

Saving the rules service iptables-save

iptables -D INPUT 3

This command will delete the third rule in the INPUT CHAIN A quick means of identifying line number is:

iptables -L --line-numbers

iptables -D INPUT <rule>

This command will delete the specific rule from the INPUT chain.

iptables -F

This command will flush the IPTables rulesets

system-config-securitylevel utility used to create the following config

[root@station sysconfig]# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT                             
---(permit the loopback)
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT                             
---(for ipsec)
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT                             
---(for ipsec)
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
---(multicast/Avahi)
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT            ---(for cups)
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT            ---(for cups)
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 837 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j
ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

created the following chain to apply the rules in /etc/sysconfig/iptables:

RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT

This and the allowed outlined rules above where automagically put in place. Considered a mostly closed configuration based on the ‘ACCEPT’ policy. If you need to use the rulesets generated by ‘system’ utlities comment out the last rule to keep from failing the test

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

service iptables panic changes to a default drop policy

[root@station sysconfig]# service iptables panic
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy DROP: filter                      [  OK  ]
[root@station13 sysconfig]# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination

Put these back in place to permit connections

[root@station sysconfig]# iptables -P INPUT ACCEPT
[root@station sysconfig]# iptables -P OUTPUT ACCEPT

[root@station sysconfig]# iptables -L -v
Chain INPUT (policy ACCEPT 1 packets, 78 bytes)
 pkts bytes target     prot opt in     out     source              
destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination

configure your mail server not to accept connections from the 192.168.1.0/24 network, EXCEPT for the 192.168.1.2 host:

iptables example

[root@station etc]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  10.0.0.0/8           anywhere            reject-with
icmp-port-unreachable
ACCEPT     tcp  --  192.168.1.2          anywhere            tcp dpt:smtp
REJECT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:smtp
reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@station etc]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Aug  9 16:08:07 2007
*filter
:INPUT ACCEPT [134:32679]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [47:4569]
-A INPUT -s 10.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 25 -j REJECT
--reject-with icmp-port-unreachable

tcp wrapper example ( since this said sendmail, it must be the MTA running, not postfix, as postfix is not compiled against libwrap)

alternatives—config mta

then /etc/hosts.deny:

[root@station etc]# cat /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
#vsftpd: 10.0.0.0/255.0.0.0
#vsftpd: 10.0.0.0/255.0.0.0 EXCEPT 10.1.1.1
sendmail: 192.168.1.0/24 EXCEPT 192.168.1.2

followed with rules for governing port 110/143: -

[root@station etc]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Aug  9 16:08:07 2007
*filter
:INPUT ACCEPT [134:32679]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [47:4569]
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -s 192.168.1.2/255.255.255.255 -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 143 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 993 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 110 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 995 -j REJECT --reject-with icmp-port-unreachable

alexalmazan.com: IPTables and libwrap

IPTables and libwrap