Nguyen Tien Huy: March 2014

Saturday, March 22, 2014

iptables accept ssh + apt-get

Sau 1 ngày vọc iptables, cuối cùng cũng tìm ra giải pháp.

Thông tin router:

IP: 192.168.0.1
DNS: 8.8.8.8, 8.8.4.4

Thông tin PC:

IP: 192.168.0.105

Mở file /etc/apt/source.list xem nội dung

deb http://ftp.debian.org/debian wheezy main
deb http://ftp.debian.org/debian wheezy contrib
deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main

=> ta thấy có 2 hostname mà apt sẽ kết nối đến.
Bây giờ ta sẽ tạo một file có ext là .sh và thêm các dòng:

#!/bin/sh
# My system IP/set ip address of server
SERVER_IP="192.168.0.105"
# Flushing all rules
iptables -F
iptables -X
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT
# Allow incoming is established
iptables -A INPUT -i eth0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming ssh only
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# Allow in/outcoming from dns
iptables -A OUTPUT -o eth0 -p tcp -s $SERVER_IP --sport 513:65535 -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 8.8.8.8 --sport 53 -d $SERVER_IP --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -s $SERVER_IP --sport 513:65535 -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 8.8.8.8 --sport 53 -d $SERVER_IP --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s $SERVER_IP --sport 513:65535 -d 8.8.4.4 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 8.8.4.4 --sport 53 -d $SERVER_IP --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -s $SERVER_IP --sport 513:65535 -d 8.8.4.4 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 8.8.4.4 --sport 53 -d $SERVER_IP --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# Allow outcoming to anywhere with port 80
iptables -A OUTPUT -o eth0 -p tcp -s $SERVER_IP --sport 513:65535 -d 0/0 --dport 80 -j ACCEPT
# Allow incoming from ftp.debian.org
iptables -A INPUT -i eth0 -p tcp --src ftp.debian.org --sport 80 -d $SERVER_IP --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming from security.debian.org
iptables -A INPUT -i eth0 -p tcp --src security.debian.org --sport 80 -d $SERVER_IP --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# Log output message
iptables -A OUTPUT -s $SERVER_IP -d 0/0 -j LOG --log-prefix "OCATCH:" --log-level info
# DHCP Client
iptables -A INPUT -i eth0 -p udp -s 192.168.0.1 -d $SERVER_IP --dport 68 --sport 67 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -s $SERVER_IP -d 192.168.0.1 --dport 67 --sport 68 -j ACCEPT
# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

Lưu lại và chạy.

Thursday, March 20, 2014

Block All Incoming Traffic But Allow SSH

http://www.cyberciti.biz/tips/linux-iptables-4-block-all-incoming-traffic-but-allow-ssh.html

This is very common scenario. You want to permit access to a remote machine only by SSH. You would like to block all incoming traffic to your system except ssh connection under Linux.

Add following rules to your iptables shell script:

/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

First rule will accept incoming (INPUT) tcp connection on port 22 (ssh server) and second rule will send response of incoming ssh server to client (OUTPUT) from our ssh server source port 22.

However, iptables with kernel 2.4/2.6 provides very powerful facility to filter rule based upon different connection states such as established or new connection etc. Here is complete small script to do this task:

 
#!/bin/sh
# My system IP/set ip address of server
SERVER_IP="65.55.12.13"
# Flushing all rules
iptables -F
iptables -X
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
 
# Allow incoming ssh only
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

This script is purely strict firewall. It only allows incoming ssh. No other incoming service or ping request or no outgoing service or request allowed. Incoming ssh connection can be either new or already established one and that is what specified by state rule '-m state --state NEW,ESTABLISHED'. Outgoing ssh connection state can be established only. By default this script allows everyone to ssh in by rule -s 0/0. If you want this access limited by IP or network address then replace -s 0/0 with IP address. For example allow incoming ssh from IP 202.54.1.20:

 
# Allow incoming ssh only from IP 202.54.1.20
iptables -A INPUT -p tcp -s 202.54.1.20 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 202.54.1.20 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT