#########
Ports to remember
#########
TCP
80 http
443 https
22 ssh
20 ftp-data
21 ftp
53 domain
5901 vnc (depends on the settings of /etc/sysconfig/vncservers)
UDP
53 domain
These are my personal notes on the RHCSA/RHCE exam. The site is still a work in progress. For comments and suggestions email me at mctofferatgmaildotcom
Friday, June 17, 2011
Thursday, April 21, 2011
Security quick reference
Iptables quick reference
iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -o eth1 -j MASQUERADE
/etc/sysctl.conf
net.ipv4.ip_forward = 1
echo 1 > /proc/sys/net/ipv4/ip_forward
TCP Wrappers
How to tell whether a daemon supports TCP Wrappers
# ldd /usr/sbin/sshd|grep libwrap
/etc/hosts.allow
/etc/hosts.deny
NAT Commands
iptables --line-numbers --list
iptables -[A,I,D] INPUT -p [tcp,udp] -m [tcp,udp] --dport [port-number] -j [ACCEPT,REJECT,DROP]
iptables -[A,I,D] INPUT -p [tcp,udp] -m [tcp,udp] -s ip-address/netmask --dport [port-number] -j [ACCEPT,REJECT,DROP]
iptables -t nat -A POSTROUTING -s ip-network/ipaddress/netmask -o interface-that-has-internet -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -o eth1 -j MASQUERADE
/etc/sysctl.conf
net.ipv4.ip_forward = 1
echo 1 > /proc/sys/net/ipv4/ip_forward
TCP Wrappers
How to tell whether a daemon supports TCP Wrappers
# ldd /usr/sbin/sshd|grep libwrap
/etc/hosts.allow
sshd: 192.168.1. EXCEPT 192.168.1.202
/etc/hosts.deny
ALL: ALL
Monday, March 21, 2011
Sample IPTABLES
This is a sample custom IPTABLES config to be used on the rhel01 server
Lab iptables Config in rhel01.localdomain
Checking the iptables config
#flush all chains PREROUTING FORWARD INPUT OUTPUT POSTROUTING
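# Sample lab firewall for rhel01: default-deny INPUT/FORWARD, with every
# allowed service listed in the user chain "custom-fw-input". Run as root.
# NOTE: -F/-Z/-X without -t act only on the filter table (INPUT, FORWARD,
# OUTPUT); nat/mangle chains such as PREROUTING/POSTROUTING are untouched.
iptables -F
#zero counters
iptables -Z
#erase user created chains
iptables -X
#default policies: anything not accepted by a rule below is dropped
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#create "custom-fw-input" chain
iptables -N custom-fw-input
#add custom-fw-input to default INPUT chain
iptables -A INPUT -j custom-fw-input
#add rules on custom-fw-input: replies to connections this host opened
iptables -A custom-fw-input -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#NOTE: loopback traffic is not accepted here, so local clients of 127.0.0.1
#services are dropped by the INPUT policy; the later lab config adds "-i lo -j ACCEPT".
#iptables -A custom-fw-input -i eth0 -m state --state NEW -s 192.168.1.0/24 -j ACCEPT
#open ssh port
iptables -A custom-fw-input -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#open http port for apache webserver (was --dport 22, a duplicate of the ssh
#rule; the saved config and the iptables -L output both show dpt:http)
iptables -A custom-fw-input -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
#drop other packets
iptables -A custom-fw-input -j DROP
#set OUTPUT chain to ACCEPT for demo only (the DROP policy above only holds
#while the rules are being loaded)
iptables -P OUTPUT ACCEPT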
Saving iptables config
[root@rhel01 ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
custom-fw-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain custom-fw-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
DROP all -- anywhere anywhere
[root@rhel01 ~]# iptables-save > /etc/sysconfig/iptables
[root@rhel01 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Mar 22 02:36:51 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [185:22677]
:custom-fw-input - [0:0]
-A INPUT -j custom-fw-input
-A custom-fw-input -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A custom-fw-input -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A custom-fw-input -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A custom-fw-input -j DROP
COMMIT
# Completed on Tue Mar 22 02:36:51 2011
Lab iptables Config in rhel01.localdomain
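#!/bin/bash
####################################################
# #
# iptables config #
# http://rhel6notes.blogspot.com #
# mctofferatgmaildotcom #
####################################################
# Lab firewall for rhel01.localdomain: default-deny INPUT/FORWARD; every
# allowed service is listed in the user chain "custom-fw-input". Run as
# root, then persist with: iptables-save > /etc/sysconfig/iptables
#
# NOTE: -F/-Z/-X without -t act only on the filter table (INPUT, FORWARD,
# OUTPUT); the nat/mangle chains PREROUTING/POSTROUTING are not flushed.
# NOTE: none of the accept rules below are limited by source address; the
# commented "-s 192.168.1.0/24" rule shows how to restrict a service (VNC,
# NFS, NIS in particular) to the lab subnet.
#flush all chains of the filter table
iptables -F
#zero counters
iptables -Z
#erase user created chains
iptables -X
#default policies: anything not accepted by a rule below is dropped
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#create "custom-fw-input" chain
iptables -N custom-fw-input
#INPUT chain jump to custom-fw-input
iptables -A INPUT -j custom-fw-input
#add rules on custom-fw-input: replies to connections this host opened, and
#everything on loopback
iptables -A custom-fw-input -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A custom-fw-input -i lo -j ACCEPT
#allow icmp (ping requests only)
iptables -A custom-fw-input -p icmp --icmp-type echo-request -j ACCEPT
#iptables -A custom-fw-input -i eth0 -m state --state NEW -s 192.168.1.0/24 -j ACCEPT
#open ssh port
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 22 -j ACCEPT
#VNC client port (display :1 and :2, see /etc/sysconfig/vncservers)
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 5901 -j ACCEPT
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 5902 -j ACCEPT
#Webserver
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 80 -j ACCEPT
#NFS: rpcbind (111), nfsd (2049) and the fixed helper ports
# NOTE(review): RHEL's /etc/sysconfig/nfs defaults are LOCKD_TCPPORT=32803 and
# LOCKD_UDPPORT=32769; the udp/32803 and tcp/32769 pairing below looks swapped
# relative to those defaults — confirm against /etc/sysconfig/nfs on rhel01.
# The purpose of port 2020 is not recorded here.
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 111 -j ACCEPT
iptables -A custom-fw-input -p udp -m state --state NEW --dport 111 -j ACCEPT
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 2049 -j ACCEPT
iptables -A custom-fw-input -p udp -m state --state NEW --dport 2049 -j ACCEPT
iptables -A custom-fw-input -p udp -m state --state NEW --dport 32803 -j ACCEPT
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 32769 -j ACCEPT
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 892 -j ACCEPT
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 662 -j ACCEPT
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 2020 -j ACCEPT
#PXE kickstart ports: DHCP (bootps 67 / bootpc 68) and TFTP (69) are UDP
#services; the former tcp rules for 67 and 68 matched nothing that listens
#and are replaced by udp 67 here
iptables -A custom-fw-input -p udp -m state --state NEW --dport 67 -j ACCEPT
iptables -A custom-fw-input -p udp -m state --state NEW --dport 68 -j ACCEPT
iptables -A custom-fw-input -p udp --dport 69 -j ACCEPT
#NIS (ypserv/ypbind pinned to fixed ports)
iptables -A custom-fw-input -p tcp --dport 834 -j ACCEPT
iptables -A custom-fw-input -p udp --dport 834 -j ACCEPT
iptables -A custom-fw-input -p tcp --dport 835 -j ACCEPT
iptables -A custom-fw-input -p udp --dport 835 -j ACCEPT
#drop all other packets
iptables -A custom-fw-input -j DROP
#accept OUTPUT chain (the DROP policy set above only holds while the rules load)
iptables -P OUTPUT ACCEPT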