
Beyond the Sky

The place where surface stops and shares the experience of life

Posts tagged with "firewall"

Log blocked connections using iptables and syslog


Now it is time for me to explain a bit of the 2% of iptables that I know. You may want to log the connections that tried to reach you but were refused. The log rule must be placed before the reject rule:
-A RH-Firewall-1-INPUT -m state --state NEW -j LOG --log-level warning --log-prefix "BLOCK "
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited


It is very important to remember that the rules are read from top to bottom: once a packet has been accepted or rejected somewhere in the middle of the chain, the rules below that point are never consulted for it. That means if you put your log rule after the reject rule, the log action will never take place. On the other hand, if you place it in front of the accept rule, you will log every connection, whether it succeeds or fails. LOG itself is a non-terminating target, so after logging the packet carries on to the next rule, which is what lets the log rule and the reject rule pair up. Bear in mind that an unlimited LOG rule writes one line per refused packet, so a port scan can fill your disk; the limit match (-m limit) can cap the rate if that becomes a problem.

I also want to log SSH connections, so I add an SSH log rule in front of the SSH accept rule:
-A RH-Firewall-1-INPUT -p tcp --dport 22 -j LOG --log-level warning --log-prefix "SSH "
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

This log rule has no state match, so it relies on the RELATED,ESTABLISHED accept rule that comes earlier in the chain; without that rule every packet of every SSH session would be logged, not just the connection attempts.


--log-level sets the syslog priority of the log line (warning here). I use it so that syslog.conf can route these particular records into another file, as discussed below.

--log-prefix injects a marker in front of each log record; the purpose is to tell blocked connections apart from SSH connections. Note the trailing space inside the quotes, so the prefix does not run into the IN= field that the kernel appends after it.

/etc/syslog.conf is the configuration file of the system log daemon. All logging is basically controlled by syslogd, so to decide which log goes to which file we need to modify /etc/syslog.conf. I am not going to say too much about syslog itself; you can always read up on it with "man syslog.conf".

The iptables log goes to the kern facility of syslog. To direct it to /var/log/iptables, add the line below somewhere in /etc/syslog.conf (kern.warning matches priority warning and everything more severe; use kern.=warning if you want only the warning priority):
kern.warning /var/log/iptables


I would rather not dirty /var/log/messages, which is used for all the general system messages, so I modified the messages rule into this:
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none;\
        kern.!=warning          -/var/log/messages


The added selector kern.!=warning tells syslogd not to write kern messages of priority warning to messages. In sysklogd's syslog.conf syntax the exclamation mark goes after the dot: kern.!=warning excludes exactly the warning priority, while kern.!warning would exclude warning and everything more severe. Selectors on one line are applied left to right, with later selectors overriding earlier ones for the same facility, so the exclusion has to come last.

After that, two final actions and you are done: restart syslogd so it rereads syslog.conf, and reload the firewall rules. (On Ubuntu the syslog init script is called sysklogd; on Red Hat based systems it is called syslog.)
/etc/init.d/sysklogd restart
/etc/init.d/iptables restart


Refer to http://my.opera.com/mysurface/blog/show.dml/289865 if you cannot find an iptables script under /etc/init.d.

p.s.: I don't know why, when I type dmesg, the iptables log is still displayed. I thought dmesg read from messages; it seems that I am wrong.

Disclaimer: I do not take responsibility for the code above being the right way; I just share my experience with iptables. Do it at your own risk.
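As an added example that is not part of the original post, here is a small sh/awk script that summarises the lines the two LOG rules above produce once syslog writes them to /var/log/iptables: refused connections by source, refused connections by destination port, and the sources that opened SSH connections. The log lines embedded in it are constructed to look like the kernel's LOG output (the host name, MAC and addresses are made up); in real use feed the file in instead, for example blocked_by_source < /var/log/iptables.

```shell
#!/bin/sh
# Added example, not from the original post: summarise iptables LOG lines.
# The "BLOCK " and "SSH " markers come from --log-prefix; the kernel appends
# IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT= ... after the prefix.

# Constructed sample of /var/log/iptables (host, MAC and addresses made up).
SAMPLE_LOG='Jun  8 18:45:01 box kernel: BLOCK IN=eth0 OUT= MAC=00:0c:29:3e:7a:1b:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4402 DF PROTO=TCP SPT=3189 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jun  8 18:45:02 box kernel: BLOCK IN=eth0 OUT= MAC=00:0c:29:3e:7a:1b:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4403 DF PROTO=TCP SPT=3190 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jun  8 18:46:10 box kernel: SSH IN=eth0 OUT= MAC=00:0c:29:3e:7a:1b:00:50:56:c0:00:08:08:00 SRC=198.51.100.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51432 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  8 18:46:11 box kernel: BLOCK IN=eth0 OUT= MAC=00:0c:29:3e:7a:1b:00:50:56:c0:00:08:08:00 SRC=198.51.100.7 DST=192.168.1.10 LEN=404 TOS=0x00 PREC=0x00 TTL=49 ID=2581 PROTO=UDP SPT=1026 DPT=1434 LEN=384
Jun  8 18:47:30 box kernel: SSH IN=eth0 OUT= MAC=00:0c:29:3e:7a:1b:00:50:56:c0:00:08:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=61342 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  8 18:47:55 box kernel: BLOCK IN=eth0 OUT= MAC=00:0c:29:3e:7a:1b:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4410 DF PROTO=TCP SPT=3191 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0'

# "count source" for refused connections, most active source first.
blocked_by_source() {
    awk '/kernel: BLOCK / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) n[substr($i, 5)]++
         }
         END { for (s in n) printf "%d %s\n", n[s], s }' |
    sort -k1,1nr -k2,2
}

# "count PROTO/port": which services the scanners are probing.
blocked_by_port() {
    awk '/kernel: BLOCK / {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (dpt != "") n[proto "/" dpt]++
         }
         END { for (k in n) printf "%d %s\n", n[k], k }' |
    sort -k1,1nr -k2,2
}

# Sources that opened SSH connections, in first-seen order.  Because the
# "SSH " rule sits in front of the ACCEPT rule, these connections were let
# through, not refused; compare the list with what sshd itself logged.
ssh_sources() {
    awk '/kernel: SSH / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) {
                    s = substr($i, 5)
                    if (!(s in seen)) { seen[s] = 1; print s }
                }
         }'
}

echo "Refused connections by source:"
printf '%s\n' "$SAMPLE_LOG" | blocked_by_source
echo "Refused connections by port:"
printf '%s\n' "$SAMPLE_LOG" | blocked_by_port
echo "Sources of accepted SSH connections:"
printf '%s\n' "$SAMPLE_LOG" | ssh_sources
```

The three functions only read the SRC=, PROTO= and DPT= fields, so they work on any LOG line regardless of which other fields the kernel adds for a given protocol.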

Firewall under ubuntu dapper


I realized that Ubuntu doesn't come with default firewall settings like FC5, CentOS and RH do: when you list the firewall rules, it returns an empty list. An easy solution is to install a front-end firewall package such as firestarter. I found that firestarter is great and very easy to configure, but it is not flexible. The better solution is to use the iptables package directly.

I have FC5 installed, so I studied the way FC5 defines its firewall rules and came up with something so that my Ubuntu is protected too. FC5 has very good service scripts that can be used to start and stop daemon services easily. For example, to start the ssh service on Ubuntu (a Debian based OS), you need to do this:
sudo /etc/init.d/ssh start


With FC5 and the other RH based distros, you do this:
service sshd start


And it applies to all services, including setting up and flushing the firewall rules.

iptables comes with two companion tools, iptables-save and iptables-restore, and I used these three programs to do my tricks. iptables-save writes the rules currently applied to a file, which you can later load back with iptables-restore. Okay, first I copy the rules from my FC5 box:
iptables-save > iptables.conf


The file is shown below; bear in mind I have edited it to add some extra rules.
# Generated by iptables-save , edited by surface, Thu Jun  8 18:42:02 MYT 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:623]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -j LOG --log-level warning
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun  8 18:43:43 MYT 2006


Don't ask me to explain the rules in detail; some of them I have no idea how they work, my knowledge of iptables is only 2%, but I know they work. I store iptables.conf in /etc and am going to write a script to start and stop the rules just like the other daemons. Again, I grabbed the code from FC5, but it does not work directly without modification, so I erased the lines I could not understand and left the few clean, simple commands I wanted. To start the firewall rules you need to restore them: iptables-restore < /etc/iptables.conf does the trick. To stop? iptables -F, which flushes all the rules. Note that flushing only removes the rules; the built-in chains keep the ACCEPT policy from the file above, so after "stop" every connection is allowed in. To restart? Same as start, since iptables-restore replaces the whole table anyway. To show status? iptables -L (add -n to skip the reverse DNS lookups and -v to see the packet counters). That's it, my creepy code is shown below:

#!/bin/sh
#
# iptables      Start iptables firewall
#
# description:  Starts, stops and shows the status of the iptables firewall
#
. /lib/lsb/init-functions

IPTABLES=iptables
RULES=/etc/iptables.conf

if [ ! -x /sbin/$IPTABLES ]; then
    log_warning_msg "/sbin/$IPTABLES does not exist."
    exit 0
fi

if lsmod 2>/dev/null | grep -q ipchains ; then
    log_warning_msg "ipchains and $IPTABLES can not be used together."
    exit 0
fi

case "$1" in
    start)
        # iptables-restore replaces the whole table with the saved rules in
        # one step, so "start" on a running firewall is also a safe restart.
        log_daemon_msg "Setting up iptables rules from $RULES"
        iptables-restore < "$RULES"
        log_end_msg $?
        ;;
    stop)
        # Flushing removes the rules but leaves the built-in chains at their
        # ACCEPT policy: after "stop" everything is allowed in.
        log_daemon_msg "Flushing iptables rules"
        $IPTABLES -F
        log_end_msg $?
        ;;
    restart)
        $0 start
        ;;
    status)
        $IPTABLES -L -n -v
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
        ;;
esac

exit 0


This script has to be stored in /etc/init.d, and to start it automatically at boot you need to create a symlink in rc2.d, which is the default run level my Ubuntu uses (update-rc.d can create the links for you as well):
ln -s /etc/init.d/iptables /etc/rc2.d/S08iptables


To start, try /etc/init.d/iptables start
P.S. iptables-restore skips empty lines and lines beginning with "#" (the file above keeps the comment lines iptables-save itself writes), but otherwise the file must keep exactly the form iptables-save produces: each table introduced by a *table line, the chain declarations, the rules, and a closing COMMIT. A stray line makes the whole restore fail, and because nothing is applied until COMMIT, a failed restore leaves the rules that were already loaded untouched.
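iptables-restore only reports a terse "line N failed" when a saved file is wrong, and a mis-ordered rule (a LOG placed below the catch-all REJECT, as discussed in the logging post) loads without any error at all. As an added example that is not part of the original post, here is a small sh/awk checker you can run on /etc/iptables.conf before loading it. It checks that every -A rule sits inside a *table ... COMMIT block, appends only to a chain declared in that table (the :NAME lines) or to a built-in chain, and does not come after an unconditional ACCEPT, DROP or REJECT in the same chain, where it could never match. The two rule sets embedded below are constructed: the first is the file from this post, the second has the LOG rule moved below the REJECT.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an iptables-save
# style file before handing it to iptables-restore.  The function reads the
# file on stdin; its exit status is the number of problems found.
lint_restore_file() {
    awk '
        function issue(msg) { print msg; problems++ }
        BEGIN { problems = 0; table = ""; committed = 1 }
        /^$/ || /^#/ { next }            # iptables-restore skips these too
        /^\*/ {                          # *filter, *nat, ... starts a table
            if (table != "" && !committed)
                issue("table " table " has no COMMIT")
            table = substr($0, 2); committed = 0
            split("", declared); split("", catchall)
            next
        }
        /^:/ {                           # :CHAIN POLICY [pkts:bytes]
            sub(/^:/, ""); declared[$1] = 1; next
        }
        /^COMMIT$/ { committed = 1; next }
        /^-A / {
            chain = $2
            if (table == "") {
                issue("line " NR ": rule outside of any *table block"); next
            }
            if (!(chain in declared) && chain !~ /^(INPUT|FORWARD|OUTPUT|PREROUTING|POSTROUTING)$/)
                issue("line " NR ": chain " chain " is not declared in table " table)
            if (chain in catchall)
                issue("line " NR ": rule in chain " chain " comes after an unconditional " catchall[chain] " and can never match")
            # "-A CHAIN -j TARGET" with no match options matches every packet;
            # with a terminating target nothing below it in the chain is reachable.
            if ($0 ~ /^-A [^ ]+ -j (ACCEPT|DROP|REJECT)( --reject-with [^ ]+)?$/)
                catchall[chain] = $4
            next
        }
        { issue("line " NR ": unrecognised line: " $0) }
        END {
            if (table != "" && !committed) issue("table " table " has no COMMIT")
            exit problems
        }
    '
}

# Constructed input 1: the rule set from this post, comments included.
GOOD_RULES='# Generated by iptables-save , edited by surface, Thu Jun  8 18:42:02 MYT 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:623]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -j LOG --log-level warning
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun  8 18:43:43 MYT 2006'

# Constructed input 2: same idea, but the LOG rule sits below the REJECT.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -j LOG --log-level warning --log-prefix "BLOCK "
COMMIT'

check() {   # check NAME RULESET: run the linter and report the verdict
    rc=0
    printf '%s\n' "$2" | lint_restore_file || rc=$?
    if [ "$rc" -eq 0 ]; then echo "$1: ok"; else echo "$1: $rc problem(s)"; fi
}
check good "$GOOD_RULES"
check bad "$BAD_RULES"
```

The catch-all test is deliberately narrow: it only flags a rule that consists of nothing but -A CHAIN -j TARGET, so rules with match options (-p, -m state, -i lo) are never reported, and a chain can only be "closed" by a terminating target, never by a jump to a user chain or by LOG.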

iptables-save and iptables-restore


You can save your current iptables rules to a file and restore them later. No matter which GUI or front-end firewall tool you use, as long as it uses iptables, you can list the active rules with (add -n to skip the reverse DNS lookups)
sudo iptables -L

If you want to save your current iptables rules, invoke iptables-save:
iptables-save > firewall

The text file firewall is created; you can edit the rules and load them again with iptables-restore:
iptables-restore < firewall


Red Hat, Fedora Core and CentOS have an iptables script under /etc/init.d that you call with
service iptables start | stop | restart

If I am not mistaken, the iptables rules are defined in /etc/sysconfig/iptables.

Unfortunately, it does not exist in Ubuntu, so you may want to write your own firewall script to start and stop the firewall. The simplest way is to write an executable script in /etc/rc2.d (named with the S prefix the rc scripts look for) that does
iptables-restore < /etc/firewall
where /etc/firewall contains your iptables rules.

I haven't tried that; by rights it should work. The disadvantage is that the stop, start and restart functions are not defined, so it is less flexible.

Run firestarter in the background


One of the disadvantages of firestarter is that it is a resource eater. If you leave firestarter running for a long time, your free RAM keeps shrinking, and when you close firestarter, wow, the RAM is freed again. (I use gkrellm to monitor my box's resources.)

I suspect it is because firestarter keeps adding entries to its blocked-events list, as 24-7 there are so many strangers all around the world scanning my box and being blocked by firestarter. So how do I resolve this if I want firestarter to continue protecting my box while not wasting my RAM?

I discovered that when I close firestarter, the firewall rules stay. I checked my iptables and the rules were still there, until I rebooted my system.
sudo iptables -L


Secondly, I found a script in /etc/init.d called "firestarter". That means I can load the firewall rules firestarter defines without starting the GUI, which is great!

I quickly created a symlink in /etc/rc2.d and rebooted my system.
sudo ln -s /etc/init.d/firestarter /etc/rc2.d/S20firestarter


It works! But now I can't get the information about who is scanning my ports. I am wrong! I can still get the information, since firestarter does store everything in /var/log/messages. So if I want to see the latest 20 blocked packets I can do this:
dmesg | tail -n 20


Update:
tail -n 20 /var/log/messages
Although it shows the same records, this way shows more info, since the syslog lines carry the date, time and host name in front of each record.

Using Firestarter in Ubuntu to set up a firewall


By default Ubuntu doesn't come with a firewall, unlike other distros. But setting up a firewall can be very easy using Firestarter. Setting up a firewall in Linux can be very flexible using iptables: you can customize your firewall by writing iptables scripts, which can get very complex, and iptables is not only used to define firewall rules, it can also be used for bandwidth monitoring, port forwarding, etc. But if you only want a simple firewall to protect your box, I suggest you try firestarter.

Why I want to setup firewall?

Before I decided to set up a firewall, I always asked myself why I would want one. At first I didn't really care. But after I used firestarter (firestarter has a real-time monitor that tracks active connections and blocked connections) I discovered that so many hosts keep scanning my ports. Why would I want to let them scan my ports? The feeling is just like opening your windows (NOT the Microsoft OS) and having people spy on you through them.

How to setup firewall using firestarter?

By default, firestarter denies most inbound ports and opens all ports for outbound. That means with the default settings it blocks inbound connections to services such as IRC, GAIM, eDonkey, SSH, Samba, DHCP etc., so other users will have problems reaching those ports on your box. You will therefore want to allow those ports for outsiders.

1. On the Policy tab, select Inbound traffic policy.
2. Select the second pane, which has the Allow service, port and for fields.
3. Click the Add rule button.
4. Select the service you want to allow, let's say Samba (smb).
5. You can allow it to anyone, but I only allow it to hosts within my subnet.
6. My subnet runs from 192.168.1.1 to 192.168.1.254.
7. So I select the "IP, host or network" option and enter "192.168.1.0/24".
(To understand why that is written 192.168.1.0/24, read up on IP subnetting.)
8. Select Outbound traffic policy and make sure "Permissive by default, blacklist traffic" is selected.
9. Click Apply rules and start the firewall.

Below are common ports to open that are not predefined in firestarter:

1. eDonkey network 4662-4672
2. MSN Messenger (also what GAIM uses for MSN accounts) 1863; Yahoo Messenger uses 5050
3. ircd 6667-6670 (the default IRC port is 6667)
4. MSN file transfer 6891-6900

To learn which ports serve what purpose, go
here, in case you want to allow another port for your application.

[Update]
To search for a port: http://ports.tantalo.net/
IRC: chat.freenode.net does an ident lookup on TCP port 113, i.e. the server connects back to the client before letting it in. I faced some delay logging in to the server, so accept freenode-ip:113 tcp. Rejecting that port instead of silently dropping it also removes the delay, because the server then gets an immediate refusal instead of waiting for a timeout.