Thursday, March 27, 2014

This post is a continuation of the previous post on some of the basic functions of the linux firewall.

To match a specific set of tcp flags, execute:

iptables -A INPUT -p tcp --tcp-flags FIN,PSH,URG FIN,PSH,URG -j DROP

--tcp-flags - Match the specified tcp flags.  The first list names the flags to examine, in this case, FIN,PSH,URG.  The second list names which of the examined flags must be set, in this case, FIN,PSH,URG.  This statement explicitly drops the Xmas tree scan from nmap.  If you want to make sure a specific flag is unset, examine it but leave it off of the second list, e.g. --tcp-flags FIN,PSH,URG FIN,PSH.  This statement examines FIN,PSH,URG, and matches only if FIN and PSH are set and URG is unset.  You can use an exclamation point to reverse the meaning of the match, e.g.  ! --tcp-flags FIN,PSH,URG FIN,PSH,URG matches whenever FIN, PSH and URG are not all set.

To limit the number of connections, execute:

iptables -A INPUT -p tcp --tcp-flags SYN SYN -m limit --limit 3/s --limit-burst 5 -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN SYN -j LOG --log-prefix SYN-ATTACK:
iptables -A INPUT -p tcp --tcp-flags SYN SYN -j DROP

-m limit - use the limit module.
--limit - Specify the maximum average matching rate, e.g. 3/s.  The unit can also be /m (minute), /h (hour) or /d (day).
--limit-burst - Specify the maximum initial number of packets to match.  The burst allowance is refilled, one packet per interval of the --limit rate, whenever the actual matching rate stays below the specified --limit.

The statements following the limit statement log any packets that go above the threshold and drop them.
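To see what --limit and --limit-burst actually do to a burst of SYNs, here is a small token-bucket model of the limit module.  This is an added example, not code from the post; the model (bucket starts full at the burst size, refills at the --limit rate, one whole token per matched packet) is an assumption that follows the module's documented behaviour, and the function names are ours.

```sh
#!/bin/sh
# Added example (not from the original post): a token-bucket model of
# "-m limit --limit RATE/s --limit-burst BURST".
# Assumed model: the bucket starts full with BURST tokens, refills at RATE
# tokens per second up to BURST, and a packet matches only when a whole
# token is available (the real module counts in jiffies, so exact timing
# differs slightly).
# Usage: limit_sim RATE BURST "t1 t2 t3 ..."   (packet arrival times in seconds)

limit_sim() {
    rate=$1; burst=$2; times=$3
    [ -n "$times" ] || return 0
    printf '%s\n' $times | awk -v rate="$rate" -v burst="$burst" '
        BEGIN { tokens = burst; last = 0 }
        {
            t = $1 + 0
            tokens += (t - last) * rate          # refill for the elapsed time
            if (tokens > burst) tokens = burst   # never more than the burst
            last = t
            if (tokens >= 1) { tokens -= 1; print "t=" t " MATCH" }
            else             { print "t=" t " OVER (logged/dropped)" }
        }'
}

# Number of packets in the timeline that the limit rule would ACCEPT.
limit_sim_matched() {
    limit_sim "$1" "$2" "$3" | awk '/ MATCH$/ { n++ } END { print n + 0 }'
}

# Six SYNs at t=0 and five more one second later, against --limit 3/s
# --limit-burst 5: the first five pass, the sixth is over the burst, and
# only three of the second batch pass because one second refills three tokens.
limit_sim 3 5 "0 0 0 0 0 0 1 1 1 1 1"
```

Run it with the rule from this post (3/s, burst 5): ten SYNs in the same instant let exactly five through, and a client that sends one SYN every two seconds never trips the limit, which is the behaviour you want before the LOG and DROP rules below it take over.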

Tuesday, March 25, 2014

This post is a continuation of the previous post on some of the basic functions of the linux firewall.

To block traffic at layer 2 by mac address, execute:

iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j DROP

-m - specifies an extension module to test for a specific property.  You can see a list of possible command line options for a specific module by adding on a -h after the "-m mac" option, in this case, --mac-source is the only available option for this module.  You can see a list of all possible modules in the man page of iptables-extensions.
--mac-source - source mac address of the ethernet frame to drop.

To block ping requests, execute:

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

-p icmp - specifies the protocol of the packet to check
--icmp-type - the type of icmp packet to match.  A full list of possibilities can be seen by executing iptables -p icmp -h.  If you want to tell the source why the ping was refused instead of silently dropping it, use -j REJECT with its --reject-with option in place of -j DROP.

To block a range of addresses, execute:

iptables -A INPUT -m iprange --src-range 1.1.1.1-1.1.1.10 -j DROP

-m iprange - specifies an extension module to test for a specific property.  You can see a list of possible command line options for a specific module by adding on a -h after the "-m iprange" option, in this case, --src-range and --dst-range are the only available options for this module.

Thursday, March 20, 2014

This post is a continuation of the previous post on some of the basic functions of the linux firewall.

To block all incoming traffic, but allow outgoing traffic, execute:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-m - specifies an extension module to test for a specific property.  You can see a list of possible command line options for a specific module by adding on a -h after the "-m state" option, in this case, --state is the only available option for this module.
--state - specifies state to match, which can be [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED]
-j - jump to the specified target chain.

The last rule is saying to allow return traffic for connections that originated from the host (ESTABLISHED), plus traffic related to them such as ICMP errors (RELATED), back in.  Accepting NEW on INPUT here would let any outside host open a connection and defeat the DROP policy.
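Because a single ACCEPT of NEW on INPUT quietly undoes the DROP policy above, it is worth checking a saved ruleset for it before loading.  The following audit script is an added example, not code from the post or from the iptables project: it reads iptables-save output, prints each chain's policy, and flags INPUT rules that accept NEW without a --dport, --sport or -s restriction.  The function names and the embedded sample dump are ours.

```sh
#!/bin/sh
# Added example: audit an iptables-save dump for rules that accept NEW
# connections on INPUT with no port or source restriction.  Such a rule
# defeats a DROP policy on the chain.  Function names are ours, not iptables'.
# Usage: iptables-save | audit_rules

# Constructed sample dump in iptables-save format (not from a real host).
sample_dump() {
    printf '%s\n' \
        '# Generated by iptables-save' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT' \
        '-A INPUT -s 1.1.1.1/32 -j DROP' \
        'COMMIT'
}

# Print the policy of every chain, then flag each INPUT rule that accepts
# NEW (state or conntrack match) and carries no --dport/--sport/-s restriction.
audit_rules() {
    awk '
        /^:/ { chain = substr($1, 2); print "policy " chain " " $2 }
        /^-A INPUT / && /-j ACCEPT/ && /--(ct)?state [A-Z,]*NEW/ {
            if ($0 !~ /--dport|--sport|(^| )(! )?-s |--source/)
                print "open-new: " $0
        }'
}

# Number of findings, so a deploy script can abort when it is non-zero.
audit_open_new_count() {
    audit_rules | awk '/^open-new: / { n++ } END { print n + 0 }'
}

# On the sample: three policy lines and one finding (the NEW,ESTABLISHED rule).
sample_dump | audit_rules
```

The port-22 rule is not reported because it is scoped to one port; a rule scoped only by interface (-i) is still reported, since whether an internal interface may accept NEW is a judgement the script cannot make for you.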

To block a specific source ip address, execute:

iptables -A INPUT -s 1.1.1.1 -j DROP

To block an entire source network, execute:

iptables -A INPUT -s 1.1.1.1/8 -j DROP

To block a specific port, execute:

iptables -A INPUT -p tcp --dport 80 -j DROP

-p - specify the protocol to inspect
--dport - specify the port to match

To block traffic to a specific destination host or destination subnet, execute:

iptables -A OUTPUT -d 1.1.1.1 -j DROP
iptables -A OUTPUT -d 1.1.1.1/8 -j DROP

Tuesday, March 18, 2014

This post will go over some of the basic functionality of iptables, the linux firewall.

To reset the rules of the firewall, execute:

iptables -F # delete every rule in every chain of the table
iptables -X # delete every non-builtin chain in the table
iptables -t nat -F # default table is filter, need to specify other tables.
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

To display the rules of the firewall, as well as packet count/byte count, execute:

iptables -t <table> -L -n -v --line-numbers

-t - specify the table to act on, default is filter if nothing is specified.
-L - list the chains in the default table, which is the filter table.  Use -t to switch tables.
-n - list ip addresses and ports as numbers.
-v - verbose output.
--line-numbers - show the line number of the rule in the chain.

To dump the iptables rules in a form that can be restored later (written to stdout, redirected to a file here), execute:

iptables-save > rules.txt

Rules that get printed out from the format above can be restored by executing:

iptables-restore < rules.txt

To delete a specific rule, use the output from above to get the line number of the rule, and execute:

iptables -D <chain> <line>
e.g. iptables -D INPUT 1

To insert a rule, execute:

iptables -I <chain> <line-number> <rule>
e.g. iptables -I INPUT 2 -s 1.1.1.1 -j DROP

To set the default policy for a chain, execute:

iptables -P <chain> <policy>
e.g. iptables -P INPUT DROP

To log a rule, execute:

iptables -A <chain> <rule> -j LOG --log-prefix "Log Rule: "
e.g. iptables -A INPUT -s 1.1.1.1 -j LOG --log-prefix "Log Rule: "

Note that --log-prefix can be up to 29 characters long, and is useful for grepping through logs.  You may want to also limit the number of logs generated.  This can be done by adding on:

-m limit --limit <average-limit> --limit-burst <burst-limit>
e.g. iptables -A INPUT -s 1.1.1.1 -m limit --limit 3/m --limit-burst 5 -j LOG \
--log-prefix "Log Rule: "

Note that the LOG target is non-terminating, meaning that after it fires, evaluation continues with the next rule in the chain; to actually drop the packet you still need a DROP rule after it.
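The prefix is only useful if something on the other end reads the logs.  As an added example (not code from the post), the script below summarizes kernel LOG lines by prefix, reporting source address, destination port and protocol with a hit count, most frequent first.  The sample syslog lines are constructed, but their field layout (SRC=, DPT=, PROTO=) is what the LOG target writes; the function names are ours.

```sh
#!/bin/sh
# Added example: summarize iptables LOG entries by their --log-prefix.
# Usage: log_summary 'Log Rule:' < /var/log/messages

# Constructed syslog lines in the LOG target's format (not real traffic).
sample_log() {
    printf '%s\n' \
        'Mar 18 10:01:02 host kernel: Log Rule: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=1.1.1.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0' \
        'Mar 18 10:01:03 host kernel: Log Rule: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=1.1.1.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0' \
        'Mar 18 10:01:04 host kernel: Log Rule: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=1.1.1.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0' \
        'Mar 18 10:01:05 host kernel: Log Rule: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=1.1.1.1 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1' \
        'Mar 18 10:01:06 host kernel: Log Rule: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=2.2.2.2 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=5 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0' \
        'Mar 18 10:01:07 host kernel: SYN-ATTACK:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=3.3.3.3 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=6 DF PROTO=TCP SPT=6000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0'
}

# Print "SRC DPT PROTO count" for every line carrying PREFIX, most frequent first.
# Lines without a DPT field (ICMP, for example) get "-" in that column.
log_summary() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        {
            src = "-"; dpt = "-"; proto = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            count[src " " dpt " " proto]++
        }
        END { for (k in count) print k, count[k] }' | sort -k4,4nr -k1,1
}

# The source address with the most logged hits for PREFIX.
log_top_src() {
    log_summary "$1" | awk 'NR == 1 { print $1 }'
}

# On the sample: 1.1.1.1 leads with three SYNs to port 80 under "Log Rule:".
sample_log | log_summary 'Log Rule:'
```

Point it at the real log (`log_summary 'Log Rule:' < /var/log/messages`) and the 29-character prefix does the filtering, so entries from the SYN-ATTACK rule of the later post stay out of this report unless you ask for that prefix instead.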

Thursday, March 13, 2014

This post will go over booting into rescue mode in CentOS.  To be able to boot into rescue mode, you will need to boot to the install media and select "Rescue installed system".

You will then need to pick a language, keyboard, and whether or not you want networking enabled.  Depending on the situation, you can then try to mount the system as read-write, read-only, or skip mounting the system.

Assuming the system has started successfully and the filesystems have been mounted, you are now in runlevel 1 with a temporary root filesystem at /, and the actual system filesystems mounted under /mnt.

You can then chroot to that filesystem to execute commands as if you had booted the actual OS.  This lets you troubleshoot the system without the need for a full boot.

If all you need is root access to the local filesystem, you can boot into runlevel 1 from the grub boot screen by appending the word "single" to the end of the kernel line.

Tuesday, March 11, 2014

This post will go over some basic commands you can use in the Grub CLI to try to boot a system that is having trouble.

When the system is coming up, be sure to press a key at the initial grub screen so the system does not try to boot automatically.  Once at the OS selection screen, press "c" to enter the grub cli.

In the grub cli, you can issue "help" for a list of commands.

To see what hard disks are available, you can use auto completion.  Start by typing in "root (hd" then tab to get a list of hard disks and partitions.  In this case, there is only one hard disk, and two partitions.

You can now do the same thing to view a list of files on the ext2 boot partition.  Type in "kernel (hd0,0)/" then tab to see a list of files.  In this case, vmlinuz-2.6.32-431.el6.i686 looks like a usable kernel.

If necessary, you can also add in the initial ramdisk.

You can now try booting the system with the "boot" command.

Thursday, March 6, 2014

This post will go over how to create flavours in FreeBSD.  Flavours are directories that are copied over to a jail upon creation, and can make commonly created jails easier to deploy.

Step 1:
Create a directory for the flavour you want to have available.  This setup will have one "vanilla" jail that all other jails will be built from.  This vanilla jail is built from the example.local jail in the previous post.

cp -R /usr/jails/example.local /usr/jails/flavours/vanilla

Step 2:
Create a new jail using the "vanilla" flavour.  Be sure to add the necessary ip address to rc.conf, and restart the netif service.

echo 'ifconfig_em0_alias1="inet 10.0.2.21 netmask 255.0.0.0"' >> /etc/rc.conf
/etc/rc.d/netif restart
ezjail-admin create -f vanilla nginx01.local 10.0.2.21

Step 3:
Console in to the newly created jail and add the necessary packages and make any changes for the nginx flavour.

ezjail-admin console nginx01.local
pkg install nginx
echo 'nginx_enable="YES"' >> /etc/rc.conf

Step 4:
Exit and stop the jail.  Copy the directory of the nginx01.local jail to a new directory under flavours, in this case, webserver-nginx.  Delete the original jail.  Note that 10.0.2.21 is now available for re-use in another jail.

ezjail-admin stop nginx01.local
cp -R /usr/jails/nginx01.local /usr/jails/flavours/webserver-nginx
ezjail-admin delete -w -f nginx01.local

Step 5:
You now have a "webserver-nginx" flavour available for easy creation.  The next time you need a jail for hosting nginx, be sure to have a free ip and execute

ezjail-admin create -f webserver-nginx nginx02.local 10.0.2.21
ezjail-admin start nginx02.local

Tuesday, March 4, 2014

This post will go over how to create a jail in FreeBSD.  In this case, FreeBSD 10.0 is being used, and ezjail will be used to manage the jails.

Step 1:
Install ezjail-admin.  FreeBSD 10.0 uses pkgng for package management, so installation can be accomplished with

pkg install ezjail

Step 2:
Install the base jail.  In this example, the binary applications will be used.

ezjail-admin install

This creates the base jail in /usr/jails/basejail that all other jails will use.  The filesystem is mounted inside the jail as a read-only filesystem.  This creates a single point for base system management and saves disk space.

Step 3:
Create the jail.  In this case, "example.local" is the jail name, and 10.0.2.20 is the ip address.

ezjail-admin create example.local 10.0.2.20

The configuration file for the new jail will be /usr/local/etc/ezjail/example_local.  Be sure to add in the ip alias on the host system, and to verify the jail binds to the address.

echo 'ifconfig_em0_alias0="inet 10.0.2.20 netmask 255.0.0.0"' >> /etc/rc.conf
 
Step 4:
Enable ezjail at boot and start the service.

echo 'ezjail_enable="YES"' >> /etc/rc.conf
service ezjail start

You can verify the jail is running with jls.

JID     IP Address     Hostname          Path
1       10.0.2.20      example.local     /usr/jails/example.local


Step 5:
To access a jail console, use

ezjail-admin console example.local

Any modifications to the jail outside of the base system will now be stored in the /usr/jails/example.local directory.  You may need to add a nameserver to the new jail to be able to add packages.  Something like "echo 'nameserver 8.8.8.8' > /etc/resolv.conf" from the jail console should do.  You can stop and start a particular jail with the command

service ezjail start <jailname>
service ezjail stop <jailname>
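Both this post (Step 3) and the flavours post (Steps 2 and 5) hinge on appending the right ifconfig_em0_aliasN line to rc.conf and on picking an IP that is actually free.  The helpers below are an added example, not part of the posts or of ezjail: they read rc.conf, find the lowest unused alias index for an interface, refuse an IP that some alias already carries, and print the line to append.  Function names are ours; the rc.conf syntax is FreeBSD's, and the sample rc.conf is constructed.

```sh
#!/bin/sh
# Added example (not from the posts or ezjail): rc.conf alias bookkeeping so a
# new jail never reuses an index or an IP that is already configured.

# Constructed rc.conf mirroring the host after the jail post's Steps 3 and 4.
sample_rcconf() {
    printf '%s\n' \
        'hostname="jailhost.local"' \
        'ifconfig_em0="DHCP"' \
        'ifconfig_em0_alias0="inet 10.0.2.20 netmask 255.0.0.0"' \
        'ezjail_enable="YES"' > "$1"
}

# Lowest N for which ifconfig_<iface>_aliasN is not yet set in the file.
next_alias_index() {
    iface=$1; rcconf=$2; n=0
    while grep -q "^ifconfig_${iface}_alias${n}=" "$rcconf"; do
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Succeeds if some alias line already carries the given IP (dots escaped so
# 10.0.2.2 does not match 10.0.2.20).
ip_in_use() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^ifconfig_[A-Za-z0-9]+_alias[0-9]+=.*inet ${esc}( |\"|$)" "$2"
}

# Print the rc.conf line to append for IP on IFACE, or fail if IP is taken.
alias_line() {
    iface=$1; ip=$2; mask=$3; rcconf=$4
    if ip_in_use "$ip" "$rcconf"; then
        printf 'error: %s is already configured in %s\n' "$ip" "$rcconf" >&2
        return 1
    fi
    idx=$(next_alias_index "$iface" "$rcconf")
    printf 'ifconfig_%s_alias%s="inet %s netmask %s"\n' "$iface" "$idx" "$ip" "$mask"
}

# Demonstration on the constructed file: alias0 holds 10.0.2.20, so 10.0.2.21
# becomes alias1, and asking for 10.0.2.20 again is refused.
tmp=$(mktemp)
sample_rcconf "$tmp"
alias_line em0 10.0.2.21 255.0.0.0 "$tmp"
alias_line em0 10.0.2.20 255.0.0.0 "$tmp" || echo "refused as expected"
rm -f "$tmp"
```

On a real host you would run `alias_line em0 10.0.2.21 255.0.0.0 /etc/rc.conf >> /etc/rc.conf` before `/etc/rc.d/netif restart` and `ezjail-admin create`; because the function fails instead of printing when the IP is taken, nothing is appended in that case.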