Brother Bird's Server "Ten" Firewall

Posted by tomc_1 on Fri, 12 Jul 2019 19:34:23 +0200

  1. TCP Wrappers
    TCP Wrappers is a firewall-like mechanism managed by two files

    /etc/hosts.allow
    /etc/hosts.deny


Not every program honours these two files; only two kinds of service can have their access rules managed through them:
Services managed by the super daemon (xinetd)
Services linked against the libwrap.so library
```
# Check whether xinetd is installed; if not, install it, then list the services xinetd manages.
[root@CentOS ~]# yum install xinetd
[root@CentOS ~]# chkconfig xinetd on
[root@CentOS ~]# chkconfig --list
    chargen-stream: off
    daytime-dgram:  off
    daytime-stream: off
    discard-dgram:  off
    discard-stream: off
    echo-dgram:     off
    echo-stream:    off
    rsync:          off
    tcpmux-server:  off
    time-dgram:     off
# All of the services above can easily be controlled by TCP Wrappers.

# Question: do rsyslogd, sshd, xinetd and httpd (install any that are missing) support blocking through TCP Wrappers?
[root@CentOS ~]# ldd $(which rsyslogd sshd xinetd httpd)   # the full output is long; inspect it yourself

[root@CentOS ~]# for name in rsyslogd sshd xinetd httpd; do echo $name; ldd $(which $name) | grep libwrap; done
rsyslogd
sshd
    libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f6204e8b000)
xinetd
    libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fc8102cf000)
httpd
# If a libwrap line appears, the program links the library and supports TCP Wrappers. So sshd and xinetd
# are supported, while rsyslogd and httpd are not: httpd and rsyslogd cannot be controlled through
# /etc/hosts.{allow|deny}.
```
  1. Settings of /etc/hosts.{allow|deny}

    # Syntax

    <service (program name)> : <IP, domain or hostname>

    # The < > symbols above do not appear in the configuration file

    The order in which the rules are evaluated:
    1. /etc/hosts.allow is checked first; if a rule matches, the connection is allowed.
    2. /etc/hosts.deny is checked next; if a rule matches, the connection is refused.
    3. If no rule in either file matches, the connection is allowed.

    # Allow 127.0.0.1 to use any local service; let the LAN (192.168.1.0/24) use rsync and also let 10.0.0.100 use rsync, but no other source may use rsync.

    [root@CentOS ~]# cat /etc/xinetd.d/rsync
    # default: off
    # description: The rsync server is a good addition to an ftp server, as it \
    #   allows crc checksumming etc.
    service rsync
    {
        disable = yes
        flags       = IPv6
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync  # program that starts the rsync service; its name is rsync
        server_args     = --daemon
        log_on_failure  += USERID
    }

    # Because the rsync service is started by a program named rsync, the rules are written as follows:

    [root@CentOS ~]# vim /etc/hosts.allow
    ALL: 127.0.0.1
    rsync: 192.168.1.0/255.255.255.0 10.0.0.100  # the 192.168.1.0/24 notation is not supported here

    [root@CentOS ~]# vim /etc/hosts.deny
    rsync: ALL
    
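As an added example (not code from the original post), the following Python script applies the evaluation order above, hosts.allow first, hosts.deny second, otherwise permitted, to file contents constructed to mirror the rsync rules. Which client patterns it accepts (ALL, a single address, net/mask, net/len, a trailing-dot prefix) is the evaluator's own assumption about the syntax; the page itself only uses ALL, a single address and the net/mask form.

```python
import ipaddress

# Constructed file contents mirroring the rsync example above.
HOSTS_ALLOW = """
ALL: 127.0.0.1
rsync: 192.168.1.0/255.255.255.0 10.0.0.100
"""
HOSTS_DENY = """
rsync: ALL
"""

def parse_access_file(text):
    """Return a list of (daemon_list, client_list) entries, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        # daemon lists may be separated by commas or blanks, e.g. "sshd, vsftpd:"
        entries.append((daemons.replace(",", " ").split(), clients.replace(",", " ").split()))
    return entries

def client_matches(pattern, addr):
    """One client pattern: ALL, a single address, n.n.n.n/m.m.m.m or n.n.n.n/len, or a 'n.n.' prefix."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # leading-octet prefix such as 192.168.1.
        return str(addr).startswith(pattern)
    if "/" in pattern:                        # netmask form used on this page, or a CIDR length
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)

def entry_matches(entry, daemon, addr):
    """An entry applies when its daemon list names the service (or ALL) and any client pattern matches."""
    daemons, clients = entry
    daemon_ok = "ALL" in daemons or daemon in daemons
    return daemon_ok and any(client_matches(p, addr) for p in clients)

def access_decision(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the page's order: hosts.allow first, then hosts.deny, otherwise permitted."""
    addr = ipaddress.ip_address(client_ip)
    for entry in parse_access_file(allow_text):
        if entry_matches(entry, daemon, addr):
            return "allow"
    for entry in parse_access_file(deny_text):
        if entry_matches(entry, daemon, addr):
            return "deny"
    return "allow"   # no rule in either file: the connection is let through

if __name__ == "__main__":
    for daemon, ip in [("rsync", "192.168.1.77"), ("rsync", "10.0.0.100"),
                       ("rsync", "203.0.113.9"), ("sshd", "203.0.113.9")]:
        print(daemon, ip, access_decision(daemon, ip))
    # Default-deny variant: with "ALL: ALL" in hosts.deny only the hosts.allow entries get in.
    print("sshd", "203.0.113.9", access_decision("sshd", "203.0.113.9", deny_text="ALL: ALL"))
```

The last call shows the consequence of step 3 above: a service with no entry in either file is reachable from anywhere unless hosts.deny ends with a catch-all.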
  2. iptables: Linux packet-filtering software

    The header fields of each packet are compared with the predefined rules in order. If the packet matches a rule, that rule's action is taken; otherwise comparison continues with the next rule.
    If no rule matches, the default policy is applied.
    By default, Linux iptables has at least three tables: filter, which manages packets entering and leaving the local host; nat, which manages the hosts behind the firewall (other computers inside the firewall); and mangle, which manages special packet marks.

    • filter: mainly concerns packets for the local Linux host itself; this is the default table.
      INPUT: packets that want to enter the local Linux host
      OUTPUT: packets sent out by the local Linux host
      FORWARD: unrelated to the local host itself, but closely related to the nat table
    • nat (address translation): mainly translates source or destination IP addresses or ports; it is independent of the local Linux host and mainly concerns the computers in the LAN behind the Linux host.
      PREROUTING: rules applied before the routing decision (DNAT/REDIRECT)
      POSTROUTING: rules applied after the routing decision (SNAT/MASQUERADE)
      OUTPUT: rules for packets sent out by the local host
    • mangle: mainly concerns the special routing marks on a packet.
  3. Viewing and Clearing Rules

    1. View rules

    [root@CentOS ~]# iptables [-t tables] [-L] [-nv]
    -L: list the current rules
    -n: do not resolve IP addresses to hostnames (no reverse DNS), which makes the listing much faster
    -v: list more detailed information
    
    # List rules for filter table
    
    [root@CentOS ~]# iptables -L -n
    Chain INPUT (policy ACCEPT)  #INPUT Chain
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain FORWARD (policy ACCEPT) #FORWARD Chain
    target     prot opt source               destination         
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    
    Chain OUTPUT (policy ACCEPT)  #OUTPUT Chain
    target     prot opt source               destination 
    
    
    # Rules for listing NAT tables
    
    [root@CentOS ~]# iptables -t nat -L -n
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination  
    

    target: the action taken
    prot: the packet protocol the rule applies to
    opt: additional options
    source: the source IP this rule restricts
    destination: the destination IP this rule restricts

    # View the complete firewall rules
    
    [root@CentOS ~]# iptables-save [-t table]
    [root@CentOS ~]# iptables-save
    
    # Generated by iptables-save v1.4.7 on Wed Apr  5 08:30:35 2017
    
    *nat
    :PREROUTING ACCEPT [17:1637]
    :POSTROUTING ACCEPT [1:60]
    :OUTPUT ACCEPT [1:60]
    COMMIT
    
    # Completed on Wed Apr  5 08:30:35 2017
    
    
    # Generated by iptables-save v1.4.7 on Wed Apr  5 08:30:35 2017
    
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1909:187403]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p icmp -j ACCEPT 
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
    -A INPUT -j REJECT --reject-with icmp-host-prohibited 
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited 
    COMMIT
    
    # Completed on Wed Apr  5 08:30:35 2017
    
    

    2. Clear rules

    [root@CentOS ~]# iptables [-t tables] [-FXZ]
    -F: flush all rules that have been set
    -X: delete all user-defined chains
    -Z: zero the packet and byte counters of all chains

    # Clear all rules of the local firewall

    [root@CentOS ~]# iptables -F
    [root@CentOS ~]# iptables -X
    [root@CentOS ~]# iptables -Z

    # This clears all rules but does not change the default policy
    
    
  4. Define default policies
    When a packet matches none of the rules, whether it is passed or not depends on the default policy.

    [root@CentOS ~]# iptables [-t nat] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP]
    -P: define the default policy of a chain
    ACCEPT: the packet is accepted
    DROP: the packet is discarded directly


    # Set the local INPUT policy to DROP and the others to ACCEPT
    
    [root@CentOS Desktop]# iptables -P INPUT DROP
    [root@CentOS Desktop]# iptables -P OUTPUT ACCEPT
    [root@CentOS Desktop]# iptables -P FORWARD ACCEPT
    [root@CentOS Desktop]# iptables-save
    
    # Generated by iptables-save v1.4.7 on Wed Apr  5 08:54:50 2017
    
    *nat
    :PREROUTING ACCEPT [70:6483]
    :POSTROUTING ACCEPT [4:682]
    :OUTPUT ACCEPT [4:682]
    COMMIT
    
    # Completed on Wed Apr  5 08:54:50 2017
    
    
    # Generated by iptables-save v1.4.7 on Wed Apr  5 08:54:50 2017
    
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    
    # Completed on Wed Apr  5 08:54:50 2017
    
    
  5. Basic Comparisons of Packets: IP, Network and Interface Devices

    [root@CentOS ~]# iptables [-AI chain] [-io interface] [-p protocol] [-s source IP/network] [-d destination IP/network] -j [ACCEPT|DROP|REJECT|LOG]
    -A: append a rule to the end of a chain; -I: insert a rule at the top of a chain
    -i/-o: the network interface the packet enters (-i) or leaves (-o) through
    -p protocol: the packet protocol this rule applies to
    -s source: source IP/network
    -d: destination IP/network
    -j: the action to take

    # Make lo a trusted device, i.e. packets arriving on lo are accepted

    [root@CentOS ~]# iptables -A INPUT -i lo -j ACCEPT


    # Accept all packets that come from the intranet 192.168.100.0/24

    [root@CentOS ~]# iptables -A INPUT -i eth1 -s 192.168.100.0/24 -j ACCEPT


    # Accept packets from 192.168.100.10, but discard those from 192.168.100.230

    [root@CentOS ~]# iptables -A INPUT -i eth1 -s 192.168.100.10 -j ACCEPT
    [root@CentOS ~]# iptables -A INPUT -i eth1 -s 192.168.100.130 -j DROP
    
    # View Detailed Rules
    
    [root@CentOS ~]# iptables-save
    
    # Generated by iptables-save v1.4.7 on Wed Apr  5 09:20:57 2017
    
    *nat
    :PREROUTING ACCEPT [132:12351]
    :POSTROUTING ACCEPT [25:2813]
    :OUTPUT ACCEPT [25:2813]
    COMMIT
    
    # Completed on Wed Apr  5 09:20:57 2017
    
    
    # Generated by iptables-save v1.4.7 on Wed Apr  5 09:20:57 2017
    
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -s 192.168.100.0/24 -i eth1 -j ACCEPT 
    -A INPUT -s 192.168.100.10/32 -i eth1 -j ACCEPT 
    -A INPUT -s 192.168.100.203/32 -i eth1 -j DROP 
    COMMIT
    
    # Completed on Wed Apr  5 09:20:57 2017
    
    
    # Log packets matching a rule (written to the kernel log)
    
    [root@CentOS ~]# iptables -A INPUT -s 192.168.2.200 -j LOG
    [root@CentOS ~]# iptables -L -n
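Added example, not code from the original post: a small Python simulator of the first-match evaluation described in section 2, run over INPUT chains in the iptables-save format shown above. The two chains are copied from the listings on this page; the packets are constructed. Only the matches this page uses (-i, -s, -p, --sport, --dport, --icmp-type, -m state --state) are modelled, and LOG is treated as non-terminating, as in iptables; the run over the second chain shows why the per-host DROP appended after the /24 ACCEPT never fires.

```python
import ipaddress

# Options that carry a match condition (or the target); -m and --reject-with are skipped.
MATCH_OPTS = ("-i", "-s", "-p", "-j", "--dport", "--sport", "--state", "--icmp-type")

# INPUT chain from the iptables-save listing in section 3: policy ACCEPT, explicit REJECT last.
DEFAULT_CHAIN = """
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# INPUT chain from section 5: policy DROP, with a /24 ACCEPT placed before a single-host DROP.
ORDERED_CHAIN = """
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.100.0/24 -i eth1 -j ACCEPT
-A INPUT -s 192.168.100.10/32 -i eth1 -j ACCEPT
-A INPUT -s 192.168.100.203/32 -i eth1 -j DROP
"""

def parse_chain(save_text):
    """Return (policy, rules) for the INPUT chain; each rule is a dict of option -> value."""
    policy, rules = "ACCEPT", []
    for line in save_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == ":INPUT":
            policy = tokens[1]
        elif tokens[:2] == ["-A", "INPUT"]:
            rules.append({opt: val for opt, val in zip(tokens, tokens[1:]) if opt in MATCH_OPTS})
    return policy, rules

def in_port_range(port, spec):
    """spec is 'n' or 'lo:hi', the --sport/--dport forms used on this page."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, pkt):
    """Every match option present in the rule must agree with the packet."""
    checks = {
        "-i": lambda v: v == pkt.get("iface"),
        "-s": lambda v: ipaddress.ip_address(pkt.get("src", "0.0.0.0")) in ipaddress.ip_network(v, strict=False),
        "-p": lambda v: v == pkt.get("proto"),
        "--dport": lambda v: in_port_range(pkt.get("dport", -1), v),
        "--sport": lambda v: in_port_range(pkt.get("sport", -1), v),
        "--state": lambda v: pkt.get("state", "NEW") in v.split(","),
        "--icmp-type": lambda v: str(pkt.get("icmp_type")) == v,
    }
    return all(checks[opt](val) for opt, val in rule.items() if opt != "-j")

def verdict(save_text, pkt):
    """Walk the chain top to bottom: the first matching terminating rule wins, else the policy."""
    policy, rules = parse_chain(save_text)
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            if rule["-j"] == "LOG":      # LOG only records the packet; evaluation continues
                continue
            return rule["-j"], number
    return policy, None

if __name__ == "__main__":
    ssh = {"iface": "eth0", "src": "203.0.113.5", "proto": "tcp", "dport": 22, "state": "NEW"}
    print(verdict(DEFAULT_CHAIN, ssh), verdict(DEFAULT_CHAIN, dict(ssh, dport=80)))
    lan = {"iface": "eth1", "src": "192.168.100.203", "proto": "tcp", "dport": 80}
    # Rule 2 (the whole /24) matches before rule 4, so the DROP for .203 is never reached.
    print(verdict(ORDERED_CHAIN, lan), verdict(ORDERED_CHAIN, dict(lan, iface="eth0")))
```

The same walk explains the order used in section 11, where iptables.deny is run before iptables.allow so that its DROP rules precede the broader ACCEPT rules.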
    
  6. Rule comparison for TCP and UDP: port settings

    [root@CentOS ~]# iptables [-AI chain] [-io interface] [-p tcp,udp] [-s source IP/network] [--sport port range] [-d destination IP/network] [--dport port range] -j [ACCEPT|DROP|REJECT]
    --sport port range: restrict the source port number; a range may be given, such as 1024:65535
    --dport port range: restrict the destination port number in the same way

    # Because only TCP and UDP packets carry port numbers, -p tcp or -p udp must be given for --dport and --sport to work.


    # Block packets that want to connect to local port 21

    [root@CentOS Desktop]# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP


    # Allow network neighbourhood connections (UDP ports 137, 138 and TCP ports 139, 445) to the local host

    [root@CentOS ~]# iptables -A INPUT -i eth0 -p udp --dport 137:138 -j ACCEPT
    [root@CentOS ~]# iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
    [root@CentOS ~]# iptables -A INPUT -i eth0 -p tcp --dport 445 -j ACCEPT


    # Block packets from ports 1024:65535 of 192.168.1.0/24 that want to connect to the local ssh port

    [root@CentOS ~]# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 --sport 1024:65535 --dport ssh -j DROP


    # Discard connections initiated (SYN) from source ports 1:1023 anywhere to local ports 1:1023

    [root@CentOS ~]# iptables -A INPUT -i eth0 -p tcp --sport 1:1023 --dport 1:1023 --syn -j DROP
    
    
  7. iptables plug-in modules: mac and state

    [root@CentOS ~]# iptables -A INPUT [-m state] [--state state]
    -m: load an iptables extension module, such as state or mac
    --state: the connection state of the packet
        INVALID: an invalid packet
        ESTABLISHED: the packet belongs to a connection that has already been established
        NEW: the packet wants to open a new connection
        RELATED: the packet is related to a connection the host has sent out

    # Accept packets that belong to an established connection or are related to a request the host made; discard invalid packets.

    [root@CentOS ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    [root@CentOS ~]# iptables -A INPUT -m state --state INVALID -j DROP


    # Open connections from the LAN host with MAC address aa:bb:cc:dd:ee:ff

    [root@CentOS ~]# iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT
    
  8. Rule comparison for ICMP packets: designing the response to ping

    [root@CentOS ~]# iptables -A INPUT [-p icmp] [--icmp-type type] -j [ACCEPT]
    --icmp-type: must be followed by an ICMP packet type, which can also be given as a number; 8 is echo request

    # Let ICMP types 0, 3, 4, 11, 12, 14, 16, 18 into the host
    
    [root@CentOS ~]# vim somefile
    
    #!/bin/bash
    
    icmp_type="0 3 4 11 12 14 16 18"
    for typeicmp in $icmp_type
    do
            iptables -A INPUT -i eth0 -p icmp --icmp-type $typeicmp -j ACCEPT
    done
    [root@CentOS ~]# chmod +x somefile
    [root@CentOS ~]# sh somefile
    
  9. A Very Simple Client Firewall Design and Saving the Firewall Rules

    If the Linux host is used as a client and provides no network services, the firewall can be planned and designed as follows:
    1. Clear the rules: iptables -F
    2. Default policies: set INPUT to DROP and the others to ACCEPT
    3. Trust the local host: lo must be set as a trusted device
    4. Allow replies to requests the host itself sent out to come back in (ESTABLISHED, RELATED)
    5. Trusted sources

    # Use scripts to set up
    
    [root@CentOS ~]# vim firewall.sh
    
    #!/bin/bash
    
    PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH
    
    # 1. Clearance Rules
    
    iptables -F
    iptables -X
    iptables -Z
    
    # 2. Setting up Policies
    
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    # 3-5 Formulating Rules
    
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    #iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
    
    
    # 6. Write Firewall Rules Profile
    
    /etc/init.d/iptables save
    
    [root@CentOS ~]# ./firewall.sh 
    iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
    
    
    # chkconfig --list iptables. You can also edit /etc/sysconfig/iptables directly instead of using a script


    # To keep the settings made here after the next boot, run /etc/init.d/iptables save
    
    
  10. IPv4 Kernel Parameters: /proc/sys/net/ipv4/*

    1. /proc/sys/net/ipv4/tcp_syncookies: the kernel's SYN cookie mechanism can be enabled to mitigate SYN flooding attacks.
    With SYN cookies enabled, the host does not record the connection when the SYN arrives; before sending the SYN/ACK it encodes information from the original SYN (IP, port, etc.) into a sequence number and asks the client to echo it back within a short time. Only a client that replies with the correct number is treated as trustworthy, so the connection proceeds; otherwise the packet is ignored.

    # Enable the SYN cookie module (it causes a slight delay for some services).

    [root@CentOS ~]# echo "1" > /proc/sys/net/ipv4/tcp_syncookies


    2. /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts: to prevent ping of death attacks, the reply to ICMP type 8 (echo request) can be turned off.
    Some common LAN services, such as DHCP, use ping to detect duplicate IP addresses, so it is better not to turn off all ping replies.
    /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts: ignore pings only when they are sent to the broadcast address
    /proc/sys/net/ipv4/icmp_echo_ignore_all: reply to no pings at all

    [root@CentOS ~]# echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts


    3. /proc/sys/net/ipv4/conf/<interface>/*
    rp_filter: reverse path filtering
    log_martians: log packets with impossible (martian) source addresses
    accept_source_route: accept source-routed packets
    accept_redirects: accept ICMP redirect packets
    send_redirects: send ICMP redirect packets

    # For example: echo 1 > /proc/sys/net/ipv4/conf/<interface>/rp_filter


    # Suggested changes to the configuration file

    [root@CentOS ~]# vim /etc/sysctl.conf
    net.ipv4.tcp_syncookies = 1
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.eth0.rp_filter = 1
    net.ipv4.conf.lo.rp_filter = 1

    [root@CentOS ~]# sysctl -p
    
  11. An example of setting up a single-machine firewall

    Rule planning
    External network card: eth0
    Internal network card: eth1, with the internal segment 192.168.100.0/24
    Services the host opens by default: WWW, SSH, HTTPS
    Default filter table policies: INPUT DROP, OUTPUT ACCEPT, FORWARD ACCEPT

    # The whole setup is divided into three scripts:
    # iptables.rule: sets the most basic rules
    # iptables.deny: sets the blocks
    # iptables.allow: sets the allows
    
    [root@CentOS ~]# mkdir -p /usr/local/virus/iptables
    [root@CentOS ~]# cd /usr/local/virus/iptables
    [root@CentOS iptables]# vim iptables.rule
    
    #!/bin/bash
    
    
    
    # Enter the relevant parameters first; do not get them wrong

    EXTIF="eth0"  # the network interface that carries your public IP
    INIF="eth1"   # the interface connected to the internal LAN; if there is none, write INIF=""
    INNET="192.168.100.0/24"   # if there is no internal interface, write INNET=""
    export EXTIF INIF INNET
    
    
    # The first part is about the firewall settings for the local computer.
    
    
    # 1. Set the kernel network parameters first

    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
        echo "1" > $i
    done
    for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}; do
        echo "0" > $i
    done
    
    
    # 2. Clear the rules, set the default policies, and open lo and related/established traffic

    PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH
    iptables -F
    iptables -X
    iptables -Z
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    
    # 3. Start additional firewall script module
    
    if [ -f /usr/local/virus/iptables/iptables.deny ]; then
        sh /usr/local/virus/iptables/iptables.deny
    fi 
    if [ -f /usr/local/virus/iptables/iptables.allow ]; then 
        sh /usr/local/virus/iptables/iptables.allow
    fi
    if [ -f /usr/local/virus/iptables/iptables.http ]; then 
        sh  /usr/local/virus/iptables/iptables.http
    fi
    
    
    # 4. Allow certain ICMP packet types to enter

    AICMP="0 3 3/4 11 12 14 16 18"
    for tyicmp in $AICMP
    do
        iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
    done
    
    
    # 5. Allow access to certain services; open them according to your environment.

    # iptables -A INPUT -p TCP -i $EXTIF --dport 21 --sport 1024:65535 -j ACCEPT # FTP
    # iptables -A INPUT -p TCP -i $EXTIF --dport 22 --sport 1024:65535 -j ACCEPT # SSH
    # iptables -A INPUT -p TCP -i $EXTIF --dport 25 --sport 1024:65535 -j ACCEPT # SMTP
    # iptables -A INPUT -p TCP -i $EXTIF --dport 53 --sport 1024:65535 -j ACCEPT # DNS
    # iptables -A INPUT -p UDP -i $EXTIF --dport 53 --sport 1024:65535 -j ACCEPT # DNS
    # iptables -A INPUT -p TCP -i $EXTIF --dport 80 --sport 1024:65535 -j ACCEPT # WWW
    # iptables -A INPUT -p TCP -i $EXTIF --dport 110 --sport 1024:65535 -j ACCEPT # POP3
    # iptables -A INPUT -p TCP -i $EXTIF --dport 443 --sport 1024:65535 -j ACCEPT # HTTPS
    
    
    
    # The second part: firewall settings for the back-end hosts

    # 1. Load some useful modules first

    modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack ip_conntrack_ftp ip_conntrack_irc"
    for mod in $modules
    do
        testmod=`lsmod | grep "^${mod} " | awk '{print $1}'`
        if [ "$testmod" == "" ]; then
            modprobe $mod
        fi
    done


    # 2. Clear the rules of the nat table

    iptables -F -t nat
    iptables -X -t nat
    iptables -Z -t nat
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    
    
    # 3. If there is an internal interface (two network cards), enable routing and IP sharing (NAT)

    if [ "$INIF" != "" ]; then
        iptables -A INPUT -i $INIF -j ACCEPT
        echo "1" > /proc/sys/net/ipv4/ip_forward
        if [ "$INNET" != "" ]; then
            for innet in $INNET
            do
                iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
            done
        fi
    fi

    # If your MSN cannot connect, or some websites work and others do not, it may be an MTU problem; then uncomment the following line to enable MSS clamping.

    # iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu


    # 4. Settings for servers in the LAN behind the NAT host that serve the outside

    iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to-destination 192.168.1.210:80   # WWW


    # 5. Special functions, including rules for Windows remote desktop; assume the desktop host is 1.2.3.4

    # iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --dport 6000 -j DNAT --to-destination 192.168.100.10
    # iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --dport 3389 -j DNAT --to-destination 192.168.100.20


    # 6. Finally, save these settings

    /etc/init.d/iptables save
    

    Suppose I want all hosts in the 140.116.44.0/24 network to be able to access the local host.

    [root@CentOS iptables]# vim iptables.allow

    #!/bin/bash

    # Fill in below the hosts or networks that are allowed to access this machine.

    iptables -A INPUT -i $EXTIF -s 140.116.44.0/24 -j ACCEPT


    # Here are the file settings for blocking

    [root@CentOS iptables]# vim iptables.deny

    #!/bin/bash

    # Fill in below what you want to block.

    iptables -A INPUT -i $EXTIF -s 140.116.44.254 -j DROP

    [root@CentOS iptables]# chmod 700 iptables.*


    # Set up starting at boot

    [root@CentOS iptables]# vim /etc/rc.d/rc.local

    # 1. Firewall

    /usr/local/virus/iptables/iptables.rule
    

Topics: iptables CentOS network firewall