Introduction to Firewall Builder 4.0

Posted on in Categories Iptables, PF Firewall, Security last updated March 16, 2009

This is the first article in the mini-series of two articles about Firewall Builder.

Systems administrators have a choice of modern Open Source and commercial firewall platforms at their disposal. They could use netfilter/iptables on Linux, PF, ipfilter, ipfw on OpenBSD and FreeBSD, Cisco ASA (PIX) and other commercial solutions. All these are powerful implementations with rich feature set and good performance. Unfortunately, managing security policy manually with all of these remains non-trivial task for several reasons. Even though the configuration language can be complex and overwhelming with its multitude of features and options, this is not the most difficult problem in my opinion. Administrator who manages netfilter/iptables, PF or Cisco firewall all the time quickly becomes an expert in their platform of choice. To do the job right, they need to understand internal path of the packet inside Linux or BSD kernel and its interaction with different parts of packet filtering engine. Things get significantly more difficult in the installations using different OS and platforms where the administrator needs to switch from netfilter/iptables to PF to Cisco routers and ASA to implement coordinated changes across multiple devices. This is where making changes get complicated and probability of human error increases. Unfortunately typos and more significant errors in firewall or router access list configurations lead to either service downtime or security problems, both expensive in terms of damage and time required to fix.

Security Through Obscurity: MAC Address Filtering ( Layer 2 Filtering )

Posted on in Categories data center, fedora linux, FreeBSD, Gentoo Linux, GNU/Open source, Hardware, Iptables, Linux, Networking, RedHat/Fedora Linux, Security, Ubuntu Linux, UNIX, Windows, windows vista, Wireless networking last updated February 17, 2009

MAC Filtering (layer 2 address filtering) refers to a security access control methodology whereby the 48-bit address assigned to each network card is used to determine access to the network. Iptables, pf, and IPFW can block a certain MAC address on a network, just like an IP. One can deny or allow from MAC address like 00:1e:2a:47:42:8d using open source firewalls. MAC address filtering is often used to secure LAN or wireless network / devices. Is this technique effective?

Linux Iptables Firewall: Log IP or TCP Packet Header

Posted on in Categories Howto, Iptables, Linux, Networking, Security last updated January 9, 2008

Iptables provides the option to log both IP and TCP headers in a log file. This is useful to:
=> Detect Attacks

=> Analyze IP / TCP Headers

=> Troubleshoot Problems

=> Intrusion Detection

=> Iptables Log Analysis

=> Use 3rd party application such as PSAD (a tool to detect port scans and other suspicious traffic)

=> Use as education tool to understand TCP / IP header formats etc.

How do I turn on Logging IP Packet Header Options?

Add the following command to your iptables script beo:

iptables -A INPUT -j LOG --log-ip-options
iptables -A INPUT -j DROP

How do I turn on Logging TCP Packet Header Options?

Add the following command to your iptables script:

iptables -A INPUT -j LOG --log-tcp-options
iptables -A INPUT -j DROP

You may need to add additional filtering criteria such as source and destination ports/IP-address and other connection tracking features. To see IP / TCP header use tail -f or grep command:
# tail -f /var/log/messages

Recommended readings:

Linux: Setup a transparent proxy with Squid in three easy steps

Posted on in Categories CentOS, Debian Linux, Howto, Linux, Networking, RedHat/Fedora Linux, Squid caching server, Ubuntu Linux last updated May 27, 2006

Y’day I got a chance to play with Squid and iptables. My job was simple : Setup Squid proxy as a transparent server.

Main benefit of setting transparent proxy is you do not have to setup up individual browsers to work with proxies.

My Setup:

i) System: HP dual Xeon CPU system with 8 GB RAM (good for squid).
ii) Eth0: IP:192.168.1.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network (around 150 windows XP systems))
iv) OS: Red Hat Enterprise Linux 4.0 (Following instruction should work with Debian and all other Linux distros)

Eth0 connected to internet and eth1 connected to local lan i.e. system act as router.
Continue reading “Linux: Setup a transparent proxy with Squid in three easy steps”

No Route to Host error and solution

Posted on in Categories Debian Linux, Gentoo Linux, Linux, Networking, RedHat/Fedora Linux, Tips, Troubleshooting, Ubuntu Linux last updated May 5, 2006

I am getting error that read as No Route to Host. I am trying to ping my ISP gateway as well as DNS server but I am getting this error. How do I solve this problem?

This problem indicate networking conflicts or some sort of networking configuration problem.

Here are things to check:

Can you ping to your local router interface (such as 192.168.1.254)?

Make sure your card (eth0) is properly configured with correct IP address and router address. Use ifconfig command to configure IP address and route command to setup correct router address. If you prefer to use GUI tools:

  • redhat-config-network – Works on Red Hat and Fedora Linux/Cent OS.
  • network-admin – Debian and Other Linux distribution use this GUI too

Use above two GUI tools to setup correct IP address, DNS address and router address.

b) Make sure firewall is not blocking your access

iptables is default firewall on Linux. Run following command to see what iptables rules are setup:
# /sbin/iptables -L -n

You can temporary clear all iptables rules so that you can troubleshoot problem. If you are using Red Hat or Fedora Linux type command:
# /etc/init.d/iptables save
# /etc/init.d/iptables stop

If you are using other Linux distribution type following commands:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X

c) Finally make sure you are using a router and not a proxy server. Proxy servers are good for Internet browsing but not for other work such as ftp, sending ICMP request and so on.

See also:

Iptables Restricting Access By Time Of The Day

Posted on in Categories Debian Linux, Howto, Iptables, Linux, Linux desktop, RedHat/Fedora Linux, Sys admin, Tips, Ubuntu Linux last updated January 12, 2006

Recently I was asked to control access to couple of services based upon day and time. For example ftp server should be only available from Monday to Friday between 9 AM to 6 PM only. It is true that many services and daemons have in built facility for day and time based access control.

Iptables MAC Address Filtering

Posted on in Categories Iptables, Linux last updated December 27, 2005

LAN or wireless access can be filtered by using the MAC addresses of the devices transmitting within your network. A mac address is acronym for media access control address, is a unique address assigned to almost all-networking hardware such as Ethernet cards, routers, mobile phones, wireless cards and so on (see mac address at wikipedia for more information). This quick tutorial explains how to block or deny access using MAC address using iptables – Linux administration tool for IPv4 packet filtering and NAT.

Linux Cutting the tcp/ip network connection with cutter command

Posted on in Categories CentOS, Debian Linux, Gentoo Linux, GNU/Open source, Howto, Linux, Monitoring, Networking, RedHat/Fedora Linux last updated December 9, 2005

Recently I came across very powerful and nifty tool called cutter. Just imagine that people in your private network using peer to peer (P2P) software such as Kazaa, iMesh or others and you want to cut them or just want to cut all ftp connection over your firewall but not all traffic to host. Network security administrators sometimes need to be able to abort TCP/IP connections routed over their firewalls on demand

cutter utility

In the following sample network diagram client workstation 192.168.1.1 sending ftp, http, ssh traffic using 192.168.1.254 (Linux based) router to server outside our network, and you would like to cut ftp traffic without interrupting other connection? So how do you block and cut traffic? Simply, use cutter utility.

client ->    Linux firewall -> Internet --> Servers
FTP    ->    192.168.1.254  -> Internet --> FTP Server
HTTP   ->    192.168.1.254  -> Internet --> HTTP Server
SSH    ->    192.168.1.254  -> Internet --> SSH Server
192.168.1.1

Cutter is an open source program that allows Linux firewall administrators to abort TCP/IP connections routed over Linux based firewall. This tool is very handy in situation like:

  • To terminate connection such as SSH tunnels or VPNs left by your own users
  • To abort crackers attacks as soon as they detected
  • To kill high bandwidth consuming connection
  • To kill peer-to-peer traffic etc

How do I use cutter command?

Use apt-get to install cutter on a Debian / Ubuntu Linux firewall:
# apt-get install cutter

1) Login to your iptables based firewall router

2) Identify your internal connection (use netstat or tcpdump)

3) Use cutter the command as follows:
cutter {IP-address} {Port}

Examples:
Cut all connections from 192.168.1.5 to server
# cutter 192.168.1.5

Cut all ssh connection from 192.168.1.5 to server
# cutter 192.168.1.5 22

Cut all ssh connection from 192.168.1.5 to ssh server 202.54.1.20
# cutter 202.54.1.20 192.168.1.5 22

Please note that cutter has been designed for use as a administrators tool for Linux firewalls do not use this tool for malicious purpose. For more information about this tool & how actually it works by sending FIN -> ACK -> RST sequence of packets to terminate connection, see the official web site.

Update: As pointed out by Mina Naguib you can also use tcpkill command for same purpose.

Related articles:

Linux Iptables open Bittorrent tcp ports 6881 to 6889

Posted on in Categories CentOS, Debian Linux, Howto, Iptables, Linux, Linux desktop, Networking, RedHat/Fedora Linux, Security, Shell scripting, Suse Linux, Ubuntu Linux last updated December 8, 2005

I already wrote about Linux command line bittorrent client. However, I received few more queries regarding firewall issues. Basically you need to open ports using iptables.

Bittorrent client by default uses tcp 6881 to 6889 ports only. In order to work with Bittorrent client you need to open these ports on firewall. Remember, if you are behind a firewall (hardware or software) you need to enable port forwarding to internal systems.

Scenario # 1: Windows or Linux desktop behind router firewall

Internet ->     Hardware Router    -> Your Linux Desktop
          with port forwarding          Client
              enabled

You have router (ADSL/DSL/Cable modem+router) and you have already enabled port forwarding on router (open web browser > Open router web admin interface > Find port forwarding > Enable port forwarding for bittorent protocol). You also need to open port using following iptables rules on Linux desktop (open TCP port 6881 to 6999):

iptables -A INPUT -p tcp --destination-port 6881:6999 -j ACCEPT
iptables -A OUTPUT -p tcp --source-port 6881:6999 -j ACCEPT

Here is a complete sample firewall script:

#!/bin/sh
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow bittorent incomming client request
iptables -A INPUT -p tcp --destination-port 6881:6999 -j ACCEPT

#Uncomment below to allow sshd incoming client request
#iptables -A INPUT -p tcp -dport 22 -j ACCEPT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Scenario # 2

Internet -> Linux computer Router  ->  Your Linux Desktop
         with port forwarding      OR Windows XP client
         enabled using IPTABLES       IP:192.168.1.2
           IP:192.168.1.254

Here you are using a Linux as software firewall and iptables as your NAT (firewall) for internal network (192.168.1.2). You need to enable port forwarding to a internal Linux desktop (may be Windows XP desktop) for BitTorrent client system. Add following two line of code to your existing NAT firewall script.

iptables -t nat -A PREROUTING -p tcp --dport 6881:6889
-j DNAT --to-destination 192.168.1.2

iptables -A FORWARD -s 192.168.1.2 -p tcp --dport 6881:6889
-j ACCEPT

Related: Linux Command line BitTorrent client