ixion (l33t)
Joined: 16 Dec 2002, Posts: 708
Posted: Mon Aug 25, 2003 8:23 pm
Post subject: trying to grasp iptables..
I'm somewhat at a loss here... I've been fiddling with IPTABLES all day, but cannot figure out how to deny (DROP) packets coming in on ports 6000-6009. This is just a standalone system that I want secured.. the stealthing works great, and I've fortunately been able to resolve 90% of the vulnerabilities detected by Nessus, but this one (X Server vulnerability) just stumps me! Most likely due to the fact that it's the only part of the script I wrote fully by myself...
Now I do have an understanding of ipfwadm commands, and have grown to love them.. iptables for some reason has just thrown me for a loop!
BTW, I have two interfaces on this laptop, eth0 (EEPro100) and eth1 (Cisco Airo wireless PC Card).
Here is my /etc/init.d/firewall script:
Code:
#!/sbin/runscript
IPTABLES=/sbin/iptables
EXTIF="eth0"
INTIF="eth1"
IFCONFIG=/sbin/ifconfig
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
start() {
ebegin "Loading Firewall"
printf "\nExternal Interface: $EXTIF\nInternal Interface: $INTIF\n\n"
#CRITICAL: Enable IP forwarding since it is disabled by default since
#
echo "Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo "Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Set external device IP Address VAR
EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
echo "External ip is $EXTIP"
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid policy)
#
echo "Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo "FWD: Allow all connections OUT and only existing and related ones IN"
#$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED $
#$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
### Custom
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -j ACCEPT
### End Custom
$IPTABLES -A FORWARD -j LOG
echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.1.1
#$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 80 -j DNAT --to 192.168.1.1
### Lines added by Ixion
echo "Enabling Custom Protection"
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --destination-port 6000:6009 -j DROP
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --destination-port 6000:6009 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --destination-port 6000:6009 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --destination-port 6000:6009 -j DROP
### End lines added by Ixion
printf "\n"
eend 0
}
stop() {
ebegin "Clearing Firewall"
iptables -F
eend 0
}
Yes, it is pretty much a mess, and I apologize for my sloppy script habits. There are commented-out lines that came with the script I copied from another thread here. The '### Custom', '### Lines added by Ixion', etc. were added by me.
_________________
only the paranoid survive

BradB (Apprentice)
Joined: 18 Jun 2002, Posts: 190, Location: Christchurch NZ
Posted: Mon Aug 25, 2003 9:02 pm
Check out firehol.sourceforge.net
You'll never go back.
Brad
_________________
Microsoft - bringing the pain right into your home since 1982

ixion (l33t)
Joined: 16 Dec 2002, Posts: 708
Posted: Mon Aug 25, 2003 10:58 pm
Looks like a terrific alternative, but I would really like to learn IPTABLES..
Thanks anyway!
_________________
only the paranoid survive

devon (l33t)
Joined: 23 Jun 2003, Posts: 943
Posted: Mon Aug 25, 2003 11:03 pm
Wouldn't you want the default policy for INPUT to be to deny all traffic?

Leander256 (l33t)
Joined: 05 Jul 2003, Posts: 910, Location: Singapour
Posted: Mon Aug 25, 2003 11:17 pm
Post subject: Re: trying to grasp iptables..
ixion wrote:
> Code:
> ### Lines added by Ixion
> echo "Enabling Custom Protection"
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --destination-port 6000:6009 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --destination-port 6000:6009 -j DROP
> #$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --destination-port 6000:6009 -j DROP
> #$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --destination-port 6000:6009 -j DROP
> ### End lines added by Ixion

First line should be:
Code:
$IPTABLES -A INPUT -i $EXTIF -p tcp --destination-port 6000:6009 -j DROP
And the same thing applies to the other lines (by the way, you have the same rule twice).

ixion (l33t)
Joined: 16 Dec 2002, Posts: 708
Posted: Tue Aug 26, 2003 12:41 am
Ah, good idea... I now see I was adding the deny rules to the end... the allows were catching it before the denies..
I will test this tomorrow while I'm at work and post my findings back here!
Thanks!
_________________
only the paranoid survive

sschlueter (Guru)
Joined: 26 Jul 2002, Posts: 578, Location: Dortmund, Germany
Posted: Tue Aug 26, 2003 3:21 am
Post subject: Re: trying to grasp iptables..
ixion wrote:
> I'm somewhat at a loss here... I've been fiddling with IPTABLES all day, but cannot figure out how to deny (DROP) packets coming in on ports 6000-6009. This is just a standalone system that I want secured.. the stealthing works great, and I've fortunately been able to resolve 90% of the vulnerabilities detected by Nessus, but this one (X Server vulnerability) just stumps me! Most likely due to the fact that it's the only part of the script I wrote fully by myself...

While you can use iptables to block access to this port / these ports, you can just as well start your X server(s) with the "nolisten tcp" option.

ixion (l33t)
Joined: 16 Dec 2002, Posts: 708
Posted: Tue Aug 26, 2003 12:19 pm
This is my new firewall script below. Nessus still reports that TCP 6000-6009 are vulnerable. Am I still missing the point here, or is Nessus (as it warns me) bringing up false negatives on TCP?
As for the 'nolisten tcp' option, where should that be entered? ~/.Xauthority, ~/.xinitrc, a startx switch? I would like to utilize that, although I am still very much interested in why I'm not getting IPTABLES to block incoming connections to 6000-6009.
Code:
#!/sbin/runscript
IPTABLES=/sbin/iptables
EXTIF="eth0"
INTIF="eth1"
IFCONFIG=/sbin/ifconfig
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
start() {
ebegin "Loading Firewall"
printf "\nExternal Interface: $EXTIF\nInternal Interface: $INTIF\n\n"
EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
echo "External ip is $EXTIP"
echo "Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo "Loading Firewall Scripts.."
# Rules are tried top-down; this DROP only sees packets that arrive on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -p tcp --destination-port 6000:6009 -j DROP
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -j ACCEPT
# Anything else arriving on $EXTIF is dropped; lo and $INTIF fall through to the INPUT policy (ACCEPT)
$IPTABLES -A INPUT -i $EXTIF -j DROP
printf "\n"
eend 0
}
stop() {
ebegin "Clearing Firewall"
$IPTABLES -F
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
eend 0
}
_________________
only the paranoid survive

Leander256 (l33t)
Joined: 05 Jul 2003, Posts: 910, Location: Singapour
Posted: Tue Aug 26, 2003 1:29 pm
If you're scanning your computer from your local networks, ports 6000-6009 are still reachable because the rule
Code:
$IPTABLES -A INPUT -i $EXTIF -p tcp --destination-port 6000:6009 -j DROP
is applied only to traffic coming from the external interface (internet, I guess).

sploo22 (n00b)
Joined: 21 Aug 2003, Posts: 20, Location: Cayman Brac, Cayman Islands
Posted: Tue Aug 26, 2003 1:38 pm
For testing purposes, you can add copies of those firewall rules with "$EXTIF" changed to "lo"; that will catch packets generated locally. I use that technique a lot because I'm not actually on a network yet.
_________________
This signature will self-destruct in 10 seconds. Close browser window now to avoid permanent monitor damage.

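Leander256's point (the rule is bound to $EXTIF) and sploo22's lo trick, as an added example that is not code from the thread or from any poster: a small POSIX sh/awk model of how netfilter walks the filter-table INPUT chain for a new TCP connection, where the first matching rule wins and the chain policy applies otherwise. The rule sets are constructed here to mirror ixion's two scripts; the ESTABLISHED,RELATED rule is left out because a fresh SYN never matches it.

```shell
#!/bin/sh
# Added example, not code from the thread: a toy model of how netfilter walks the
# filter-table INPUT chain for a new TCP connection. The first rule whose input
# interface and destination-port range match decides; otherwise the chain policy applies.
# Rule lines are constructed for this demo: "<iface|any> <port-lo> <port-hi> <verdict>".

input_verdict() {  # $1 = rule lines, $2 = incoming interface, $3 = dport, $4 = chain policy
    printf '%s\n' "$1" | awk -v iface="$2" -v dport="$3" -v policy="$4" '
        NF == 4 && ($1 == "any" || $1 == iface) && dport >= $2 && dport <= $3 {
            print $4; found = 1; exit
        }
        END { if (!found) print policy }'
}

# 1. ixion's first script: the DROPs went into nat/PREROUTING, so the filter INPUT
#    chain stayed empty and everything falls through to its ACCEPT policy.
EMPTY_CHAIN=''

# 2. A deny appended after a catch-all allow never fires (what ixion noticed).
ALLOW_THEN_DENY='any 0 65535 ACCEPT
any 6000 6009 DROP'

# 3. ixion's second script, new connections only: the X11 DROP is bound to eth0,
#    so a SYN arriving on eth1 or lo falls through to the ACCEPT policy (Leander256).
EXTIF_ONLY='eth0 6000 6009 DROP
eth0 0 65535 DROP'

# 4. The X11 rule without "-i $EXTIF", matching on every interface (sploo22's lo copy
#    generalised): the same SYN on lo or eth1 is now dropped.
ANY_IFACE='any 6000 6009 DROP
eth0 0 65535 DROP'

show() {  # $1 = label, $2 = rule lines, $3 = incoming interface
    printf '%-16s %-5s dport 6000 -> %s\n' "$1" "$3" "$(input_verdict "$2" "$3" 6000 ACCEPT)"
}
show empty-chain     "$EMPTY_CHAIN"     eth0   # ACCEPT
show allow-then-deny "$ALLOW_THEN_DENY" eth0   # ACCEPT
show extif-only      "$EXTIF_ONLY"      eth0   # DROP
show extif-only      "$EXTIF_ONLY"      lo     # ACCEPT: what Nessus saw from the LAN
show any-iface       "$ANY_IFACE"       lo     # DROP
```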
kallamej (Administrator)
Joined: 27 Jun 2003, Posts: 4983, Location: Gothenburg, Sweden
Posted: Tue Aug 26, 2003 2:38 pm
ixion wrote:
> As for the 'nolisten tcp' option, where should that be entered? ~/.Xauthority, ~/.xinitrc, a startx switch? I would like to utilize that, although I am still very much interested in why I'm not getting IPTABLES to block incoming connections to 6000-6009.

This is covered in the security guide. From the guide: startx -- -nolisten tcp, or edit the appropriate config files.
_________________
Please read our FAQ Forum, it answers many of your questions.
irc: #gentoo-forums on irc.libera.chat

ixion (l33t)
Joined: 16 Dec 2002, Posts: 708
Posted: Tue Aug 26, 2003 2:42 pm
Setting up lo worked!
Now I understand.. sorry for the incompetence, it would seem I didn't understand rules as well as I originally thought...
Thank you for all your advice and patience!!
_________________
only the paranoid survive

sschlueter (Guru)
Joined: 26 Jul 2002, Posts: 578, Location: Dortmund, Germany
Posted: Wed Aug 27, 2003 12:01 am
ixion wrote:
> This is my new firewall script below. Nessus still reports that TCP 6000-6009 are vulnerable. Am I still missing the point here, or is Nessus (as it warns me) bringing up false negatives on TCP?

Are you scanning from an external host?

ixion wrote:
> As for the 'nolisten tcp' option, where should that be entered? ~/.Xauthority, ~/.xinitrc, a startx switch?

It depends on your setup. If you use startx, then this is the file that needs to be edited. For kdm it's /usr/kde/3.1/share/config/kdm/Xservers and for gdm it's etc/X11/gdm/gdm.conf.