Cheat Sheet : IPTables

iptables is the command-line firewall that comes with Linux. It's essential to learn how to use its different parts for the scanning phase:

IPTABLES: iptables has the following 4 built-in tables:
 
i. FILTER table: it has 3 chains:
        1. INPUT chain - packets incoming to the firewall
        2. OUTPUT chain - packets outgoing from the firewall
        3. FORWARD chain - packets being forwarded to another NIC on the local server
 
ii. NAT table: it has 3 chains:
        1. PREROUTING - alters packets before routing (used for DNAT, destination NAT)
        2. POSTROUTING - alters packets after routing (used for SNAT, source NAT)
        3. OUTPUT - used for locally generated packets
 
iii. MANGLE table: specialized packet alteration. It modifies the QoS bit in the TCP header. It has these chains:
        1.PREROUTING
        2.OUTPUT
        3.FORWARD
        4.INPUT
        5.POSTROUTING
 
iv. RAW table: exemptions from connection tracking. Its chains are:
        1.PREROUTING
        2.OUTPUT
 
* 4 targets that decide what iptables does with a packet:
        i. ACCEPT - the firewall accepts the packet
        ii. DROP - the firewall silently drops the packet
        iii. QUEUE - the firewall passes the packet to userspace
        iv. RETURN - the firewall stops traversing the current chain and continues in the chain that called it
 
* Some iptables examples:
 
i. OK, first let's make sure our tables are flushed: iptables -F
 
ii. Now let's check: iptables -L
 
iii. Now let's set a simple rule to block by IP address: iptables -A INPUT -i eth0 -s 10.10.10.7 -j DROP
 
iv. Now let's do the same for output (on the OUTPUT chain the blocked host is the destination of our packets, so the match is -d rather than -s): iptables -A OUTPUT -o eth0 -d 10.10.10.7 -j DROP
Now try to ping from bt5 to win7 and vice versa and see that you cannot.
 
v. Allow all incoming ssh (needs an input and an output rule): iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT and now for the output: iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT. What all this means: -A appends the rule to the named chain, -i is the NIC the packet arrives on, -p is the protocol, --dport is the destination port, -m state matches the state of the connection (in the first rule NEW for the initial SYN and ESTABLISHED for the rest of the handshake and the data that follows), and -j is "jump to target", which tells it what to do with the packet.
 
vi. Now let's allow incoming ssh only from a specific network: iptables -A INPUT -i eth0 -p tcp -s 192.168.3.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT now for the output: iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
 
vii. Allow incoming http and https: iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT and now the output: iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT. For https just substitute port 443 for port 80.
 
viii. Combine multiple rules with multiport: iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT and now the output: iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
 
ix. Allow outgoing ssh: iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT and now the input: iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
 
x. Allow ping from outside to in: iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT and the outgoing: iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
 
xi. Allow internal to external. On a firewall server there would be one NIC connected to the external network and one to the internal. This rule allows internal to talk to external (eth1 is connected to external, eth0 to internal): iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
 
xii. Allow outbound DNS: iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT and now the inbound: iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
 
xiii. Now to forward traffic that comes in on port 422 to port 22: first we allow 422: iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT and now the output: iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT and now the port forward: iptables -t nat -A PREROUTING -p tcp -d 192.168.3.6 --dport 422 -j DNAT --to 192.168.3.6:22
 
xiv. iptables -L -n -v shows the full state of the firewall
 
xv. You can also set a connection limit, let's say allow only two telnet connections per host: iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
 
xvi. Default policy of drop all: iptables -P FORWARD DROP (do a flush first with -F and notice that the default policy for FORWARD is still ACCEPT)
 
xvii. Setting up a basic NAT, forwarding packets from my internal network (eth1) to the external network (eth0) and hiding it (masquerade): iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE then the next line: iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT then the next line: iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
 
xviii. (have students do this one on their own) The business objective in this example is to block all traffic except web surfing from the internal network. The internal network is 192.168.3.0/24:
1. First we turn on NAT (masquerading) on eth0: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
2. Then we set the default policy (-P) of the FORWARD chain: iptables -P FORWARD DROP
3. Then we append (-A) to the FORWARD chain a rule that jumps (-j) to ACCEPT when traffic comes from a source address (-s), with a certain protocol (-p), to a destination port (--dport): iptables -A FORWARD -j ACCEPT -s 192.168.3.0/24 -p udp --dport 53 then on the next line type: iptables -A FORWARD -j ACCEPT -s 192.168.3.0/24 -p tcp --dport 80
4. Now we need to allow traffic to return to the internal network (-d) if it comes from the allowed source ports: iptables -A FORWARD -j ACCEPT -d 192.168.3.0/24 -p udp --sport 53 then on the next line: iptables -A FORWARD -j ACCEPT -d 192.168.3.0/24 -p tcp --sport 80. So basically it says allow traffic to return only if it comes from ports 80 and 53.
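The section xviii policy together with the xiii port forward, written as an added example (not from the original post) in the form of an iptables-restore file emitted by a shell function, so the whole ruleset can be reviewed and then loaded atomically instead of one -A at a time. It assumes eth1 is the internal and eth0 the external interface and that 192.168.3.6 is the firewall's own address as in xiii; it also matches return traffic by connection state rather than by source port, which is tighter than the --sport 80/53 rules above.

```shell
# Added example, not part of the original cheat sheet. The interface names,
# LAN range and ssh host are assumptions taken from sections xiii and xviii.
gen_ruleset() {
    lan_if=$1; wan_if=$2; lan_net=$3; ssh_host=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Section xiii: send port 422 on the firewall to its own sshd on port 22.
-A PREROUTING -p tcp -d $ssh_host --dport 422 -j DNAT --to-destination $ssh_host:22
# Sections xvii/xviii: hide the internal network behind the external address.
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
# Chain policies here replace "iptables -P INPUT DROP" and "-P FORWARD DROP".
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies are matched by connection state, not by source port, so a remote
# host cannot get through the policy just by sending from port 80 or 53.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# nat/PREROUTING runs before filter/INPUT, so the DNAT'd ssh connection
# arrives here with dport 22; an INPUT rule for dport 422 would never match.
-A INPUT -p tcp -d $ssh_host --dport 22 -m state --state NEW -j ACCEPT
# Section xviii: only DNS and HTTP may be opened from the internal network.
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for review; load it atomically with: gen_ruleset ... | iptables-restore
gen_ruleset eth1 eth0 192.168.3.0/24 192.168.3.6
```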
