1.1: Drop all connections (set the default policy to DROP), so the ruleset works as a whitelist:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP


1.2: Implement stateful rules:
# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED, -j ACCEPT
# iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED, -j ACCEPT
# iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED, -j ACCEPT

1.3: Drop packets in the INVALID conntrack state:
# iptables -I INPUT 2 -m conntrack --ctstate INVALID -j DROP
# iptables -I OUTPUT 2 -m conntrack --ctstate INVALID -j DROP
# iptables -I FORWARD 2 -m conntrack --ctstate INVALID -j DROP

1.3: Drop NEW TCP connections that do not start with a SYN:
# iptables -I INPUT 3 -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
# iptables -I OUTPUT 3 -m conntrack --ctstate NEW -p tcp ! --syn -j DROP
# iptables -I FORWARD 3 -m conntrack --ctstate NEW -p tcp ! --syn -j DROP

1.4: Allow Loopback: INPUT + OUTPUT
# iptables -I INPUT 4 -i lo -j ACCEPT
# iptables -I OUTPUT 4 -o lo -j ACCEPT
1.5: Allow DNS: INPUT + OUTPUT
# iptables -I INPUT 5 -i eth1 -p udp --dport 53 -j ACCEPT
# iptables -I INPUT 6 -i eth2 -p udp --dport 53 -j ACCEPT
# iptables -I OUTPUT 5 -o eth0 -p udp --dport 53 -j ACCEPT

1.6:
1.6 Log INVALID packets with the prefix INVALID INPUT/OUTPUT/FORWARD. The LOG rule is inserted before the DROP rule:
# iptables -I INPUT 2 -m conntrack --ctstate INVALID -j LOG --log-level 4 --log-prefix "INVALID INPUT"
# iptables -I FORWARD 2 -m conntrack --ctstate INVALID -j LOG --log-level 4 --log-prefix "INVALID FORWARD"
# iptables -I OUTPUT 2 -m conntrack --ctstate INVALID -j LOG --log-level 4 --log-prefix "INVALID OUTPUT"

1.6 Log TCP packets that are NEW but not SYN, with the prefix SYN TCP INPUT/OUTPUT/FORWARD. The LOG rule is inserted before the DROP rule:
# iptables -I INPUT 4 -p tcp ! --syn -j LOG --log-level 4 --log-prefix "SYN TCP INPUT:"
# iptables -I FORWARD 4 -p tcp ! --syn -j LOG --log-level 4 --log-prefix "SYN TCP FORWARD:"
# iptables -I OUTPUT 4 -p tcp ! --syn -j LOG --log-level 4 --log-prefix "SYN TCP OUTPUT:"
2.1 Allow remote management over SSH:
# iptables -N SSH-IN
# iptables -I INPUT 7 -p tcp --dport 22 -j SSH-IN
# iptables -A SSH-IN -j ACCEPT
# iptables -I SSH-IN 1 -p tcp -m recent --name ssh --update --rttl --hitcount 3 --seconds 30 -j REJECT --reject-with tcp-reset
2.2
# iptables -I SSH-IN -m recent --name ssh --set --rsource
# iptables -I SSH-IN 1 -p tcp -m recent --name ssh --rcheck --rttl --hitcount 4 --seconds 60 -j LOG --log-prefix "SSHBR"

2.3 Allow ICMP echo requests only in the OUTPUT chain; the replies are covered by the ESTABLISHED,RELATED rule on the other side.
# iptables -I OUTPUT 8 -p icmp --icmp-type 8 -j ACCEPT

2.4
All other traffic to the firewall should be dropped.
  • All other traffic is already blocked by the DROP default policy (whitelist).
2.5: create a repository whitelist using ipset: allow outgoing HTTP traffic for updates only, every night at 00:00.
# iptables -I OUTPUT 9 -p tcp --dport 80 -j ACCEPT
# apt-get update
# apt-get install ipset
   * Create the set of repository IPs:
# ipset create repo hash:ip
# ipset add repo 91.189.91.23
# ipset add repo 91.189.91.26
# ipset add repo 91.189.88.149
# ipset add repo 91.189.88.152
# ipset add repo 91.189.88.161
# ipset add repo 91.189.88.162
# ipset add repo 91.189.94.40
# iptables -R OUTPUT 9 -p tcp --dport 80 -o eth0 -m set --match-set repo dst -j LOG --log-prefix "SYSTEM-UPDATE"
# ipset save > /etc/network/ipset.rules
Script For repo.sh:
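#!/bin/bash
# repo.sh — refresh the "repo" ipset from the hosts named in /etc/apt/sources.list
# and run apt-get update. Outbound HTTP is opened (and logged) only while this
# script runs; the EXIT trap removes the temporary rules on every exit path, so
# a failing apt-get cannot leave the firewall open.
#
# NOTE(review): while the script runs, port 80 is open to every destination. If
# the OUTPUT rule matching `--match-set repo dst` accepts, the set could be
# refreshed first and this blanket rule dropped — confirm before tightening.
set -u

readonly whitelist=/etc/cron.daily/whitelist.txt
readonly set_name=repo
# Rule specs are kept in arrays so insert and delete use the identical spec;
# deleting by spec (not by position) cannot remove an unrelated rule that was
# inserted into OUTPUT in the meantime.
readonly log_rule=(-p tcp --dport 80 -j LOG --log-prefix "repo whitelist" --log-level 4)
readonly accept_rule=(-p tcp --dport 80 -j ACCEPT)

# Remove the temporary OUTPUT rules; runs on every exit path via the trap.
close_http() {
  iptables -D OUTPUT "${accept_rule[@]}"
  iptables -D OUTPUT "${log_rule[@]}"
}

# Repository hosts: skip comment lines, take the host part of every http(s) URL
# (works for "deb [options] URL ..." lines and ignores cdrom: entries).
grep -v '^[[:space:]]*#' /etc/apt/sources.list \
  | grep -oE 'https?://[^/[:space:]]+' \
  | sed -E 's#^https?://##' \
  | sort -u > "$whitelist"

trap close_http EXIT
iptables -I OUTPUT 9 "${log_rule[@]}"
iptables -I OUTPUT 10 "${accept_rule[@]}"

apt-get update

ipset flush "$set_name"
while IFS= read -r host || [[ -n "$host" ]]; do
  [[ -z "$host" ]] && continue
  # -exist: two mirror names resolving to the same address is not an error.
  # NOTE(review): ipset resolves a name to a single address; mirrors with several
  # A records may need each address added explicitly — confirm.
  ipset add -exist "$set_name" "$host" \
    || printf 'repo.sh: could not add %s to %s\n' "$host" "$set_name" >&2
done < "$whitelist"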

2.6 create a blacklist set using ipset: block traffic from Iran and China; the blacklist should be updated every night at 01:00.

First we download the IP block lists from ipdeny.com into /etc/network/,
and then build a script to automate the update.

wget http://www.ipdeny.com/ipblocks/data/countries/ir.zone -O /etc/network/ir.zone
wget http://www.ipdeny.com/ipblocks/data/countries/cn.zone -O /etc/network/cn.zone

# ipset create BLACKLIST hash:net

Script for blacklist:
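#!/bin/bash
# BLACKLIST.sh — refresh the BLACKLIST ipset from the ipdeny.com country zone
# files for Iran (ir) and China (cn), keeping a copy of each file in /etc/network.
#
# The refresh is fail-closed: the zone files are fetched into a temp directory,
# loaded into a scratch set and only then swapped into BLACKLIST, so a failed or
# empty download leaves the previous list in force. Outbound HTTP is opened only
# towards the addresses www.ipdeny.com resolves to, and the EXIT trap removes
# those rules on every exit path.
#
# NOTE(review): this script only maintains the set; the INPUT/FORWARD rule that
# matches `-m set --match-set BLACKLIST src` must exist separately — confirm.
set -u

readonly zone_dir=/etc/network
readonly countries=(ir cn)
readonly set_name=BLACKLIST
readonly scratch_set=BLACKLIST-new
readonly download_host=www.ipdeny.com

tmp=$(mktemp -d) || exit 1
declare -a opened=()   # addresses for which temporary OUTPUT rules were inserted

# Remove the temporary rules by specification (not by position), drop a scratch
# set left over from an interrupted load, and delete the temp directory.
cleanup() {
  local addr
  # ${arr[@]+"${arr[@]}"}: expands to nothing for an empty array under set -u
  for addr in ${opened[@]+"${opened[@]}"}; do
    iptables -D OUTPUT -d "$addr" -p tcp --dport 80 -j ACCEPT
    iptables -D OUTPUT -d "$addr" -p tcp --dport 80 -j LOG --log-prefix "BLACKLIST UPDATE" --log-level 5
  done
  ipset destroy "$scratch_set" 2>/dev/null   # normally already gone; error is expected
  rm -rf -- "$tmp"
}
trap cleanup EXIT

# Resolve the download host once so the same addresses are used for the rules
# and for cleanup; abort (list unchanged) if it does not resolve.
# NOTE(review): relies on the "has address" lines printed by host(1) — confirm
# it is installed on the firewall. wget resolves the name again on its own; if
# that answer differs, the download is rejected and the list stays unchanged.
mapfile -t ipdeny < <(host "$download_host" | awk '/has address/ {print $4}')
if (( ${#ipdeny[@]} == 0 )); then
  printf 'BLACKLIST.sh: cannot resolve %s; keeping current list\n' "$download_host" >&2
  exit 1
fi

for addr in "${ipdeny[@]}"; do
  opened+=("$addr")
  iptables -I OUTPUT 9 -d "$addr" -p tcp --dport 80 -j LOG --log-prefix "BLACKLIST UPDATE" --log-level 5
  iptables -I OUTPUT 10 -d "$addr" -p tcp --dport 80 -j ACCEPT
done

for country in "${countries[@]}"; do
  # NOTE(review): plain HTTP as in the manual procedure, so the list is not
  # integrity-protected in transit; prefer HTTPS if the mirror offers it — confirm.
  if ! wget -nv "http://${download_host}/ipblocks/data/countries/${country}.zone" \
          -O "$tmp/${country}.zone" || [[ ! -s "$tmp/${country}.zone" ]]; then
    printf 'BLACKLIST.sh: download of %s.zone failed or empty; keeping current list\n' "$country" >&2
    exit 1
  fi
done

# Load into a scratch set and swap atomically, so BLACKLIST is never empty.
# One "add" line per network through a single ipset restore instead of one
# ipset process per network.
ipset create -exist "$scratch_set" hash:net
ipset flush "$scratch_set"
for country in "${countries[@]}"; do
  awk -v set="$scratch_set" 'NF && $1 !~ /^#/ {print "add", set, $1}' "$tmp/${country}.zone"
done | ipset restore -exist || exit 1
ipset create -exist "$set_name" hash:net
ipset swap "$scratch_set" "$set_name" || exit 1
ipset destroy "$scratch_set"

# Keep the freshly loaded files where the manual procedure stored them.
for country in "${countries[@]}"; do
  mv -f -- "$tmp/${country}.zone" "$zone_dir/${country}.zone"
done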

add the two scripts to /etc/cron.daily and schedule them in crontab for 00:00 and 01:00
01 00   * * *   root    cd /etc/cron.daily && ./BLACKLIST.sh
00 00   * * *   root    cd /etc/cron.daily && ./repo.sh






3.1 - Allow HTTP/HTTPS
# iptables -A FORWARD -i eth1 -m multiport -p tcp --dport 80,443 -j ACCEPT

• DNS has been permitted in section 1.5

3.2 - Allow FTP From LAN to Metasploitable Machine
# iptables -A FORWARD -i eth1 -p tcp --dport 21 -d 10.0.0.1 -j ACCEPT
Allow FTP From LAN to Bee-Box Machine
# iptables -A FORWARD -i eth2 -p tcp --dport 21 -d 10.0.0.2 -j ACCEPT
3.3 Allow HTTP/HTTPS from outside to DMZ Network
# iptables -N DMZ-IN
# iptables -A FORWARD -i eth0 -d 10.0.0.0/29 -p tcp -m multiport --dport 80,443 -j DMZ-IN
# iptables -A DMZ-IN -m state --state NEW -m recent --set
# iptables -I DMZ-IN -m state --state NEW -m recent --update --hitcount 100 -j ACCEPT

3.4 permit updates for DVWA and Mutillidae
# iptables -I FORWARD 6 -i eth2 -s 10.0.0.3 -m set --match-set repo dst -p tcp --dport 80 -j ACCEPT
# iptables -I FORWARD 7 -i eth2 -s 10.0.0.4 -m set --match-set repo dst -p tcp --dport 80 -j ACCEPT
4.1 protect the firewall and LAN2 against SYN flood and sockstress attacks
# iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

5.1 Create a new custom chain for cleanup rules that handles TCP, UDP and other protocols, and add a LOG rule limited to 5/min with a log prefix.
# iptables -N INPUT-CLEANUP
# iptables -N OUTPUT-CLEANUP
# iptables -N FORWARD-CLEANUP

# iptables -A INPUT-CLEANUP -p tcp -j REJECT --reject-with tcp-reset
# iptables -A OUTPUT-CLEANUP -p tcp -j REJECT --reject-with tcp-reset
# iptables -A FORWARD-CLEANUP -p tcp -j REJECT --reject-with tcp-reset

# iptables -A INPUT-CLEANUP -p udp -j REJECT --reject-with icmp-port
# iptables -A OUTPUT-CLEANUP -p udp -j REJECT --reject-with icmp-port
# iptables -A FORWARD-CLEANUP -p udp -j REJECT --reject-with icmp-port

# iptables -A INPUT-CLEANUP -j REJECT --reject-with icmp-proto-unreachable
# iptables -A OUTPUT-CLEANUP -j REJECT --reject-with icmp-proto-unreachable
# iptables -A FORWARD-CLEANUP -j REJECT --reject-with icmp-proto-unreachable

# iptables -A INPUT -j INPUT-CLEANUP
# iptables -A OUTPUT -j OUTPUT-CLEANUP
# iptables -A FORWARD -j FORWARD-CLEANUP

* These cleanup jumps are appended, so they are the last rules in the INPUT/OUTPUT/FORWARD chains.
Log incoming traffic that reaches the cleanup chain, rate-limited to 5 per minute:
# iptables -I INPUT-CLEANUP -j LOG -m limit --limit 5/min --log-level 6 --log-prefix "INPUT-CLEANUP"
Save the rules:
# iptables-save > /etc/network/iptables.rules
Attack with Hydra:
hydra 172.16.14.100 ssh -l fabio -P rockme.txt -vV –f
Hydra works for several attempts; then the system returns an error, and after the time limit expires it continues.

Nmap:
Scapy: the packet goes directly to the cleanup chain.

Iptables-save:
# Generated by iptables-save v1.4.21 on Sat Dec 10 14:31:35 2016
*nat
:PREROUTING ACCEPT [1423:118483]
:INPUT ACCEPT [4:292]
:OUTPUT ACCEPT [92391:7770957]
:POSTROUTING ACCEPT [1129:46540]
-A PREROUTING -d 172.16.14.101/32 -j DNAT --to-destination 10.0.0.1
-A PREROUTING -d 172.16.14.102/32 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 172.16.14.103/32 -j DNAT --to-destination 10.0.0.3
-A PREROUTING -d 172.16.14.104/32 -j DNAT --to-destination 10.0.0.4
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/29 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Dec 10 14:31:35 2016
# Generated by iptables-save v1.4.21 on Sat Dec 10 14:31:35 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DMZ-IN - [0:0]
:FORWARD-CLEANUP - [0:0]
:INPUT-CLEANUP - [0:0]
:OUTPUT-CLEANUP - [0:0]
:SSH-IN - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID INPUT"
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SYN TCP INPUT: "
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SSH-IN
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -j INPUT-CLEANUP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID FORWARD"
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SYN TCP FORWARD: "
-A FORWARD -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A FORWARD -s 10.0.0.3/32 -i eth2 -p tcp -m set --match-set repo dst -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.4/32 -i eth2 -p tcp -m set --match-set repo dst -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -d 10.0.0.1/32 -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 10.0.0.2/32 -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 10.0.0.0/29 -i eth0 -p tcp -m multiport --dports 80,443 -j DMZ-IN
-A FORWARD -j FORWARD-CLEANUP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID OUTPUT"
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SYN TCP OUTPUT: "
-A OUTPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j OUTPUT-CLEANUP
-A DMZ-IN -m state --state NEW -m recent --update --hitcount 100 --name DEFAULT --mask 255.255.255.255 --rsource -j ACCEPT
-A DMZ-IN -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A FORWARD-CLEANUP -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD-CLEANUP -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD-CLEANUP -j REJECT --reject-with icmp-proto-unreachable
-A INPUT-CLEANUP -m limit --limit 5/min -j LOG --log-prefix INPUT-CLEANUP --log-level 6
-A INPUT-CLEANUP -p tcp -j REJECT --reject-with tcp-reset
-A INPUT-CLEANUP -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT-CLEANUP -j REJECT --reject-with icmp-proto-unreachable
-A OUTPUT-CLEANUP -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT-CLEANUP -p udp -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT-CLEANUP -j REJECT --reject-with icmp-proto-unreachable
-A SSH-IN -p tcp -m recent --rcheck --seconds 60 --hitcount 4 --rttl --name ssh --mask 255.255.255.255 --rsource -j LOG --log-prefix SSHBR
-A SSH-IN -p tcp -m recent --update --seconds 30 --hitcount 3 --rttl --name ssh --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A SSH-IN -m recent --set --name ssh --mask 255.255.255.255 --rsource
-A SSH-IN -j ACCEPT
COMMIT
# Completed on Sat Dec 10 14:31:35 2016
# Generated by iptables-save v1.4.21 on Sat Dec 10 14:31:35 2016
*mangle
:PREROUTING ACCEPT [93839:10462674]
:INPUT ACCEPT [93716:10447121]
:FORWARD ACCEPT [76:5928]
:OUTPUT ACCEPT [185834:18156429]
:POSTROUTING ACCEPT [93483:10388452]
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
COMMIT
# Completed on Sat Dec 10 14:31:35 2016


Fabio Lior Rahamim