Guys, I was at a friend's home and he wanted to know about a few basic rules that will help him secure his Linux installation. I thought, why not share it with all of you? So, here it is. These are very basic rules. If you would like to add some, please leave a comment and we would love to add them to our site. Nothing like good knowledge sharing, right?
We have set the following parameters according to our liking. Please change them according to yours. They are plain shell variables and must be set in the same shell before the rules are run; an unset variable expands to nothing, and the rule then either fails to load or matches far more than you intended.

INTERNALIFACE="eth1"            # the internal Ethernet interface
INTERNALNET="192.168.1.0/24"    # the internal network address range
INTERNALBCAST="192.168.1.255"   # the internal broadcast address
EXTERNALIF="eth0"               # the external (internet-facing) Ethernet interface
IPTABLES="/sbin/iptables"
Here it goes:
The first rule that I normally apply accepts everything that arrives on the loopback interface, so local processes can talk to each other over 127.0.0.1 without any restriction:
$IPTABLES -A INPUT -i lo -j ACCEPT
I do not really like any restrictions on the machine talking to itself. Hence the first rule. Keep it at the top of the chain: the loopback-address rule further down would otherwise hit legitimate local connections.
The second rule discards packets arriving on the external interface that claim to come from the internal network. Such packets are spoofed: a genuine internal address can only ever arrive on the internal interface.
$IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT
This rule helps against address spoofing, which is the basis of some types of DoS attacks. Two caveats: DROP is the better target here, because a REJECT sends an error back to the forged source address, that is, to a machine on your own network; and since this rule sits in INPUT and not in FORWARD, it protects only the firewall itself, not the hosts behind it. Linux can also perform this check on every interface with the rp_filter sysctl (net.ipv4.conf.all.rp_filter=1).
The third rule rejects packets addressed to the loopback range, which no packet from a real network interface should ever carry:
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT
There is no reason why the outside world would address the loopback range, and because the first rule has already accepted everything on lo, this rule only ever sees such bogus packets. Hence the third rule.
The fourth rule drops all INVALID packets, that is, packets that connection tracking cannot associate with any known connection (stray ACKs, malformed headers, late packets of a connection that is already closed).
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
DROP is generally preferred over REJECT on the internet-facing side: DROP discards the packet silently and costs the sender a timeout, whereas REJECT sends back an ICMP error (or a TCP RST) and so confirms that a firewall is there. It is not concealment, though; a sender can still infer a drop from the missing response, and on the internal side a REJECT is often friendlier because clients fail quickly instead of hanging. On current kernels "-m state --state" still works, but it is an alias for "-m conntrack --ctstate".
The fifth rule applies no restrictions to traffic arriving on the internal interface from legitimate internal addresses. This is a great help when you have a small network in which one machine does the routing for the others.
$IPTABLES -A INPUT -i $INTERNALIFACE -s $INTERNALNET -j ACCEPT
We will now concentrate on blocking DoS attacks and the like.
The sixth rule stops outside hosts from pinging machines on the internal network through the router: it rejects ICMP echo-requests that would be forwarded out of the internal interface. It does not block all ICMP, and it does not affect pings to the firewall itself, which the next rules handle.
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIFACE -j REJECT
The seventh rule limits ping floods against the firewall: echo-requests are accepted at one per second (with a burst of 5, the default for -m limit) and everything above that is dropped. Note that the limit is global, not per source, so a single flooding host also starves legitimate pings from everyone else; the hashlimit match can apply the same limit per source address.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
The eighth rule drops all ICMP addressed to the local broadcast address (the firewall would otherwise answer broadcast pings, which is exactly what smurf-style amplification relies on) and then allows all other ICMP.
$IPTABLES -A INPUT -p icmp -d $INTERNALBCAST -j DROP
$IPTABLES -A INPUT -p icmp -j ACCEPT
Now, the ninth rule will disable all Samba (SMB/NetBIOS) shares. These ACCEPT rules are commented out on purpose: the point is that no rule accepts NetBIOS traffic. Remember, though, that the absence of an ACCEPT rule blocks nothing unless the chain's default policy is DROP, which these rules do not set; with the stock ACCEPT policy the commented lines change nothing. Also, modern SMB runs on TCP 445 without NetBIOS, and 137/138 are UDP services (the TCP entries for them are harmless but do nothing useful).
#$IPTABLES -A INPUT -p tcp --dport 137 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 137 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 138 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 138 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 139 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 139 -j ACCEPT
The tenth rule denies forwarding of SMB-related traffic out of the external interface, so internal machines cannot leak NetBIOS to the internet, and it refuses NetBIOS name-service queries from outside. All other connections from the internal network are forwarded, and replies belonging to established connections are allowed back in!
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 139 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 139 -j REJECT
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIFACE -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNALIF -m state --state ESTABLISHED,RELATED -j ACCEPT
We do this because SMB/NetBIOS services are among the most targeted ways for attackers to get into a network, and they have no business crossing an internet link. Two things to check: without a DROP policy on INPUT, only UDP 137 from outside is actually refused here (TCP 139 and 445 to the firewall itself remain open), and the ESTABLISHED,RELATED accept in the last line covers only FORWARD; under a DROP policy INPUT needs the same accept, or the firewall's own outgoing connections would get no replies.
With the eleventh rule, we will block some commonly probed ports: MS SQL Server (1433), Back Orifice (31337) and X11 (6000), none of which should ever be reachable from the internet. You can add more if you want to. The -m limit in front of each LOG (3 per hour with a burst of 5 when no rate is given) keeps a scan from filling your logs; the matching DROP must follow, since LOG is non-terminating and the packet would otherwise carry on down the chain.
$IPTABLES -A INPUT -p tcp --dport 1433 -m limit -j LOG --log-prefix "Dropped packet: MSSQL "
$IPTABLES -A INPUT -p tcp --dport 1433 -j DROP
$IPTABLES -A INPUT -p tcp --dport 31337 -m limit -j LOG --log-prefix "Dropped packet: BO "
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6000 -m limit -j LOG --log-prefix "Dropped packet: XWin "
$IPTABLES -A INPUT -p tcp --dport 6000 -j DROP
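As an added example (this script is not the original post's code; it is assembled here from the post's rules with a few gaps closed): the same eleven rules as one script with default-deny policies, a connection-tracking accept on INPUT, DROP instead of REJECT for spoofed sources, a per-source ping limit via hashlimit, and TCP 445 added to the SMB ports. The interface names, addresses and ports are the post's presets; the fw wrapper, the DRY_RUN switch and the "apply" argument are conventions assumed by this example.

```shell
#!/bin/sh
# Added example: the post's eleven rules assembled into one script with a few
# gaps closed (default-deny policies, a conntrack accept on INPUT, DROP rather
# than REJECT for spoofed sources, a per-source ping limit, TCP 445 for SMB).
# Interface names, addresses and ports are the post's presets; the fw wrapper,
# DRY_RUN and the "apply" argument are conventions assumed by this example.
set -eu

INTERNALIFACE="${INTERNALIFACE:-eth1}"
INTERNALNET="${INTERNALNET:-192.168.1.0/24}"
INTERNALBCAST="${INTERNALBCAST:-192.168.1.255}"
EXTERNALIF="${EXTERNALIF:-eth0}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Every rule goes through fw(). With DRY_RUN=1 it prints the command line
# (unquoted, for review only) instead of running it, so the ruleset can be
# inspected and tested without root or a kernel with netfilter.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

apply_rules() {
    # Start clean and default-deny. With the stock ACCEPT policy the post's
    # commented-out SMB rules block nothing, because nothing is blocked by default.
    fw -F
    fw -X
    fw -P INPUT DROP
    fw -P FORWARD DROP
    fw -P OUTPUT ACCEPT

    # Rule 1: loopback first, so the 127.0.0.0/8 rule below never sees local traffic.
    fw -A INPUT -i lo -j ACCEPT

    # Rule 2: anti-spoofing on both chains. DROP, not REJECT: a REJECT would
    # answer the forged source, i.e. a host on the internal network.
    fw -A INPUT -i "$EXTERNALIF" -s "$INTERNALNET" -j DROP
    fw -A FORWARD -i "$EXTERNALIF" -s "$INTERNALNET" -j DROP

    # Rule 3: loopback addresses arriving on a real interface are bogus.
    fw -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

    # Rule 4: drop INVALID, and accept replies to connections we (or the LAN)
    # opened. The post has the ESTABLISHED,RELATED accept only in FORWARD; under
    # a DROP policy INPUT needs it too or the firewall's own connections hang.
    fw -A INPUT -m conntrack --ctstate INVALID -j DROP
    fw -A FORWARD -m conntrack --ctstate INVALID -j DROP
    fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Rule 5: trust legitimate internal addresses on the internal interface.
    fw -A INPUT -i "$INTERNALIFACE" -s "$INTERNALNET" -j ACCEPT

    # Rules 6-8: no replies to broadcast pings (smurf), no outside pings forwarded
    # into the LAN, echo-requests to the firewall limited per source address
    # (hashlimit) so one flooder cannot starve everyone else's pings.
    fw -A INPUT -p icmp -d "$INTERNALBCAST" -j DROP
    fw -A FORWARD -p icmp --icmp-type echo-request -o "$INTERNALIFACE" -j DROP
    fw -A INPUT -p icmp --icmp-type echo-request \
        -m hashlimit --hashlimit-name ping --hashlimit-mode srcip \
        --hashlimit-upto 1/s --hashlimit-burst 5 -j ACCEPT
    fw -A INPUT -p icmp --icmp-type echo-request -j DROP
    fw -A INPUT -p icmp -j ACCEPT

    # Rules 9-10: SMB/NetBIOS never crosses the internet link. Inbound is already
    # covered by the DROP policy; outbound leaks are rejected so LAN clients fail
    # fast. 445 is added because modern SMB does not use NetBIOS at all.
    for port in 137 138 139 445; do
        fw -A FORWARD -o "$EXTERNALIF" -p tcp --dport "$port" -j REJECT
        fw -A FORWARD -o "$EXTERNALIF" -p udp --dport "$port" -j REJECT
    done
    fw -A FORWARD -i "$INTERNALIFACE" -o "$EXTERNALIF" -j ACCEPT

    # Rule 11: log (rate-limited, so a scan cannot fill the disk) and drop probes
    # for ports that must never be reachable from outside.
    for spec in "1433 MSSQL" "31337 BO" "6000 XWin"; do
        set -- $spec
        fw -A INPUT -p tcp --dport "$1" -m limit --limit 3/min -j LOG \
            --log-prefix "Dropped packet: $2 "
        fw -A INPUT -p tcp --dport "$1" -j DROP
    done
}

# Usage: DRY_RUN=1 sh firewall.sh apply   (print the rules for review)
#        sudo sh firewall.sh apply        (load them)
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Review the output of the dry run first, load the rules, then confirm the result with iptables -L -n -v --line-numbers and make sure you still have a way in (a console, or an INPUT accept for your SSH port from the internal network) before you log out. Forwarding for the internal network additionally needs net.ipv4.ip_forward=1 and, for a private range like 192.168.1.0/24, NAT on the external interface, neither of which this post covers.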
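The LOG rules above only pay off if someone reads what they write. As an added example that is not part of the post, here is a small reader for the kernel log lines those rules produce: it counts dropped probes per prefix and source and flags sources that keep coming back. The line layout is netfilter's standard LOG format; the hostname, addresses and timestamps in the sample are constructed for this example, and the summarize_drops and noisy_sources names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the post: reading the kernel log lines that the
# LOG rules above produce. The line layout is netfilter's standard LOG format;
# the hostname, addresses and timestamps below are constructed for this example.
SAMPLE_LOG='Mar  3 10:15:01 gw kernel: Dropped packet: MSSQL IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=TCP SPT=51234 DPT=1433 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: Dropped packet: MSSQL IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4322 DF PROTO=TCP SPT=51235 DPT=1433 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:09 gw kernel: Dropped packet: BO IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=777 DF PROTO=TCP SPT=40000 DPT=31337 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:12 gw kernel: Dropped packet: XWin IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4323 DF PROTO=TCP SPT=51236 DPT=6000 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:13 gw kernel: eth0: link is up'

# Count dropped probes per (log prefix, source address, destination port).
# Reads log lines on stdin; prints "PREFIX SRC DPT COUNT", busiest first.
summarize_drops() {
    grep 'Dropped packet: ' | awk '
    {
        # The prefix is the word between "Dropped packet: " and the IN= field.
        match($0, /Dropped packet: [^ ]+/)
        prefix = substr($0, RSTART + 16, RLENGTH - 16)
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") count[prefix " " src " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort -k4,4nr -k1,1
}

# Sources with at least N dropped probes in total (default 3), any port:
# the ones worth a temporary block or a closer look. Prints "SRC COUNT".
noisy_sources() {
    grep 'Dropped packet: ' | awk -v min="${1:-3}" '
    { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) hits[substr($i, 5)]++ }
    END { for (s in hits) if (hits[s] >= min) print s, hits[s] }' | sort -k2,2nr
}

# Usage against a real log: grep "Dropped packet" /var/log/kern.log | summarize_drops
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
    printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
fi
```

On the sample, summarize_drops reports two MSSQL probes and one X11 probe from 203.0.113.7 and one Back Orifice probe from 203.0.113.9, and noisy_sources 3 singles out 203.0.113.7. Because the LOG rules are rate-limited, the counts are a lower bound on what was actually dropped; treat them as an indicator of who is scanning, not as an exact tally.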
This is all we have from our side for now. Please leave your comments; we are eagerly waiting for them.
Tagged as: IPTABLES Firewall rules, IPTABLES Firewall rules for blocking DOS attacks, IPTABLES Firewall rules for blocking SMB attacks