Tuesday, July 31, 2012
25 Most Frequently Used Linux IPTables Rules Examples
# Modify this file accordingly for your specific requirement.
# http://www.thegeekstuff.com
# Rules in a chain are matched first to last, so order matters: put narrow or
# rate-limited rules before broad ACCEPTs. If you run this over SSH, note that
# rule 2 drops your own session's packets until rule 4 or 5 has been added.

# 1. Delete all existing rules
# -F without -t only flushes the filter table; the nat table used by rules 11
# and 24 must be flushed separately or those rules are duplicated on every run.
iptables -F
iptables -t nat -F

# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Block a specific ip-address
# Fill in the address and uncomment both lines; with the variable unset,
# -s "" is an empty argument and iptables rejects the rule.
#BLOCK_THIS_IP="x.x.x.x"
#iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

# 4. Allow ALL incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 5. Allow incoming SSH only from a specific network
# (use instead of rule 4, not after it: rule 4 already accepts every source)
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 6. Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS in one rule; alternative to 4 and 6)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

# 8. Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 9. Allow outgoing SSH only to a specific network
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 10. Allow outgoing HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 11. Load balance incoming HTTPS traffic
# DNAT is done in the nat table, so -t nat is required. The original used the
# out-of-tree "nth" match with a shared counter; the in-tree equivalent is
# -m statistic --mode nth, whose counter is per rule: the first rule takes
# every 3rd new connection, the second every 2nd of what remains, and the
# remaining third stays on this host unless the last rule is uncommented.
# DNATed connections also need matching FORWARD rules to pass rule 2's policy.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.1.102:443
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -j DNAT --to-destination 192.168.1.103:443

# 12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 14. Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# 15. Allow packets from internal network to reach external network.
# if eth1 is connected to external network (internet)
# if eth0 is connected to internal network (192.168.1.x)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# 16. Allow outbound DNS
# With OUTPUT set to DROP in rule 2, name resolution fails until this is enabled.
#iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
#iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# 17. Allow NIS Connections
# rpcinfo -p | grep ypbind ; This port is 853 and 850
#iptables -A INPUT -p tcp --dport 111 -j ACCEPT
#iptables -A INPUT -p udp --dport 111 -j ACCEPT
#iptables -A INPUT -p tcp --dport 853 -j ACCEPT
#iptables -A INPUT -p udp --dport 853 -j ACCEPT
#iptables -A INPUT -p tcp --dport 850 -j ACCEPT
#iptables -A INPUT -p udp --dport 850 -j ACCEPT

# 18. Allow rsync from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

# 19. Allow MySQL connection only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

# 20. Allow Sendmail or Postfix
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

# 21. Allow IMAP and IMAPS
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

# 22. Allow POP3 and POP3S
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

# 23. Prevent DoS attack
# This must come BEFORE rule 6: behind an unconditional ACCEPT for port 80 it
# never fires. Packets over the limit fall through to the default DROP policy
# (or to the LOGGING chain in rule 25). As written it counts every packet on
# port 80; add -m state --state NEW to limit connection attempts instead.
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# 24. Port forwarding 422 to 22
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
# After DNAT the filter table sees destination port 22, so rule 4 or 5 is what
# admits the connection; the two rules below only matter without the DNAT.
iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT

# 25. Log dropped packets
# Appended last, so anything not accepted above is logged (rate limited) and
# dropped. --log-level 7 is "debug"; use 4 (warning) if your syslog
# configuration does not record debug messages.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
subnet-calculator
http://www.subnet-calculator.com/subnet.php
192.0.0.0/8 = 192.0.0.0 - 192.255.255.255
192.128.0.0/9 = 192.128.0.0 - 192.255.255.255
192.128.0.0/10 = 192.128.0.0 - 192.191.255.255
192.160.0.0/11 = 192.160.0.0 - 192.191.255.255
192.160.0.0/12 = 192.160.0.0 - 192.175.255.255
192.168.0.0/13 = 192.168.0.0 - 192.175.255.255
192.168.0.0/14 = 192.168.0.0 - 192.171.255.255
192.168.0.0/15 = 192.168.0.0 - 192.169.255.255
192.168.0.0/16 = 192.168.0.0 - 192.168.255.255
192.168.0.0/17 = 192.168.0.0 - 192.168.127.255
192.168.0.0/18 = 192.168.0.0 - 192.168.63.255
192.168.0.0/19 = 192.168.0.0 - 192.168.31.255
192.168.0.0/20 = 192.168.0.0 - 192.168.15.255
192.168.0.0/21 = 192.168.0.0 - 192.168.7.255
192.168.0.0/22 = 192.168.0.0 - 192.168.3.255
192.168.0.0/23 = 192.168.0.0 - 192.168.1.255
192.168.0.0/24 = 192.168.0.0 - 192.168.0.255
192.168.0.0/25 = 192.168.0.0 - 192.168.0.127
192.168.0.0/26 = 192.168.0.0 - 192.168.0.63
192.168.0.0/27 = 192.168.0.0 - 192.168.0.31
192.168.0.0/28 = 192.168.0.0 - 192.168.0.15
192.168.0.0/29 = 192.168.0.0 - 192.168.0.7
192.168.0.0/30 = 192.168.0.0 - 192.168.0.3
http://en.wikipedia.org/wiki/IPv4_subnetting_reference
http://en.wikipedia.org/wiki/Subnetwork
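The table above is what you get by masking an address with the top N bits of a 32-bit word; the script below is an added example, not from the calculator site or the original post, that derives the same ranges with plain shell arithmetic and also answers the question a firewall rule like `-s 192.168.200.0/24` asks: is this host inside the block? It assumes a shell whose arithmetic is at least 33 bits wide (any 64-bit dash or bash).

```sh
#!/bin/sh
# Added example (not part of the original post): network/broadcast of a CIDR
# block with shell arithmetic, and an "is this host in the block" test that
# mirrors how iptables evaluates -s/-d with a prefix length.
# Assumes $(( )) is at least 33 bits wide (any 64-bit dash or bash).
ALLONES=4294967295   # 0xFFFFFFFF

# dotted quad -> unsigned 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# unsigned 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix length -> netmask as an integer (the top N bits set)
prefix2mask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (ALLONES << (32 - $1)) & ALLONES ))
}

# "a.b.c.d/N" -> "network - broadcast", e.g. 192.168.0.0/22 -> 192.168.0.0 - 192.168.3.255
cidr_range() {
    mask=$(prefix2mask "${1#*/}")
    net=$(( $(ip2int "${1%/*}") & mask ))
    bcast=$(( net | (~mask & ALLONES) ))
    echo "$(int2ip "$net") - $(int2ip "$bcast")"
}

# exit 0 when address $1 is inside block $2: both masked with the block's
# prefix must give the same network, which is exactly the -s/-d test
in_cidr() {
    mask=$(prefix2mask "${2#*/}")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# regenerate the table above (/8 to /30 around 192.168.0.0); the label is the
# computed network, so 192.168.0.0/9 prints as 192.128.0.0/9
print_table() {
    n=8
    while [ "$n" -le 30 ]; do
        range=$(cidr_range "192.168.0.0/$n")
        echo "${range%% *}/$n = $range"
        n=$((n + 1))
    done
}
```

`print_table` reproduces the list line for line, which is a cheap way to sanity-check a subnet calculator before trusting it for a firewall rule.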
Sunday, July 29, 2012
Notes on Metasploit
1-How to stop a running server (a module started in the background with "run -j")? list it with "jobs", then "kill <job id>"
2-How to set a global variable? use SETG instead of SET
3-All CAPTURE auxiliary modules (auxiliary/server/capture/XXXX) create FAKE services designed to capture authentication credentials
4-When an option is "RHOSTS" the module runs against a set of targets, not a single host; RHOSTS accepts a CIDR block (192.168.1.0/24), a dash range (192.168.1.1-254), several targets separated by spaces, or file:/path/to/hosts
auxiliary/scanner/telnet/
setting up the environment:
windows machine:
Control Panel\Programs\Programs and Features >> turn windows features on or off >> check Telnet Server; then run services.msc >> Telnet >> start
At this point only the administrator credentials can log in;
to permit another account >> Control Panel\System and Security\Administrative Tools >> computer management >> system tools >> local users and groups >> Groups >> TelnetClients, then add the account
[the server accounts must have a password; accounts with an empty password are refused]
Backtrack machine:
you can test the server by :
telnet [server_ip]
scanner/telnet/telnet_version
Used to detect the telnet version (the service banner) on a remote system
scanner/telnet/telnet_login
This module will test a telnet login on a range of machines and report successful logins
scanner/telnet/telnet_encrypt_overflow
scanner/telnet/lantronix_telnet_version
auxiliary/scanner/ssh/
Metasploit auxiliary modules come with four SSH scanners, namely:
- scanner/ssh/ssh_version
- scanner/ssh/ssh_login
- scanner/ssh/ssh_identify_pubkeys
- scanner/ssh/ssh_login_pubkey
All of them run against a RANGE of IPs, like most auxiliary modules, and that is the big advantage of auxiliary modules. RHOSTS takes a CIDR block, a dash range such as xx.xx.xx.1-254, or several targets separated by spaces.
There are two types of SSH authentication: USERNAME-PASSWORD and PUBLIC/PRIVATE KEY.
USERNAME-PASSWORD authentication is simply the login of a user account on the server. Key authentication is the alternative: the public key is placed on the server (in the account's authorized_keys file) and the private key stays on the client.
auxiliary/scanner/ssh/ssh_version
This module is used to detect SSH version on a range of ip addresses
auxiliary/scanner/ssh/ssh_login
This module will test ssh logins on a range of machines and report successful logins
[SSH login is simply a server account login]
auxiliary/scanner/ssh/ssh_identify_pubkeys
set KEY_FILE to the path of either the public key or the private key
auxiliary/scanner/ssh/ssh_login_pubkey
Public/private key authentication is an alternative to username-password authentication. Demo:
To generate a public/private authentication key pair:
ssh-keygen -t rsa
This will generate 2 files, located in /root/.ssh/
public key "id_rsa.pub" >> for the server
private key "id_rsa" >> for the client
To register the key, append the contents of the .pub file to /root/.ssh/authorized_keys on the server (the target account's ~/.ssh/authorized_keys); ssh-copy-id does this automatically:
ssh-copy-id -i /root/.ssh/id_rsa.pub [user@server_ip]
To test your registered key:
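The key registration steps above, as an added example that is not part of the original post and not Metasploit's own code: it generates a key pair, does on a scratch directory what ssh-copy-id does on the server's ~/.ssh, and then performs the check ssh_identify_pubkeys makes over the network (is this key's public half accepted?) locally, by comparing fingerprints. It assumes OpenSSH's ssh-keygen is installed; every path is an assumption and the scratch directory stands in for the server.

```sh
#!/bin/sh
# Added example (not part of the original post): what ssh-keygen and
# ssh-copy-id do, performed offline in a scratch directory that stands in
# for the server's ~/.ssh, followed by the check ssh_identify_pubkeys makes
# (is this key's public half accepted?) done locally by fingerprint.
# Requires OpenSSH's ssh-keygen; all paths are assumptions.

# Create an RSA key pair with no passphrase in directory $1.
# Prints the private key path; the public half is "<path>.pub".
gen_keypair() {
    priv="$1/id_rsa"
    ssh-keygen -q -t rsa -b 2048 -N "" -C "demo@example" -f "$priv" </dev/null
    echo "$priv"
}

# Server side of ssh-copy-id: append the public key to authorized_keys with
# the permissions sshd's StrictModes requires (700 dir, 600 file).
register_pubkey() {   # $1 = public key file, $2 = server .ssh dir
    mkdir -p "$2" && chmod 700 "$2"
    cat "$1" >> "$2/authorized_keys"
    chmod 600 "$2/authorized_keys"
}

# Recover the public key from a private key (ssh-keygen -y) and compare its
# fingerprint with every key in authorized_keys. Exit 0 when it is registered.
key_is_authorized() {   # $1 = private key file, $2 = server .ssh dir
    [ -f "$2/authorized_keys" ] || return 1
    pub=$(mktemp "${TMPDIR:-/tmp}/pub.XXXXXX")
    ssh-keygen -y -f "$1" > "$pub"
    fp=$(ssh-keygen -lf "$pub" | awk '{print $2}')
    rm -f "$pub"
    ssh-keygen -lf "$2/authorized_keys" | awk '{print $2}' | grep -qxF "$fp"
}

# End-to-end: register one key, leave a second unregistered, and expect the
# check to accept the first and reject the second. Exit 0 on success.
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/sshdemo.XXXXXX")
    mkdir -p "$work/client" "$work/other"
    priv=$(gen_keypair "$work/client")
    other=$(gen_keypair "$work/other")
    register_pubkey "$priv.pub" "$work/server/.ssh"
    if key_is_authorized "$priv" "$work/server/.ssh" && ! key_is_authorized "$other" "$work/server/.ssh"; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return "$status"
}
```

Against a real server the same comparison is what tells you whether a private key found on a compromised host is still accepted somewhere: run `ssh-keygen -y -f id_rsa | ssh-keygen -lf /dev/stdin` and look for that fingerprint in the target account's authorized_keys (or let ssh_identify_pubkeys ask the server for you).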
Saturday, July 28, 2012