Friday, September 25, 2009

iptables

See help.ubuntu, v7n.forum, linux.networking or root (in Czech)

All commands run as root (or via sudo).

List of all rules:
iptables -L
iptables -L -v


Allow ports 22 (ssh) and 80:
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT


Drop input from an address, a range of addresses, or a MAC address (a range needs the iprange match; -s alone only takes an address or a network):
iptables -I INPUT -s ADDRESS -j DROP
iptables -I INPUT -m iprange --src-range 55.55.55.1-55.55.55.100 -j DROP
iptables -I INPUT -s 55.55.55.0/24 -j DROP
iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP


Drop input if more than 10 new connections to the ssh port arrive from one address within a minute:
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP


Drop input on port:
iptables -A INPUT -p tcp --dport 199 -j DROP

Delete a drop rule (repeat the same arguments that were used to add it):
iptables -D INPUT -s 55.55.55.55 -j DROP

Log matching packets with a rate limit: the first 5 are logged as a burst, after that at most 3 per hour:
iptables -A INPUT -m limit --limit 3/hour --limit-burst 5 -j LOG

Flush all rules (chain policies are kept; with a DROP policy on INPUT this locks out a remote ssh session):
iptables -F

Save and restore iptables (-c also keeps the packet and byte counters):
iptables-save -c > /iptables-backup
iptables-restore -c < /iptables-backup


Example iptables-save file for an smtp, http and ssh server at 1.1.1.1, with logging:

# Generated by iptables-save v1.3.6 on Wed Dec 2 07:46:26 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 1.1.0.0/255.255.0.0 -i eth0 -p tcp --dport 1:65000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 1.1.0.0/255.255.0.0 -i eth0 -p udp --dport 1:65000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -d 1.1.1.1 -i eth0 -p tcp --sport 25 --dport 1000:65000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 1.1.1.1 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 1.1.0.0/16 -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p ICMP -i eth0 --icmp-type 0 -j ACCEPT
-A INPUT -p ICMP -i eth0 --icmp-type 3 -j ACCEPT
-A INPUT -p ICMP -i eth0 --icmp-type 8 -j ACCEPT
-A INPUT -p ICMP -i eth0 --icmp-type 11 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A INPUT -m limit --limit 5/hour --limit-burst 3 -j LOG --log-prefix "Dropped by firewall IN: "
-A OUTPUT -m limit --limit 5/hour --limit-burst 3 -j LOG --log-prefix "Dropped by firewall OUT: "
-A INPUT -i eth0 -p tcp --dport 1:65000 -j DROP
-A INPUT -i eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
# Completed on Wed Dec 2 07:46:26 2009
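As an added example (not part of the original post), a small Python script that parses syslog lines written by the two LOG rules above and summarizes dropped inbound traffic per source address; the log lines are constructed samples. Because the LOG rules are rate-limited (burst of 3, then 5 per hour), the counts are lower bounds on what the firewall actually dropped.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the key=value layout the netfilter LOG
# target writes, using the "Dropped by firewall" prefixes from the ruleset above.
SAMPLE_LOG = """\
Dec  2 07:50:12 mail kernel: Dropped by firewall IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  2 07:50:13 mail kernel: Dropped by firewall IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=199 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  2 07:50:14 mail kernel: Dropped by firewall IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  2 07:51:02 mail kernel: Dropped by firewall IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=198.51.100.7 DST=1.1.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=4 PROTO=UDP SPT=5353 DPT=5353 LEN=28
Dec  2 07:52:30 mail kernel: Dropped by firewall OUT: IN= OUT=eth0 SRC=1.1.1.1 DST=192.0.2.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=51000 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  2 07:53:00 mail sshd[1234]: Accepted publickey for root from 1.1.2.3 port 4242 ssh2
"""

# Kernel lines may carry a "[ seconds ]" timestamp between "kernel:" and the prefix.
PREFIX_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?(Dropped by firewall (?:IN|OUT)): (.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_drop_line(line):
    """Return (prefix, fields) for a firewall LOG line, or None for any other line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    prefix, rest = m.groups()
    # Bare flags such as DF or SYN have no '=' and are deliberately skipped.
    return prefix, dict(KV_RE.findall(rest))

def summarize_inbound_drops(text, min_ports=3):
    """Count dropped inbound packets per source and flag sources that touched
    at least min_ports distinct (protocol, port) pairs, a port-sweep indicator."""
    per_src = Counter()
    ports_by_src = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_drop_line(line)
        if parsed is None or parsed[0] != "Dropped by firewall IN":
            continue  # not a kernel LOG line, or an OUTPUT-chain drop
        fields = parsed[1]
        src = fields.get("SRC")
        if src is None:
            continue
        per_src[src] += 1
        if "DPT" in fields:
            ports_by_src[src].add((fields.get("PROTO"), int(fields["DPT"])))
    sweepers = sorted(s for s, p in ports_by_src.items() if len(p) >= min_ports)
    return per_src, ports_by_src, sweepers
```

Run it over /var/log/kern.log (or wherever syslog sends kernel messages) instead of SAMPLE_LOG to see which sources the DROP rules are actually hitting.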

Friday, September 18, 2009

ssh tunnel for smtp

For details see: http://cg.scs.carleton.ca/~morin/misc/laptopmail/

local - the machine running the email client (e.g. a laptop), which cannot (yet) send email through the server directly
server - the machine where smtp is running

On local, generate a key:
sudo ssh-keygen -t dsa -f /root/.ssh/specialkey
Add its public part to ~/.ssh/authorized_keys2 on the server.

Edit authorized_keys2 on the server so that the line with the key starts like this (the forced command means this key can only open a connection to the local smtp port, never a shell):
command="netcat localhost 25",no-X11-forwarding,no-agent-forwarding,no-port-forwarding ssh-dss AAAAB3NzaC1k..

Test the connection (you should get the smtp greeting, something like 220 ... ESMTP Postfix):
sudo ssh login@smtp.server -p ssh_port -i /root/.ssh/specialkey

Add an smtp service entry to /etc/inetd.conf on local (inetd.conf(5) expects the argument list to start with argv[0], the program name) and restart inetd:
127.0.0.1:smtp stream tcp nowait root /usr/bin/ssh ssh -T -i /root/.ssh/specialkey login@smtp.server -p ssh_port

sudo /etc/init.d/openbsd-inetd restart

Update the settings of your mail client on local to use the "local" smtp server:
localhost:25

Tuesday, September 15, 2009

ports

List of open ports (see redhat-docs):

sudo nmap -sT -O localhost

Complete scan of all TCP ports (-PN skips host discovery and treats the host as up):
nmap address -PN -p1-65535

UDP ports:
sudo nmap -sU localhost

All TCP sockets, numeric:
netstat -nat

Listening TCP sockets:
netstat -l --tcp

Processes with open network sockets:
lsof -i