www.LinuxCabal.com
Un Lugar Donde Confiar ("A Place to Trust")

Firewalls with Netfilter/IPTables
Generations of the Linux packet filter:
1st generation: ipfwadm
2nd generation: ipchains
3rd generation: Netfilter/iptables
ISO/OSI model: Application, Presentation, Session, Transport, Network, Link, Physical
Tables: filter, nat, raw, mangle
raw table: PREROUTING, OUTPUT
mangle table: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
nat table: PREROUTING, OUTPUT, POSTROUTING
[NAT diagram; labels as on the slide: 192.168.1.51, eth0, 207.214.84.142, eth0, eth1, 192.168.51.1]
filter table: INPUT, OUTPUT, FORWARD
RULES (REGLAS)
iptables [-t table] -N Chain
iptables [-t table] -A Chain RuleSpec
iptables [-t table] -F [Chain]
iptables [-t table] -L [Chain]
iptables [-t table] -I Chain [#] RuleSpec
iptables [-t table] -D Chain #
iptables [-t table] -E OldChain NewChain
iptables [-t table] -P Chain Target
iptables [-t table] -R Chain # RuleSpec
Parameters
[!] -i, --in-interface name
[!] -o, --out-interface name
[!] -s, --source address[/mask]
[!] -d, --destination address[/mask]
-p, --protocol tcp|udp|icmp|all
[!] --dport port[:port]
[!] --sport port[:port]
[!] --tcp-flags mask set   (mask: the flags to examine; set: the flags that must be on. Flags: SYN ACK FIN RST URG PSH ALL NONE)
[!] --syn
[!] --tcp-option number
-m, --match
iprange   [!] --src-range ip-ip
iprange   [!] --dst-range ip-ip
mac       [!] --mac-source xx:xx:xx:xx:xx:xx
multiport [!] --source-ports port[,port[,port:port...]]
multiport [!] --destination-ports port[,port[,port:port...]]
multiport [!] --ports port[,port[,port:port...]]
owner     [!] --uid-owner #   [!] --gid-owner #   [!] --pid-owner #
conntrack --ctstate INVALID|NEW|ESTABLISHED|RELATED
tcp|udp   [!] --source-port port[:port]
tcp|udp   [!] --destination-port port[:port]
tcp       [!] --tcp-flags mask set   (flags: SYN|ACK|FIN|RST|URG|PSH|ALL)
tcp       [!] --syn
tcp       [!] --tcp-option number
-m, --match connlimit
# limit the number of parallel HTTP requests to 16 per class C sized network (24 bit netmask)
# (the chain, -A INPUT, is required for the command to be accepted)
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT
-j Targets
ACCEPT
DROP
QUEUE
RETURN
user-defined chain
REJECT --reject-with type
LOG --log-prefix --log-level
BALANCE --to-destination ipaddr-ipaddr
MASQUERADE
SNAT
DNAT
REDIRECT --to-ports port[-port]
Let's build a firewall
Verify that you have FORWARD_IPV4=yes in /etc/sysconfig/network, or net.ipv4.ip_forward = 1 in /etc/sysctl.conf
service iptables start
iptables-save
[Diagram: Firewall (Muro de Fuego): eth0 to the Router/ADSL modem; Wireless LAN via Hub/Switch; eth2 to the wired LAN]
iptables -t raw -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t filter -P INPUT ACCEPT
iptables-save
# Generated by iptables-save v1.4.0 on Mon Sep 8 16:45:26 2008
*filter
:INPUT ACCEPT [29:2054]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17:2426]
COMMIT
# Completed on Mon Sep 8 16:45:26 2008
*nat
:PREROUTING ACCEPT [1:42]
:POSTROUTING ACCEPT [1:132]
:OUTPUT ACCEPT [1:132]
*mangle
:PREROUTING ACCEPT [37:2508]
:INPUT ACCEPT [37:2508]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:3320]
:POSTROUTING ACCEPT [24:3320]
COMMIT
# Completed on Mon Sep 8 16:45:26 2008
# Generated by iptables-save v1.4.0 on Mon Sep 8 16:45:26 2008
*raw
:PREROUTING ACCEPT [39:2612]
:OUTPUT ACCEPT [26:3600]
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
or
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.51.1
iptables-save
# Generated by iptables-save v1.4.0 on Mon Sep 8 16:57:16 2008
*nat
:PREROUTING ACCEPT [1:42]
:POSTROUTING ACCEPT [12:968]
:OUTPUT ACCEPT [12:968]
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.51.1
COMMIT
# Completed on Mon Sep 8 16:57:16 2008
iptables -t filter -N block
iptables -A block -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A block -i eth1 -m conntrack --ctstate NEW -j ACCEPT
iptables -A block -j LOG --log-prefix "IPTables:block " --log-level 6
iptables -A block -j DROP
iptables-save
# Generated by iptables-save v1.4.0 on Mon Sep 8 17:09:37 2008
*filter
:INPUT ACCEPT [768:36126]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [746:61346]
:block - [0:0]
-A block -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A block -i eth1 -m conntrack --ctstate NEW -j ACCEPT
-A block -j LOG --log-prefix "IPTables:block " --log-level 6
-A block -j DROP
COMMIT
# Completed on Mon Sep 8 17:09:37 2008
iptables -A FORWARD -j block
iptables-save
# Generated by iptables-save v1.4.0 on Mon Sep 8 19:35:06 2008
*filter
:INPUT ACCEPT [3060:148984]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2997:236170]
:block - [0:0]
-A FORWARD -j block
-A block -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A block -i eth1 -m conntrack --ctstate NEW -j ACCEPT
-A block -j LOG --log-prefix "IPTables:block " --log-level 6
-A block -j DROP
COMMIT
# Completed on Mon Sep 8 19:35:06 2008
iptables -A INPUT ! -i eth2 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT ! -i eth2 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT ! -i eth2 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT ! -i eth2 -p udp --dport 53 -j ACCEPT
iptables -A INPUT ! -i eth2 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT ! -i eth2 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT ! -i eth2 -p tcp --dport 993 -j ACCEPT
iptables -A INPUT ! -i eth2 -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j block
iptables-save
*filter
:INPUT ACCEPT [3097:151128]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3187:276550]
:block - [0:0]
-A INPUT -i eth2 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 995 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j block
-A FORWARD -j block
-A block -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A block -i eth1 -m conntrack --ctstate NEW -j ACCEPT
-A block -j LOG --log-prefix "IPTables:block " --log-level 6
-A block -j DROP
COMMIT
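The firewall built step by step on the preceding slides, assembled into a single iptables-restore file (an added example, not code from the LinuxCabal slides). It assumes the interface roles of the diagram (eth0 towards the ADSL router, eth1 the wireless LAN, eth2 the wired LAN), the SNAT address 192.168.51.1 and the service ports of the INPUT slide; the only new tool it relies on is `iptables-restore --test`, which parses the file without committing it.

```shell
#!/bin/bash
# Added example, not from the LinuxCabal slides: generate the firewall of the
# preceding slides as a single iptables-restore file. Interface roles, the SNAT
# address and the service list are assumptions taken from the slides.
WAN=${WAN:-eth0}     # towards the router / ADSL modem
WIFI=${WIFI:-eth1}   # wireless LAN (the slides let it open NEW connections)
LAN=${LAN:-eth2}     # wired LAN
SNAT_IP=${SNAT_IP:-192.168.51.1}
TCP_SERVICES="22 25 53 80 443 993 995"
UDP_SERVICES="53"

# Print the whole ruleset (nat + filter) in iptables-save format on stdout.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN -j SNAT --to-source $SNAT_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
-A INPUT -i lo -j ACCEPT
EOF
    # one ACCEPT per published service, on every interface except the wired LAN (as on the slide)
    for p in $TCP_SERVICES; do
        echo "-A INPUT ! -i $LAN -p tcp -m tcp --dport $p -j ACCEPT"
    done
    for p in $UDP_SERVICES; do
        echo "-A INPUT ! -i $LAN -p udp -m udp --dport $p -j ACCEPT"
    done
    cat <<EOF
-A INPUT -j block
-A FORWARD -j block
-A block -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A block -i $WIFI -m conntrack --ctstate NEW -j ACCEPT
-A block -j LOG --log-prefix "IPTables:block " --log-level 6
-A block -j DROP
COMMIT
EOF
}

# Number of ACCEPT rules in the generated INPUT chain: a sanity check before
# loading, it should equal 1 (lo) + the number of published ports.
count_input_accepts() {
    gen_ruleset | grep -c -- '^-A INPUT .*-j ACCEPT$'
}

# Enable forwarding (the slides' net.ipv4.ip_forward = 1) and load the ruleset
# atomically: iptables-restore --test parses the whole file first, so a typo in
# one rule leaves the running firewall untouched instead of half-applied.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
}

# Usage: ./fw.sh            (print the ruleset for review)
#        ./fw.sh --apply    (as root: load it)
case "${1:-}" in
    --apply) apply_ruleset ;;
    "")      gen_ruleset ;;
esac
```

Loading through iptables-restore rather than one `iptables -A` at a time also means the counters are reset and the chain order is exactly what the file says; `iptables-save > /etc/sysconfig/iptables` afterwards persists it as on the final slide.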
iptables -t raw -A PREROUTING -d 192.168.51.255/32 -j LOG --log-prefix "IPTables:raw:De0BCast: " --log-level 6
iptables -t raw -A PREROUTING -d 192.168.51.255/32 -j DROP
iptables -t raw -A PREROUTING -d 192.168.51.0/32 -j LOG --log-prefix "IPTables:raw:De0Net: " --log-level 6
iptables -t raw -A PREROUTING -d 192.168.51.0/32 -j DROP
iptables -t raw -A PREROUTING -d 192.168.69.255/32 -j LOG --log-prefix "IPTables:raw:De1BCast: " --log-level 6
iptables -t raw -A PREROUTING -d 192.168.69.255/32 -j DROP
iptables -t raw -A PREROUTING -d 192.168.69.0/32 -j LOG --log-prefix "IPTables:raw:De1Net: " --log-level 6
iptables -t raw -A PREROUTING -d 192.168.69.0/32 -j DROP
iptables -t raw -A PREROUTING -d 10.0.69.255/32 -j LOG --log-prefix "IPTables:raw:De2BCast: " --log-level 6
iptables -t raw -A PREROUTING -d 10.0.69.255/32 -j DROP
iptables -t raw -A PREROUTING -d 10.0.69.0/32 -j LOG --log-prefix "IPTables:raw:De2Net: " --log-level 6
iptables -t raw -A PREROUTING -d 10.0.69.0/32 -j DROP
iptables -t raw -A PREROUTING -d 0.0.0.0/32 -j LOG --log-prefix "IPTables:raw:DGNet: " --log-level 6
iptables -t raw -A PREROUTING -d 0.0.0.0/32 -j DROP
iptables -t raw -A PREROUTING -d 255.255.255.255/32 -j LOG --log-prefix "IPTables:raw:DGBCast: " --log-level 6
iptables -t raw -A PREROUTING -d 255.255.255.255/32 -j DROP
iptables -t raw -A PREROUTING -s 192.168.51.255/32 -j LOG --log-prefix "IPTables:raw:Se0BCast: " --log-level 6
iptables -t raw -A PREROUTING -s 192.168.51.255/32 -j DROP
iptables -t raw -A PREROUTING -s 192.168.51.0/32 -j LOG --log-prefix "IPTables:raw:Se0Net: " --log-level 6
iptables -t raw -A PREROUTING -s 192.168.51.0/32 -j DROP
iptables -t raw -A PREROUTING -s 192.168.69.255/32 -j LOG --log-prefix "IPTables:raw:Se1BCast: " --log-level 6
iptables -t raw -A PREROUTING -s 192.168.69.255/32 -j DROP
iptables -t raw -A PREROUTING -s 192.168.69.0/32 -j LOG --log-prefix "IPTables:raw:Se1Net: " --log-level 6
iptables -t raw -A PREROUTING -s 192.168.69.0/32 -j DROP
iptables -t raw -A PREROUTING -s 10.0.69.255/32 -j LOG --log-prefix "IPTables:raw:Se2BCast: " --log-level 6
iptables -t raw -A PREROUTING -s 10.0.69.255/32 -j DROP
iptables -t raw -A PREROUTING -s 10.0.69.0/32 -j LOG --log-prefix "IPTables:raw:Se2Net: " --log-level 6
iptables -t raw -A PREROUTING -s 10.0.69.0/32 -j DROP
iptables -t raw -A PREROUTING -m iprange --src-range 10.0.0.0-10.0.68.255 -j LOG --log-prefix "IPTables:raw:S10: " --log-level 6
iptables -t raw -A PREROUTING -m iprange --src-range 10.0.0.0-10.0.68.255 -j DROP
iptables -t raw -A PREROUTING -m iprange --src-range 10.0.70.0-10.255.255.255 -j LOG --log-prefix "IPTables:raw:S10: " --log-level 6
iptables -t raw -A PREROUTING -m iprange --src-range 10.0.70.0-10.255.255.255 -j DROP
iptables -t raw -A PREROUTING -m iprange --src-range 192.168.0.0-192.168.50.255 -j LOG --log-prefix "IPTables:raw:S192: " --log-level 6
iptables -t raw -A PREROUTING -m iprange --src-range 192.168.0.0-192.168.50.255 -j DROP
iptables -t raw -A PREROUTING -m iprange --src-range 192.168.52.0-192.168.68.255 -j LOG --log-prefix "IPTables:raw:S192: " --log-level 6
iptables -t raw -A PREROUTING -m iprange --src-range 192.168.52.0-192.168.68.255 -j DROP
iptables -t raw -A PREROUTING -m iprange --src-range 192.168.70.0-192.168.255.255 -j LOG --log-prefix "IPTables:raw:S192: " --log-level 6
iptables -t raw -A PREROUTING -m iprange --src-range 192.168.70.0-192.168.255.255 -j DROP
iptables -t raw -A PREROUTING -s 0.0.0.0/32 -j LOG --log-prefix "IPTables:raw:SGNet: " --log-level 6
iptables -t raw -A PREROUTING -s 0.0.0.0/32 -j DROP
iptables -t raw -A PREROUTING -s 255.255.255.255/32 -j LOG --log-prefix "IPTables:raw:SGBCast: " --log-level 6
iptables -t raw -A PREROUTING -s 255.255.255.255/32 -j DROP
# microsoft-ds netbios-ns
iptables -t raw -A PREROUTING -p udp -m multiport --dports 135,445 -j LOG --log-prefix "IPTables:raw:ms-ds: " --log-level 6
iptables -t raw -A PREROUTING -p udp -m multiport --dports 135,445 -j DROP
iptables -t raw -A PREROUTING -p udp -m udp --dport 137:139 -j LOG --log-prefix "IPTables:raw:ms-ds: " --log-level 6
iptables -t raw -A PREROUTING -p udp -m udp --dport 137:139 -j DROP
iptables -t raw -A PREROUTING -p udp -m udp --sport 137 --dport 1024:65535 -j LOG --log-prefix "IPTables:raw:ms-ds: " --log-level 6
iptables -t raw -A PREROUTING -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
# the LOG rule must match the same protocol as the DROP that follows it (tcp, not udp)
iptables -t raw -A PREROUTING -p tcp -m multiport --dports 135,139,445 -j LOG --log-prefix "IPTables:raw:ms-ds: " --log-level 6
iptables -t raw -A PREROUTING -p tcp -m multiport --dports 135,139,445 -j DROP
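The network/broadcast and "foreign private range" rules of the last few slides are all derived from three prefixes, so they can be generated rather than typed. This added example (not code from the slides) computes the network and broadcast address of each CIDR prefix, and the parts of 10.0.0.0/8 and 192.168.0.0/16 that are not one of the firewall's own networks, and emits the same LOG + DROP pairs with the slides' labels. The prefixes 192.168.51.0/24 (eth0), 192.168.69.0/24 (eth1) and 10.0.69.0/24 (eth2) are assumptions read off the slides; the function names are this example's own. It prints the commands and does not apply them.

```shell
#!/bin/bash
# Added example, not from the slides: derive the raw-table anti-spoofing rules
# from CIDR prefixes instead of typing each address. The networks are the ones
# assumed from the slides: eth0 192.168.51.0/24, eth1 192.168.69.0/24,
# eth2 10.0.69.0/24. Output is printed, not applied.

ip2int() {            # dotted quad -> integer
    local a b c d
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
int2ip() {            # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
prefix_mask() {       # prefix length -> netmask as integer
    echo $(( $1 == 0 ? 0 : (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}
network_addr() {      # 192.168.51.77/24 -> 192.168.51.0
    local m; m=$(prefix_mask "${1#*/}")
    int2ip $(( $(ip2int "${1%/*}") & m ))
}
broadcast_addr() {    # 192.168.51.77/24 -> 192.168.51.255
    local m; m=$(prefix_mask "${1#*/}")
    int2ip $(( ($(ip2int "${1%/*}") & m) | (~m & 0xFFFFFFFF) ))
}

# log_drop <-s|-d> <address> <label>: the LOG + DROP pair the slides use
log_drop() {
    echo "iptables -t raw -A PREROUTING $1 $2/32 -j LOG --log-prefix \"IPTables:raw:$3: \" --log-level 6"
    echo "iptables -t raw -A PREROUTING $1 $2/32 -j DROP"
}
# antispoof_rules <tag> <cidr>: network and broadcast address of one interface,
# as destination and as source (8 rules), with the slides' DeN/SeN labels
antispoof_rules() {
    local net bcast
    net=$(network_addr "$2"); bcast=$(broadcast_addr "$2")
    log_drop -d "$bcast" "De$1BCast"; log_drop -d "$net" "De$1Net"
    log_drop -s "$bcast" "Se$1BCast"; log_drop -s "$net" "Se$1Net"
}
# foreign_ranges <parent cidr> <own cidr>...: the parts of a private block that
# are not one of our own networks, as start-end pairs for --src-range
foreign_ranges() {
    local parent=$1 cur end c s e; shift
    cur=$(ip2int "$(network_addr "$parent")"); end=$(ip2int "$(broadcast_addr "$parent")")
    # visit our own networks in address order, emitting the gap before each one
    for c in $(for x in "$@"; do echo "$(ip2int "$(network_addr "$x")"):$x"; done | sort -n | cut -d: -f2); do
        s=$(ip2int "$(network_addr "$c")"); e=$(ip2int "$(broadcast_addr "$c")")
        [ "$s" -gt "$cur" ] && echo "$(int2ip "$cur")-$(int2ip $((s - 1)))"
        cur=$((e + 1))
    done
    [ "$cur" -le "$end" ] && echo "$(int2ip "$cur")-$(int2ip "$end")"
    return 0
}
# iprange_rules <label> <parent cidr> <own cidr>...: LOG + DROP per foreign range
iprange_rules() {
    local label=$1 parent=$2 r; shift 2
    for r in $(foreign_ranges "$parent" "$@"); do
        echo "iptables -t raw -A PREROUTING -m iprange --src-range $r -j LOG --log-prefix \"IPTables:raw:$label: \" --log-level 6"
        echo "iptables -t raw -A PREROUTING -m iprange --src-range $r -j DROP"
    done
}
# The complete set corresponding to the slides above (42 commands)
raw_antispoof_ruleset() {
    antispoof_rules 0 192.168.51.0/24
    antispoof_rules 1 192.168.69.0/24
    antispoof_rules 2 10.0.69.0/24
    log_drop -d 0.0.0.0 DGNet; log_drop -d 255.255.255.255 DGBCast
    iprange_rules S10  10.0.0.0/8     10.0.69.0/24
    iprange_rules S192 192.168.0.0/16 192.168.51.0/24 192.168.69.0/24
    log_drop -s 0.0.0.0 SGNet; log_drop -s 255.255.255.255 SGBCast
}
```

Running `raw_antispoof_ruleset` reproduces the slides' ranges (10.0.0.0-10.0.68.255, 10.0.70.0-10.255.255.255 and the three 192.168 ranges); if an interface is renumbered, only the prefix in the last function changes. 172.16.0.0/12 is not covered by the slides and is therefore not generated here either; adding it is one more `iprange_rules` line.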
# messenger "multicast" broadcast address for UPnP devices
iptables -t raw -A PREROUTING -p udp -m udp --dport 1900 -j LOG --log-prefix "IPTables:raw:UPnP: " --log-level 6
iptables -t raw -A PREROUTING -p udp -m udp --dport 1900 -j DROP
# UPnP Device Host service (tcp 5000: the LOG rule must match the same protocol as its DROP)
iptables -t raw -A PREROUTING -p tcp -m tcp --dport 5000 -j LOG --log-prefix "IPTables:raw:UPnP: " --log-level 6
iptables -t raw -A PREROUTING -p tcp -m tcp --dport 5000 -j DROP
iptables -t raw -A PREROUTING -m pkttype --pkt-type broadcast -j LOG --log-prefix "IPTables:raw:GBCast: " --log-level 6
iptables -t raw -A PREROUTING -m pkttype --pkt-type broadcast -j DROP
iptables -t raw -A PREROUTING -m pkttype --pkt-type multicast -j LOG --log-prefix "IPTables:raw:GMCast: " --log-level 6
iptables -t raw -A PREROUTING -m pkttype --pkt-type multicast -j DROP
iptables -t raw -A PREROUTING -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "IPTables:raw:SMCast: " --log-level 6
iptables -t raw -A PREROUTING -s 224.0.0.0/240.0.0.0 -j DROP
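Every LOG rule above tags its kernel log line with a prefix ("IPTables:block ", "IPTables:raw:ms-ds: ", ...), and those prefixes are what make the log useful afterwards. This added example (not from the slides) reads such lines from syslog/dmesg and answers the questions a firewall admin asks first: which rule is firing most, which sources trip it, and how many different ports one source has touched. The log lines are constructed for the example, in the format the kernel's LOG target emits, with documentation addresses as sources.

```shell
#!/bin/bash
# Added example, not from the slides: summarise what the LOG rules emit.
# The sample lines below are constructed (not captured), in the layout the
# kernel LOG target writes to syslog; the prefix names the rule that fired.
SAMPLE_LOG='Sep  8 19:40:01 fw kernel: IPTables:block IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.51.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40100 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  8 19:40:02 fw kernel: IPTables:block IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.51.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40101 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  8 19:40:05 fw kernel: IPTables:raw:ms-ds: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.51.1 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=2341 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep  8 19:40:09 fw kernel: IPTables:raw:Se1Net: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.69.0 DST=192.168.51.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=1 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep  8 19:40:11 fw kernel: IPTables:block IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.51.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40102 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0'

# count_by_prefix: packets per LOG prefix (which rule fires most), read from stdin
count_by_prefix() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^IPTables:/) { c[$i]++; break } }
         END { for (p in c) print c[p], p }' | sort -rn
}
# top_sources <prefix>: source addresses seen under one prefix, most frequent first
top_sources() {
    awk -v pfx="$1" 'index($0, pfx) > 0 {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) s[substr($i, 5)]++ }
         END { for (a in s) print s[a], a }' | sort -rn
}
# ports_probed <src>: distinct destination ports one source hit, ascending
# (one source touching many unrelated ports is the usual sign of a scan)
ports_probed() {
    awk -v src="SRC=$1" '{ hit = 0; d = ""
            for (i = 1; i <= NF; i++) { if ($i == src) hit = 1; if ($i ~ /^DPT=/) d = substr($i, 5) }
            if (hit && d != "") print d }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Usage with a real log:  grep 'IPTables:' /var/log/messages | count_by_prefix
# Usage with the sample: printf '%s\n' "$SAMPLE_LOG" | top_sources 'IPTables:block'
```

With the sample input, `count_by_prefix` ranks "IPTables:block" first (3 packets), `top_sources 'IPTables:block'` shows 203.0.113.7 behind all three, and `ports_probed 203.0.113.7` lists 23, 445 and 3389: a single source walking across services, which is the pattern worth alerting on rather than any single dropped packet.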
SysV/POSIX
iptables-save > /etc/sysconfig/iptables
chkconfig iptables on
service iptables stop
service iptables start
service iptables restart
service iptables reload
service iptables status
service iptables check
Questions?
Let's play!