Saturday, 14 July 2018

RHEL6–44– IP TABLES IN LINUX -P6



IPTables: digging deeper.


CONFIGURE IPTABLES LOGGING-1:

We already learned that there is a target called LOG. Now it is time to use it.

So, what does it do? Let's configure it and find out for ourselves.

I want to know what the firewall is doing with ssh, so I append a LOG rule for port 22:


[root@rhel6-server ~]# iptables -A INPUT -p tcp --dport 22 -j LOG

Then I ssh'd from the client to the server:

[root@rhel6-client1 ~]# ssh 192.168.135.142
root@192.168.135.142's password:
Last login: Mon Jul  9 14:31:21 IST 2018 from 192.168.135.1 on pts/3
Last login: Mon Jul  9 14:32:33 2018 from 192.168.135.157
[root@rhel6-server ~]# exit
exit
Connection to 192.168.135.142 closed.

The entries should show up in /var/log/messages (the LOG target writes to the kernel log, which rsyslog delivers there on RHEL6):

[root@rhel6-server ~]# tail -f /var/log/messages

Hmm... nothing in the logs about the attempt above.

WHY?

Let's check:

[root@rhel6-server ~]# iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere            state INVALID
2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
3    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED
5    ACCEPT     icmp --  anywhere             anywhere            length 1:200
6    ACCEPT     tcp  --  anywhere             anywhere            multiport ports ftp-data,ftp
7    ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
8    LOG        tcp  --  anywhere             anywhere            tcp dpt:ssh LOG level warning

Got it, have you noticed?

ssh is already ACCEPTed at line 2, and the LOG rule sits at line 8. IPTables evaluates the rules of a chain in order, and a terminating target such as ACCEPT, DROP or REJECT ends the traversal for that packet. The ssh packets match rule 2, are accepted and never reach rule 8, so nothing is logged. A LOG rule therefore has to come before the rule that would otherwise decide the packet's fate.

Let's insert it at line 1.
** LOG is a non-terminating target: after a packet matches a LOG rule and is written to the log, evaluation continues with the following rules, which still decide what happens to it.

[root@rhel6-server ~]# iptables -I INPUT 1 -p tcp --dport 22 -j LOG

[root@rhel6-server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

[root@rhel6-server ~]# service iptables restart

[root@rhel6-server ~]# iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    LOG        tcp  --  anywhere             anywhere            tcp dpt:ssh LOG level warning
2    DROP       all  --  anywhere             anywhere            state INVALID
3    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Now checking again,

[root@rhel6-server ~]# tail -5 /var/log/messages
Jul  9 14:55:45 rhel6-server kernel: IN=eth1 OUT= MAC=00:0c:29:16:08:65:00:50:56:c0:00:08:08:00 SRC=192.168.135.1 DST=192.168.135.142 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=15783 DF PROTO=TCP SPT=8072 DPT=22 WINDOW=254 RES=0x00 ACK PSH URGP=0
Jul  9 14:55:45 rhel6-server kernel: IN=eth1 OUT= MAC=00:0c:29:16:08:65:00:50:56:c0:00:08:08:00 SRC=192.168.135.1 DST=192.168.135.142 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=15784 DF PROTO=TCP SPT=8072 DPT=22 WINDOW=254 RES=0x00 ACK URGP=0
Jul  9 14:55:46 rhel6-server kernel: IN=eth1 OUT= MAC=00:0c:29:16:08:65:00:50:56:c0:00:08:08:00 SRC=192.168.135.1 DST=192.168.135.142 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=15785 DF PROTO=TCP SPT=8072 DPT=22 WINDOW=254 RES=0x00 ACK PSH URGP=0
Jul  9 14:55:47 rhel6-server kernel: IN=eth1 OUT= MAC=00:0c:29:16:08:65:00:50:56:c0:00:08:08:00 SRC=192.168.135.1 DST=192.168.135.142 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=15786 DF PROTO=TCP SPT=8072 DPT=22 WINDOW=253 RES=0x00 ACK URGP=0
Jul  9 14:55:47 rhel6-server kernel: IN=eth1 OUT= MAC=00:0c:29:16:08:65:00:50:56:c0:00:08:08:00 SRC=192.168.135.1 DST=192.168.135.142 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=15787 DF PROTO=TCP SPT=8072 DPT=22 WINDOW=253 RES=0x00 ACK PSH URGP=0


Great, it gives information about each packet.

But this greatness turns into a problem in no time... ☹☹

Look at how fast the log grows: every matching packet produces a line, and if someone floods you with packets that match a LOG rule (a ping flood against a rule that logs ICMP, a SYN flood against this one) the file grows at supersonic speed.

[root@rhel6-server ~]# ls -lh /var/log/messages
-rw-------. 1 root root 3.8M Jul  9 15:02 /var/log/messages
[root@rhel6-server ~]# ls -lh /var/log/messages
-rw-------. 1 root root 6.4M Jul  9 15:03 /var/log/messages
[root@rhel6-server ~]# ls -lh /var/log/messages
-rw-------. 1 root root 9.7M Jul  9 15:03 /var/log/messages
[root@rhel6-server ~]# ls -lh /var/log/messages
-rw-------. 1 root root 12M Jul  9 15:03 /var/log/messages

Let's do something to limit it before it's too late.

Unbounded logging is itself a denial of service (DoS) vector: an attacker who can make the firewall log every packet can fill the disk and drown the logging pipeline, taking the real security events with it.

Limit the log rule to 1 packet per second (the limit match also allows an initial burst, 5 by default, as the later listing shows). Delete the unlimited rule inserted earlier as well (the -D option removes a rule by its line number), otherwise it keeps logging every packet regardless of the new rule:

# iptables -I INPUT -p tcp --dport 22 -m limit --limit 1/s -j LOG

I checked the above rule and it's working as expected.


One more thing to consider: if I am enabling log collection anyway, why not log all traffic instead of ssh only?

#iptables -A INPUT -m limit --limit 1/s -j LOG --log-level 6

** --log-level sets the syslog priority of the entry (6 = info); it does not change what is logged. Every LOG line carries the same packet header fields whatever the level, and the level only affects where syslog routes it.

After that we append a DROP at the end of the chain so that anything not accepted above is dropped explicitly (the chain policy is already DROP, so this last rule makes the intent visible in the listing rather than changing behaviour):

[root@rhel6-server ~]# iptables -A INPUT -j DROP

Will it work?

In my case it didn't. Appended with -A, the LOG rule lands below the existing ACCEPT rules, so it only sees packets that none of them accepted, and the ssh test traffic never reaches it. Hence I inserted the LOG rule at the top and appended the DROP last:

#iptables -I INPUT -m limit --limit 1/s -j LOG --log-level 6
#iptables -A INPUT -j DROP

[root@rhel6-server ~]# iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere            limit: avg 1/sec burst 5 LOG level info prefix `INPUT:DROP:REJECT'
2    REJECT     tcp  --  anywhere             anywhere            multiport dports ftp-data,ftp reject-with icmp-port-unreachable
3    DROP       all  --  anywhere             anywhere            state INVALID
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
5    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
6    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,ESTABLISHED
7    ACCEPT     icmp --  anywhere             anywhere            length 1:200
8    ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
9    DROP       all  --  anywhere             anywhere
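As an added example (not from the original post), here is the whole INPUT chain as a shell script in the spirit of the rules above, so the ordering is fixed once instead of being patched interactively. It goes a step beyond the post's rule set: it logs only NEW ssh connections (one line per attempt rather than one per packet), and it logs-then-drops whatever falls through, with each LOG rule rate-limited, given an explicit burst, and tagged with a --log-prefix so the entries can be grepped apart from other kernel messages. The script itself, the prefixes, the IPT variable and the preview mode are my assumptions; the ports are the ones the post uses.

```shell
#!/bin/sh
# Added example, not the post's own rules. Assumes RHEL6-style iptables.
# IPT defaults to the real binary; "preview" mode swaps in echo so the
# rules can be inspected without touching the running firewall.
IPT="${IPT:-iptables}"

build_input_chain() {
  $IPT -F INPUT
  $IPT -P INPUT DROP
  $IPT -A INPUT -i lo -j ACCEPT
  # Drop what conntrack cannot classify before anything else.
  $IPT -A INPUT -m state --state INVALID -j DROP
  # Packets of connections already accepted: no need to log each one.
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # LOG does not terminate traversal, so the ssh ACCEPT must follow it.
  # Matching only NEW gives one log line per connection attempt.
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW \
       -m limit --limit 1/s --limit-burst 5 \
       -j LOG --log-level info --log-prefix "INPUT:SSH:NEW "
  $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
  $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
  # Anything reaching this point is about to be dropped: log it, then drop.
  # The rate limit bounds how fast an attacker can make us write to disk.
  $IPT -A INPUT -m limit --limit 1/s --limit-burst 5 \
       -j LOG --log-level info --log-prefix "INPUT:DROP "
  $IPT -A INPUT -j DROP
}

case "${1:-}" in
  apply)   build_input_chain ;;              # run as root to install the rules
  preview) IPT=echo build_input_chain ;;     # print the commands instead
esac
```

`sh fw.sh preview` prints the rules in order; `sh fw.sh apply` as root installs them, after which `service iptables save` persists them exactly as the post does. Keep the ESTABLISHED,RELATED accept above the LOG rules, otherwise every packet of an accepted session is logged again.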

Now I want to check whether it is working. Notice that the LOG rule in the listing also carries a --log-prefix; a prefix is what lets you grep the firewall entries apart from other kernel messages.

FTP is already blocked (the REJECT rule at line 2), so I will try to FTP to the server from the client and then grep the log for DPT=21:

[root@rhel6-client1 ~]# ftp 192.168.135.142
ftp: connect: Connection refused
ftp> bye
[root@rhel6-client1 ~]# ftp 192.168.135.143
ftp: connect: Connection refused
ftp> bye
[root@rhel6-client1 ~]# ftp 192.168.199.130
ftp: connect: Connection refused
ftp> bye

[root@rhel6-server ~]# grep DPT=21 /var/log/messages |tail -3
Jul  9 16:35:09 rhel6-server kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.135.157 DST=192.168.135.143 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36857 DF PROTO=TCP SPT=49344 DPT=21 WINDOW=32792 RES=0x00 SYN URGP=0
Jul  9 16:35:17 rhel6-server kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.199.1 DST=192.168.199.130 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61215 DF PROTO=TCP SPT=34972 DPT=21 WINDOW=32792 RES=0x00 SYN URGP=0
Jul  9 16:36:51 rhel6-server kernel: IN=eth1 OUT= MAC=00:0c:29:16:08:65:00:0c:29:fb:78:a0:08:00 SRC=192.168.135.157 DST=192.168.135.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4761 DF PROTO=TCP SPT=36707 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0


Great, our requirement is fulfilled.
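To make the log useful rather than just big, here is an added example (not from the original post) that summarises kernel LOG lines of the format shown above by source address, protocol and destination port, and lists sources whose hit count reaches a threshold, which is the basic input for spotting a port scan or an ssh brute-force attempt. The sample log lines are constructed for this example and the threshold is arbitrary; the functions and their names are my own.

```shell
#!/bin/sh
# Added example: summarise iptables LOG entries from /var/log/messages.
# Works on the field layout the LOG target writes (SRC=, PROTO=, DPT=).

# Constructed sample lines (not taken from a real server), shaped like
# the entries the LOG rule produced above.
SAMPLE_LOG='Jul  9 16:35:09 rhel6-server kernel: INPUT:DROP:REJECT IN=eth1 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=192.168.135.157 DST=192.168.135.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4761 DF PROTO=TCP SPT=36707 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  9 16:35:10 rhel6-server kernel: INPUT:DROP:REJECT IN=eth1 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=192.168.135.157 DST=192.168.135.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4762 DF PROTO=TCP SPT=36708 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  9 16:35:11 rhel6-server kernel: INPUT:DROP:REJECT IN=eth1 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=192.168.135.157 DST=192.168.135.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4763 DF PROTO=TCP SPT=36709 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  9 16:35:12 rhel6-server kernel: INPUT:DROP:REJECT IN=eth1 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=192.168.135.157 DST=192.168.135.142 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4764 DF PROTO=TCP SPT=36710 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  9 16:35:13 rhel6-server kernel: INPUT:DROP:REJECT IN=eth1 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:03:08:00 SRC=192.168.135.1 DST=192.168.135.142 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=15790 DF PROTO=TCP SPT=8080 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Jul  9 16:35:14 rhel6-server kernel: INPUT:DROP:REJECT IN=eth1 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:03:08:00 SRC=192.168.135.1 DST=192.168.135.142 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=15791 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# Read LOG lines on stdin; print "count src proto dpt", busiest first.
# Lines without a DPT= field (ICMP) get "-" as the port.
summarize_fw_log() {
  awk '
    /kernel: / && /SRC=/ {
      src = ""; proto = ""; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2,2
}

# Read LOG lines on stdin; print "src hits" for sources with at least $1 hits.
sources_over() {
  awk -v t="$1" '
    /SRC=/ { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) hits[substr($i, 5)]++ }
    END { for (s in hits) if (hits[s] >= t) print s, hits[s] }
  ' | sort
}

case "${1:-}" in
  demo) printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log ;;   # run on the sample
  "")   ;;
  *)    summarize_fw_log < "$1" ;;                          # e.g. /var/log/messages
esac
```

`sh fwlog.sh /var/log/messages` gives the per-source, per-port breakdown on a real box; pipe the file into `sources_over 20` to pull out the addresses worth a closer look. Because the LOG rule is rate-limited, the counts are a lower bound on what actually hit the firewall, not an exact figure.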


CONT………………………………………………………………



