Linux comes with a host based firewall called Netfilter. According to the official project site:
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
This Linux based firewall is controlled by the program called iptables to handles filtering for IPv4, and ip6tables handles filtering for IPv6. I strongly recommend that you first read our quick tutorial that explains how to configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat Enterprise Linux. This post list most common iptables solutions required by a new Linux user to secure his or her Linux operating system from intruders.
Linux
IPTABLES Rules Example
Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell. Do not type commands on remote system as it will disconnect your access.
For demonstration purpose I’ve used RHEL 6.x, but the following command should work with any modern Linux distro.
This is NOT a tutorial on how to set iptables. See tutorial here. It is a quick cheat sheet to common iptables commands.
In this example hping3 will behave like a normal ping utility, sending ICMP-echo und receiving ICMP-reply
hping3 -1 0daysecurity.com
2. Traceroute using ICMP:
This example is similar to famous utilities like tracert (Windows) or traceroute (Linux) who uses ICMP packets increasing every time in 1 its TTL value.
hping3 --traceroute -V -1 0daysecurity.com
3. Checking port:
Here hping3 will send a SYN packet to a specified port (80 in our example). We can control also from which local port will start the scan (5050).
hping is a free packet generator and analyzer for the TCP/IP protocol distributed by Salvatore Sanfilippo (also known as Antirez). Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the idle scan scanning technique (also invented by the hping author), and now implemented in the Nmap Security Scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in very short time.
On ubuntu hping can be installed from synaptic manager.
$ sudo apt-get install hping3
Syn flood
To send syn packets use the following command at terminal
$ sudo hping3 -i u1 -S -p 80 192.168.1.1
The above command would send TCP SYN packets to 192.168.1.1 sudo is necessary since the hping3 create raw packets for the task , for raw sockets/packets root privilege is necessary on Linux.
S – indicates SYN flag p 80 – Target port 80 i u1 – Wait for 1 micro second between each packet
Following list summaries the common attack on any type of Linux computer:
Syn-flood protection
In this attack system is floods with a series of SYN packets. Each packets causes system to issue a SYN-ACK responses. Then system waits for ACK that follows the SYN+ACK (3 way handshake). Since attack never sends back ACK again entire system resources get fulled aka backlog queue. Once the queue is full system will ignored incoming request from legitimate users for services (http/mail etc). Hence it is necessary to stop this attack with iptables.
Force SYN packets check
Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Force Fragments packets check
Packets with incoming fragments drop them. This attack result into Linux server panic such data loss.
iptables -A INPUT -f -j DROP
XMAS packets
Incoming malformed XMAS packets drop them:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
