Linux comes with a host-based firewall framework called Netfilter. According to the official project site:
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
This firewall is controlled with the iptables program, which handles filtering for IPv4; ip6tables handles filtering for IPv6. I strongly recommend that you first read our quick tutorial that explains how to configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Red Hat Enterprise Linux. This post lists the most common iptables solutions a new Linux user needs to secure his or her Linux system from intruders.
IPTABLES Rules Example
Most of the actions listed in this post are written with the assumption that they will be executed by the root user running bash or any other modern shell. Be careful when typing these commands on a remote system: a rule that blocks your own SSH session will disconnect you and lock you out.
For demonstration purposes I've used RHEL 6.x, but the following commands should work with any modern Linux distro.
This is NOT a tutorial on how to set up iptables; see the tutorial linked above for that. It is a quick cheat sheet of common iptables commands.
1. Ping using ICMP:
In this example hping3 behaves like a normal ping utility, sending ICMP echo requests and receiving ICMP echo replies:
hping3 -1 0daysecurity.com
2. Traceroute using ICMP:
This example is similar to well-known utilities like tracert (Windows) or traceroute (Linux), which send probes whose TTL starts at 1 and increases by 1 for each hop until the destination answers; here the probes are ICMP echo requests:
hping3 --traceroute -V -1 0daysecurity.com
3. Checking port:
Here hping3 sends a SYN packet to the specified port (80 in our example). We can also control the local source port from which the scan starts (5050). A SYN/ACK reply means the port is open, an RST means it is closed, and no reply at all usually means a firewall dropped the probe.
hping is a free packet generator and analyzer for the TCP/IP protocol distributed by Salvatore Sanfilippo (also known as Antirez). Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to demonstrate the idle scan technique (also invented by the hping author), which is now implemented in the Nmap Security Scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string-based, human-readable descriptions of TCP/IP packets, so that a programmer can write scripts for low-level TCP/IP packet manipulation and analysis in a very short time.
On Ubuntu, hping3 can be installed from the Synaptic package manager or with apt:
$ sudo apt-get install hping3
SYN flood
To send SYN packets, use the following command in a terminal:
$ sudo hping3 -i u1 -S -p 80 192.168.1.1
The above command sends TCP SYN packets to 192.168.1.1. sudo is necessary because hping3 creates raw packets, and raw sockets require root privileges (CAP_NET_RAW) on Linux.
-S – set the SYN flag
-p 80 – target port 80
-i u1 – wait 1 microsecond between packets
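To show what the SYN probe in item 3 and the SYN flood above actually put on the wire, here is an added example (written for this page, not code from hping3): it builds the IPv4 and TCP headers of a SYN segment by hand, including both checksums, mirrors hping3's habit of incrementing the source port per packet, and classifies a reply the way a port check does. The addresses, ports and sequence numbers are made up. Nothing is sent unless you call send_raw(), which needs a raw socket and therefore root or CAP_NET_RAW, which is exactly why the hping3 commands on this page use sudo.

```python
"""Hand-built IPv4/TCP SYN packets, i.e. what `hping3 -S -p 80 -s 5050 <host>`
sends. Added example for this page; not hping3 code. All addresses, ports and
sequence numbers below are constructed test values."""
import socket
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones'-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_packet(src, dst, sport, dport, seq, flags=TCP_SYN, ttl=64, window=512) -> bytes:
    """IPv4 header + 20-byte TCP header, no payload, both checksums filled in."""
    tcp = struct.pack("!HHLLBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    tcp_csum = inet_checksum(pseudo_header(src, dst, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, ttl,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def syn_burst(src, dst, base_sport, dport, count):
    """hping3 increments the source port for every packet (unless -k is given),
    starting at the -s base port; do the same so each probe is distinguishable."""
    return [build_packet(src, dst, base_sport + i, dport, 1000 + i) for i in range(count)]


def parse_packet(pkt: bytes) -> dict:
    """Decode IPv4 + TCP headers and verify both checksums (used on replies)."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport, seq, ack, _, flags, window, _, _ = struct.unpack("!HHLLBBHHH", tcp[:20])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq,
            "ack": ack, "flags": flags, "window": window,
            "ip_ok": inet_checksum(pkt[:ihl]) == 0,
            "tcp_ok": inet_checksum(pseudo_header(src, dst, len(tcp)) + tcp) == 0}


def classify_reply(reply: dict) -> str:
    """What a SYN probe tells you: SYN/ACK = open, RST = closed. No reply at all
    (not modelled here) usually means a firewall dropped the probe."""
    if not (reply["ip_ok"] and reply["tcp_ok"]):
        return "corrupt"
    if reply["flags"] & TCP_SYN and reply["flags"] & TCP_ACK:
        return "open"
    if reply["flags"] & TCP_RST:
        return "closed"
    return "unexpected"


def send_raw(pkt: bytes, dst: str) -> int:
    """Send a crafted packet. IPPROTO_RAW implies IP_HDRINCL, so the kernel uses
    our IP header as-is. Needs root / CAP_NET_RAW, like hping3."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        return s.sendto(pkt, (dst, 0))


if __name__ == "__main__":
    probe = build_packet("192.168.1.77", "192.168.1.1", 5050, 80, 1000)
    print(probe.hex())
    print(parse_packet(probe))
```

Compare the parsed flags of the probe with what `hping3 -S` describes on its own output: the only TCP flag set is SYN, and the IP and TCP checksums must verify or the target's stack silently discards the packet, which is one reason hand-rolled floods are often less effective than people expect.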
Logging is an important part of any firewall. iptables provides logging through the LOG target, but by default these messages go to /var/log/syslog or /var/log/messages together with every other log line on the system, which makes the information you need hard to find.
To send iptables logs to their own file, add a --log-prefix to your LOG rules, then configure rsyslog to match that prefix and write only those messages to a dedicated log file containing nothing but iptables entries.
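The following is an added example (written for this page, not code from iptables or rsyslog) of the other half of that setup: once the prefixed LOG lines are in a file, something has to read them. It parses the kernel's LOG format into fields, keeps only the lines carrying a chosen prefix (the same selection the rsyslog filter makes), and counts pure-SYN probes per source so that a scan or SYN flood like the hping3 command above stands out. The prefix, hostnames, MAC addresses and log lines are constructed; the iptables rule and rsyslog filter quoted in the docstring are what would produce them.

```python
"""Parse and summarise iptables LOG lines. Added example for this page.

The constructed sample lines below match what the LOG target emits for a rule
such as (prefix is a made-up name):

    iptables -A INPUT -p tcp --syn -m limit --limit 5/min -j LOG \
        --log-prefix "IPTABLES-SYN: " --log-level 4

and the rsyslog filter that diverts exactly these lines into their own file
(legacy property-filter syntax; 'stop' replaces the deprecated '~' action):

    :msg, startswith, "IPTABLES-SYN: " /var/log/iptables.log
    & stop
"""
import re
from collections import Counter

LOG_PREFIX = "IPTABLES-SYN: "

# Constructed sample syslog, not real traffic: three SYNs from one host to
# port 80, an unrelated sshd line, one SYN to port 22, and a line with a
# different iptables prefix that the filter must ignore.
SAMPLE_SYSLOG = """\
Jul 20 18:05:12 dbsysnet kernel: [ 1234.567890] IPTABLES-SYN: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.168.1.77 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4660 PROTO=TCP SPT=5050 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Jul 20 18:05:12 dbsysnet kernel: [ 1234.567901] IPTABLES-SYN: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.168.1.77 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4661 PROTO=TCP SPT=5051 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Jul 20 18:05:12 dbsysnet kernel: [ 1234.567912] IPTABLES-SYN: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.168.1.77 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4662 PROTO=TCP SPT=5052 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Jul 20 18:05:13 dbsysnet sshd[2020]: Accepted publickey for olivier from 10.0.0.5 port 51234 ssh2
Jul 20 18:05:14 dbsysnet kernel: [ 1236.000001] IPTABLES-SYN: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:aa:bb:cc:08:00 SRC=10.0.0.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:05:15 dbsysnet kernel: [ 1237.000000] IPTABLES-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:aa:bb:cc:08:00 SRC=10.0.0.9 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=UDP SPT=5353 DPT=5353 LEN=28
"""

# timestamp, host, "kernel:", optional "[ uptime]", free-form prefix, then the
# KEY=VALUE block that always starts with IN=
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[ *[\d.]+\] )?(?P<prefix>.*?)(?P<fields>IN=.*)$"
)


def parse_log_line(line: str):
    """Return a dict of fields for an iptables LOG line, or None for anything else.
    KEY=VALUE tokens become keys; bare tokens (SYN, ACK, DF, ...) go into 'flags'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "prefix": m["prefix"].strip(), "flags": set()}
    for tok in m["fields"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value            # OUT= yields '' for inbound packets
        else:
            rec["flags"].add(tok)
    return rec


def iptables_records(text: str, prefix: str = LOG_PREFIX):
    """Keep only lines carrying the chosen prefix: the same selection the
    rsyslog 'startswith' filter makes when routing them to their own file."""
    wanted = prefix.strip()
    recs = (parse_log_line(line) for line in text.splitlines())
    return [r for r in recs if r and r["prefix"] == wanted]


def syn_sources(records, threshold=3):
    """Sources that sent at least `threshold` pure-SYN TCP packets (SYN without
    ACK); above a sane rate this is a scan or a SYN flood, not normal traffic."""
    counts = Counter(r["SRC"] for r in records
                     if r.get("PROTO") == "TCP" and "SYN" in r["flags"] and "ACK" not in r["flags"])
    return {src: n for src, n in counts.items() if n >= threshold}


def ports_probed(records):
    """Distinct destination ports seen per source, for spotting port sweeps."""
    ports = {}
    for r in records:
        ports.setdefault(r["SRC"], set()).add(int(r["DPT"]))
    return {src: sorted(p) for src, p in ports.items()}


if __name__ == "__main__":
    recs = iptables_records(SAMPLE_SYSLOG)
    print(len(recs), "iptables records")
    print("noisy SYN sources:", syn_sources(recs))
    print("ports probed:", ports_probed(recs))
```

Run it against /var/log/iptables.log (or the raw syslog) by passing the file contents to iptables_records(); because the prefix check is done on the parsed line rather than with a plain grep, a log message from another program that merely mentions the prefix string is not mistaken for a firewall event.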
Check that rsyslog is installed and running:
root@dbsysnet:/home/olivier# dpkg -l | grep rsyslog
ii rsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon
root@dbsysnet:/home/olivier# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-07-20 17:59:56 UTC; 16min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 813 (rsyslogd)
Tasks: 4 (limit: 1111)
CGroup: /system.slice/rsyslog.service
└─813 /usr/sbin/rsyslogd -n
Jul 20 17:59:56 dbsysnet systemd[1]: Starting System Logging Service...
Jul 20 17:59:56 dbsysnet systemd[1]: Started System Logging Service.
Jul 20 17:59:56 dbsysnet rsyslogd[813]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.32.0 try http://www.
Jul 20 17:59:56 dbsysnet rsyslogd[813]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.32.0]
Jul 20 17:59:56 dbsysnet rsyslogd[813]: rsyslogd's groupid changed to 106
Jul 20 17:59:56 dbsysnet rsyslogd[813]: rsyslogd's userid changed to 102
Jul 20 17:59:56 dbsysnet rsyslogd[813]: [origin software="rsyslogd" swVersion="8.32.0" x-pid="813" x-info="http://www.rsyslog.com"] start