Archive

Archives pour la catégorie ‘Sécurité’

Configure IPtables to allow Plex Media Server

22/02/2019 Aucun commentaire

Source:

I could write quite a lengthy post about configuring and setting up the Plex Media Server (PMS), however I’ve decided that this post will be short and sweet. To get Plex working properly you will need to allow incoming packets on the the following ports on your server machine. I have also provided the Plex part of my IPtables configuration in case that would be useful for a reader.

TCP UDP
32400 32400
32410
32412
32414
1900

Here is the Plex part of my IPtables configuration file from CentOS6.5. It’s location on the server is: /etc/sysconfig/iptables

#  Plex
-A INPUT -m state --state NEW -m tcp -p tcp --dport 32400 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 32400 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 32410 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 32412 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 32414 -j ACCEPT

#  UPnP Disabled in router open for the sake of science
-A INPUT -m state --state NEW -m udp -p udp --dport 1900  -j ACCEPT
This configuration is confirmed working on following devices both through the Plex app or via DLNA:
  • Google Nexus 7 2013 (Android)
  • Samsung smart TV
  • Any machine with a browser

Hopefully that will save someone a few hours work trying to figure it out themselves. Happy new year! Jack. I’ve had a few requests for the entire IPtables script i use on my Plex server – So here it is:

# Generated by iptables-save v1.4.7 on Thu Jan  9 11:05:53 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 32400 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 32400 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 32410 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 32412 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 32414 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1900 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 --dport 513:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jan  9 11:05:53 2014
Categories: Réseau, Sécurité Tags: ,

Troubleshooting iptables

22/02/2019 Aucun commentaire

Source: microhowto.info

Content

Objective

To ensure that iptables has been correctly configured.

Background

iptables is a component of the Linux kernel that allows IPv4 traffic to be manipulated as it traverses the network stack. Its two main uses are:

  • packet filtering (firewalling) and
  • network address translation (NAT).

The behaviour of iptables is controlled by rules, each of which specifies the action to be taken if a packet meets a particular set of conditions. The rules are organised into chains, and the chains into tables. Chains may be either built-in or user-defined.

For more information about the architecture and configuration of iptables see:

Symptoms

The most likely symptoms of an iptables configuration error are:

  • traffic being dropped or rejected,
  • traffic not being NATted when it should have been,
  • traffic being NATted when it shouldn’t have been, or
  • traffic being NATted to the wrong address.

A wide variety of other effects are possible, but unlikely unless the configuration is an unusual one.

Scenario

Suppose that a machine has been configured to act as a boundary router between a local area network (connected to interface eth0 with the address 192.168.0.1/24) and the public Internet (connected to interface ppp0 with the address 203.0.113.144/32). The default gateway is 203.0.113.1. Because the local area network uses a private address range, iptables on the boundary router has been configured to SNAT them to its public IP address.

In order to test this configuration you have attempted to ping a machine on the public Internet (198.51.100.1) from a machine on the local area network (192.168.0.2), but this has failed.

Lire la suite…

Control Network Traffic with iptables

21/02/2019 Aucun commentaire

Packet filtering using network rules such as NAT (network address translation) can be accomplished by using iptables. Iptables utilize ports and protocols and may also be used as a firewall.

Using iptables for IPv4

By default, the iptables tool is included with your Linode supplied distribution. In order to use iptables, you will have to have root privileges to make changes. The location of the iptables files is in the /sbin directory. However, you will make changes to these files by invoking commands, not with a text editor.

The iptables Command

There are a number of options that can be used with iptables. Before you begin, you need to understand how iptables work. As stated above, iptables are used to set the rules governing network traffic. You can define different tables to handle these rules. The table contains a variety of built-in chains, but you can add your own chains. A chain is a list of rules that match a set of packets.

Basic iptables Parameters

In order to start using iptables, you will need to understand some basics about the command syntax. For example:

iptables -I INPUT -s 12.34.56.78 -j DROP

In the sample above you are invoking iptables by its name. The -I option is for insertion. Using a rule with the insertion option will add it at the beginning of a chain, it will also be the rule that is applied first. You may also use a number with -I option to indicate its placement in the chain. The -s parameter along with the IP address (12.34.56.78) indicates the source. Finally the -j parameter is for jump. It specifies the target of the rule i.e. what action it is to perform if the packet is a match.

For example, the rule above is added to the beginning of the chain, and it will drop all packets from the address 12.34.56.78 received from anywhere.

Parameter Description
-p, -- protocol The rule, such as TCP, UDP, etc.
-s, -- source Can be an address, network name, hostname, etc.
-d, -- destination An address, hostname, network name, etc.
-j, -- jump Specifies the target of the rule; i.e. what to do if the packet matches.
-g, --goto chain Specifies that the processing will continue in a user specified chain.
-i, --in-interface Names the interface from where packets are received.
-o, --out-interface Name of the interface by which a packet is being sent.
-f, --fragment The rule will only be applied to the second and further fragments of fragmented packets.
-c, --set-counters Enables the admin to initialize the packet and byte counters of a rule.

Default Tables

A root or sudo user can create tables. Tables are comprised of built-in chains and may also contain user-defined chains. The built-in tables present will depend on the kernel configuration and the installed modules. Below is a list of the tables available.

The default tables are as follows:

  • Filter – this is the default table. Its built-in chains are:
    • Input – is for packets going to local sockets
    • Forward – is for packets routed through the server
    • Output – is for locally-generated packets
  • Nat – when a packet creates a new connection this is the table that is used. Its built-in chains are Prerouting, Output, and Postrouting
    • Prerouting is for packets when they come in
    • Output is for locally-generated packets before routing takes place
    • Postrouting is for altering packets on the way out
  • Mangle – is used for special altering of packets. Its chains are Pre/Post routing, Forward, Input, and Output
    • Prerouting is for incoming packets
    • Postrouting is for packets going out
    • Output is for locally generated packets that are being altered.
    • Input is for packets coming directly into the server
    • Forward is for packets being routed through the server
  • Raw – is used primarily for configuring exemptions from connection tracking. The built-in chains are Prerouting and Output.
    • Prerouting is for packets that arrive by the network interface
    • Output is for processes that are locally generated
  • Security – is used for Mandatory Access Control (MAC) rules. After the filter table, the security table is accessed next. The built-in chains are Input, Output, and Forward.
    • Input pertains to packets entering the server
    • Output is for locally-generated packets
    • Forward is for packet passing through the server

Lire la suite…

Preventing a DDoS from China, a Great Firewall of China gone rogue?

21/02/2019 Aucun commentaire

Source: defendagainstddos.wordpress.com

On the 25th of January one of my sites was struggling to stay up, my “Dos Deflate” emails were popping into my inbox at a great frequency.

A quick run of the following command:

netstat -tn 2>/dev/null | grep :80 | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -nr | awk ‘{print $2}’

Gave me a list of addresses connected to the site. The number of addresses was way way above the number normally connected to the site.  A site which although modestly doing 100,000s of page views per day will normally have only 300-500 port 80 connections at any one instance.  This time however we had a 2 or 3 thousand.

A quick copy and paste into the following tool http://software77.net/geo-ip/multi-lookup/ (max 2000 ips per lookup) which is very usefully for bulk ip address to location lookups, yielded the following

1.26.199.253 # CN China
 1.81.157.62 # CN China
 1.83.168.34 # CN China
 1.180.57.96 # CN China
 1.26.201.167 # CN China
 1.62.140.66 # CN China
 1.189.82.78 # CN China
 1.193.76.146 # CN China
 1.26.241.209 # CN China
 1.190.209.36 # CN China
 1.189.162.213 # CN China
 1.31.57.105 # CN China
 1.62.17.196 # CN China
 1.58.137.111 # CN China
 1.83.229.4 # CN China
 1.180.10.45 # CN China
 1.180.5.200 # CN China
 1.26.169.201 # CN China
 1.180.187.10 # CN China
 1.190.2.102 # CN China
 1.25.134.125 # CN China
 1.62.161.233 # CN China
 1.182.28.181 # CN China
 (And on and on)

We clearly had an issue with China, but a quick log in to Google Analytics indicated almost no real-time traffic visiting the site.

Due to the sheer volume of connections for the next 45 mins, I was regularly running this command pasting into excel, then bulk iptabling the the ip address as well as the 65,000 neighbouring addresses.

sudo iptables -A INPUT -s 59.56.0.0/16 -m comment –comment “China IP” -j DROP
sudo iptables -A INPUT -s 1.26.0.0/16 -m comment –comment “China IP” -j DROP

etc etc.

Lire la suite…

IPTABLES – better version for webserver like wordpress

20/02/2019 Aucun commentaire

IPTABLES for WordPress

Thanks to:
http://bencane.com/2012/09/17/iptables-linux-firewall-rules-for-a-basic-web-server/
http://www.linux.org/threads/base-iptables-rules-that-will-apply-to-virtually-any-web-server.10/ (used this script with modifications)

NOTES:

Here is a simple script that allows all outbound connections and the inbound connections coming back from those outbound connections (conntrack). Also port 80 and port 22 and port 443 are allowed in. A few more rules as well. Some rules are commented out for your use. Make sure you have an alternate connection because if you block yourself out of ssh, you might be out of luck (restarting the pc/server will clear the rules, unless you have a setting that says on boot read these iptables)

CLEAR ALL:

Clear all rules (this is good to keep handy, maybe save it as a script called iptables-clear-all.sh):

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
 
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Lire la suite…