This is my iptables script which i run in bash. The saving of the configurations is part of the script.
#!/bin/bash
#
# iptables-konfigurasjon
#
# Set default rule to ACCEPT to avoid being locked out
iptables -P INPUT ACCEPT
# Flush all excisting rules
iptables -F
# New default rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# localhost:
iptables -A INPUT -i lo -j ACCEPT
# Not entirely shure what this is about....:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow http traffic for tomcat:
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
# Save rules:
/sbin/service iptables save
But, after testing it seems that these rules have no effect after all.
Example: If I comment out the line for allowing traffic to my tomcat server, I can still reach my tomcat server from outside.... even after a reboot.
What's wrong with my script?
BTW: I'm using CentOS 6.
after saving the newly added rules to your iptables, you have to restart the service so that changes take effect.
/sbin/service iptables restart
or
/etc/rc.d/init.d/iptables restart
You can add this in the end of script (for the CentOS):
iptables-save > /etc/sysconfig/iptables
service iptables restart
Problem
Why this happens
iptables functionalities are used by some other services like ufw or firewalld (depending on the distro you are using), which are blocking the changes made by iptables cli.
Solution
All you have to do is just remove the package firewall pkg installed on your machine
for ubuntu (debian distros) using the following command to remove the package
sudo apt purge ufw -y
Related
I have installed turn server in my godaddy server. To see that my turn server is working or not i have used https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/.
ICE Trickle in chrome output:
Chrome Output
ICE Trickle in mozilla output (version-58.0.2(64bit)):
Mozilla output
Issues i am facing:
1.webrtc works only for chrome to chrome(webrtc doesnt work for mozilla to mozilla).
2.mozilla shows "ICE failed add STUN error".
3.why there is different ICE trickle output for both the browsers?
It seems to me that turn server is not working!!
Can anybody help me with these issue i dont know what i am doing wrong. I dont know if its NAT problem or godaddy server problem or anything else. Are godaddy servers behind NAT?
Configurations i have done:
Firewall changes:
iptables -A INPUT -p tcp --dport 3478 -j ACCEPT
iptables -A INPUT -p udp --dport 3478 -j ACCEPT
iptables -A INPUT -p tcp --dport 5349 -j ACCEPT
iptables -A INPUT -p udp --dport 5349 -j ACCEPT
iptables -A INPUT -p udp --dport 49152:65535 -j ACCEPT
service iptables save
Turnserver configuration:
listening-port=3478
listening-ip=1.2.3.4(example)
external-ip=same as listening ip i.e 1.2.3.4(example)
verbose
fingerprint
realm = mydomain.com
I am running turn server using these command :
turnserver -L listening-ip -o -a -f -r mydomain.com
Got a server exposed to the recent MongoDB ransom scam. https://www.bleepingcomputer.com/news/security/mongodb-databases-held-for-ransom-by-mysterious-attacker/
I closed it down until I fixed this.
What's the easiest way to fix this? Is to add a user?
mongo
use admin
db.createUser( { user: "root", pwd: "password", roles: [ "root" ] } )
Is this enough to avoid getting hacked?
Expanding on #Sammye's comment mongodb has often no password for a database user. This is especially problematic if the database is facing the public internet because, just by trying the right port on the ip adress of your server everyone in the internet could theoretically connect to the database server.
To prevent this it is always a good idea to limit the traffic that can reach your server and its ports by a firewall.
Here is a sample iptables configuration (for ubuntu):
the following commands allow all traffic to localhost and to the ports 22 (ssh), 80 (http) and 443 (https)
# accept local traffic
sudo iptables -A INPUT -i lo -j ACCEPT
# allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow connections to ports 22, 80, 443
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
these commands block the rest of the traffic:
# drops the rest of the traffic to the server
# sudo iptables -P INPUT DROP
# disables the possibility to route traffic through the server (you may or may not want to use this)
# sudo iptables -P FORWARD DROP
# makes it possible to send data from the server
# sudo iptables -P OUTPUT ACCEPT
Before running any of these iptables commands it is always a good idea to set up a cronjob that resets your iptables configuration every 5 minutes. In that case if something goes wrong (you lock yourself out of the server for example because you forgot to enable port 22 in your firewall) the rules get reset and you can fix the issue.
this is a script from the iptables ubunt wiki to reset the firewall:
https://help.ubuntu.com/community/IptablesHowTo
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
when everything is finished and seems to be working do not forget to install the package iptables-persistent (by default the iptables rules only exist until the server is restarted)
sudo apt-get install iptables-persistent
this is by far not a complete guide on how to secure your server with iptables as firewall but I hope that it can get you started.
Now the database is only reachable from the server on not from the public internet anymore. To access your database from the public internet anyways you will have to create a ssh tunnel to your server:
ssh youruser#yourdomain_or_ip_adress -f -N -L 27019:yourdomain_or_ip_adress:27019
-f -N -L 27019 <-- here you define the port that should be used on your machine for the database traffic
yourdomain_or_ip_adress:27019 <-- this is the port that the database runs on on your server
When this is done you should be able to access the database from your server at your local machine at 127.0.0.1:27019.
This is a more general way to secure any application that runs on a server that is exposed to the internet.
There is also an official guide on how to specifically secure mongodb internally you can find it here: https://docs.mongodb.com/manual/administration/security-checklist/
I would like to know your professional opinions on the following rule for iptables. I know it is possible to move cPanel's port but it's not so easy for WHM and some other services etc.
I needed something to route a new private port i.e. 1234 to the service while blocking the default port i.e. 2083. In my head, the following rule does this:
Marks the packets incoming on the private port
Redirects the packets to the actual port
Only accepts marked packets on the actual port
Note: The policies are defaulted to DROP all NEW connections
The rules below are working as expected, but before I go and get too excited that the job is done, I wanted a pro opinion on it first. The rules, and preceding context:
# Policy defaults
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Accept anything to/from localhost
iptables -A INPUT -i lo -j ACCEPT
# Accept anything established/related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# --------------------------------------------------------------------
# Port forward and block (cPanel)
iptables -A PREROUTING -t mangle -p tcp --dport 1234 -j MARK --set-mark 0x400
iptables -A PREROUTING -t nat -p tcp --dport 1234 -j REDIRECT --to-ports 2083
iptables -A INPUT -p tcp --dport 2083 -m mark --mark 0x400/0x400 -m state --state NEW -j ACCEPT -m comment --comment "cPanel (Secure)"
Im no iptables wizzkid but it seems to work, Is this fairly secure?
Thanks in advance
I am trying to open up port on my Ubuntu machine to allow me to connect the Mongo using an external program. I ran this which is the command line to open a new port:
sudo iptables -A INPUT -p tcp --dport 27017 -j ACCEPT
but when I ran this to check if the new rule was there...
sudo netstat -ntlp | grep LISTEN
...the new port wasn't in the list - any ideas?
I think the mangodb instance was not started, apart from that ,sudo netstat -ntlp | grep LISTEN gives the list ports that are active are being used now, first start your Mango instance sudo service mongodb start , then run this command sudo netstat -ntlp | grep LISTEN if you find 27017 in the list, then sudo iptables -L chack your iptable rule is added or not. If it is in that list good else, sudo iptables -A INPUT -p tcp --dport 27017 -j ACCEPT
you can get more details on mangodb port and traffic # http://docs.mongodb.org/manual/tutorial/configure-linux-iptables-firewall/
In this case the Mongo config file needed updating to use port 27017. Once I had done this and restarted the service, the new port change was visible on in the list.
I know you can limit number of connections per ip, per time interval etc, but what I am wanting is amount of data.
I'm hosting a socket server, and I thought rather than making it do the processing to check for flooding - offload it to the firewall. I know you can guard against syn flooding attacks, like mentioned here:
http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html
For example:
# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
#Limiting the incoming icmp ping request:
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
I'm not sure what iptables can do, so the question is a bit vague. But since web-sockets use tcp I should be able to limit number of bytes per second. And flag connections exceeding that limit or just drop them, whatever.
I can't seem to find a good reference on this, as they are all about tracking connections etc, not data transfer. Does anyone know of a good reference or how to do this? Is iptables not a good firewall for this? if not what is?
The kernel-side firewall is the fastest and the most secure software solution (difficult to kill the kernel isn't it?). Using it have also the advantage to use the hardware firewall found on some network controllers.
Iptables is the primary tool for controlling it, but there are many others frontends with easier syntax.
If you want to configure easier, you should use this :.
Keep in mind tracking byte count for each IP can use lot of memory.
In your case I would install ipset, which is developed by the same team of iptables :
#create ipset for accounting with default lifetime 300 secs
ipset create IP_QUOTA_SET hash:ip timeout 300 counters
#create separated rule chain
iptables --new-chain PER_IP_QOUTING
#send packets to chain
iptables -t filter -A INPUT \
-i <in-iface> --dst <ip> \
-p tcp --dport <dstport> \
-j PER_IP_QUOTING
#if ip doesn't exist in the set, add it
iptables -t filter -A PER_IP_QUOTING \
-m set ! --match-set IP_QUOTA_SET src \
-j SET --add-set IP_QUOTA_SET src --timeout 300
#if packet exists in the set, check bytes
#if byte counter > quota then drop packet
iptables -t filter -A PER_IP_QUOTING \
-m set --match-set IP_QUOTA_SET src \
--bytes-gr 1000 -j DROP
#pass other packets (for debug purpose)
iptables -t filter -A PER_IP_QUOTING \
-j RETURN
In this case you can check the list and edit it by ipset command.
To show current list with counters and timeouts :ipset list IP_QUOTA_SET.
STRONG NOTE : iptables is Linux specific and is available since linux 2.4. The kernel implementation along the userspace tools did change in 2.0 and 2.2 previously.
The 3.13 version introduced a new change which will replace ipset; arptables; ebtables; ip6tables, and iptables with a single tool.
As with previous versions, their will be a transition period where frontends like vuurmuur will remain compatible with the kernel, but don't expect to use iptables in the future.
You can try the iptable command mark together with tc (traffic-shaping):http://www.amiryan.org/2009/02/16/traffic-shaping-under-linux-with-tc-and-iptables/.