Networking Forums

need remedial iptables info

 
 
news@celticbear.com

 
      11-08-2005, 08:50 PM
We recently had a server root level hacked.
Migrating to two new servers, and I need to learn basic IPTABLES real
fast to help prevent more attacks.

I read, well, tried to read "man iptables", but I actually need
something one step more basic and "for dummies" than that. Looks like a
good resource for after I know the basics.

For example, I'm not even quite sure I get where to edit the iptables
in the first place! (RedHat ES2).

I did a newsgroup search, but I see a lot of posting asking specific
questions that assume knowledge of the very basics, which I know
nothing of.
For example, in threads like this:
http://groups.google.com/group/alt.o...db70a2382bbd9e
people post bits of IPTABLES, but I can't quite get how they even got
that display.
When I
# iptables -L
I get something that looks quite different.

Looking at an example like:

#Allow SMTP
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --sport 25 -j ACCEPT

I get that it's setting up a condition that incoming and outgoing TCP
packets through port 25 should be accepted, and I'm guessing if I
replaced ACCEPT with DENY, that'd prevent any packets from getting to
port 25.
But, I can't find how to do something like:

DROP _all_ packets by default, except for the SSH port when coming from
a specific IP address.

(Or would blocking ALL traffic in/out of a server save for ONLY two IP
addresses allowed to access it, be controlled in something like the
HOSTS file?
In any case, for the other server I would want to DROP all except 80
and 443... )

In any case, need some kind of tutorial explaining IPTABLES for the
COMPLETE beginner, and not for someone who already understands the MAN
reasonably well.

Thanks for any feedback!
Liam

 
 
 
 
 
ynotssor

 
      11-08-2005, 09:12 PM
news@celticbear.com wrote:

> In any case, need some kind of tutorial explaining IPTABLES for the
> COMPLETE beginner, and not for someone who already understands the MAN
> reasonably well.


http://iptables-tutorial.frozentux.n...-tutorial.html

 
 
Olivier

 
      11-08-2005, 09:20 PM
news@celticbear.com wrote:
> We recently had a server root level hacked.
> Migrating to two new servers, and I need to learn basic IPTABLES real
> fast to help prevent more attacks.
>
> I read, well, tried to read "man iptables", but I actually need
> something one step more basic and "for dummies" than that. Looks like a
> good resource for after I know the basics.
>
> For example, I'm not even quite sure I get where to edit the iptables
> in the first place! (RedHat ES2).
>


Hum.. in your case maybe it's better to begin with the basic tools:
Run as root:
system-config-securitylevel

There you just have to check some boxes. For a basic configuration
that's probably enough.

About ssh, take care to:
a) disable ssh root access
b) make certain you do not have any "system" accounts enabled with a password.
Basically oracle, mysql etc.: make sure they do not have a password.
Typically you'd better completely disable any password authentication
via ssh.
 
 
news@celticbear.com

 
      11-08-2005, 09:21 PM

ynotssor wrote:
> news@celticbear.com wrote:
>
> > In any case, need some kind of tutorial explaining IPTABLES for the
> > COMPLETE beginner, and not for someone who already understands the MAN
> > reasonably well.

>
> http://iptables-tutorial.frozentux.n...-tutorial.html


Whoa! That's uhm, the COMPLETE guide, not the guide for the complete
beginner. *wink*
Seriously, looks like it probably has everything I could possibly need
to know... now I need a beginner's guide to NAT and TCP/IP and...
*grin* Or at least a "Cliff Notes" version of that site perhaps. =)
Thanks for the reply! I'll get to work reading it now.
Liam

 
 
Nate Bargmann

 
      11-09-2005, 02:29 AM
On Tue, 08 Nov 2005 14:21:01 -0800, news@celticbear.com wrote:

>> http://iptables-tutorial.frozentux.n...-tutorial.html

>
> Whoa! That's uhm, the COMPLETE guide, not the guide for the complete
> beginner. *wink*
> Seriously, looks like it probably has everything I could possibly need
> to know... now I need a beginner's guide to NAT and TCP/IP and...
> *grin* Or at least a "Cliff Notes" version of that site perhaps. =)
> Thanks for the reply! I'll get to work reading it now.
> Liam


Perhaps you might find an iptables tool like Firehol or Shorewall useful?
Both of these allow you to describe what you want to do at a higher level
of abstraction and then take care of the underlying details for you. Of
course, with either tool you will want to understand and audit the rules
they configure.

- Nate >>

--

"The optimist proclaims that we live in the best of all possible worlds,
the pessimist fears this is true."

 
 
news@celticbear.com

 
      11-09-2005, 02:11 PM

Olivier wrote:
> news@celticbear.com wrote:
> > We recently had a server root level hacked.
> > Migrating to two new servers, and I need to learn basic IPTABLES real
> > fast to help prevent more attacks.
> >
> > I read, well, tried to read "man iptables", but I actually need
> > something one step more basic and "for dummies" than that. Looks like a
> > good resource for after I know the basics.
> >
> > For example, I'm not even quite sure I get where to edit the iptables
> > in the first place! (RedHat ES2).
> >

>
> Hum.. in your case maybe it's better to begin with the basic tools:
> Run as root:
> system-config-securitylevel
>


Well, that works on my Fedora box. =) Way cool! Thanks.
ES2 doesn't have that. (It's a remote server anyway, so I don't have a
GUI for it. All my work on that box is at shell level.)

[..]
> About ssh: take care to:
> a) disable ssh root access


Hmm? What do you mean? Like change /bin/bash in /etc/passwd to
/dev/null or something?
If I do that, can I still "su -" from another account OK?
If that's not what you mean, uhm, what do you mean? =) This sounds very
important.

> b) make certain you do not have "system" account enabled with password.


OK, also, you mean as an account in /etc/passwd?
I just looked, and there's no account named "system", so, all good
there, right?

> Basically oracle, mysql etc .. make sure they do not have password.


Again these are the accounts you're talking about, right?
In /etc/shadow I have:
mysql:!!:12161:0:99999:7:::
That !! in the second section is what you mean, right? This is OK,
meaning, it has no password, right?

> Typically you'd better disable completely any password authentification
> via ssh.


OK, this I have no idea about. How does login validation happen with
SSH then? I don't get it? I have to SSH into the box to manage it...

Thanks for the reply! I really appreciate the advice!
Liam

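The two sshd changes Olivier recommends, together with the questions above about how a login is validated without passwords and whether the "!!" in /etc/shadow is fine, as an added example that is not part of the thread: a small sh script that sets PermitRootLogin no and PasswordAuthentication no in a copy of sshd_config and lists the accounts in a shadow file that a password could still log into. The sample sshd_config and shadow contents are constructed and the function names are mine. With password authentication off, sshd validates a login by checking that the client can prove possession of a private key whose public half is listed in the account's ~/.ssh/authorized_keys, so generate a keypair on the workstation with ssh-keygen and append the .pub file to that file on the server before turning passwords off.

```sh
#!/bin/sh
# Added example, not from the thread: the sshd changes Olivier recommends, made on
# a copy of sshd_config, plus the /etc/shadow check Liam asks about. It runs on
# constructed sample files; point it at /etc/ssh/sshd_config and /etc/shadow (as
# root) to use it for real, then "service sshd restart" from a session you keep open.

# sshd uses the FIRST occurrence of a keyword, so appending "PermitRootLogin no"
# to a file that already says "PermitRootLogin yes" higher up changes nothing.
# Put the new setting at the top and comment out every existing occurrence.
set_sshd_option() {   # set_sshd_option <file> <Keyword> <value>
    tmp=$(mktemp)
    awk -v k="$2" -v v="$3" '
        BEGIN { print k " " v }
        tolower($1) == tolower(k) { print "#" $0; next }   # keywords are case-insensitive
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Value sshd will actually use for a keyword (first active occurrence, or empty).
sshd_effective() {    # sshd_effective <file> <Keyword>
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Accounts that a password (or an empty one) can log into. A password field that
# starts with "!" or "*" ("!!" is what Liam sees for mysql) is locked: nothing
# typed at a password prompt will ever match it. An empty field is the opposite
# and is flagged too.
password_accounts() { # password_accounts <shadow-file>
    awk -F: '$2 !~ /^[!*]/ { print $1 }' "$1"
}

harden_sshd() {       # harden_sshd <sshd_config>
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PermitEmptyPasswords no
}

# --- demo on constructed files (hypothetical contents, not from any real host) ---
conf=$(mktemp); shadow=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication yes
EOF
cat > "$shadow" <<'EOF'
root:$1$constructed$examplehashxxxxxxxxxxx:12161:0:99999:7:::
mysql:!!:12161:0:99999:7:::
oracle::12161:0:99999:7:::
liam:$1$constructed$anotherhashxxxxxxxxxxx:12161:0:99999:7:::
EOF
echo "before: PermitRootLogin=$(sshd_effective "$conf" PermitRootLogin)"
harden_sshd "$conf"
echo "after:  PermitRootLogin=$(sshd_effective "$conf" permitrootlogin)"
echo "accounts still reachable by password: $(password_accounts "$shadow" | tr '\n' ' ')"
rm -f "$conf" "$shadow"
```

Test it from a second session before closing the first: after the restart, ssh to an unprivileged account must ask for nothing but the key passphrase, and ssh to root must be refused. "su -" from that unprivileged account keeps working, since it goes through PAM on the box, not through sshd; root simply cannot be the account that arrives over the network.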
 
 
Ole

 
      11-09-2005, 02:56 PM
>DROP _all_ packets by default, except for the SSH port when coming
>from a specific IP address.


This could be realized by issuing the following commands:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

(iptables sets (-P)olicy for chain FORWARD to DROP)

If the ssh connects should go to the firewall box, the following
commands would enable the connects:

# -A appends, so the LOG rule sits above the ACCEPT rule and is reached first
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix 'ssh connection attempt: '
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# replies leave the box FROM port 22, so OUTPUT matches on --sport
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Same thing for udp, as far as I know, but not sure.

It comes in handy to specify the NIC with options -i (
--incoming-interface) and -o (--outgoing-interface). e.g.

# -o is only valid in the FORWARD and OUTPUT chains; this drops packets
# arriving on the outside interface that claim an inside source address
iptables -I FORWARD -i externaldevice -o internaldevice --source internalnetworkrange -j DROP

Keep in mind to specify the rules in every needed direction, and do not
test settings over ssh ;D, otherwise you'll have to run to the
firewall box and reset it, or plug a terminal into it. The -j LOG option
is not necessary but may be quite informative. But take care of your
disk space. You might want to split the iptables logs into another file
using syslog-ng; it works very well.

I suggest you pick up a default rc.firewall script, a file where those
commands are defined. Take care that you pick a well-documented one;
understanding iptables should then be easy enough.

Within the testing period, you might want to flush the iptables:

iptables -F (flushes all default chains)
iptables -X (deletes all user defined chains)

I hope that helped a bit.

Greetings
Ole

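Ole's rules carried through into the complete default-deny ruleset Liam asked for, as an added example that is not from the thread: SSH only from two named hosts, 80 and 443 open to everyone, nothing else in or out, with the drops logged. It is written as the kind of rc.firewall script Ole mentions. ADMIN_IPS, the port lists and the log prefixes are placeholders to adjust; IPT is unset by default so the script only prints the rules until you point it at the real binary. It goes a little beyond the thread in using the state match (ESTABLISHED,RELATED), which is what lets a single pair of rules replace the mirrored --sport/--dport rules.

```sh
#!/bin/sh
# Added example, not from the thread: a minimal default-deny rc.firewall for one
# server, the kind of file Ole suggests starting from. Every address and port
# below is a placeholder; ADMIN_IPS are the two hosts allowed to reach SSH.
# Dry run by default (prints the rules); set IPT to the real binary to load them:
#   sh firewall.sh                        # show what would be loaded
#   IPT=/sbin/iptables sh firewall.sh     # load it, as root

IPT="${IPT:-}"
ADMIN_IPS="${ADMIN_IPS:-192.0.2.10 192.0.2.11}"  # TEST-NET-1 placeholders
SSH_PORT="${SSH_PORT:-22}"
PUBLIC_TCP="${PUBLIC_TCP:-80 443}"               # open to the world (web box); empty for the other
OUT_TCP="${OUT_TCP:-53}"                         # connections the server may open itself
OUT_UDP="${OUT_UDP:-53}"                         # (DNS; add 80 443 if it fetches updates)

# Print the rules, one iptables argument list per line, in load order.
# Order matters: iptables stops at the first matching rule in a chain.
gen_rules() {
    # Policy first: anything no rule below accepts is silently dropped.
    echo "-P INPUT DROP"
    echo "-P FORWARD DROP"
    echo "-P OUTPUT DROP"
    # Then flush, so running the script twice gives the same result.
    echo "-F"
    echo "-X"
    # Loopback carries local traffic (syslog, mysql over TCP); never block it.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    # Packets of connections already allowed, both ways. This pair replaces the
    # --sport/--dport mirror rules in the thread and lets replies out automatically.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # A new TCP connection must start with SYN; anything else is a scan or garbage.
    echo "-A INPUT -p tcp ! --syn -m state --state NEW -j DROP"
    # SSH only from the admin hosts. Other attempts are logged, then hit the policy.
    for ip in $ADMIN_IPS; do
        echo "-A INPUT -p tcp -s $ip --dport $SSH_PORT -m state --state NEW -j ACCEPT"
    done
    echo "-A INPUT -p tcp --dport $SSH_PORT -m limit --limit 5/min -j LOG --log-prefix 'ssh denied: '"
    # Public services, if any.
    for port in $PUBLIC_TCP; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Connections the server itself is allowed to start.
    for port in $OUT_TCP; do
        echo "-A OUTPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    for port in $OUT_UDP; do
        echo "-A OUTPUT -p udp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log what the policy is about to drop, rate limited so a scan cannot fill /var.
    echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix 'iptables drop: '"
}

# Feed the rules to iptables, or print them when IPT is unset (dry run).
apply_rules() {
    gen_rules | while read -r line; do
        if [ -n "$IPT" ]; then eval "$IPT $line"; else echo "iptables $line"; fi
    done
}

# Number of rules accepting a new SSH connection: must equal the number of admin hosts.
ssh_accept_count() {
    gen_rules | grep -c -- "--dport $SSH_PORT -m state --state NEW -j ACCEPT"
}

# Load-order sanity check: the ESTABLISHED rule must come before the first SSH rule.
state_rule_first() {
    est=$(gen_rules | grep -n -- 'ESTABLISHED,RELATED' | head -1 | cut -d: -f1)
    ssh=$(gen_rules | grep -n -- "--dport $SSH_PORT" | head -1 | cut -d: -f1)
    [ "$est" -lt "$ssh" ]
}

apply_rules
```

Before loading this over ssh, start a safety net in a second shell, for example (sleep 300; iptables -P INPUT ACCEPT; iptables -F) &, so a mistake undoes itself after five minutes; kill it once a fresh login from one of the admin hosts succeeds. On Red Hat the running rules are not kept across reboots until you run service iptables save, which writes them to /etc/sysconfig/iptables for the init script to reload; that file, or a script like this one, is the place "where to edit the iptables".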
 