Sunday, August 26, 2012

Part 2: Adding the firewall rules

In part two of this series we're going to discuss adding firewall rules to the router.  Everyone knows that adding ingress (or incoming) firewall rules is important to securing your network.  However, the same can be said for adding egress rules for traffic leaving your network.  For instance, aside from an email server, no client should ever send traffic to the Internet via TCP port 25.  If you see traffic like this, it could mean that you have an infected computer within your network.  Egress firewall rules, along with logging of those rules, will help track down problems before it gets out of hand.  

First lets up the ingress rules to protect the router from incoming traffic we do not want.
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 192.168.2.0/24 -p icmp -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -s 192.168.2.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -j LOG --log-prefix " *** IPTABLES DENY IN *** "
    iptables -A INPUT -j REJECT

The first rule allows us to configure the stateful firewall.  Any connections that are already established on the server is allowed through, new connections will not be allowed by this line.  The second rule allows for internal clients to ping their default gateway.  Third rule is VERY IMPORTANT as it allows server traffic to be allowed on the loopback interface.  Most Linux communication including X and service daemons use the loopback for internal communication.  If you do not allow this rule then you could kill everything.  The fourth line allows internal traffic to connect through SSH for remote administration.  We can further restrict SSH by only allowing SSH keys, or if you have a monitor hooked up to the router you could skip this rule altogether.  And the last rule blocks all other incoming traffic to the router.

Now lets setup the egress rules on the router.  To do this, we will use the forward table in iptables.  This is used to forward traffic from one interface to another.
    iptables -A FORWARD -m state --state INVALID -j DROP
    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
    iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
    iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 465 -j ACCEPT
    iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 587 -j ACCEPT
    iptables -A FORWARD -i eth1 -p tcp -m tcp --dport 993 -j ACCEPT
    iptables -A FORWARD -i eth1 -j LOG --log-prefix " *** IPTABLES DENY OUT *** "
    iptables -A FORWARD -j REJECT
    iptables -A FORWARD -s 192.168.2.0/24 -i eth0 -j DROP

The first rule for this is similar to the first rule to the last set.  The next set of rules allow internal clients to connect to any server on the Internet using SSH, HTTP/HTTPS, and email.  The last few lines are important as first we log dropped packets, then drop packets that do not meet the lines above, and then an anti-spoofing line.  We will talk about logging in a minute, I just want to point out one additional thing.  Be extremely careful when creating egress firewall rules as this will break things.  For instance, if someone needs to establish an outgoing VPN connection then you will need to add those rules in or it will not work.

To get IPTABLES to log dropped packets to a log file, we use rsyslog.  In the /etc/rsyslog.conf file add the following lines:
    :msg,startswith," *** IPTABLES DENY OUT *** " /var/log/iptables-egress
    :msg,startswith," *** IPTABLES DENY IN *** " /var/log/iptables-ingress
    &~
Now start the rsyslog daemon and restart iptables and you'll be all set.

PyMyDB Backup 0.5.1

The first version of PyMyDB Backup has been released and is based on Python 2.4.3. This is a Python script that will back up your MySQL databases, calculate the size of the backed up files, tarball and compress the contents, then email the results.
To use:
    Download the EPEL RPM which can be found at: http://download.fedora.redhat.com/pub/epel/
     Install pymydb-0.5.1-1.noarch.rpm which can be found at: GitHub
         This script creates the necessary directories and user account
     After installation, there will be two scripts placed in /usr/local/bin which are pymydb.py and setup.py
     Run the setup.py script, this will configure the pymydb.py script
         Logs into the MySQL server
         Creates the backup user, sets a password, and gives him select and lock tables privileges
         Configures the email settings
     Change the permissions on the pymydb.py script
         chown root.pymydb pymydb.py
     Add the pymydb.py script into cron and make sure to add a password for the system user
 You can download it at my GitHub page

Friday, August 3, 2012

Setting up NAT with CentOS/Red Hat 6

​This will be part 1 in a series of configuring CentOS/Red Hat 6 as a secured firewall. Though I am a huge fan of pfSense (which can be found here pfSense), I wanted to build my own from scratch. So, the first part of this series will consist of setting up PAT (or NAT overload for the Cisco geeks) on Linux.
The first step is to configure the network cards.  In this scenario we will use eth0 as the WAN connection and eth1 as the LAN connection.  Refer to the diagram below
 | ISP - 192.168.1.1/30 | <--- | eth0(WAN) - 192.168.1.2/30 | --- NAT Server --- | eth1(LAN) - 192.168.2.1/24 | ---> Internal Network
Edit both the ifcfg-eth0 and the ifcfg-eth1 files located in /etc/sysconfig/network-scripts/, make sure both of the network cards are set to BOOTPROTO="static".
The second step is to setup IP forwarding which can be done by editing the /etc/sysctl.conf file and adding
    net.ipv4.ip_forward = 1
You can then either reload the server or issue the 'sysctl -p' command. Once that command is run, you will see the output of the command and you should see 'net.ipv4.ip_forward = 1' in the output. You can also verify by running 'cat /proc/sys/net/ipv4/ip_forward' and it will return a '1'. If it returns a 0 then the command did not run correctly and you need to try again.
The last step is to set up masquerade with IPTABLES. As eth0 is your outside (or WAN) connection, run
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Connect a laptop to the eth1 NIC with a crossover cable, and statically set the IP address to 192.168.2.2/24 with the default gateway of 192.168.2.1.  You should now be able to ping out of the LAN to the Internet. If successful run,
    service iptables save
which will save the command to the /etc/sysconfig/iptables file when either the service or the server is reloaded.