Saturday, July 26, 2008

Creating tmpfs and swap space after partitions have already been written

This how-to describes how to create a tmpfs and swap file system on an existing server, after the partition table has been written. I'll start off with a little history first. I was presented with a production server where there was only a / root partition and 500MB of swap allocated. We needed to bump up RAM to 1GB, and I wanted to allocate more swap space. Also, I wanted to add an extra layer of security by making the /tmp directory noexec,nosuid. This is a nice method to counter script-kiddie attacks. It's by no means 'rock-solid', but it can really help against automated attacks. The solution is to use some disk space and create a file system on it. Once the file system has been created, you mount it with special options.

First let's work on swap

dd if=/dev/zero of=/.swap bs=1024 count=500000
chmod 600 /.swap   # swap holds pages of memory; keep the file readable by root only
mkswap /.swap
swapon /.swap

This creates a 500 MB file using dd. Once the .swap file has been created, we make the swap file system on it and activate the swap space.

The original /etc/fstab looked like this:

/dev/hda1 /boot ext3 noauto,noatime 1 2
/dev/hda3 / reiserfs noatime 0 1
/dev/hda2 none swap sw 0 0

Now, we're going to add our additional swap space to /etc/fstab

/.swap swap swap defaults 0 0

Issuing a `top` command, we can see our swap now has: 1006028k (1GB).

Next, we're going to create a tmpfs file system

dd if=/dev/zero of=/.tmpfs bs=1024 count=250000
mkfs -t ext3 /.tmpfs
mount -o loop,noexec,nosuid,rw /.tmpfs /tmp
chmod 0777 /tmp
chmod +t /tmp

This created a 250 MB file using dd, put an ext3 file system on it, and mounted it on our /tmp mount point with the noexec and nosuid options. Now, no programs can be executed in /tmp. All we need to do now is adjust /etc/fstab:

/.tmpfs /tmp ext3 loop,rw,nosuid,noexec 0 0

This isn't the ideal solution, but since this was a production box, rebuilding the partition table from scratch was an extremely ugly option.
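One way to check the result, as an added example rather than part of the original post: a POSIX shell function (missing_mount_opts, a name chosen here) that reports which required options a mount point lacks in an fstab-format file. The sample files are constructed from the fstab lines shown above.

```shell
#!/bin/sh
# missing_mount_opts FILE MOUNTPOINT OPT...
# Added example (not from the post): list the required options that an
# fstab-format file (device mountpoint fstype options dump pass) lacks for
# MOUNTPOINT. Empty output = all present; "unmounted" = no entry at all.
missing_mount_opts() {
    file=$1; mp=$2; shift 2
    awk -v mp="$mp" -v want="$*" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $2 == mp { opts = $4; found = 1 }    # a later entry overrides an earlier one
        END {
            if (!found) { print "unmounted"; exit }
            n = split(opts, have, ",")
            for (i = 1; i <= n; i++) set[have[i]] = 1
            m = split(want, w, " ")
            for (i = 1; i <= m; i++)
                if (!(w[i] in set)) out = out (out == "" ? "" : " ") w[i]
            print out
        }' "$file"
}

# Constructed sample: the fstab from this post before and after the changes.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/fstab.before" <<'EOF'
/dev/hda1 /boot ext3 noauto,noatime 1 2
/dev/hda3 / reiserfs noatime 0 1
/dev/hda2 none swap sw 0 0
EOF
cp "$sample_dir/fstab.before" "$sample_dir/fstab.after"
cat >> "$sample_dir/fstab.after" <<'EOF'
/.swap swap swap defaults 0 0
/.tmpfs /tmp ext3 loop,rw,nosuid,noexec 0 0
EOF

echo "/tmp before: $(missing_mount_opts "$sample_dir/fstab.before" /tmp noexec nosuid)"
echo "/tmp after:  $(missing_mount_opts "$sample_dir/fstab.after" /tmp noexec nosuid)"
echo "/ after:     $(missing_mount_opts "$sample_dir/fstab.after" / noexec nosuid)"
```

/proc/mounts uses the same field layout, so `missing_mount_opts /proc/mounts /tmp noexec nosuid` checks the live mount rather than the configuration file.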

Tuesday, July 8, 2008

iptables tutorial for beginners


Iptables is a Linux-based packet filtering firewall. Iptables interfaces to the Linux netfilter module to perform filtering of network packets. This can be used to filter (deny/allow) traffic or to perform Network Address Translation (NAT). With careful configuration, iptables can be a very cost-effective, powerful and flexible firewall or gateway solution. Iptables is available from or via your Linux distribution.

In short, iptables is a packet filtering tool which allows a system administrator to define, using rules, which incoming and outgoing packets are allowed to and from the system. Iptables can be confusing, but it's pretty straightforward once you get the hang of it.

Rules, Chains, and Tables

Iptables rules are grouped into chains. A chain is a set of rules used to determine what to do with a packet. These chains are grouped into tables. Iptables has three built-in tables: filter, NAT, and mangle. More tables can be added through iptables extensions.

Filter Table

The filter table is used to allow and block traffic, and contains three chains: INPUT, OUTPUT, and FORWARD. The input chain is used to filter packets destined for the local system. The output chain is used to filter packets created by the local system. The forward chain is used for packets passing through the system, mainly used for gateways/routers.

There are three real "chains" which iptables uses:

INPUT, which is used to grant or deny incoming connections to your machine.
OUTPUT, which is used to grant or deny outgoing connections from your machine.
FORWARD, which is used for forwarding packets across interfaces, only really needed (in general) when you're setting up a gateway machine.

NAT Table

The NAT table is used to set up the rules that rewrite packets, allowing NAT to happen. This table also has three chains: PREROUTING, POSTROUTING, and OUTPUT. The prerouting chain is where packets arrive before being processed by the local routing table. The postrouting chain is where packets are sent after going through the local routing table.

The general form of an iptables rule is:

iptables -A CHAIN -p tcp [options] -j ACTION

The CHAIN we've briefly covered before, "INPUT", "OUTPUT", "FORWARD", etc. Here "-A INPUT" means "append this rule to the input chain".

The "-p tcp" means this rule applies only to TCP connections, not UDP. (To specify UDP connections you'd use "-p udp" instead.)

"[options]" is where you specify what you wish to match against.

Finally "-j ACTION" is used to specify what to do to packets which match your rule. Usually an action will be one of "-j DROP" to drop the packet, "-j ACCEPT" to accept the packet, or "-j LOG" to log it.


The first step is to know the iptables commands.

Main commands

* -A --append : Adds the rule at the end of the specified chain

iptables -A INPUT ...

* -D --delete : Deletes a rule from a chain.
There are two ways to use it: specify the number of the rule to delete, or specify the rule itself

iptables -D INPUT 1
iptables -D INPUT -p tcp --dport 80 -j DROP

* -R --replace : Replaces the specified rule in a chain

iptables -R INPUT 1 -s -j DROP

* -I --insert : Inserts a rule at a specific position in the chain

iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

* -L --list : Display the rules

iptables -L # Display all the rules of the FILTER chains
iptables -L INPUT # Display all the INPUT rules (FILTER)

* -F --flush : Delete all the rules of a chain

iptables -F INPUT # Delete all the rules of the INPUT chain
iptables -F # Delete all the rules

* -N --new-chain : Creates a new chain

iptables -N LOG_DROP

* -X --delete-chain : Deletes a chain

iptables -X LOG_DROP # Delete the LOG_DROP chain
iptables -X # Delete the chains

* -P --policy : Tells the kernel the default policy of a chain: ACCEPT, REJECT, DROP ...

iptables -P INPUT DROP

Basic Uses

The most common use of iptables is to simply block and allow traffic.

Allow Traffic

Iptables lets you allow traffic based on a number of different conditions such as Ethernet adapter, IP address, port, and protocol.

Allow incoming TCP traffic on port 22 (ssh) for adapter eth0
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

Allow incoming TCP traffic on port 80 (HTTP) for the IP range to
iptables -A INPUT -s -p tcp -m tcp --dport 80 -j ACCEPT

Block Traffic

Iptables can block traffic on the same conditions that traffic can be allowed.

Blocks inbound TCP traffic on port 22 (ssh)
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP

Blocks inbound TCP traffic on port 80 (HTTP) from the IP
iptables -A INPUT -s -p tcp -m tcp --dport 80 -j DROP

Limit Traffic

Along with allowing and denying traffic, iptables can be used to limit the number of connections allowed within a time threshold.

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP

This is a common set of rules used to block brute-force SSH attacks. The first rule makes sure the connecting IP is added to the sshbrute list. The second rule tells iptables to check the sshbrute list and, if the packet threshold is exceeded, to drop the traffic.
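A simplified model of how these two rules treat one source address, as an added example that is not from the original post. It assumes the sshbrute list is kept by iptables' recent match and that the --update rule is evaluated first, since both rules are inserted at the head of the chain with -I; the function name and the timestamps are constructed.

```shell
#!/bin/sh
# ssh_rate_verdicts SECONDS HITCOUNT T1 T2 ...
# Added example (not from the post). T1.. are the times, in seconds, of NEW
# connections to port 22 from ONE source address. Prints one verdict per
# connection: "pass" or "DROP".
#
# Model assumptions: the --update rule runs before the --set rule; --update
# matches when at least HITCOUNT earlier stamps lie within the last SECONDS,
# and a packet it matches is stamped as well; --set stamps every packet that
# reaches it. So every packet leaves a stamp, dropped or not.
ssh_rate_verdicts() {
    seconds=$1; hitcount=$2; shift 2
    printf '%s\n' "$@" | awk -v win="$seconds" -v hc="$hitcount" '
        {
            now = $1; hits = 0
            for (i = 1; i <= n; i++)
                if (now - stamp[i] <= win) hits++    # stamps still inside the window
            verdict = (hits >= hc) ? "DROP" : "pass"
            stamp[++n] = now        # stamped by --update (DROP) or --set (pass)
            out = out (NR > 1 ? " " : "") verdict
        }
        END { print out }'
}

# Constructed input: a burst of six attempts, then one after a quiet period.
ssh_rate_verdicts 60 4 0 5 10 15 20 25 100

# Constructed input: a client retrying every 10 s. Dropped packets are stamped
# too, so the block stays in place for as long as the retries continue.
ssh_rate_verdicts 60 4 0 10 20 30 40 50 60 70 80
```

With the --update rule first, four new connections per 60 seconds pass and the fifth is dropped; if the same rules were appended with -A in the order written, the --set rule would stamp first and the fourth connection would already be dropped.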

Common Options and Switches
-A -- adds a rule at the end of the chain
-I -- inserts the rule at the given rule number. If no rule number is given the rule is inserted at the head of the chain.
-p -- protocol of the rule
--dport -- the destination port to check on the rule
-i -- interface on which the packet was received.
-j -- what to do if the rule matches
-s -- source IP address of packet
-d -- destination IP address of packet

Examples :

Drop all inbound telnet traffic
iptables -I INPUT -p tcp --dport 23 -j DROP

Drop all outbound web traffic
iptables -I OUTPUT -p tcp --dport 80 -j DROP

Drop all outbound traffic to
iptables -I OUTPUT -p tcp --dest -j DROP

Allow all inbound web traffic
iptables -I INPUT -p tcp --dport 80 -j ACCEPT

Allow inbound HTTPS traffic from
iptables -I INPUT -s -p tcp -m tcp --dport 443 -j ACCEPT

Deny outbound traffic to
iptables -I OUTPUT -d -j DROP

Allow incoming connections to port 21 from one IP address
iptables -A INPUT -p tcp -m state --state NEW --dport 21 --source

Deny all other incoming connections to port 21.
iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j DROP

We used "-m state --state NEW --dport 21" to match against new connections to port 21. Other options allow you to match against different things.


Port Numbers

7/TCP,UDP Echo
20/TCP FTP—data
21/TCP FTP—control (command)
22/TCP,UDP Secure Shell (SSH)—used for secure logins, file transfers (scp, sftp) and port forwarding
23/TCP,UDP Telnet protocol
25/TCP,UDP Simple Mail Transfer Protocol (SMTP)
42/TCP,UDP nameserver, ARPA Host Name Server Protocol
43/TCP WHOIS protocol
53/TCP,UDP Domain Name System (DNS)
79/TCP Finger protocol
80/TCP Hypertext Transfer Protocol (HTTP)
110/TCP Post Office Protocol 3 (POP3)
115/TCP Simple File Transfer Protocol (SFTP)
143/TCP,UDP Internet Message Access Protocol (IMAP)
156/TCP,UDP SQL Service
443/TCP Hypertext Transfer Protocol over TLS/SSL (HTTPS)
514/TCP Shell
546/TCP,UDP DHCPv6 client
547/TCP,UDP DHCPv6 server
873/TCP rsync file synchronisation protocol
901/TCP Samba Web Administration Tool (SWAT)
902/TCP VMware Server Console
904/TCP VMware Server Alternate
1025/TCP NFS-or-IIS
1194/TCP,UDP OpenVPN
1433/TCP,UDP Microsoft SQL Server database management system Server
2049/UDP Network File System
2082/TCP CPanel default
2083/TCP CPanel default SSL
2095/TCP CPanel default Web mail
2096/TCP CPanel default SSL Web mail
3306/TCP,UDP MySQL database system
3690/TCP,UDP Subversion version control system
5050/TCP Yahoo! Messenger
5432/TCP,UDP PostgreSQL database system
8080/TCP Apache Tomcat
8086/TCP HELM Web Host Automation Windows Control Panel
8087/TCP SW Soft Plesk Control Panel
8443/TCP SW Soft Plesk Control Panel
33434/TCP,UDP traceroute