B981 3762 1D30 CA05 E2C1 CD7F 3C68 C8DB CBA783EF
IPTables
Firewalls are not just firewalls.
by Joel R. Voss Sept 5, 2018 Leviathan Security May 16, 2019 https://www.altsci.com/iptables/
B981 3762 1D30 CA05 E2C1 CD7F 3C68 C8DB CBA783EF
Turn on the firewalls quick!
- The image above is a threat model. Erect a firewall.
iptables -wtf
B981 3762 1D30 CA05 E2C1 CD7F 3C68 C8DB CBA783EF
Sorry, wrong!
- List the firewall rules first.
sudo iptables -L -n - Then add a firewall rule.
sudo iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT sudo iptables -A INPUT -p tcp -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
"Arkanoid Game Over"by get directly down is licensed under CC BY-NC 2.0
B981 3762 1D30 CA05 E2C1 CD7F 3C68 C8DB CBA783EF
Nice job!
- List the firewall rules first.
sudo iptables -L -n - Then add a firewall rule.
sudo iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT sudo iptables -A INPUT -p tcp -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
B981 3762 1D30 CA05 E2C1 CD7F 3C68 C8DB CBA783EF
Save and Restore
iptables-saveiptables-restore
B981 3762 1D30 CA05 E2C1 CD7F 3C68 C8DB CBA783EF
Man in the Middle - 2010
sudo iptables -t nat -N MIDDLERNAT sudo iptables -t nat -I MIDDLERNAT \ -p tcp --dport 80 -j REDIRECT \ --to-ports 1080 sudo iptables -t nat -A PREROUTING -j MIDDLERNAT echo 1 |sudo tee /proc/sys/net/ipv4/ip_forward sudo python dnsam1.py & sudo python arpam1.py & python -m http.server 1080 >~/logs/http_logs-"$(date "+%Y-%m-%dT%T")" 2>&1 &- See my 2010 LANrev talk
B981 3762 1D30 CA05 E2C1 CD7F 3C68 C8DB CBA783EF
NAT
sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward- Make your box a router.
B981 3762 1D30 CA05 E2C1 CD7F 3C68 C8DB CBA783EF
Regex?
(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])https://emailregex.com/
sudo iptables -A INPUT -m string --string "/f.ck.r[e3][g9].x/" --algo regex -p tcp -m tcp --dport 1080 -j DROPsudo iptables -A INPUT -m string --string "0123456789" --algo bm -p tcp -m tcp --dport 1080 -j DROP- Regex isn't available except as a 3rd party kernel module
- String matching is though.
- Linux Firewalls by Michael Rash, 2007
B981 3762 1D30 CA05 E2C1 CD7F 3C68 C8DB CBA783EF
BPF
./bpfgen dns -- '*.hack' 18,177 0 0 0,0 0 0 20,12 0 0 0,7 0 0 0,80 0 0 0, ...iptables -I INPUT 1 \ --wait -p udp --dport 53 \ -m bpf --bytecode "14,0 0 0 20,177 0 0 0,12..." \ -j DROP- Need code? Berkeley Packet Filters are in kernel.
- JIT optional.
B981 3762 1D30 CA05 E2C1 CD7F 3C68 C8DB CBA783EF
Touhou
IPTables are hard, Let's play Touhou!
https://netfilter.org/documentation/
B981 3762 1D30 CA05 E2C1 CD7F 3C68 C8DB CBA783EF
Questions?
My paper with downloads and links
https://www.altsci.com/iptables/
https://sono.us/iptables
JRSFuzz is open source, free, and supported.
jvoss@altsci.com
/