
Linux Gurus: HELP!

Discussion in 'Help' started by wardmundy, Aug 26, 2009.

  1. wardmundy Nerd Uno

    We need a little Linux compiling expertise. We're trying to get this article implemented for country-based IP filtering with IPtables on PIAF. See this Nerd Vittles article for background. We get as far as you see in the code below, then it blows up apparently because there is no ip_conntrack_standalone module. Any ideas :confused5:

    mkdir -p /root/ipcountry
    cd /root/ipcountry
    mkdir geoip
    wget ftp://ftp.isu.edu.tw/pub/Linux/CentOS/5.3/os/SRPMS/iptables-1.3.5-4.el5.src.rpm
    cd geoip
    rpm2cpio ../iptables-1.3.5-4.el5.src.rpm | cpio -idv
    tar jxvf iptables-1.3.5.tar.bz2

    wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070414.tar.bz2
    tar xjf patch-o-matic-ng-20070414.tar.bz2

    wget http://people.netfilter.org/peejix/patchlets/geoip.tar.gz

    cd patch-o-matic-ng-20070414/

    KERNEL_DIR=/usr/src/kernels/2.6.18-128.el5-i686/ IPTABLES_DIR=~/ipcountry/geoip/iptables-1.3.5/ ./runme geoip
    # answer y when asked whether to apply the patch

    cd /usr/src/kernels/2.6.18-128.el5-i686/
    make oldconfig
    # answer m (build as a module) when prompted for the new geoip match option
    make modules_prepare
    make -C $(pwd) M=net/ipv4/netfilter/ modules

    # the last make step stops with:
    No rule to make target `net/ipv4/netfilter/ip_conntrack_standalone.o', needed by `net/ipv4/netfilter/ip_conntrack.o'. Stop.

  2. wardmundy Nerd Uno

    bumpety bump
  3. vcallaway Guru

    You do know that by default pbxiaf has the setting:

    exclude=kernel*

    in the /etc/yum.repos.d/CentOS-Base.repo file.

    You need to remove that line and do "yum install kernel-devel" to get the development files.

    If this does not get you down the right path I will spend some time on it later today.
  4. jroper Guru

    Hi

    Kernel-devel is installed by default and has to be to compile zaptel/dahdi.

    I'm nervous about the direction of this because of the need to recompile the kernel - and recompile if it is ever upgraded. However, this project looks interesting:

    http://xtables-addons.sourceforge.net/

    However, I've not had too much luck with that either; the later versions will not compile against the kernel CentOS uses, because of the conservative upgrade path of CentOS (RHEL). Version 1.12 is compatible with our kernel, but fails on the "make".

    The objective is to get to a system that will only allow hosts from a certain country using iptables, and without causing more than a percentage point or two of load on the processor.

    Joe
  5. wardmundy Nerd Uno

  6. vcallaway Guru

    Did a little digging around.

    xtables is the way to go, but you have to upgrade both the kernel and iptables.

    Best setup is kernel 2.6.30 + iptables 1.4.4 + xtables-addons 1.17.

    xtables requires iptables >= 1.4.3

    Those versions are not yet released for CentOS. I loaded up a Fedora server, installed the RPMs and off we go. Don't know what else will break because of it though.

    Ubuntu is currently at kernel 2.6.28, iptables 1.4.1 so even it is behind the curve. Personally I think it is too early to adopt this bit of technology.

    I will also play devil's advocate on this. I think it is a bad idea. One of the advantages of SIP is the ability to place calls to and from anywhere in the world. If someone wants to block that access then they are better off just placing a filter in their router to only allow inbound from their provider. This solution is like using a sledgehammer to swat a fly.

    Feel free to change my mind :)
  7. Linetux Guru

    I'm not so sure the concept is a bad idea. I don't think recompiling stuff in the kernel is a good idea... but sometimes it can be made 'invisible'.

    Anyway, the concept is solid because sometimes you don't want to put this stuff on your firewall. Other times you can't - there's a lot of consumer routers that you don't even have this option on.

    Other devices would require a ton of manual labor just to get this functionality, and if something changes, may the force be with you.

    So I don't think it's inappropriate to put this kind of security in PiaF. But it might take some effort to get it right.
  8. wardmundy Nerd Uno

    Well, here's my $.02. We provided a simple way to protect your extensions and trunks with this new setup. And there's a method to also screen incoming calls. That's about as far as we plan to go for now. Introducing a bunch of bleeding edge products just to make this work with IPtables would undoubtedly cause more problems than it solves. When we're done, we've protected your (already protected) web server and SSH (which your root password and Fail2Ban should already be protecting). ;)
  9. jroper Guru

    I'd say that things were pretty secure as they were, but racist routing does have some attractions previously outlined.

    In respect of the dependencies, I've found that xtables-addons version 1.12 does not need an upgraded kernel, but I've still not got it working as I would like.

    Joe
  10. wardmundy Nerd Uno

    There are a number of folks wrestling with this independently. The more, the merrier. We'll see what we see. :wink5:
  11. KUMARULLAL Guru

    I have compiled a fairly secure IPtables script with Psad for protection against port scanning.
    This also does country based IP filtering.
    You will have to install and configure psad.
    I am using Debian, so it was easy for me. You may have to look up instructions for CentOS.
    I take no responsibility for any security issues if you use this script.
    With others here (Linux Gurus), we can make it even better.
    Here is the script:
    Code:
    #!/bin/bash
    # Rule order matters: iptables -A appends, so the sanity and DROP rules must
    # come before the ACCEPT rules they are meant to override, and the catch-all
    # REJECT must be the very last rule in each chain (anything appended after a
    # catch-all is never reached).
    
    # IPTABLES
    iptables -F
    
    # Loopback
    iptables -A INPUT -i lo -p all -j ACCEPT
    # Deny packets which claim to be from your loopback interface.
    iptables -A INPUT -p all -s localhost -i eth0 -j DROP
    
    # Drop invalid packets immediately
    iptables -A INPUT   -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state INVALID -j DROP
    iptables -A OUTPUT  -m state --state INVALID -j DROP
    
    # Log tcp flags:FIN,SYN/FIN,SYN limit: avg 5/min burst 7 LOG level warning
    iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
    
    # Drop bogus TCP packets
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    
    # Reject packets from RFC1918 class networks (i.e., spoofed)
    # Note: this also drops traffic from any private LAN; remove the matching
    # line if your phones reach the PBX from an RFC1918 network.
    iptables -A INPUT -s 10.0.0.0/8     -j DROP
    iptables -A INPUT -s 169.254.0.0/16 -j DROP
    iptables -A INPUT -s 172.16.0.0/12  -j DROP
    iptables -A INPUT -s 127.0.0.0/8    -j DROP
    
    iptables -A INPUT -s 224.0.0.0/4      -j DROP
    iptables -A INPUT -d 224.0.0.0/4      -j DROP
    iptables -A INPUT -s 240.0.0.0/5      -j DROP
    iptables -A INPUT -d 240.0.0.0/5      -j DROP
    iptables -A INPUT -s 0.0.0.0/8        -j DROP
    iptables -A INPUT -d 0.0.0.0/8        -j DROP
    iptables -A INPUT -d 239.255.255.0/24 -j DROP
    iptables -A INPUT -d 255.255.255.255  -j DROP
    
    # GEO-IP Drops. Country based Filtering.
    # These must precede the service ACCEPT rules below, otherwise a SIP or SSH
    # packet from a blocked range is accepted before the DROP is ever consulted.
    
    # US
    iptables -A INPUT -s 139.55.62.0/24 -j DROP
    iptables -A INPUT -s 139.55.82.0/24 -j DROP
    iptables -A INPUT -s 139.55.113.0/24 -j DROP
    
    # Asia
    iptables -A INPUT -s 220.0.0.0/8 -j DROP
    iptables -A INPUT -s 58.0.0.0/8 -j DROP
    iptables -A INPUT -s 59.0.0.0/8 -j DROP
    iptables -A INPUT -s 61.0.0.0/8 -j DROP
    iptables -A INPUT -s 110.0.0.0/8 -j DROP
    iptables -A INPUT -s 111.0.0.0/8 -j DROP
    iptables -A INPUT -s 115.0.0.0/8 -j DROP
    iptables -A INPUT -s 116.0.0.0/8 -j DROP
    iptables -A INPUT -s 218.0.0.0/8 -j DROP
    iptables -A INPUT -s 124.0.0.0/8 -j DROP
    iptables -A INPUT -s 126.0.0.0/8 -j DROP
    iptables -A INPUT -s 168.208.0.0/16 -j DROP
    iptables -A INPUT -s 196.192.0.0/16 -j DROP
    iptables -A INPUT -s 202.0.0.0/8 -j DROP
    iptables -A INPUT -s 210.0.0.0/8 -j DROP
    iptables -A INPUT -s 222.0.0.0/8 -j DROP
    
    # Africa
    iptables -A INPUT -s 41.0.0.0/8 -j DROP
    iptables -A INPUT -s 196.0.0.0/8 -j DROP
    iptables -A INPUT -s 62.0.0.0/8 -j DROP
    iptables -A INPUT -s 80.0.0.0/8 -j DROP
    iptables -A INPUT -s 81.0.0.0/8 -j DROP
    iptables -A INPUT -s 82.0.0.0/8 -j DROP
    iptables -A INPUT -s 195.0.0.0/8 -j DROP
    iptables -A INPUT -s 212.0.0.0/8 -j DROP
    iptables -A INPUT -s 217.0.0.0/8 -j DROP
    
    # Brazil and Argentina
    iptables -A INPUT -s 189.0.0.0/8 -j DROP
    iptables -A INPUT -s 190.0.0.0/8 -j DROP
    iptables -A INPUT -s 200.0.0.0/8 -j DROP
    iptables -A INPUT -s 201.0.0.0/8 -j DROP
    
    # China
    iptables -A INPUT -s 62.0.0.0/8 -j DROP
    iptables -A INPUT -s 77.0.0.0/8 -j DROP
    iptables -A INPUT -s 78.0.0.0/8 -j DROP
    iptables -A INPUT -s 79.0.0.0/8 -j DROP
    iptables -A INPUT -s 130.0.0.0/8 -j DROP
    iptables -A INPUT -s 131.0.0.0/8 -j DROP
    iptables -A INPUT -s 137.0.0.0/8 -j DROP
    iptables -A INPUT -s 146.0.0.0/8 -j DROP
    iptables -A INPUT -s 147.0.0.0/8 -j DROP
    iptables -A INPUT -s 150.0.0.0/8 -j DROP
    iptables -A INPUT -s 151.0.0.0/8 -j DROP
    
    # Indonesia
    iptables -A INPUT -s 58.0.0.0/8 -j DROP
    iptables -A INPUT -s 60.0.0.0/8 -j DROP
    iptables -A INPUT -s 113.0.0.0/8 -j DROP
    iptables -A INPUT -s 114.0.0.0/8 -j DROP
    iptables -A INPUT -s 116.0.0.0/8 -j DROP
    iptables -A INPUT -s 117.0.0.0/8 -j DROP
    iptables -A INPUT -s 118.0.0.0/8 -j DROP
    iptables -A INPUT -s 119.0.0.0/8 -j DROP
    iptables -A INPUT -s 120.0.0.0/8 -j DROP
    iptables -A INPUT -s 121.0.0.0/8 -j DROP
    iptables -A INPUT -s 122.0.0.0/8 -j DROP
    iptables -A INPUT -s 123.0.0.0/8 -j DROP
    
    # Established and related traffic
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    
    # Protect against SYN floods by rate limiting the number of new connections from any host
    # to 60 per second.  This does *not* do rate limiting overall, because then someone could
    # easily shut us down by saturating the limit.
    # Note: the recent match remembers only 20 packets per address by default, so a
    # --hitcount of 60 needs the module loaded with ip_pkt_list_tot=60 beforehand
    # (e.g. modprobe ipt_recent ip_pkt_list_tot=60; the module is xt_recent on newer kernels).
    iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --set
    iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP
    
    # Anyone who tried to portscan us is locked out for an entire day.
    iptables -A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
    iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
    
    # Once the day has passed, remove them from the portscan list
    iptables -A INPUT   -m recent --name portscan --remove
    iptables -A FORWARD -m recent --name portscan --remove
    
    # These rules add scanners to the portscan list, and log the attempt.
    iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
    iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
    iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
    iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
    
    # Services we offer (web, SSH, FOP, HTTPS, Webmin, DUNDi, IAX2, SIP, RTP, NTP, TFTP, DNS)
    iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 4520 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 123 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 69 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    
    # Allow most ICMP packets to be received (so people can check our
    # presence), but restrict the flow to avoid ping flood attacks.
    # Echo requests are accepted here under the limit rather than unconditionally above.
    iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
    iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
    iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
    
    # dpts:netbios-ns:netbios-ssn reject-with icmp-port-unreachable
    iptables -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
    iptables -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT
    
    # Drop excessive RST packets to avoid SMURF attacks, by giving the
    # next real data packet in the sequence a better chance to arrive first.
    iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
    
    # Port Scan logs using psad (everything that reaches this point is logged, then rejected)
    iptables -A INPUT -j LOG
    iptables -A FORWARD -j LOG
    
    # Reject everything not explicitly allowed above. Keep these last: in the
    # original ordering they sat before the GEO-IP section and shadowed every rule after them.
    iptables -A INPUT -j REJECT
    iptables -A FORWARD -j REJECT
    
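Two things bite in scripts like the one above: a malformed network such as a three-octet "168.208.0/16" makes iptables abort part way through, and a catch-all `iptables -A INPUT -j REJECT` placed before the GEO-IP drops silently makes every later rule in that chain unreachable. The following static checker is an added example, not part of the thread or psad; it parses `iptables -A` lines and reports both defects, and the sample rule lines in it are constructed for the demonstration.

```python
"""Static sanity check for an iptables rule script: flags malformed -s/-d
networks and rules shadowed by an earlier unconditional terminating rule."""
import ipaddress
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """Return (chain, target, has_match) for an `iptables -A CHAIN ...` line,
    or None for anything else. Raises ValueError on a malformed address."""
    argv = shlex.split(line, comments=True)
    if len(argv) < 3 or argv[0] != "iptables" or argv[1] != "-A":
        return None
    chain, target, has_match = argv[2], None, False
    tokens = iter(argv[3:])
    for tok in tokens:
        if tok == "-j":                      # target follows; its own options are not matches
            target = next(tokens, None)
            break
        if tok in ("-s", "-d"):
            has_match = True
            addr = next(tokens, "")
            if addr[:1].isdigit():           # hostnames like "localhost" are left to iptables
                ipaddress.ip_network(addr, strict=False)
        elif tok.startswith("-"):            # any other option (-p, -m, --dport, ...) is a match
            has_match = True
    return chain, target, has_match


def audit(lines):
    """Return [(line_no, message)] for malformed addresses and unreachable rules."""
    findings, catch_all = [], {}             # chain -> line number of its catch-all rule
    for no, line in enumerate(lines, 1):
        try:
            parsed = parse_rule(line)
        except ValueError as exc:
            findings.append((no, f"malformed address: {exc}"))
            continue
        if parsed is None:
            continue
        chain, target, has_match = parsed
        if chain in catch_all:
            findings.append((no, f"unreachable: shadowed by catch-all on line {catch_all[chain]}"))
        elif not has_match and target in TERMINATING:
            catch_all[chain] = no
    return findings


# Constructed sample reproducing the two defects discussed above.
SAMPLE = """iptables -F
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A INPUT -j REJECT
iptables -A INPUT -s 168.208.0/16 -j DROP
iptables -A INPUT -s 202.0.0.0/8 -j DROP
iptables -A FORWARD -s 10.0.0.0/8 -j DROP""".splitlines()

if __name__ == "__main__":
    for no, msg in audit(SAMPLE):
        print(f"line {no}: {msg}")
```

Run it over the real script with `audit(open("firewall.sh").read().splitlines())`; a clean result means every DROP is both parseable and actually reachable.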
