How to convert your Linux box into Security Gateway - Part 1
1. Convert your Linux box into Security Gateway Part-1
By
Murtuja Bharmal
void@null.co.in
2. About Me
• Now Work Busy Man….
• Unemployed….
• Interest…. /dev/random….
• Co-founder of null…. :-D
• Ex-IBMer…..
• Earning my daily bread (dal-roti ka jugad): Security Consulting/Training
3. Prerequisites
• Basic concepts of networking, routing and NAT.
• Knowledge of the TCP/IP model and the communication protocols IP, TCP, UDP, ICMP, DNS, HTTP/S, SMTP, FTP etc.
• How to install and use a Linux OS
• Some hands-on experience with the Linux command line
4. Full Picture
• Security Features of Linux..
• Hardening OS
• Firewall Concept/Configuration
• VPN Concept/Configuration
• IDS/IPS Concept/Configuration
• Proxy Concept/Configuration
• Antivirus Concept/Configuration
• Hardening Services, i.e. Web Server/Mail Server/Database etc.
5. Agenda for Today
• Hardening OS
– Minimizing Services
– Kernel Parameters
– Password Policies
– No Login Shell for System accounts
– Disable Core dumps
– Securing SSH login
7. Minimizing Services
• 1. portmap – Used with Remote Procedure Call services. Listens on port 111.
• 2. nfslock – Used with Network File Sharing (NFS) services. Listens on random registered ports.
• 3. avahi-daemon – Multicast DNS service. Listens on (multicast) UDP port 5353.
• 4. cups – Printer service. Listens on port 631.
• 5. gpm – Cut/paste utility for virtual consoles.
• 6. hidd – Bluetooth HID service.
• 7. mcstrans – Required by SELinux.
• 8. xfs – X Font Server for the X Window System.
• 9. netfs – Automounting of shared network file systems such as NFS, Samba, etc. on bootup.
• 10. setroubleshoot – SELinux troubleshooting daemon.
• 11. pcscd – Provides support for smart cards and smart card readers.
• 12. rpcidmapd – Used for NFS version 4.
• 13. restorecond – Complementary service to SELinux.
• 14. rpcgssd – Used for NFS version 4.
• 15. mdmonitor – Monitors software RAID or LVM status.
• 16. microcode_ctl – Microcode update utility for Intel IA32 processors.
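The slide says which services to remove but not how to confirm what is actually listening on a box. The following shell function is an added example for this page, not part of the talk: it reads listener lines in the shape of "ss -Hlntup" or "netstat -tulpn" output (protocol, local address, program) and flags the ports the slide names (portmap 111, avahi-daemon 5353, cups 631). The sample lines are constructed, and the names audit_listeners, count_unneeded and UNNEEDED_PORTS are mine.

```shell
#!/bin/sh
# Added example (not from the slides): flag listening sockets that belong to
# services the "Minimizing Services" slide recommends switching off.
# Input lines: "proto local_address program", e.g. from
#   ss -Hlntup | awk '{print $1, $5, $7}'
# The names UNNEEDED_PORTS, audit_listeners and count_unneeded are assumptions
# made for this example.

# Ports named on the slide: portmap 111, avahi-daemon 5353, cups 631.
UNNEEDED_PORTS="111 5353 631"

# audit_listeners: reads "proto addr:port program" lines on stdin and prints
# "proto port program" for every listener on one of the unneeded ports.
audit_listeners() {
    awk -v ports="$UNNEEDED_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) bad[p[i]] = 1 }
    {
        port = $2
        sub(/.*:/, "", port)        # keep only the port after the last colon
        if (port in bad) print $1, port, $3
    }'
}

# Constructed sample listing (not captured from a real host).
SAMPLE='tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:111 portmap
udp 0.0.0.0:5353 avahi-daemon
tcp 127.0.0.1:631 cupsd
tcp 0.0.0.0:80 httpd'

# count_unneeded: number of flagged listeners in the sample (3 for the data above).
count_unneeded() {
    printf '%s\n' "$SAMPLE" | audit_listeners | wc -l | tr -d ' '
}

# Report on the sample when run directly.
printf '%s\n' "$SAMPLE" | audit_listeners
```

On the RHEL/CentOS systems these service names come from, a flagged service is then switched off with "chkconfig <name> off" (so it does not return at boot) and "service <name> stop", after which the listing can be re-run to confirm the port is gone.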
14. Standard Network Architecture (Scenario 1)
[Network diagram] A Linux-based Firewall/IDS/IPS/Proxy/Antivirus/VPN box with three interfaces:
– eth0 (LAN): 192.168.1.1, via a switch to the Local LAN 192.168.1.0/24
– eth1 (WAN): 1.2.3.4, facing the internet 0.0.0.0/0 (the diagram also shows 1.2.3.5 on the WAN side)
– eth2 (DMZ): 172.16.1.1, via a switch to the Web Server 172.16.1.2 and the Mail Server 172.16.1.3
15. Server @ Data Center (Scenario 2)
[Network diagram] A Linux-based Web Server/Mail Server with a single interface, eth0 at 1.2.3.4, directly facing the internet 0.0.0.0/0.
20. Basic Operations
• -I number Insert a new rule before rule number
• -A Append a new rule at end of chain
• -R number Replace rule number with new rule
• -D number Delete rule number
• -F Flush the chain (delete all rules)
• -N chain New chain (specify name)
• -X chain Delete user-defined chain
• -P chain target Set the default policy (target) for the specified chain
• -L chain List the rules in chain
Note: Rule “1” is the first rule in each chain
21. Iptables Parameters
• -p protocol Matches specified protocol
• -s source Matches source address
• -d destination Matches destination address
• -i incoming interface Matches packets arriving on this interface
• -o outgoing interface Matches packets departing on this interface
• --sport Matches the source port of the packet
• --dport Matches the destination port of the packet
Note: Most of these parameters can be preceded by “!” to invert the match.
22. Jump and Target
• Jump
-j target Jump to target (a user-defined chain or a predefined target)
• targets include (among others)
–LOG Make a log entry, then continue with the next rule (non-terminating)
–REJECT Drop the packet and send back an error response
–DROP Ignore the packet without responding
–SNAT Source network address translation
–DNAT Destination network address translation
–MASQUERADE Source NAT to the outgoing interface's current address (for dialup/dynamic addresses)
–REDIRECT Destination set to the local (firewall) host
23. Iptables matches
• Stateful filtering parameters
-m state Causes matching on the connection-tracking state of the traffic
--state
NEW New communication request
ESTABLISHED Reply to a previous packet
RELATED Like ESTABLISHED, but for special cases where the packet is not strictly a reply packet (e.g. an FTP data connection)
24. Netfilter modules
• ip_conntrack.o Connection tracking
• ip_conntrack_ftp.o FTP connection tracking
• ip_conntrack_irc.o IRC connection tracking
• ip_tables.o IPTABLES support
• ipt_MASQUERADE.o MASQUERADE target
• ipt_REDIRECT.o REDIRECT target
• ipt_nat.o NAT support
• iptable_filter.o General filtering support
• ipt_nat_ftp.o NAT of FTP protocol
• ipt_nat_irc.o NAT of IRC protocol
• ipt_route.o Source Routing
• ipt_connmark.o Connection marking
26. Policy
• Set the filter table policy to DROP for the INPUT chain
iptables -t filter -P INPUT DROP
• Set the filter table policy to DROP for the FORWARD chain
iptables -t filter -P FORWARD DROP
• Set the filter table policy to DROP for the OUTPUT chain
iptables -t filter -P OUTPUT DROP
27. Rules
• Write a rule to allow port 80 traffic from the local LAN to the internet for scenario 1, with source NAT
Outgoing rule (Request)
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state NEW -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
Incoming rule (Reply)
iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
NAT rule (source nat)
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j SNAT --to-source 1.2.3.4
28. Rules
• Write a rule to allow port 80 traffic from the local LAN to the internet for scenario 1, with masquerading.
Outgoing rule (Request)
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state NEW -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
Incoming rule (Reply)
iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
Masquerading rule (source nat)
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j MASQUERADE
29. Rules
• Write a rule to allow port 80 traffic from the internet to the web server in the DMZ, with destination NAT, for scenario 1.
Incoming rule (Request)
iptables -t filter -A FORWARD -i eth1 -o eth2 -m state --state NEW -s 0.0.0.0/0 -d 172.16.1.2 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
Outgoing rule (Reply)
iptables -t filter -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED -s 172.16.1.2 -d 0.0.0.0/0 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
Destination NAT rule (destination nat)
iptables -t nat -A PREROUTING -i eth1 -s 0.0.0.0/0 -d 1.2.3.4 -p tcp --sport 1025:65535 --dport 80 -j DNAT --to-destination 172.16.1.2
30. Rules
• Write a rule to allow port 80 traffic from the web server to the internet for scenario 2
Outgoing rule (request)
iptables -t filter -A OUTPUT -o eth0 -m state --state NEW -s 1.2.3.4 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
Incoming rule (reply)
iptables -t filter -A INPUT -i eth0 -m state --state ESTABLISHED -s 0.0.0.0/0 -d 1.2.3.4 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
31. Rules
• Write a rule to allow port 80 traffic from the internet to the web server for scenario 2
Incoming rule (request)
iptables -t filter -A INPUT -i eth0 -m state --state NEW -s 0.0.0.0/0 -d 1.2.3.4 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
Outgoing rule (reply)
iptables -t filter -A OUTPUT -o eth0 -m state --state ESTABLISHED -s 1.2.3.4 -d 0.0.0.0/0 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
32. Performance tuning
• iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
• iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
• iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
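The policy, rule and performance-tuning slides fit together as one firewall script. The following is an added example assembled for this page, not the speaker's own script: it applies the slide 26 policies (with one per chain), installs the slide 32 ESTABLISHED,RELATED rules first so that the per-service reply rules of slides 27-31 are no longer needed, and then adds the NEW-state and NAT rules for scenario 1 (masquerading from slide 28, DNAT to the DMZ web server from slide 29) or scenario 2 (slides 30-31). Addresses and interface names are the slides' own. The IPT variable, the function names, the sysctl call that enables IP forwarding (which the FORWARD chain needs and the slides do not mention) and the LOG rule at the end of FORWARD are my additions.

```shell
#!/bin/sh
# Added example, not from the slides: the policy, NAT and rule slides assembled
# into one script for Scenario 1 (three-legged gateway) and Scenario 2
# (stand-alone server). IPT lets the script be previewed without root:
#   IPT=echo sh fw.sh scenario1
# Variable and function names are assumptions made for this example.
IPT="${IPT:-iptables}"

LAN_IF=eth0;  LAN_NET=192.168.1.0/24
WAN_IF=eth1;  WAN_IP=1.2.3.4
DMZ_IF=eth2;  WEB_SRV=172.16.1.2
ANY=0.0.0.0/0
HIPORTS=1025:65535     # unprivileged client source ports, as on the slides

# Flush both tables and set the default policies to DROP (slide 26).
fw_reset() {
    $IPT -t filter -F
    $IPT -t nat -F
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT DROP
}

# Conntrack shortcut from slide 32. It is installed first so every reply
# packet is accepted by the first rule in the chain; the ESTABLISHED rules
# of slides 27-31 then become redundant.
fw_stateful() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -t filter -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# Scenario 1: LAN -> internet HTTP with masquerading (slide 28) and
# internet -> DMZ web server with DNAT (slide 29).
scenario1_rules() {
    # Routing between interfaces must be on, or FORWARD never sees a packet.
    if [ "$IPT" != echo ]; then
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
    fi
    $IPT -t filter -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW \
        -s $LAN_NET -d $ANY -p tcp --sport $HIPORTS --dport 80 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -d $ANY \
        -p tcp --sport $HIPORTS --dport 80 -j MASQUERADE
    # DNAT runs in PREROUTING, so the filter rule below must match the
    # translated (DMZ) destination, not the public address.
    $IPT -t nat -A PREROUTING -i $WAN_IF -s $ANY -d $WAN_IP \
        -p tcp --sport $HIPORTS --dport 80 -j DNAT --to-destination $WEB_SRV
    $IPT -t filter -A FORWARD -i $WAN_IF -o $DMZ_IF -m state --state NEW \
        -s $ANY -d $WEB_SRV -p tcp --sport $HIPORTS --dport 80 -j ACCEPT
    # Record what the FORWARD policy is about to drop (LOG target, slide 22).
    $IPT -t filter -A FORWARD -j LOG --log-prefix "fw-fwd-drop: "
}

# Scenario 2: the box itself serves HTTP and may fetch over HTTP
# (slides 30-31); its only interface is eth0 at 1.2.3.4.
scenario2_rules() {
    $IPT -t filter -A INPUT -i eth0 -m state --state NEW \
        -s $ANY -d $WAN_IP -p tcp --sport $HIPORTS --dport 80 -j ACCEPT
    $IPT -t filter -A OUTPUT -o eth0 -m state --state NEW \
        -s $WAN_IP -d $ANY -p tcp --sport $HIPORTS --dport 80 -j ACCEPT
}

# Number of iptables invocations a full dry run of a scenario produces
# (13 for scenario1_rules, 10 for scenario2_rules).
rule_count() {
    ( IPT=echo; fw_reset; fw_stateful; "$1" ) | wc -l | tr -d ' '
}

case "${1:-}" in
    scenario1) fw_reset; fw_stateful; scenario1_rules ;;
    scenario2) fw_reset; fw_stateful; scenario2_rules ;;
esac
```

A literal reading of slide 32, appending the ESTABLISHED,RELATED rules at the end of each chain with -A, gives no speed-up: iptables evaluates rules in order, so the shortcut only saves work when it sits before the per-service rules, which is why the script installs it straight after the policies. Preview with IPT=echo before applying on a real gateway, and check the result with "iptables -t filter -L -n -v" and "iptables -t nat -L -n -v".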