
Showing posts with label iptables.

Tuesday, October 13, 2009

Force iptables to log messages to a different log file

By default, messages from the iptables LOG target go to the kernel log, and syslog writes them to /var/log/messages (Debian-style systems also copy kernel messages to /var/log/kern.log). You can change this. I will show you how to send them to a new log file called /var/log/iptables.log; a separate file makes it much easier to build statistics and analyze attacks without sifting through the rest of the system log.

Procedure to log the iptables messages to a different log file

Open your /etc/syslog.conf file:
# vi /etc/syslog.conf
Append the following line (the selector and the path are separated by whitespace; older syslogd versions accept only a tab):
kern.warning	/var/log/iptables.log

Save and close the file. Note that this selector matches every kernel message of priority warning or higher, not only iptables, so unrelated kernel warnings will land in the same file. The messages will also still be duplicated into /var/log/messages unless you exclude the kern facility from that line (for example with kern.none in its selector).

Restart the syslogd (Debian / Ubuntu Linux):

# /etc/init.d/sysklogd restart

Under Red Hat/CentOS/Fedora Core, restart syslogd with:

# /etc/init.d/syslog restart

Now make sure you pass --log-level 4 (ideally together with --log-prefix) to the LOG target, so the messages match the kern.warning selector above. LOG is a non-terminating target: it only writes the message and the packet continues down the chain, so the DROP rule has to follow it. Without a limit match this logs every packet, so use it only for testing. For example:
# LOG everything, then DROP it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP

For example, drop and log all connections from IP address 1.1.1.1 to your /var/log/iptables.log file (the limit match keeps a flood from that host from filling the log):
iptables -A INPUT -s 1.1.1.1 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** HACKERS ** ' --log-level 4
iptables -A INPUT -s 1.1.1.1 -j DROP

Where,

  • --log-level 4: syslog priority of the message. Level 4 is warning, which is what the kern.warning selector above catches.
  • --log-prefix '*** TEXT ***': Prefix log messages with the specified text (up to 29 characters), useful for telling rule sets apart in the logs; end it with a space so it does not run into the IN= field that follows.

You can now see all iptables messages logged to /var/log/iptables.log:
# tail -f /var/log/iptables.log
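
Once the messages are in their own file, the "statistics and attack analysis" the post mentions is a short awk job. The script below is an added example, not code from the original post or from MG's Note: it pulls SRC, PROTO and DPT out of the LOG lines, ranks sources, lists the ports one source hit, and flags sources that touched several distinct ports (the usual shape of a scan). The sample log lines are constructed (RFC 5737 documentation addresses plus the post's 1.1.1.1), the helper names are this example's own, and the last sample line shows why the parser has to skip kernel messages that did not come from the LOG target.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines from /var/log/iptables.log.
# Assumes the "** HACKERS **" prefix and --log-level 4 used in the post.

# Constructed sample of what syslog writes for the LOG rule above (not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Oct 13 10:01:02 fw kernel: ** HACKERS ** IN=eth0 OUT= MAC=00:0c:29:3a:5b:6c:00:50:56:c0:00:08:08:00 SRC=1.1.1.1 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4021 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 13 10:01:02 fw kernel: ** HACKERS ** IN=eth0 OUT= MAC=00:0c:29:3a:5b:6c:00:50:56:c0:00:08:08:00 SRC=1.1.1.1 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4022 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 13 10:01:03 fw kernel: ** HACKERS ** IN=eth0 OUT= MAC=00:0c:29:3a:5b:6c:00:50:56:c0:00:08:08:00 SRC=1.1.1.1 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4023 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 13 10:05:41 fw kernel: ** HACKERS ** IN=eth0 OUT= MAC=00:0c:29:3a:5b:6c:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=911 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 13 10:05:44 fw kernel: ** HACKERS ** IN=eth0 OUT= MAC=00:0c:29:3a:5b:6c:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=912 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 13 10:07:10 fw kernel: ** HACKERS ** IN=eth0 OUT= MAC=00:0c:29:3a:5b:6c:00:50:56:c0:00:08:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=58
Oct 13 10:08:00 fw kernel: eth0: link is not ready
EOF

# One "SRC PROTO DPT" line per logged packet. Lines without SRC=/DPT= are other
# kernel warnings that kern.warning also routes here; they are skipped.
packets() {
    awk '/ SRC=/ && / DPT=/ {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        print src, proto, dpt
    }' "$1"
}

# "count source" for every source, busiest first.
top_sources() {
    packets "$1" | awk '{ n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# "count PROTO/port" for one source, busiest first.
ports_for_source() {
    packets "$1" | awk -v want="$2" '$1 == want { n[$2 "/" $3]++ } END { for (p in n) print n[p], p }' | sort -rn
}

# Sources that touched at least MIN distinct destination ports: a scan,
# rather than a single misdirected connection.
scan_suspects() {
    packets "$1" | awk -v min="$2" '
        !seen[$1, $3]++ { ports[$1]++ }
        END { for (s in ports) if (ports[s] >= min) print s }' | sort
}

echo "== top sources =="; top_sources "$SAMPLE_LOG"
echo "== ports hit by 1.1.1.1 =="; ports_for_source "$SAMPLE_LOG" 1.1.1.1
echo "== scan suspects (3 or more ports) =="; scan_suspects "$SAMPLE_LOG" 3
```

Point the functions at the real /var/log/iptables.log instead of the sample file to use them on a live box; the parsing does not depend on the prefix, only on the SRC=/DPT=/PROTO= fields the LOG target always writes.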


Thanks : MG's Note

How To Use iptables for Linux Firewalls

How To Use iptables

You can start, stop, and restart iptables after booting by using the commands:
# service iptables start
# service iptables stop
# service iptables restart


To get iptables configured to start at boot, use the chkconfig command:
# chkconfig iptables on

You can determine whether iptables is running via the service iptables status command; Fedora Core prints a short status message. For example:
# service iptables status

iptables Won't Start
If the service fails because the rules file /etc/sysconfig/iptables does not exist, create an empty one (readable by root only, since it will hold your rules) and start the service again:
# touch /etc/sysconfig/iptables
# chmod 600 /etc/sysconfig/iptables
# service iptables start

Example : Allowing WWW And SSH Access To Your Firewall
These rules only restrict anything if the INPUT and OUTPUT chains have a DROP policy or end in a DROP rule; with the default ACCEPT policy they change nothing. Once a DROP policy is in place, a matching INPUT rule for ESTABLISHED,RELATED is also needed, otherwise only the first packet of each SSH or HTTP connection gets through.
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
-j ACCEPT

#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------

iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \
-m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \
-m state --state NEW -j ACCEPT

More at linuxhomenetworking.com

Friday, October 9, 2009

Basic Firewall on iptables

When we check which ports are open on our machine with nmap localhost

the result looks roughly like this. Keep in mind that a scan of localhost travels over the loopback interface, which the firewall below accepts unconditionally, so it lists every listening service whether or not the firewall blocks it from the network; scan from another host to see what is actually exposed.

*************************************************************
Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-09 16:22 ICT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 981 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
631/tcp open ipp
993/tcp open imaps
995/tcp open pop3s
5222/tcp open unknown
5269/tcp open unknown
5900/tcp open vnc
7025/tcp open unknown
7777/tcp open unknown
10024/tcp open unknown
10025/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

*************************************************************


So how do we protect our machine? Let's take a look.

1. Go straight to iptables, the machine's firewall:

# vim /etc/sysconfig/iptables


-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited



Or find out which process is listening on a port and shut it down:

# netstat -tanp

Or, for more detailed information (service versions, NSE scripts and OS detection):

# nmap -A -T4 localhost


The result looks roughly like this

****************************************************************
Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-09 16:17 ICT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Stats: 0:01:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 92.31% done; ETC: 16:19 (0:00:02 remaining)
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 981 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.2 (protocol 2.0)
| ssh-hostkey: 1024 a6:1c:7d:c7:44:bf:fc:9e:29:a0:6b:a5:ae:ea:b5:d4 (DSA)
|_ 2048 4f:ee:5e:2e:e3:40:45:ef:ed:57:90:a5:b4:52:da:29 (RSA)
25/tcp open smtp Postfix smtpd
|_ smtp-commands: EHLO zimbra.agss.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http?
|_ html-title: Did not follow redirect to https://localhost/zimbra/?zinitmode=http and no page was returned.
110/tcp open pop3 Zimbra pop3d
|_ pop3-capabilities: USER STLS EXPIRE(31 USER) UIDL IMPLEMENTATION(ZimbraInc) XOIP TOP SASL
111/tcp open rpcbind
| rpcinfo:
| 100000 2,3,4 111/udp rpcbind
| 100024 1 42604/udp status
| 100000 2,3,4 111/tcp rpcbind
|_ 100024 1 58036/tcp status
143/tcp open imap Zimbra imapd
|_ imap-capabilities: CONDSTORE THREAD=ORDEREDSUBJECT ESEARCH STARTTLS BINARY UNSELECT LOGINDISABLED UIDPLUS SORT SEARCHRES ID SASL-IR WITHIN AUTH=X-ZIMBRA LIST-EXTENDED QUOTA QRESYNC CHILDREN ENABLE LOGIN-REFERRALS I18NLEVEL=1 RIGHTS=ektx ACL IDLE CATENATE IMAP4rev1 LITERAL+ ESORT NAMESPACE MULTIAPPEND
443/tcp open ssl/http Zimbra http config
|_ html-title: Zimbra Collaboration Suite Log In
465/tcp open ssl/smtp Postfix smtpd
|_ smtp-commands: EHLO zimbra.agss.com, PIPELINING, SIZE 10240000, VRFY, ETRN, AUTH PLAIN LOGIN, AUTH=PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
587/tcp open smtp Postfix smtpd
|_ smtp-commands: EHLO zimbra.agss.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
631/tcp open ipp CUPS 1.4
993/tcp open ssl/imap Zimbra imapd
|_ imap-capabilities: CONDSTORE THREAD=ORDEREDSUBJECT ESEARCH AUTH=PLAIN SASL-IR IMAP4rev1 UNSELECT UIDPLUS SORT ID SEARCHRES WITHIN AUTH=X-ZIMBRA LIST-EXTENDED BINARY QUOTA QRESYNC CATENATE CHILDREN LOGIN-REFERRALS RIGHTS=ektx ACL I18NLEVEL=1 ENABLE IDLE LITERAL+ ESORT NAMESPACE MULTIAPPEND
995/tcp open ssl/pop3 Zimbra pop3d
|_ pop3-capabilities: USER EXPIRE(31 USER) UIDL IMPLEMENTATION(ZimbraInc) XOIP TOP SASL(PLAIN X-ZIMBRA)
5222/tcp open unknown
5269/tcp open unknown
5900/tcp open vnc VNC (protocol 3.7)
7025/tcp open lmtp Zimbra lmtpd
7777/tcp open socks5 (No authentication; connection not allowed by ruleset)
10024/tcp open smtp amavisd smtpd
| smtp-commands: EHLO [127.0.0.1], VRFY, PIPELINING, SIZE, ENHANCEDSTATUSCODES, 8BITMIME, DSN, XFORWARD NAME ADDR PORT PROTO HELO SOURCE
|_ HELP 2.0.0 See amavisd-new home page at: 2.0.0 http://www.ijs.si/software/amavisd/
10025/tcp open smtp Postfix smtpd
|_ smtp-commands: EHLO zimbra.agss.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=5.00%I=7%D=10/9%Time=4ACEFFAF%P=i386-redhat-linux-gnu%r(Ge
SF:tRequest,117,"HTTP/1\.1\x20302\x20Found\r\nExpires:\x20Tue,\x2024\x20Ja
SF:n\x202000\x2020:46:50\x20GMT\r\nCache-Control:\x20no-store,\x20no-cache
SF:,\x20must-revalidate,\x20max-age=0\r\nPragma:\x20no-cache\r\nContent-Ty
SF:pe:\x20text/html;\x20charset=utf-8\r\nContent-Language:\x20en-US\r\nLoc
SF:ation:\x20https://127\.0\.0\.1/zimbra/\?zinitmode=http\r\nContent-Lengt
SF:h:\x200\r\n\r\n")%r(HTTPOptions,C7,"HTTP/1\.1\x20200\x20OK\r\nExpires:\
SF:x20Tue,\x2024\x20Jan\x202000\x2020:46:50\x20GMT\r\nCache-Control:\x20no
SF:-store,\x20no-cache,\x20must-revalidate,\x20max-age=0\r\nPragma:\x20no-
SF:cache\r\nAllow:\x20GET,\x20HEAD,\x20POST,\x20TRACE,\x20OPTIONS\r\nConte
SF:nt-Length:\x200\r\n\r\n")%r(RTSPRequest,2F,"HTTP/1\.1\x20400\x20Bad\x20
SF:Request\r\nConnection:\x20close\r\n\r\n")%r(X11Probe,2F,"HTTP/1\.1\x204
SF:00\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(FourOhFourRequ
SF:est,5BD,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text/html
SF:;\x20charset=utf-8\r\nContent-Language:\x20en-US\r\nContent-Length:\x20
SF:1356\r\n\r\n[... HTML body of the Zimbra 404 page, garbled in extraction ...]
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5222-TCP:V=5.00%I=7%D=10/9%Time=4ACEFFD2%P=i386-redhat-linux-gnu%r(
SF:Help,10,"")%r(X11Probe,10,"")%r(LPDStri
SF:ng,10,"")%r(TerminalServer,10,"");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5269-TCP:V=5.00%I=7%D=10/9%Time=4ACEFFD2%P=i386-redhat-linux-gnu%r(
SF:Help,10,"")%r(X11Probe,10,"")%r(LPDStri
SF:ng,10,"")%r(TerminalServer,10,"");
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.15 - 2.6.27
Network Distance: 0 hops
Service Info: Hosts: zimbra.agss.com, 127.0.0.1

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 127.55 seconds

*******************************************************************
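
The post offers two remedies, tighten the rules or stop the listener, without a way to see which listeners the firewall already blocks from the network. The script below is an added example, not code from the original post or from thaiadmin.org: it reads the open TCP ports from nmap's normal output, reads the TCP ports the ruleset ACCEPTs, and reports listeners that no rule admits (reachable only over lo, so candidates to stop or bind to 127.0.0.1) and rules that admit a port nothing listens on. Both inputs are constructed: a cut-down copy of the nmap output above, and the rule excerpt from the post with one extra port (8080) added to show a dead rule. The helper names are this example's own.

```shell
#!/bin/sh
# Added example: compare what nmap sees listening with what the firewall admits.
export LC_ALL=C          # same collation for sort and comm

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed: subset of the "nmap localhost" output shown in the post.
cat > "$TMP/nmap.txt" <<'EOF'
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 981 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
631/tcp open ipp
5900/tcp open vnc
7777/tcp open unknown
EOF

# Constructed: the post's RH-Firewall-1-INPUT excerpt plus a made-up 8080 rule.
cat > "$TMP/rules.txt" <<'EOF'
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
EOF

# TCP ports nmap reports open, from lines such as "22/tcp open ssh".
listening_tcp() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' "$1" | sort -u
}

# TCP ports the ruleset accepts: any "-p tcp ... --dport N ... -j ACCEPT" line.
accepted_tcp() {
    awk '/-p tcp/ && /-j ACCEPT/ { for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1) }' "$1" | sort -u
}

# Listening but admitted by no rule: reachable only via lo. Either bind the
# service to 127.0.0.1, stop it, or add a deliberate rule.
blocked_listeners() {
    listening_tcp "$1" > "$TMP/l"; accepted_tcp "$2" > "$TMP/a"
    comm -23 "$TMP/l" "$TMP/a" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Admitted by a rule but nothing listening: a stale or premature rule.
dead_rules() {
    listening_tcp "$1" > "$TMP/l"; accepted_tcp "$2" > "$TMP/a"
    comm -13 "$TMP/l" "$TMP/a" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

echo "listening but blocked from the network: $(blocked_listeners "$TMP/nmap.txt" "$TMP/rules.txt")"
echo "accepted but nothing listening: $(dead_rules "$TMP/nmap.txt" "$TMP/rules.txt")"
```

On a real host, save "nmap localhost" output to one file and the current rules (for example /etc/sysconfig/iptables) to another and pass those two paths. The comparison only knows about per-port ACCEPT rules, so a port allowed via -s from the LAN still counts as admitted; read the -s lines by hand for those.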

Thanks : thaiadmin.org

Thursday, October 8, 2009

Firewall configuration for Zimbra server

Example Configuration Files

RedHat Advanced Server

The following iptables configuration file will block all ports on a clustered zimbra server except those used by zimbra, the cluster suite, ssh, and snmp. This assumes that your local network is 10.10.3.0/255.255.255.0.

/etc/sysconfig/iptables



# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# enable ssh and snmp
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT -s 10.10.3.0/24
# enable zimbra ports
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.3.0/24
# enable cluster communications
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41966 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41967 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41968 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 41969 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50006 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 50007 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50008 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 50009 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21064 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 6809 -j ACCEPT -s 10.10.3.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 14567 -j ACCEPT -s 10.10.3.0/24
# reject everything else
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
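
The Zimbra file above, the RH-Firewall-1-INPUT excerpt in the previous post and the SSH/WWW rules from linuxhomenetworking all follow the same shape: loopback and replies first, a list of public ports, a list of ports restricted to the LAN with -s, then a final REJECT. Editing such a file by hand is how a management port quietly loses its -s. The script below is an added example, not code from the Zimbra wiki, linuxhomenetworking or this blog: it generates an /etc/sysconfig/iptables-style file (iptables-restore format) from three port lists, keeps the rule order fixed, and adds a rate-limited LOG rule before the REJECT so rejected traffic ends up in the log file set up in the first post. The function names, the log prefix and the port lists at the bottom are this example's own choices; the LAN network 10.10.3.0/24 is the one the Zimbra file assumes.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset from port lists.

# gen_ruleset LAN_CIDR "PUBLIC_TCP" "LAN_TCP" "LAN_UDP"
#   LAN_CIDR   network allowed to reach management ports, e.g. 10.10.3.0/24
#   PUBLIC_TCP TCP ports open to everyone
#   LAN_TCP    TCP ports open only to LAN_CIDR
#   LAN_UDP    UDP ports open only to LAN_CIDR
gen_ruleset() {
    lan=$1; public_tcp=$2; lan_tcp=$3; lan_udp=$4
    chain=RH-Firewall-1-INPUT
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' ":$chain - [0:0]"
    echo "-A INPUT -j $chain"
    echo "-A FORWARD -j $chain"
    echo "-A $chain -i lo -j ACCEPT"
    echo "-A $chain -p icmp --icmp-type any -j ACCEPT"
    # Replies to existing connections first, so every rule below only has to match NEW.
    echo "-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $public_tcp; do
        echo "-A $chain -m state --state NEW -m tcp -p tcp --dport $p -j ACCEPT"
    done
    for p in $lan_tcp; do
        echo "-A $chain -m state --state NEW -m tcp -p tcp --dport $p -s $lan -j ACCEPT"
    done
    for p in $lan_udp; do
        echo "-A $chain -m state --state NEW -m udp -p udp --dport $p -s $lan -j ACCEPT"
    done
    # Log what is about to be rejected, rate-limited so a scan cannot fill the disk.
    # LOG does not stop rule traversal, so the REJECT below still applies.
    echo "-A $chain -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix \"FW-REJECT \" --log-level 4"
    echo "-A $chain -j REJECT --reject-with icmp-host-prohibited"
    echo 'COMMIT'
}

# Parse-only check of a generated file (needs root and iptables-restore).
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test "$1"
    else
        echo "iptables-restore not found, skipping syntax check" >&2
    fi
}

# Same public/LAN split as the Zimbra file: mail and web public; ssh, LDAP,
# the admin console and snmp only from the LAN.
gen_ruleset 10.10.3.0/24 "25 80 110 143 443 465 993 995" "22 389 7071" "161"
```

Redirect the output to a file, run check_ruleset on it, then copy it over /etc/sysconfig/iptables and restart the service; because the file is regenerated from the lists, every LAN-only port carries its -s every time.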


Thanks : wiki.zimbra.com