September 17, 2009

How to configure the basic iptables script

This is the most basic iptables configuration one would set on a CentOS/RHEL gateway (eth0 = WAN, eth1 = LAN). The rules live in /etc/sysconfig/iptables:

01. *filter
02. :INPUT DROP [0:0]
03. :FORWARD DROP [0:0]
04. :OUTPUT ACCEPT [0:0]
05. -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
06. -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
07. -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
08. -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
09. -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
10. -A INPUT -i lo -j ACCEPT
11. -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
12. -A INPUT -p tcp -m tcp --syn -j REJECT
13. -A INPUT -p udp -m udp -j REJECT
14. COMMIT

Explanations :

Anything in INPUT will be dropped, except for :
- line 06 : we will accept any input traffic related to connections the gateway itself opened to the internet (useful for passive ftp)
- line 09 : we will accept connections on port 22 at any time
- line 10 : anything arriving on the local interface will be allowed; the localhost should be considered safe by definition
- line 11 : pings to the gateway will be allowed at a rate of 1 per second

FORWARD traffic will be dropped, except for :
- line 07 : anything flowing from the LAN to the internet will be allowed
- line 08 : anything related to the traffic generated by the internal network will be considered safe and be allowed

The OUTPUT traffic will be considered safe (not always a good thing, think about it)

Any other new TCP connection attempt (line 12) or UDP packet (line 13) will be rejected with an icmp-port-unreachable response

Output of iptables -L -n -v :
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7412 656K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
132 7908 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED icmp type 8 limit: avg 1/sec burst 5
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 reject-with icmp-port-unreachable
3093 391K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 11347 packets, 12M bytes)
pkts bytes target prot opt in out source destination


How to Block MSN and other messengers using squid proxy

I'm not sure if this way works, but it is reported in many places that the following squid rules are working. I have tried them and they do NOT work for me. If they do for you, let me know.

acl mi_intranet src 192.168.1.0/255.255.255.0
acl msn req_mime_type -i ^application/x-msn-messenger
http_access deny mi_intranet msn
http_access allow mi_intranet

This is a working Squid ACL (a url_regex list) blocking a bunch of web messengers :
http://.*e-messenger.net/.*
http://193\.238\.160\.*
http://.*meebo.com/.*
http://.*messenger.msn.com/.*
http://.*clientless.net/.*
http://.*wbmsn.net/.*
http://.*msn2go.com/.*
http://64\.92\.173\.*
http://.*iloveim.com/.*
http://info.sytes.net/.*
http://chatenabled.mail.google.com/.*


How to Block MSN and other messengers using iptables

This is my iptables config stored under /etc/sysconfig/iptables (eth0 = WAN interface, eth1 = LAN interface):

You'll notice 10.10.0.250 is allowed to connect to the messenger services that are blocked for the rest of the LAN.

You'll also notice that the default stance for output traffic is ACCEPT. You can of course set it to DROP and only accept what you specifically define.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Basic protections against syn floods and other stuff
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Block MSN
-I FORWARD -s 10.10.0.0/24 -p tcp -m tcp --dport 1863 -j DROP
-I FORWARD -s 10.10.0.0/24 -p tcp -m tcp --dport 1863 -j LOG --log-prefix "MESSENGER MSN > "
-I FORWARD -s 10.10.0.250 -p tcp -m tcp --dport 1863 -j ACCEPT

# Block AIM/ICQ
-I FORWARD -s 10.10.0.0/24 -d 64.12.25.0/22 -j DROP
-I FORWARD -s 10.10.0.0/24 -d 64.12.25.0/22 -j LOG --log-prefix "MESSENGER ICQ/AIM > "
-I FORWARD -s 10.10.0.250 -d 64.12.25.0/22 -j ACCEPT

# Block Yahoo IM
-I FORWARD -s 10.10.0.0/24 -d 216.155.193.0/22 -j DROP
-I FORWARD -s 10.10.0.0/24 -d 216.155.193.0/22 -j LOG --log-prefix "MESSENGER YIM > "
-I FORWARD -s 10.10.0.250 -d 216.155.193.0/22 -j ACCEPT

# Allowing anything else
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
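
Because -I inserts at the head of the chain while -A appends, the file order above (DROP, LOG, ACCEPT for each messenger) is not the order the kernel evaluates: each group ends up as ACCEPT for 10.10.0.250, then LOG, then DROP. The following Python script is an added example, not part of the original post: it resolves that effective order from an iptables-save file and, for this config and the basic one at the top of the page, also lists FORWARD ACCEPT rules that carry neither -i nor -s (such as the --syn rate-limit rule), which therefore match SYNs arriving on the WAN interface as well. The sample rules are a constructed subset of the config above.

```python
import re

# Constructed sample (iptables-save format): the FORWARD rules of the "Block MSN" config above, MSN group only.
SAMPLE = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-I FORWARD -s 10.10.0.0/24 -p tcp -m tcp --dport 1863 -j DROP
-I FORWARD -s 10.10.0.0/24 -p tcp -m tcp --dport 1863 -j LOG --log-prefix "MESSENGER MSN > "
-I FORWARD -s 10.10.0.250 -p tcp -m tcp --dport 1863 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# "-A CHAIN spec" appends; "-I CHAIN [n] spec" inserts at position n (default 1).
RULE = re.compile(r"^-([AI])\s+(\S+)(?:\s+(\d+))?\s+(.*)$")

def effective_chains(text):
    """Return {chain: [rule spec, ...]} in the order the kernel evaluates them."""
    chains = {}
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:                      # *filter, :CHAIN declarations, COMMIT, comments
            continue
        op, chain, pos, spec = m.groups()
        rules = chains.setdefault(chain, [])
        if op == "A":
            rules.append(spec)
        else:
            rules.insert(int(pos) - 1 if pos else 0, spec)
    return chains

def target(spec):
    toks = spec.split()                # '... -j LOG --log-prefix "..."' -> 'LOG'
    return toks[toks.index("-j") + 1]

def targets(text, chain):
    """Targets of `chain` in effective order: the file's DROP/LOG/ACCEPT becomes ACCEPT/LOG/DROP."""
    return [target(spec) for spec in effective_chains(text)[chain]]

def unrestricted_accepts(text, chain="FORWARD"):
    """ACCEPT rules carrying neither -i nor -s: they also match packets arriving
    on the WAN interface, e.g. the --syn rate-limit rule in both configs."""
    return [spec for spec in effective_chains(text)[chain]
            if target(spec) == "ACCEPT" and not {"-i", "-s"} & set(spec.split())]
```

Running targets(SAMPLE, "FORWARD") returns the evaluation order the kernel really uses, and unrestricted_accepts(SAMPLE) lists the three rate-limit rules, which no interface or source restricts.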


August 11, 2009

How To Configure RPMForge Repo

CentOS 5.3 - x86_64.

Download the rpmforge-release package. Choose one of the two links below, depending on your architecture. If you are unsure which one to use, you can check your architecture with the command

# uname -i

then, for i386, type the following command:
#rpm -Uhv http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

If you are using a different architecture, check https://rpmrepo.org/RPMforge/Using for the correct rpm.

For CentOS x86_64 use this link: http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

and the following command:

#rpm -Uhv http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm


(You can find a complete list of rpmforge-release packages at http://dag.wieers.com/packages/rpmforge-release/ but it is recommended that you use one of the two listed above).

Disable the repo (so that base packages are not overwritten) by editing /etc/yum.repos.d/rpmforge.repo

#vim /etc/yum.repos.d/rpmforge.repo

and set the following option:

enabled = 0


Sources:

http://howtoforge.com/
http://centos.org/


July 9, 2009

How To Create Password to Access SARG Report

CentOS 5.2

If you want Apache to ask for a password before serving the Squid reports, change httpd.conf:

<Directory /var/www/sarg>
deny from all
AllowOverride AuthConfig
Order deny,allow
</Directory>
....
....
NameVirtualHost *:80
....
....
<VirtualHost *:80>
ServerAdmin webmaster@domain.com
DocumentRoot /var/www/sarg
ServerName squid.example.com
</VirtualHost>
....
....

and here is my .htaccess file in the /var/www/sarg directory

# cat /var/www/sarg/.htaccess

AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd
AuthName Squid-logs
require valid-user
satisfy any

chmod 644 /var/www/sarg/.htaccess
chown apache /var/www/sarg/.htaccess

To create the /etc/httpd/conf/.htpasswd file:

htpasswd -bc /etc/httpd/conf/.htpasswd ffi sarg123
chmod 644 /etc/httpd/conf/.htpasswd

You also need a squid.example.com record in your DNS server; it must point to the IP of your Apache server. If not, try the IP of the Apache server instead of http://squid.example.com


How To Set Up DHCP server for PC Router

CentOS 5.2

My PC router uses a DHCP server to distribute IPs to the clients.
If you intend to set up a DHCP server you can use the following configuration.
During this tutorial I'm logged in as root.

1. Install the DHCP server.

#yum install dhcp

2. Change the configuration file (/etc/dhcpd.conf)
My configuration file is simple; you can cut/paste the one I'm using, or just edit yours to suit your needs. A word of caution: your network might be different than mine. This file will give your internal computers a range of IPs from 10.10.0.50 to 10.10.0.200 with a subnet mask of 255.255.255.0; change it to suit your needs. You'll also have to make the IP information match the static IP of eth1 later if you use your own values here.

ddns-update-style interim;
ignore client-updates;

subnet 10.10.0.0 netmask 255.255.255.0 {

# --- default gateway
option routers 10.10.0.1;
option subnet-mask 255.255.255.0;

option nis-domain "example.com";
option domain-name "example.com";
option domain-name-servers 10.10.0.1;

option time-offset -18000; # Eastern Standard Time
# option ntp-servers 10.10.0.2;
# option netbios-name-servers 10.10.0.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;

range dynamic-bootp 10.10.0.50 10.10.0.200;
default-lease-time 21600;
max-lease-time 43200;

# we want the nameserver to appear at a fixed address
# host ns {
# next-server marvin.redhat.com;
# hardware ethernet 12:34:56:78:AB:CD;
# fixed-address 207.175.42.254;
# }
}

3. Start the service
# service dhcpd start

4. If you want the service to start automatically at boot, use chkconfig:
#chkconfig dhcpd on
