TALLAFOCS

Implementacions

• Maquinari
• Programari (Linux Box, firewalls personals)

Tipus de Firewall

• Filtrat de Paquets (nivell 3 xarxa)
  • Stateless firewall
  • Stateful firewalls (tenen memòria sobre les connexions) --> Iptables
• Nivell d'aplicació (TCP Wrappers) i d'aplicació (proxies)
• Firewalls personals

Gairebé sempre s'ubiquen als llindars entre la xarxa local i la xarxa exterior 
però també es poden col·locar per separar dues subxarxes internes

Nivells

COMPTE!!! El firewall no capa contingut, el que ho capa es el proxy de contingut!!! Posar les captures

Nivell 1. Interfície de xarxa (Ethernet)

• Filtratge per MAC

Nivell 2. Internet. IP

• Filtratge per IP

Nivell 3. Transport. TCP

• Filtratge per ports (similar amb UDP)

NetFilter/iptables

• Els sistemes Linux porten un sistema integrat en el seu kernel anomenat iptables.
  • Successor d'ipchains.

• Seguretat per defecte (en el nucli del sistema operatiu).
  • No és cap servei. Menys vulnerable.

• Té un elaborat, complet i complexe sistema de passos pels quals passa un paquet.
  • El més important per entendre iptables és conèixer la seva semàntica i les capçaleres dels protocols TCP/IP.

http://acacha.org/mediawiki/index.php/Iptables

Conceptes

• RULES: condició + target. Les condicions poden ser:

•ip d'origen o destinació, protocol, port, MAC, etc.

•Normes,un paquet abans d'entrar ha de passar totes les normes

• TARGETS: accions per dur a terme amb els paquets (llençar,acceptar)

•ACCEPT, DROP, QUEUE, RETURN, REJECT, LOG, ULOG, DNAT,SNAT, MASQUERADE

•Amb IPv4 podem acceptar,tirar-lo, similar al drop però avisa, cues, funcions (serie de normes que s'agrupen), logs (syslog perexemple), DNAT,SNAT

• CHAINS: grups de normes (ruleset) aplicables en cert moment del “cicle de vida” del paquet a iptables

•INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING

•Són punts del sistema operatiu, abans de enrutar podem fer filtratges (es pot fer input (t'entra a tu), output (generat per tu), en transit (cap a un altre roter o equip))

• TABLES: separació de conceptes (filtrar, manipular, NAT)

•RAW, FILTER, MANGLE, NAT

•Obliguen a treballar en grups (tables) hi ha 4 tipus.

•FILTER: Flitrar--> Este si, este no (passa o no passa), no es pot modificar els paquets.

•Tota la resta són modificacions:

•RAW: "Crú", mode "SUPERMACHO" modifiques el paquet (programadors)

•MANGLE: "Destrossar" permet modificar, com per exemple el "time to life". Modificar amb ajuda.

•NAT: Per modificar la destinació.

• POLICIES: són les regles per defecte:

•DROP, ACCEPT

•Una vegada un paquet a passat totes les normes, llavors ha de passar per les polítiques per defecte

Firewall no router

INPUT/OUTPUT

• Només filtra els paquets que tenen origen o destinació en la màquina on estem utilitzant iptables
• Només filtra els paquets que tenen origen o destinació en la màquina on estem utilitzant iptables

FILTER

• Bàsicament utilitzarem iptables com a filtre (firewall pur)

Firewall Router

FORWARDING

• Només s'utilitza en encaminadors i passarel·les (ip_forwarding activat)
• No l'utilitzarem en tallafocs personals o servidors
• Permet distingir entre els paquets dirigits al firewall i els paquets dirigits a la xarxa

Local Processes

• Aplicacions de la màquina que té instal·lat iptables (Per exemple proxy web)
• L'encaminador pot processar un paquet entrant (log, web proxy) i després encaminar-lo cap a la xarxa local
• O pot simplement encaminar el paquet

Pràctiques Iptables

• Si introduïm només la comanda iptables "a seques" observem que ens faltem paràmetres:

[email protected]:~$ sudo iptables
[sudo] password for rafel: 
iptables v1.4.12: no command specified
Try `iptables -h' or 'iptables --help' for more information.

• Manual:
  • Tal com ens ha indicat anteriorment introduïm la comanda:

[email protected]:~$ sudo iptables -h
iptables v1.4.12

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
    --ipv4      -4              Nothing (line is ignored by ip6tables-restore)
    --ipv6      -6              Error (line is ignored by iptables-restore)
[!] --proto     -p proto        protocol: by number or name, eg. `tcp'
[!] --source    -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
 --jump -j target
                                target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.

• Per veure la configuració de l'iptables amb valors (v) numèrics (n):
  • Podem observar que no hi han regles configurades, "FULLY OPEN", ho accepta tot tant d'entrada,sortida com a través.

[email protected]:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

• Per veure les configuració de les taules nat (modificació destinació):
  • Com ja tracta de modificació de paquets ens apareixen els conceptes de Prerouting i Postrouting. (-t i tipus de taula.nat,raw etc...)

[email protected]:~$ sudo iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

• Per veure les configuració de la taula raw (modificació del paquet):

[email protected]:~$ sudo iptables -nvL -t raw
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

• Per veure les configuració de la taula mangle("destrucció" del paquet):

[email protected]:~$ sudo iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination          

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination          

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination          

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

• Per fer un verbose-numèric de la configuració del iptables en IPv6:

[email protected]:~$ sudo ip6tables -nvL 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination          

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

• Recordar que no existeix el nat en IPv6. Per comprovar-ho fem:

[email protected]:~$ sudo ip6tables -nvL -t nat
ip6tables v1.4.12: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

• Per veure la configuració raw (rules) en IPv6:
  • Llevat en nat tot és més o menys igual..

[email protected]:~$ sudo ip6tables -nvL -t raw
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination          

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

• Per veure la configuració mangle en IPv6:

[email protected]:~$ sudo ip6tables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination          

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination          

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination          

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

• Amb la següent comanda annexem al grup de normes dels paquets entrants,l'ordre de tirar-los (DROP) a tots.

[email protected]:~$ sudo iptables -A INPUT -j DROP

•Fem un ping per comprovar que realment fa el DROP. Podem observar que no realitza el ping i no ens dona cap tipus de missatge
•Intenta realitzar el ping fins que s'esgota el temps d'operació, el qual assenyala que el DROP annexat a tots els INPUTS funciona correctament

[email protected]:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3024ms 
 
•Visualitzem l'iptables per veure l'estat del DROP - INPUT
•Observem que "tira" descarta totes les entrades.

[email protected]:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   26  5063 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination          

Chain OUTPUT (policy ACCEPT 6 packets, 678 bytes)
 pkts bytes target     prot opt in     out     source               destination         

• Si inserim un watch al d'avant de la comada iptables el veurem millor les "rules" de les taules,(paquets rebutjats, bytes, etc..)
  • Com que anteriorment en seleccionat DROP a totes les entrades, veurem ela paquets llençats com els bytes...

[email protected]:~$ sudo watch iptables -nvL
------------------------------------------------------------------------------------------------------------------------
Every 2,0s: iptables -nvL                                                                        Wed Jan 30 18:19:44 2013

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   15  2906 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain 'OUTPUT (policy ACCEPT 1 packets, 62 bytes)
 pkts bytes target     prot opt in     out     source               destination

• També podem consultar l'iptables amb un -L, però aquesta ens proporcionarà menys informació

[email protected]:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

• Podem eliminar les normes de dues maneres.

•Especificant la norma que volem explicar:
[email protected]:~$ sudo iptables -D INPUT -j DROP

•O esborrant la primera regla de la taula que figura al Index
[email protected]:~$ sudo iptables -D INPUT 1
iptables: Index of deletion too big. -->Ens alerta que el valor de l'index especificat a esborra s'ha excedit(ja que s'han esborrat les normes)

•Per ampliar aquest concepte a continuació es mostre dos exemples però en lloc de bloquejar totes les entrades,no deixarà passar els paquets amb el
 protocol icmp de certes IP.
[email protected]:~$ sudo iptables -A INPUT -s 192.168.204.115 -p icmp -j DROP (-s = adress || -p = protocol)
[email protected]:~$ sudo iptables -A INPUT -s 192.168.204.102 -p icmp -j DROP
•Visualitzem iptables, veurem que com a política per defecte és acceptar les entrades, però s'ha configurat per rebutjar paquets icmp de certes IP's 
[email protected]:~$ sudo iptables -nvL
[sudo] password for rafel: 
Chain INPUT (policy ACCEPT 844 packets, 186K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       icmp --  *      *       192.168.204.115      0.0.0.0/0           
    0     0 DROP       icmp --  *      *       192.168.204.102      0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination          

Chain OUTPUT (policy ACCEPT 435 packets, 127K bytes)
 pkts bytes target     prot opt in     out     source               destination 
  
•Podem esborrar les regles d'una en una individualment (esborrat selectiu):  
[email protected]:~$ sudo iptables -D INPUT -s 192.168.204.115 -p icmp -j DROP
[email protected]:~$ sudo iptables -D INPUT -s 192.168.204.102 -p icmp -j DROP

•o esborrar la regla que figuri en la posició "X" del iptables (en el cas de l'exemple,la primera posició): 
[email protected]:~$ sudo iptables -D INPUT 1

[email protected]:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 8 packets, 1598 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       icmp --  *      *       192.168.204.102      0.0.0.0/0   --> Veiem que s'ha esborrat la que figurava en la posició 1

• Podem insertar una regla en la posició de la cadena de regles que vulguem. És a dir que regla es situï en la posició de la cadena de regles que desitgem. Per exemple en aquest cas Hem fet una inserció d'una per a que accepti tots el paquets icmp que s'executarà en primer lloc (1), i desprès d'aquesta s'executaran les la resta (d'això és dedueix que podem ordenar la cadena de regles)

[email protected]:~$ sudo iptables -I INPUT 1 -p icmp -j ACCEPT
[email protected]:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 11 packets, 1309 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0     --->En 1 lloc, si haguessin regles anteriors, les desplaçaria.      

• Podem provar-ho en OUTPUT per exemple a la IP 8.8.8.8 i amb DROP i desprès REJECT

DROP:

[email protected]:~$ sudo iptables -A OUTPUT -d 8.8.8.8 -p icmp -j DROP
[email protected]:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       icmp --  *      *       0.0.0.0/0            8.8.8.8   

[email protected]:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2016ms

REJECT:
 
[email protected]:~$ sudo iptables -A OUTPUT -d 8.8.8.8 -p icmp -j REJECT

[email protected]:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 9 packets, 2166 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 8 packets, 2134 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            8.8.8.8              reject-with icmp-port-unreachable

[email protected]:~$ ping 8.8.8.8
From 192.168.204.118 icmp_seq=1 Destination Port Unreachable
From 192.168.204.118 icmp_seq=1 Destination Port Unreachable
From 192.168.204.118 icmp_seq=1 Destination Port Unreachable
From 192.168.204.118 icmp_seq=1 Destination Port Unreachable

--- 8.8.8.8 ping statistics ---
0 packets transmitted, 0 received, +111025 errors

DROP LLENÇA EL PAQUET DIRECTAMENT (Operació no permesa)
REJECT "suposo" envia el SYN però es desfà del SYN-ACK i ens avisa que el port es inassolible

• EXERCICI:
  • Per Parelles configurar unes regles (DROP/REJECT,et..)per practicar amb les comandes del iptables:

[email protected]:~$ ping 192.168.204.115  --> IP de Jordi
PING 192.168.204.115 (192.168.204.115) 56(84) bytes of data.
64 bytes from 192.168.204.115: icmp_req=10 ttl=64 time=0.165 ms
64 bytes from 192.168.204.115: icmp_req=11 ttl=64 time=0.170 ms
64 bytes from 192.168.204.115: icmp_req=12 ttl=64 time=0.158 ms   --> El ping Funciona
^C
--- 192.168.204.115 ping statistics ---
12 packets transmitted,' 3 received, 75% packet loss, time 11070ms -->A partir del 3º paquet ja ha activat el DROP
rtt min/avg/max/mdev = 0.158/0.164/0.170/0.011 ms

•Configuro la regla d'entrada com a DROP de tots els paquets icmp de la ip de Jordi
•Faig un $ sudo watch iptables -nvL per veure els paquets que rebutja quan Jordi faci el ping
•Jordi m'avisa de l'inici del ping i aquest és veu reflexat al la terminal amb el watch iptables'
[email protected]:~$ sudo iptables -A INPUT -s 192.168.204.115 -p icmp -j DROP
[email protected]:~$ sudo watch iptables -nvL
------------------------------------------------------------------------------------------------------------------------
Every 2,0s: iptables -nvL                                                                        Wed Jan 30 18:19:44 2013

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   15  2906 DROP       icmp --  *      *       192.168.204.115      0.0.0.0/0

•Ara Jo li faig un ping a Jordi però com te configurada la regla DROP, aquest no és realitza, ni em dóna cap avís'
[email protected]:~$ ping 192.168.204.115
PING 192.168.204.115 (192.168.204.115) 56(84) bytes of data.
^C
--- 192.168.204.115 ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11088ms
  
[email protected]:~$ sudo iptables -D INPUT 1 --> Esborrem DROP.
 
•Ara realitzarem el mateix però amb REJECT en lloc de DROP'
[email protected]:~$ sudo iptables -A INPUT -s 192.168.204.115 -p icmp -j REJECT --> Jordi fà un ping i l'avisa que és Inabastable.
 
•Ara afegirem una regla DROP i REJECT però només per al port 22 (ssh), i una vegada configurat intentarem connectar-nos' 
[email protected]:~$ sudo iptables -A INPUT -s 192.168.204.115/30 -p tcp --dport 22 -j DROP --> Conf. INPUT|DROP port22 de la IP de Jordi
[email protected]:~$ sudo ssh 192.168.204.115 --> Jordi a configurat el mateix però amb la meva IP, intento fer-li ping però ens rebutja
ssh: connect to host 192.168.204.115 port 22: Connection refused -->Jordi em comunica que li passa el mateix

[email protected]:~$ sudo iptables -D INPUT 1 --> Esborrem la regla.

[email protected]:~$ sudo iptables -A INPUT -s 192.168.204.115/30 -p tcp --dport 22 -j REJECT  -> Conf. INPUT|REJECT port22 de la IP de Jordi 
(Ens avisa que el port és inabastable)

[email protected]:~$ sudo iptables -D INPUT 1 --> Esborrem la regla.

[email protected]:~$ sudo iptables -A INPUT -s 192.168.204.115/30 -p tcp --dport 22 -j ACCEPT  --> Conf. INPUT|REJECT tcp port22 de la IP Jordi
(Ara ja li és possible realitzar la connexió per ssh)

[email protected]:~$ sudo ssh 192.168.204.115  --> Provo de fer ssh amb la seva màquina i accepta la connexió
The authenticity of host '192.168.204.115 (192.168.204.115)' can't be established.
ECDSA key fingerprint is c1:63:8c:e3:78:57:24:5a:94:a2:65:ba:6d:62:15:53.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.204.115' (ECDSA) to the list of known hosts.
[email protected]'s password:

• També podem rebutjar els paquets icmp del PC15 de l'aula 204 de l'ies

[email protected]:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  a204PC15.aula204.iesebre.com  anywhere             

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination          

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

PRÀCTICA EINA NMAP

• nmap és una eina molt pràctica per escanejar rets,ips,protocols etc.. Ens permet escoltar detectar màquines propres

MANUAL:

[email protected]:~$ nmap
Nmap 5.21 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -PN: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of 
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take  are in milliseconds, unless you append 's'
  (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <time>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
  --adler32: Use deprecated Adler32 instead of CRC32C for SCTP checksums
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use twice or more for greater effect)
  -d[level]: Set or increase debugging level (Up to 9 is meaningful)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enables OS detection and Version detection, Script scanning and Traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sP 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -PN -p 80
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES 

• Fem un nmap a l'aula 204 del port 0. Això ens detectarà les màquines de l'aula 204 i l'estat del port, entre d'altres paràmetres com la MAC..

[email protected]:~$ sudo nmap -p0 192.168.204.0-255

Starting Nmap 5.21 ( http://nmap.org ) at 2013-01-29 20:48 CET
Nmap scan report for 192.168.204.1
Host is up (0.00014s latency).
PORT  STATE  SERVICE
0/tcp closed unknown
MAC Address: D4:CA:6D:20:8F:7F (Unknown)

Nmap scan report for ns1.aula204.iesebre.com (192.168.204.2)
Host is up (0.00026s latency).
PORT  STATE  SERVICE
0/tcp closed unknown
MAC Address: B6:2B:74:E5:3D:12 (Unknown)

Nmap scan report for 192.168.204.94
Host is up (0.0068s latency).
PORT  STATE SERVICE
0/tcp open  unknown
MAC Address: 00:08:54:A6:7A:6C (Netronix)

Nmap scan report for a204pcprofe.aula204.iesebre.com (192.168.204.100)
Host is up (0.00018s latency).
PORT  STATE  SERVICE
0/tcp closed unknown
MAC Address: 6C:62:6D:82:D3:78 (Unknown) 

Nmap scan report for a204PC02.aula204.iesebre.com (192.168.204.102)
Host is up (0.00010s latency).
PORT  STATE  SERVICE
0/tcp closed unknown
MAC Address: 00:30:05:EB:3B:17 (Fujitsu Siemens Computers)

Nmap scan report for a204PC15.aula204.iesebre.com (192.168.204.115)
Host is up (0.000068s latency).
PORT  STATE  SERVICE
0/tcp closed unknown
MAC Address: 00:30:05:EB:37:F4 (Fujitsu Siemens Computers)

Nmap scan report for a204PC18.aula204.iesebre.com (192.168.204.118)
Host is up (0.00017s latency).
PORT  STATE  SERVICE
0/tcp closed unknown 

Nmap scan report for 192.168.204.203
Host is up (0.071s latency).
PORT  STATE  SERVICE
0/tcp closed unknown
MAC Address: 30:39:26:EF:5C:E0 (Unknown) 

Nmap scan report for 192.168.204.220
Host is up (0.058s latency).
PORT  STATE  SERVICE
0/tcp closed unknown
MAC Address: D8:B3:77:13:85:75 (Unknown)

Nmap scan report for 192.168.204.228
Host is up (0.00025s latency).
PORT  STATE  SERVICE
0/tcp closed unknown
MAC Address: B8:70:F4:F8:83:3A (Unknown) 

Nmap scan report for 192.168.204.229
Host is up (0.081s latency).
PORT  STATE  SERVICE
0/tcp closed unknown
MAC Address: 94:DB:C9:00:0C:C7 (Unknown) 

Nmap scan report for 192.168.204.231
Host is up (0.043s latency).
PORT  STATE    SERVICE
0/tcp filtered unknown
MAC Address: 84:00:D2:4F:42:2D (Unknown)

Nmap scan report for 192.168.204.240
Host is up (0.00027s latency).
PORT  STATE  SERVICE
0/tcp closed unknown
MAC Address: C8:60:00:11:C2:DD (Unknown) 

Nmap scan report for 192.168.204.245
Host is up (0.044s latency).
PORT  STATE    SERVICE
0/tcp filtered unknown
MAC Address: F4:6D:E2:B3:14:13 (Unknown)

Nmap scan report for 192.168.204.254
Host is up (0.00092s latency).
PORT  STATE  SERVICE
0/tcp closed unknown
MAC Address: 90:F6:52:AF:64:3E (Unknown)

Nmap done: 256 IP addresses (15 hosts up) scanned in 8.15 seconds

• Realitzem ara un nmap general a l'aula 204. (Ens mostra el nº de ports tancats i els oberts, IP,MAC)

[email protected]:~$ sudo nmap 192.168.204.0-255

Starting Nmap 5.21 ( http://nmap.org ) at 2013-01-29 20:49 CET
Nmap scan report for 192.168.204.1
Host is up (0.00017s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
53/tcp   open  domain
2000/tcp open  cisco-sccp
8081/tcp open  blackice-icecap
8291/tcp open  unknown
MAC Address: D4:CA:6D:20:8F:7F (Unknown)

Nmap scan report for ns1.aula204.iesebre.com (192.168.204.2)
Host is up (0.00018s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
389/tcp  open  ldap
3128/tcp open  squid-http
5666/tcp open  nrpe
MAC Address: B6:2B:74:E5:3D:12 (Unknown)

Nmap scan report for 192.168.204.94
Host is up (0.0058s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:08:54:A6:7A:6C (Netronix) 

Nmap scan report for a204pcprofe.aula204.iesebre.com (192.168.204.100)
Host is up (0.00014s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 6C:62:6D:82:D3:78 (Unknown) 

Nmap scan report for a204PC02.aula204.iesebre.com (192.168.204.102)
Host is up (0.000072s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:30:05:EB:3B:17 (Fujitsu Siemens Computers) 

Nmap scan report for a204PC15.aula204.iesebre.com (192.168.204.115)
Host is up (0.000082s latency).
Not shown: 996 closed ports
PORT    STATE    SERVICE
22/tcp  filtered ssh
80/tcp  open     http
139/tcp open     netbios-ssn
445/tcp open     microsoft-ds
MAC Address: 00:30:05:EB:37:F4 (Fujitsu Siemens Computers)

Nmap scan report for a204PC18.aula204.iesebre.com (192.168.204.118)
Host is up (0.000015s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
3128/tcp open  squid-http

Nmap scan report for 192.168.204.203
Host is up (0.011s latency).
All 1000 scanned ports on 192.168.204.203 are closed
MAC Address: 30:39:26:EF:5C:E0 (Unknown) 

Nmap scan report for 192.168.204.220
Host is up (0.048s latency).
All 1000 scanned ports on 192.168.204.220 are closed
MAC Address: D8:B3:77:13:85:75 (Unknown) 

Nmap scan report for 192.168.204.228
Host is up (0.00032s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: B8:70:F4:F8:83:3A (Unknown) 

Nmap scan report for 192.168.204.229
Host is up (0.0075s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 94:DB:C9:00:0C:C7 (Unknown) 

Nmap scan report for 192.168.204.231
Host is up (0.031s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
5001/tcp open  commplex-link
MAC Address: 84:00:D2:4F:42:2D (Unknown)

Nmap scan report for 192.168.204.240
Host is up (0.00028s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
23/tcp open  telnet
80/tcp open  http
MAC Address: C8:60:00:11:C2:DD (Unknown)
 
Nmap scan report for 192.168.204.245
Host is up (0.028s latency).
All 1000 scanned ports on 192.168.204.245 are closed
MAC Address: F4:6D:E2:B3:14:13 (Unknown)

Nmap scan report for 192.168.204.254
Host is up (0.00053s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE
80/tcp    open  http
49152/tcp open  unknown
MAC Address: 90:F6:52:AF:64:3E (Unknown)
 
Nmap done: 256 IP addresses (15 hosts up) scanned in 35.64 seconds

Resum Exemples comandes iptables

$ sudo iptables -h

$ sudo iptables -nvL

$ sudo iptables -nvL -t nat

$ sudo iptables -nvL -t raw

$ sudo iptables -nvL -t mangle

$ sudo ip6tables -nvL

$ sudo ip6tables -nvL -t nat

$ sudo ip6tables -nvL -t raw

$ sudo ip6tables -nvL -t mangle

$ sudo iptables -A INPUT -j DROP

$ sudo iptables -D -J ACCEPT

$ sudo iptables -A INPUT -j DROP

$ sudo iptables -I INPUT 1 -p icmp -j ACCEPT

$ sudo watch iptables -nvL

$ sudo watch -n 1 iptables -nvL

$ sudo iptables -A INPUT -s 192.168.204.115 -p icmp -j DROP

$ sudo iptables -A INPUT -s 192.168.204.115/30 -p tcp --dport 22 -j ACCEPT

$ sudo iptables -A INPUT -s 192.168.204.115/30 -p tcp --dport 22 -j REJECT

$ sudo iptables -A INPUT -s 192.168.204.115/30 -p tcp --dport 22 -j DROP

$ sudo iptables -D INPUT 1 ---> Esborra el primer INPUT del IPTABLES

EXERCICIS .v2

Bloqueig de Pings

• Bloquejar exclusivament els pings, enlloc de tots els paquets icmp (apartat 3.6.4-iptables).
  • Per realitzar un filtratge exclusiu de paquets ping (protocol icmp), explicitarem el 'tipus' de paquets dintre del protocol icmp (echo-request)

[email protected]:~$ sudo iptables -A INPUT -s 127.0.0.1 -p icmp --icmp-type echo-request -j DROP

[email protected]:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP      icmp --  localhost           anywhere             icmp echo-request

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
 
[email protected]:~$ ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
 
 [email protected]:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 1643 packets, 542K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    84 DROP       icmp --  *      *       127.0.0.1            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination          

Chain OUTPUT (policy ACCEPT 1227 packets, 254K bytes)
 pkts bytes target     prot opt in     out     source               destination

Bloquejar una Mac

• Com bloquejar una mac? (apertat 3.6.13-iptables) (si podem, filtrar per ip i mac, per complicar-ho una mica més).
  • Simplement cal especificar la mac que desitgem rebutjar.

[email protected]:~$ sudo nmap 192.168.204.0-255
[sudo] password for rafel: 

Starting Nmap 5.21 ( http://nmap.org ) at 2013-02-04 18:53 CET
Nmap scan report for 192.168.204.1
Host is up (0.00013s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
53/tcp   open  domain
2000/tcp open  cisco-sccp
8081/tcp open  blackice-icecap
8291/tcp open  unknown
MAC Address: D4:CA:6D:20:8F:7F (Unknown)

Nmap scan report for a204PC02.aula204.iesebre.com (192.168.204.102)
Host is up (0.000067s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:30:05:EB:3B:17 (Fujitsu Siemens Computers)

Nmap scan report for a204PC03.aula204.iesebre.com (192.168.204.103)
Host is up (0.000055s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
6000/tcp open  X11
MAC Address: 00:30:05:EB:3E:2A (Fujitsu Siemens Computers)

Nmap scan report for a204PC15.aula204.iesebre.com (192.168.204.115)
Host is up (0.000057s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:30:05:EB:37:F4 (Fujitsu Siemens Computers)  --> Mac màquina de Jordi

[email protected]:~$ sudo iptables -I INPUT -p icmp -m mac --mac-source 00:30:05:EB:37:F4 -j DROP  -->Bloquegem la MAC de Jordi
[email protected]:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 16 packets, 3140 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:30:05:EB:37:F4

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3 packets, 394 bytes)
 pkts bytes target     prot opt in     out     source               destination

Jordi intenta fer ping des de la seva màquina però aquest no es realitza. OK 

Ara bloquejarem les entrades icmp provinents de la IP de l'ordinador de Joel i de la MAC de Jordi

[email protected]:~$ sudo iptables -I INPUT -s 192.168.204.112 -p icmp -m mac --mac-source 00:30:05:EB:37:F4 -j DROP
[email protected]:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 6 packets, 470 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       icmp --  *      *       192.168.204.112      0.0.0.0/0            MAC 00:30:05:EB:37:F4

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Els 2 intenten realitzar un ping però a Joel li apareix un missatge conforme el port és inabastable i Jordi no pot realitzar el ping. 

Creació d'un log de paquets

• Apartat 3.6.22-iptables (fitxer sys.log). Si ho fiquem just abans, en lloc del target, fixa el log (exemple log de paquets o firewall).

[email protected]:~$ sudo iptables -A INPUT -p icmp -d 127.0.0.1 -j DROP
[email protected]:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 2 packets, 316 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       icmp --  *      *       0.0.0.0/0            127.0.0.1           
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 124 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Creem un log amb el prefix "firewall" (visualitzat al syslog) en el que quedarà registrat cada vegada que entri un paquet icmp, enviat des de el localhost. 
Aquest log s'haurà d'inserir (amb -I en lloc de -A) avanç del DROP introduït anteriorment a l'iptables , si no fos així el DROP llençaria el paquet en primer lloc i el log no registraria l'entrada d'aquest.  
 
[email protected]:~$ sudo iptables -I INPUT 1 -p icmp -d 127.0.0.1 -j LOG --log-prefix "[firewall ]: "

Com podem observar en primer lloog registrarà l'entrada del paquet icmp al log i desprès llençarà el paquet

[email protected]:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 5 packets, 830 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        icmp --  *      *       0.0.0.0/0            127.0.0.1            LOG flags 0 level 4 prefix "[firewall ]: "
    0     0 DROP       icmp --  *      *       0.0.0.0/0            127.0.0.1           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

[email protected]:~$ ping localhost 
PING localhost (127.0.0.1) 56(84) bytes of data.
^C
--- localhost ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4030ms
 
[email protected]:/$ sudo tail -f /var/log/syslog  --> Visualitzem el final de syslog i comprovem que aquest registra les incidències "firewall"
Feb  4 20:09:01 Asmodeus CRON[17338]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete)
Feb  4 20:17:01 Asmodeus CRON[17409]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Feb  4 20:39:01 Asmodeus CRON[17446]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete)
Feb  4 21:09:01 Asmodeus CRON[17517]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete)
Feb  4 21:16:36 Asmodeus kernel: [16565.247698] [firewall ]: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1  LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=17572 SEQ=1 
Feb  4 21:16:37 Asmodeus kernel: [16566.254177] [firewall ]: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1  LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=17572 SEQ=2 
Feb  4 21:16:38 Asmodeus kernel: [16567.262170] [firewall ]: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=17572 SEQ=3 
Feb  4 21:16:39 Asmodeus kernel: [16568.270170] [firewall ]: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=17572 SEQ=4 
Feb  4 21:16:40 Asmodeus kernel: [16569.278183] [firewall ]: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=17572 SEQ=5 
Feb  4 21:17:01 Asmodeus CRON[17575]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)

Bloqueig d'atacs SSH

• BLOQUEJAR ATACS, Quan ataquen X vegades un port, bloquejar la IP de l'atacant. (apartat 3.6.16 i 3.6.20).

•Fem un ifconfig a la màquina 1 (la que rebrà els atacs)

[email protected]:~$ ifconfig 
eth2      Link encap:Ethernet  HWaddr 08:00:27:74:3a:da  
          inet addr:192.168.1.35  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe74:3ada/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:250 errors:0 dropped:0 overruns:0 frame:0
          TX packets:324 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:113695 (113.6 KB)  TX bytes:41646 (41.6 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:58 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:5588 (5.5 KB)  TX bytes:5588 (5.5 KB)

[email protected]:~$ sudo iptables -nvL  -->Comprovem que encarà no em introduït cap regla (filtre específic).
[sudo] password for rafel: 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

•Fem un ifconfig a la màquina 2 (la que realitzarà l'atac)

[email protected]:~$ ifconfig 
eth2      Link encap:Ethernet  HWaddr 08:00:27:db:7f:10  
          inet addr:192.168.1.38  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fedb:7f10/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:82 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14715 (14.7 KB)  TX bytes:11265 (11.2 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

•Intentem connectar de la MK1 a la MK2.Connecten. En el cas d'introduir una clau errònia ens denega la connexió.(Tot correcte)

[email protected]:~$ sudo ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 12.10 (GNU/Linux 3.5.0-21-generic i686)

 * Documentation:  https://help.ubuntu.com/

Last login: Thu Feb  7 23:16:20 2013 from sgbd-virtual1.local
[email protected]:~$ exit
logout
Connection to 192.168.1.35 closed.

[email protected]:~$ sudo ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied (publickey,password).
[email protected]:~$

•Inserim, en primer lloc, un filtre filtre que simplement "registri" els paquets tcp  dirigits al port 22 (ssh) (intents de connexió) 
•En segona instància, crearem una regla, la qual si s'intenten més de 5 intents de connexió al port 22, es llencin els paquets provinents de la IP d'orígen dels mateixos
•El comptador s'actualitzarà cada 50 segons,

[email protected]:~$ sudo iptables -A INPUT -i eth2 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
[email protected]:~$ sudo iptables -A INPUT -i eth2 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 5 --rttl --name SSH -j DROP

[email protected]:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: SET name: SSH side: source
    0     0 DROP       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: UPDATE seconds: 50 hit_count: 5 TTL-Match name: SSH side: source

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

•Una vegada introduït el filtre amb el màxim d'intents de connexió al port 22, intentem accedir per ssh a la màquina 1 amb una clau incorrecta

[email protected]:~$ sudo ssh 192.168.1.35
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied (publickey,password).
[email protected]:~$ sudo ssh 192.168.1.35
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied (publickey,password).

[email protected]:~$ sudo ssh 192.168.1.35
..... --> Passats 50s ....

QUAN ES PASSEN ELS 5 INTENTS SE QUEDA PENJAT (DROP)

•Mirem ara els paquets rebutjats

[email protected]:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 195 packets, 27497 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   15   900            tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: SET name: SSH side: source
    7   420 DROP       tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: UPDATE seconds: 50 hit_count: 5 TTL-Match name: SSH side: source

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 187 packets, 24757 bytes)
 pkts bytes target     prot opt in     out     source               destination

Creació d'un log mode "xivato" (camí TCP E/S)

• '3.6.30 Exercici relacionat amb el nc (mirar exemple pas a pas) , farem un fitxer log a mode de xivato per seguir el camí que segueix una connexió TCP d'entrada/sortda. Amb nc obrim una connexió, (a més podem triar un port : port 5000)

[email protected]:~$ sudo nc -l -p 5000  --> Activem un terminal en mode listen al port 5000

[email protected]:~$ sudo nc localhost 5000 ---> Amb l'altre terminal ens connectem al port 5000

•Fem un tcpdump per veure si la connexió tcp s'ha realitzat correctament

[email protected]:~$ sudo tcpdump -x -i lo port 5000
[sudo] password for rafel: 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
13:50:26.864766 IP localhost.37387 > localhost.5000: Flags [S], seq 2104794594, win 32792, options [mss 16396,sackOK,TS val 953440 ecr 0,nop,wscale 7], length 0
        0x0000:  4500 003c 1182 4000 4006 2b38 7f00 0001
        0x0010:  7f00 0001 920b 1388 7d74 9de2 0000 0000
        0x0020:  a002 8018 fe30 0000 0204 400c 0402 080a
        0x0030:  000e 8c60 0000 0000 0103 0307
13:50:26.865807 IP localhost.5000 > localhost.37387: Flags [S.], seq 2870318896, ack 2104794595, win 32768, options [mss 16396,sackOK,TS val 953440 ecr 953440,nop,wscale 7], length 0
        0x0000:  4500 003c 0000 4000 4006 3cba 7f00 0001
        0x0010:  7f00 0001 1388 920b ab15 9730 7d74 9de3
        0x0020:  a012 8000 fe30 0000 0204 400c 0402 080a
        0x0030:  000e 8c60 000e 8c60 0103 0307
13:50:26.866094 IP localhost.37387 > localhost.5000: Flags [.], ack 1, win 257, options [nop,nop,TS val 953441 ecr 953440], length 0
        0x0000:  4500 0034 1183 4000 4006 2b3f 7f00 0001
        0x0010:  7f00 0001 920b 1388 7d74 9de3 ab15 9731
        0x0020:  8010 0101 fe28 0000 0101 080a 000e 8c61
        0x0030:  000e 8c60
^C
3 packets captured
6 packets received by filter
0 packets dropped by kernel


CONSTRUCCIÓ DEL LOG DE PAQUETS D'ENTRADA:

raf[email protected]:~$ sudo iptables -t raw -A PREROUTING -p tcp --dport 5000 --syn -j LOG --log-prefix "[FW] Paquet SYN entrant: "
[email protected]:~$ sudo iptables -t raw -A PREROUTING -p tcp --dport 5000 --syn -j LOG --log-prefix "[FW] RAW PREROUTING: "
[email protected]:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport 5000 --syn -j LOG --log-prefix "[FW] MANGLE PREROUTING: "
[email protected]:~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport 5000 --syn -j LOG --log-prefix "[FW] entregat a rutes: "
[email protected]:~$ sudo iptables -t nat -A PREROUTING -p tcp --dport 5000 --syn -j LOG --log-prefix "[FW] NAT PREROUTING: " -> No fa falta
[email protected]:~$ sudo iptables -t mangle -A INPUT -p tcp --dport 5000 --syn -j LOG --log-prefix "[FW] MANGLE INPUT: "
[email protected]:~$ sudo iptables -t filter -A INPUT -p tcp --dport 5000 --syn -j LOG --log-prefix "[FW] FILTER INPUT: "
[email protected]:~$ sudo iptables -t filter -A INPUT -p tcp --dport 5000 --syn -j LOG --log-prefix "[FW] SYN entregat local: 

•Fem un iptables per veure com a quedat i si s'han introduït regles al iptables correctament:

[email protected]:~$ sudo iptables -nvL  --> FILTRES
[sudo] password for rafel: 
Chain INPUT (policy ACCEPT 125 packets, 31936 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] FILTER INPUT: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] SYN entregat local: "

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 27 packets, 1885 bytes)
 pkts bytes target     prot opt in     out     source               destination         

[email protected]:~$ sudo iptables -nvL -t nat  --> NAT (no és necessari)
Chain PREROUTING (policy ACCEPT 59 packets, 13404 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] NAT PREROUTING: "

Chain INPUT (policy ACCEPT 35 packets, 7644 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 7 packets, 460 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 7 packets, 460 bytes)
 pkts bytes target     prot opt in     out     source               destination          

[email protected]:~$ sudo iptables -nvL -t raw  --> RAW
Chain PREROUTING (policy ACCEPT 155 packets, 38414 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] Paquet SYN entrant: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] RAW PREROUTING: "

Chain OUTPUT (policy ACCEPT 27 packets, 1885 bytes)
 pkts bytes target     prot opt in     out     source               destination         

[email protected]:~$ sudo iptables -nvL -t mangle  --> MANGLE
Chain PREROUTING (policy ACCEPT 165 packets, 39194 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] MANGLE PREROUTING: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] entregat a rutes: "

Chain INPUT (policy ACCEPT 141 packets, 33434 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] MANGLE INPUT: "

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 27 packets, 1885 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 27 packets, 1885 bytes)
 pkts bytes target     prot opt in     out     source               destination         

•Observem que s'han introduït correctament.


CONSTRUCCIÓ DEL LOG DELS PAQUETS DE SORTIDA:

[email protected]:~$ sudo iptables -t raw -A OUTPUT -p tcp --sport 5000 --tcp-flags ALL ACK -j LOG --log-prefix "[FW] Paquet ACK sortint: "
[email protected]:~$ sudo iptables -t raw -A OUTPUT -p tcp --sport 5000 --tcp-flags ALL ACK -j LOG --log-prefix "[FW] RAW OUTPUT: "
[email protected]:~$ sudo iptables -t mangle -A OUTPUT -p tcp --sport 5000 --tcp-flags ALL ACK -j LOG --log-prefix "[FW] MANGLE OUTPUT: "
[email protected]:~$ sudo iptables -t nat -A OUTPUT -p tcp --sport 5000 --tcp-flags ALL ACK -j LOG --log-prefix "[FW] NAT OUTPUT: " -> No fa falta
[email protected]:~$ sudo iptables -t filter -A OUTPUT -p tcp --sport 5000 --tcp-flags ALL ACK -j LOG --log-prefix "[FW] FILTER OUTPUT: "
[email protected]:~$ sudo iptables -t filter -A OUTPUT -p tcp --sport 5000 --tcp-flags ALL ACK -j LOG --log-prefix "[FW] ACK entregat a rutes: "
[email protected]:~$ sudo iptables -t mangle -A POSTROUTING -p tcp --sport 5000 --tcp-flags ALL ACK -j LOG --log-prefix "[FW] MANGLE POSTROUTING: "
[email protected]:~$ sudo iptables -t nat -A POSTROUTING -p tcp --sport 5000 --tcp-flags ALL ACK -j LOG --log-prefix "[Fw] NAT POSTROUTING: " 


MIREM COM HAN QUEDAT TOTS ELS IPTABLES, TANT D'ENTRADA COM DE SORTIDA:

[email protected]:~$ sudo iptables -nvL  --> FILTRES
Chain INPUT (policy ACCEPT 8 packets, 1412 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] FILTER INPUT: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] SYN entregat local: "

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5000flags: 0x3F/0x10 LOG flags 0 level 4 prefix "[FW] FILTER OUTPUT: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5000flags: 0x3F/0x10 LOG flags 0 level 4 prefix "[FW] ACK entregat a rutes: "

[email protected]:~$ sudo iptables -nvL -t nat  --> NAT (no és necessari)
Chain PREROUTING (policy ACCEPT 6 packets, 1268 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] NAT PREROUTING: "

Chain INPUT (policy ACCEPT 3 packets, 548 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5000flags: 0x3F/0x10 LOG flags 0 level 4 prefix "[FW] NAT OUTPUT: "

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5000flags: 0x3F/0x10 LOG flags 0 level 4 prefix "[Fw] NAT POSTROUTING: "

[email protected]:~$ sudo iptables -nvL -t raw  --> RAW
Chain PREROUTING (policy ACCEPT 11 packets, 2132 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] Paquet SYN entrant: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] RAW PREROUTING: "

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5000flags: 0x3F/0x10 LOG flags 0 level 4 prefix "[FW] Paquet ACK sortint: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5000flags: 0x3F/0x10 LOG flags 0 level 4 prefix "[FW] RAW OUTPUT: "

[email protected]:~$ sudo iptables -nvL -t mangle  --> MANGLE
Chain PREROUTING (policy ACCEPT 11 packets, 2132 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] MANGLE PREROUTING: "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] entregat a rutes: "

Chain INPUT (policy ACCEPT 8 packets, 1412 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5000flags: 0x17/0x02 LOG flags 0 level 4 prefix "[FW] MANGLE INPUT: "

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5000flags: 0x3F/0x10 LOG flags 0 level 4 prefix "[FW] MANGLE OUTPUT: "

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:5000flags: 0x3F/0x10 LOG flags 0 level 4 prefix "[FW] MANGLE POSTROUTING: "


•La configuració del firewall ha de quedar:

[email protected]:~$ sudo iptables-save
[sudo] password for rafel: 
# Generated by iptables-save v1.4.12 on Sun Feb 10 16:13:31 2013
*nat  -->NAT
:PREROUTING ACCEPT [11:2458]
:INPUT ACCEPT [5:1018]
:OUTPUT ACCEPT [45:2943]
:POSTROUTING ACCEPT [45:2943]
-A PREROUTING -p tcp -m tcp --dport 5000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "[FW] NAT PREROUTING: "
-A OUTPUT -p tcp -m tcp --sport 5000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j LOG --log-prefix "[FW] NAT OUTPUT: "
-A POSTROUTING -p tcp -m tcp --sport 5000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j LOG --log-prefix "[Fw] NAT POSTROUTING: "
COMMIT
# Completed on Sun Feb 10 16:13:31 2013
# Generated by iptables-save v1.4.12 on Sun Feb 10 16:13:31 2013
*mangle  -->MANGLE
:PREROUTING ACCEPT [11798:17193327]
:INPUT ACCEPT [11792:17191887]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6378:399500]
:POSTROUTING ACCEPT [6378:399500]
-A PREROUTING -p tcp -m tcp --dport 5000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "[FW] MANGLE PREROUTING: "
-A PREROUTING -p tcp -m tcp --dport 5000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "[FW] entregat a rutes: "
-A INPUT -p tcp -m tcp --dport 5000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "[FW] MANGLE INPUT: "
-A OUTPUT -p tcp -m tcp --sport 5000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j LOG --log-prefix "[FW] MANGLE OUTPUT: "
-A POSTROUTING -p tcp -m tcp --sport 5000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j LOG --log-prefix "[FW] MANGLE POSTROUTING: "
COMMIT
# Completed on Sun Feb 10 16:13:31 2013
# Generated by iptables-save v1.4.12 on Sun Feb 10 16:13:31 2013
*raw  -->RAW
:PREROUTING ACCEPT [11798:17193327]
:OUTPUT ACCEPT [6378:399500]
-A PREROUTING -p tcp -m tcp --dport 5000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "[FW] Paquet SYN entrant: "
-A PREROUTING -p tcp -m tcp --dport 5000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "[FW] RAW PREROUTING: "
-A OUTPUT -p tcp -m tcp --sport 5000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j LOG --log-prefix "[FW] Paquet ACK sortint: "
-A OUTPUT -p tcp -m tcp --sport 5000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j LOG --log-prefix "[FW] RAW OUTPUT: "
COMMIT
# Completed on Sun Feb 10 16:13:31 2013
# Generated by iptables-save v1.4.12 on Sun Feb 10 16:13:31 2013
*filter  -->FILTER
:INPUT ACCEPT [11792:17191887]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6378:399500]
-A INPUT -p tcp -m tcp --dport 5000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "[FW] FILTER INPUT: "
-A INPUT -p tcp -m tcp --dport 5000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "[FW] SYN entregat local: "
-A OUTPUT -p tcp -m tcp --sport 5000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j LOG --log-prefix "[FW] FILTER OUTPUT: "
-A OUTPUT -p tcp -m tcp --sport 5000 --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -j LOG --log-prefix "[FW] ACK entregat a rutes: "
COMMIT
# Completed on Sun Feb 10 16:13:31 2013


•Tornem a simular una connexió amb el netcat i posteriorment realitzem un tail al fitxer syslog

[email protected]:~$  nc -l -p 5000

[email protected]:~$ nc localhost 5000

[email protected]:~$ sudo tail -f /var/log/syslog
[sudo] password for rafel: 

Feb 10 16:47:14 MP09 kernel: [14721.752855] [FW] Paquet SYN entrant: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23212 DF PROTO=TCP SPT=37406 DPT=5000 WINDOW=32792 RES=0x00 SYN URGP=0 
Feb 10 16:47:14 MP09 kernel: [14721.752897] [FW] RAW PREROUTING: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23212 DF PROTO=TCP SPT=37406 DPT=5000 WINDOW=32792 RES=0x00 SYN URGP=0 
Feb 10 16:47:14 MP09 kernel: [14721.752915] [FW] MANGLE PREROUTING: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23212 DF PROTO=TCP SPT=37406 DPT=5000 WINDOW=32792 RES=0x00 SYN URGP=0 
Feb 10 16:47:14 MP09 kernel: [14721.752931] [FW] entregat a rutes: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23212 DF PROTO=TCP SPT=37406 DPT=5000 WINDOW=32792 RES=0x00 SYN URGP=0 
Feb 10 16:47:14 MP09 kernel: [14721.752948] [FW] MANGLE INPUT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23212 DF PROTO=TCP SPT=37406 DPT=5000 WINDOW=32792 RES=0x00 SYN URGP=0 
Feb 10 16:47:14 MP09 kernel: [14721.752965] [FW] FILTER INPUT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23212 DF PROTO=TCP SPT=37406 DPT=5000 WINDOW=32792 RES=0x00 SYN URGP=0 
Feb 10 16:47:14 MP09 kernel: [14721.753003] [FW] SYN entregat local: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23212 DF PROTO=TCP SPT=37406 DPT=5000 WINDOW=32792 RES=0x00 SYN URGP=0 
Feb 10 16:51:02 MP09 kernel: [14949.709958] [FW] Paquet SYN entrant: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60255 DF PROTO=TCP SPT=37407 DPT=5000 WINDOW=32792 RES=0x00 SYN URGP=0 
Feb 10 16:51:02 MP09 kernel: [14949.709984] [FW] RAW PREROUTING: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60255 DF PROTO=TCP SPT=37407 DPT=5000 WINDOW=32792 RES=0x00 SYN URGP=0 
Feb 10 16:51:02 MP09 kernel: [14949.710007] [FW] MANGLE PREROUTING: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60255 DF PROTO=TCP SPT=37407 DPT=5000 WINDOW=32792 RES=0x00 SYN URGP=0 
Feb 10 16:51:02 MP09 kernel: [14949.710023] [FW] entregat a rutes: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60255 DF PROTO=TCP SPT=37407 DPT=5000 WINDOW=32792 RES=0x00 SYN URGP=0 
Feb 10 16:51:02 MP09 kernel: [14949.710041] [FW] MANGLE INPUT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60255 DF PROTO=TCP SPT=37407 DPT=5000 WINDOW=32792 RES=0x00 SYN URGP=0 
Feb 10 16:51:02 MP09 kernel: [14949.710059] [FW] FILTER INPUT: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60255 DF PROTO=TCP SPT=37407 DPT=5000 WINDOW=32792 RES=0x00 SYN URGP=0 
Feb 10 16:51:02 MP09 kernel: [14949.710075] [FW] SYN entregat local: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60255 DF PROTO=TCP SPT=37407 DPT=5000 WINDOW=32792 RES=0x00 SYN URGP=0