Categories
Linux

Quick and simple iptables gateway setup

This is just a simple open setup with a blanket drop on eth0. I am using it as a simple gateway for my VMware "Host-Only" network to get out to the real world, while not allowing traffic back in that wasn't requested.

First off, make sure you turn on forwarding in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Then run sysctl -p to apply it:

sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

Then here is the ruleset that I am currently using:

/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 0/0 --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 0/0 --dport 1:65535 -j DROP
/sbin/iptables -A INPUT -i eth0 -p udp -s 0/0 -d 0/0 --dport 1:65535 -j DROP

This allows ssh back in on the outside interface but blocks everything else, and still allows internal traffic to flow out freely.

Save the iptables commands into a file and execute that file to apply the rules. On a Red Hat base you can then run iptables-save > /etc/sysconfig/iptables, after which the "service iptables start" and "service iptables stop" commands will start and stop the firewall for future use.
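A stateful variant of the same gateway, added here as an example and not the post's own script: it defaults INPUT and FORWARD to DROP, accepts only replies to connections the gateway or the VMs started, and keeps ssh from outside, so the gateway's own DNS lookups and package downloads are no longer caught by the blanket 1:65535 DROP rules above. It assumes eth0 is the outside interface and vmnet1 the VMware host-only one; with DRY_RUN=1 (the default) it only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not the original post's script: a stateful version of the
# gateway ruleset. Assumptions: eth0 is the outside interface and vmnet1 the
# VMware host-only interface. DRY_RUN=1 (the default) prints the commands
# instead of applying them.
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

gateway_rules() {
    ext=${1:-eth0}
    int=${2:-vmnet1}

    ipt -F
    ipt -t nat -F
    ipt -t mangle -F

    # Default-deny for traffic to and through the gateway; its own outbound stays open.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections the gateway itself opened (DNS, package updates);
    # the post's 1:65535 DROP rules would discard these as they arrive on eth0.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything from the host-only side, and new ssh sessions from outside.
    ipt -A INPUT -i "$int" -j ACCEPT
    ipt -A INPUT -i "$ext" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Everything else from outside falls through to the DROP policy; keep a
    # rate-limited log of it for review.
    ipt -A INPUT -i "$ext" -m limit --limit 5/min -j LOG --log-prefix "gw-drop: "

    # VMs may go out; only replies to their own connections come back in.
    ipt -A FORWARD -i "$int" -o "$ext" -j ACCEPT
    ipt -A FORWARD -i "$ext" -o "$int" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$ext" -j MASQUERADE
}

gateway_rules "$@"
```

Run it with DRY_RUN=0 as root to apply, then iptables-save as described above to keep it across reboots.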

Audit a file on rhel5 with auditd

Obviously you will need the audit package installed.

Let's say I want to audit "test.file" for read, write, execute, and access:

auditctl -w /root/test.file -k test-file -p rwxa

-w: adds a "watch" rule on the given path
-k: the key that you can later use to filter the audit logs
-p: the permissions that you would like to audit

If you would like this to be a permanent rule, add it to /etc/audit/audit.rules in the following format:

-w /root/test.file -k test-file -p rwxa

Now we can take a look at the rules:

auditctl -l

LIST_RULES: exit,always watch=/root/test.file perm=rwxa key=test-file

Now I am going to add some text to test.file and see what the audit says. I run the ausearch tool to find out:

ausearch -k test-file
or
ausearch -f test.file

Here are the results:

----
time->Thu May  1 15:04:33 2008
type=PATH msg=audit(1209679473.817:1252): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679473.817:1252):  cwd="/root"
type=SYSCALL msg=audit(1209679473.817:1252): arch=c000003e syscall=191 success=no exit=-61 a0=7fff2baf6ba0 a1=3872404d67 a2=0 a3=0 items=1 ppid=16271 pid=16881 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ls" exe="/bin/ls" key="test-file"
----
time->Thu May  1 15:04:33 2008
type=PATH msg=audit(1209679473.817:1253): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679473.817:1253):  cwd="/root"
type=SYSCALL msg=audit(1209679473.817:1253): arch=c000003e syscall=191 success=no exit=-61 a0=7fff2baf6ba0 a1=3872404d38 a2=0 a3=0 items=1 ppid=16271 pid=16881 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ls" exe="/bin/ls" key="test-file"
----
time->Thu May  1 15:04:39 2008
type=PATH msg=audit(1209679479.812:1254): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679479.812:1254):  cwd="/root"
type=SYSCALL msg=audit(1209679479.812:1254): arch=c000003e syscall=2 success=yes exit=3 a0=1d6cb910 a1=0 a2=0 a3=0 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:39 2008
type=PATH msg=audit(1209679479.813:1255): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679479.813:1255):  cwd="/root"
type=SYSCALL msg=audit(1209679479.813:1255): arch=c000003e syscall=89 success=no exit=-22 a0=7fff0814a7f0 a1=7fff0814abf0 a2=3ff a3=1 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.992:1256): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.992:1256):  cwd="/root"
type=SYSCALL msg=audit(1209679485.992:1256): arch=c000003e syscall=191 success=no exit=-61 a0=1d6cb910 a1=3872404d67 a2=7fff0814aff0 a3=84 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.992:1258): item=3 name="test.file~" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1209679485.992:1258): item=2 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1209679485.992:1258): item=1  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1209679485.992:1258): item=0  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.992:1258):  cwd="/root"
type=SYSCALL msg=audit(1209679485.992:1258): arch=c000003e syscall=82 success=yes exit=0 a0=1d6cb910 a1=1d6f6d80 a2=2 a3=1 items=4 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.992:1260): item=1 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1209679485.992:1260): item=0  name="/root" inode=84869121 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.992:1260):  cwd="/root"
type=SYSCALL msg=audit(1209679485.992:1260): arch=c000003e syscall=2 success=yes exit=3 a0=1d6cb910 a1=241 a2=1a4 a3=0 items=2 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.996:1261): item=0 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.996:1261):  cwd="/root"
type=SYSCALL msg=audit(1209679485.996:1261): arch=c000003e syscall=90 success=yes exit=0 a0=1d6cb910 a1=81a4 a2=0 a3=0 items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"
----
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.997:1262): item=0 name="test.file" inode=84869202 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.997:1262):  cwd="/root"
type=SYSCALL msg=audit(1209679485.997:1262): arch=c000003e syscall=188 success=yes exit=0 a0=1d6cb910 a1=3872404d67 a2=1d6f6da0 a3=1c items=1 ppid=16271 pid=16882 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"

aureport will also give us a summary report of the activity:

Summary Report
======================
Range of time in logs: 05/01/2008 15:04:33.817 - 05/01/2008 15:04:45.997
Selected time for report: 05/01/2008 15:04:33 - 05/01/2008 15:04:45.997
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 0
Number of users: 1
Number of terminals: 1
Number of host names: 0
Number of executables: 2
Number of files: 3
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 4
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 2
Number of events: 9
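To make records like those above easier to read, here is an added example (not from the original post) that collapses ausearch output into one line per event and counts the failed syscalls, the same figure the aureport summary reports. It assumes the x86_64 syscall numbers shown in the records (2 open, 82 rename, 89 readlink, 90 chmod, 188 setxattr, 191 getxattr) and embeds a constructed sample of two of those events.

```shell
#!/bin/sh
# Added example, not from the original post: condense ausearch output into
# one line per event (id|time|comm|syscall|success|exit|names). SAMPLE_AUDIT
# is constructed in the shape of the records above (two of the post's events
# with the a0-a3 and uid fields dropped); like that output, the parser expects
# an event's PATH records to be printed before its SYSCALL record.
SAMPLE_AUDIT='----
time->Thu May  1 15:04:33 2008
type=PATH msg=audit(1209679473.817:1252): item=0 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679473.817:1252):  cwd="/root"
type=SYSCALL msg=audit(1209679473.817:1252): arch=c000003e syscall=191 success=no exit=-61 items=1 ppid=16271 pid=16881 auid=0 tty=pts1 comm="ls" exe="/bin/ls" key="test-file"
----
time->Thu May  1 15:04:45 2008
type=PATH msg=audit(1209679485.992:1258): item=3 name="test.file~" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1209679485.992:1258): item=2 name="test.file" inode=84869203 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1209679485.992:1258):  cwd="/root"
type=SYSCALL msg=audit(1209679485.992:1258): arch=c000003e syscall=82 success=yes exit=0 items=4 ppid=16271 pid=16882 auid=0 tty=pts1 comm="vi" exe="/bin/vi" key="test-file"'

# audit_summary: reads ausearch output on stdin, prints one line per event.
audit_summary() {
    awk '
    # x86_64 (arch=c000003e) syscall numbers seen in the post; others print as-is.
    BEGIN { n[2]="open"; n[82]="rename"; n[89]="readlink"; n[90]="chmod";
            n[188]="setxattr"; n[191]="getxattr" }
    /^time->/ { t = substr($0, 7); next }
    /^type=(PATH|SYSCALL)/ {
        split("", f)
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            gsub(/"/, "", kv[2]); f[kv[1]] = kv[2]
        }
        split($2, m, /[():]/); id = m[3]      # msg=audit(secs.ms:id):
        if ($1 == "type=PATH") { names[id] = names[id] " " f["name"]; next }
        sc = (f["syscall"] in n) ? n[f["syscall"]] : f["syscall"]
        printf "%s|%s|%s|%s|%s|%s|%s\n", id, t, f["comm"], sc,
               f["success"], f["exit"], names[id]
    }'
}

# failed_syscalls: events whose syscall did not succeed (compare the
# "Number of failed syscalls" line of the aureport summary).
failed_syscalls() {
    audit_summary | awk -F'|' '$5 == "no" { c++ } END { print c + 0 }'
}

printf '%s\n' "$SAMPLE_AUDIT" | audit_summary
```

On a live box, feed it with ausearch -k test-file | audit_summary; the rename event (syscall 82, test.file~ then test.file) is how vi saves, which is why the inode of test.file changes in the records above.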

Enabling ftps on vsftpd

First you must generate an SSL certificate:

openssl req -new -x509 -nodes -out ftps.pem -keyout ftps.pem

Copy the SSL certificate to your vsftpd directory:

cp ftps.pem /etc/vsftpd

Add the following to vsftpd.conf:

ssl_enable=YES
rsa_cert_file=/etc/vsftpd/ftps.pem
force_local_data_ssl=NO

*Note: FTPS will only work with authenticated users, i.e. users with a valid account, not anonymous logins.
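An added check (not from the original post) that reads a vsftpd.conf and flags the FTPS settings that weaken it, in particular force_local_data_ssl=NO from the snippet above, which lets clients transfer file contents in the clear while only the login is forced over TLS. The directive names and their defaults are vsftpd's own; the two configs in the block are constructed, one matching the snippet and one corrected.

```shell
#!/bin/sh
# Added example, not from the original post: lint a vsftpd.conf for the FTPS
# settings that matter. Directive names and defaults are vsftpd's own; the two
# configs below are constructed here (WEAK_CONF mirrors the three lines above,
# HARDENED_CONF is a corrected version).
WEAK_CONF='ssl_enable=YES
rsa_cert_file=/etc/vsftpd/ftps.pem
force_local_data_ssl=NO'

HARDENED_CONF='ssl_enable=YES
rsa_cert_file=/etc/vsftpd/ftps.pem
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES'

# conf_get "<config text>" KEY DEFAULT: last value set for KEY, or DEFAULT.
conf_get() {
    v=$(printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" | tail -n 1)
    echo "${v:-$3}"
}

# vsftpd_ssl_check "<config text>": one finding per line; returns 1 if any.
vsftpd_ssl_check() {
    c=$1; rc=0
    [ "$(conf_get "$c" ssl_enable NO)" = YES ] ||
        { echo "ssl_enable=NO: FTPS is not enabled"; rc=1; }
    # vsftpd defaults both force_local_* options to YES once ssl_enable=YES;
    # the post turns the data one off, so file contents cross in clear text.
    [ "$(conf_get "$c" force_local_data_ssl YES)" = YES ] ||
        { echo "force_local_data_ssl=NO: data channel may be plaintext"; rc=1; }
    [ "$(conf_get "$c" force_local_logins_ssl YES)" = YES ] ||
        { echo "force_local_logins_ssl=NO: passwords may be sent plaintext"; rc=1; }
    for old in ssl_sslv2 ssl_sslv3; do
        [ "$(conf_get "$c" "$old" NO)" = NO ] ||
            { echo "$old=YES: obsolete protocol version enabled"; rc=1; }
    done
    return $rc
}

for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
    if vsftpd_ssl_check "$conf"; then echo "no findings"; fi
    echo "--"
done
```

To check a real server, pass the file contents: vsftpd_ssl_check "$(cat /etc/vsftpd/vsftpd.conf)".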