Wednesday, July 12, 2006

Install IPTablesrock

IPtables is one of the firewall programs on Linux and can fairly be called quite robust. Its configuration is simple enough to protect our system. The troublesome part comes after installing iptables: we naturally want to monitor what it is doing, what is happening on the ports that are open as well as the ones that are closed. Luckily there are smart people who help us out by writing programs to monitor our iptables. This time I am using the iptables configuration from iptablesrock (www.iptablesrock.org). Follow the steps I give below.

1. First check whether iptables is already installed on your Linux box: rpm -q iptables
2. change the syslog settings:
vi /etc/syslog.conf
add the following lines:
#IPTables logging
# kernel messages.
kern.debug;kern.info /var/log/firewall
3. restart the syslog service: service syslog restart
4. go to the folder /lib/modules/2.6.15-1.2054_FC5/kernel/net/ipv4/netfilter/ (because I am using FC5)
5. insmod ip_conntrack.ko (this command is so that your Linux machine can open FTP connections)
6. vi firewall_reset and type:
# Iptables firewall reset script
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT
*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT
*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT
7. type iptables-restore < /root/firewall_reset
8. save: service iptables save
9. restart: service iptables restart
10. look at the result with iptables -L; all your iptables rules should now appear reset.
11. run the script above if you want iptables to allow all incoming traffic during a certain period (schedule it with cron)
12. below is the script for restricting traffic.
13. vi primary_firewall and type:
#The NAT portion of the ruleset. Used for Network Address Translation.
#Usually not needed on a typical web server, but it's there if you need it.
*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633]
COMMIT
#The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
#This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
#The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
#We will also enable logging of all dropped requests.
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]
#First, we cover the INPUT rules, or the rules for incoming requests.
#Note how at the end we log any incoming packets that are not accepted.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#uncomment the next line if you are running Spamassassin on your server
#-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP
#Next, we cover the OUTPUT rules, or the rules for all outgoing traffic.
#Note how at the end we log any outbound packets that are not accepted.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#uncomment the next line if you are running Spamassassin on your server
#-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP
#Here we have 2 sets of logging rules. One for dropped packets to log all dropped requests and one for accepted packets, should we wish to log any accepted requests.
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A LOG_DROP -j DROP
-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options --log-ip-options
-A LOG_ACCEPT -j ACCEPT
#And finally, a rule to deal with ICMP requests. We drop all ping requests except from our own server.
# Make sure you replace 1.2.3.4 with the IP address of your server.
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -s 1.2.3.4 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT
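As an added example (not from iptablesrock or the original post), this shell script re-implements the match semantics of the four distinct --tcp-flags rules in the mangle table above, so you can check which flag combinations the chain actually drops: --tcp-flags MASK COMP examines only the bits in MASK and matches when exactly the bits in COMP are set. The bit values are this script's own, not anything iptables exposes.

```shell
#!/bin/sh
# Evaluate the mangle PREROUTING --tcp-flags rules from primary_firewall
# against a given TCP flag combination. Added example, not iptablesrock code.

# Convert a comma-separated flag list ("FIN,SYN", "NONE", "ALL") to a bitmask.
# The bit assignment is local to this script.
flag_bits() {
    bits=0
    old_ifs=$IFS; IFS=,
    for f in $1; do
        case $f in
            FIN)  bits=$((bits | 1)) ;;
            SYN)  bits=$((bits | 2)) ;;
            RST)  bits=$((bits | 4)) ;;
            PSH)  bits=$((bits | 8)) ;;
            ACK)  bits=$((bits | 16)) ;;
            URG)  bits=$((bits | 32)) ;;
            ALL)  bits=63 ;;
            NONE) ;;
            *) IFS=$old_ifs; echo "unknown flag: $f" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    echo "$bits"
}

# --tcp-flags MASK COMP matches when (flags & MASK) == COMP: only the flags
# listed in MASK are examined, and exactly those in COMP must be set.
tcp_flags_match() {  # $1 = packet flags, $2 = MASK, $3 = COMP
    pkt=$(flag_bits "$1") || return 2
    mask=$(flag_bits "$2"); comp=$(flag_bits "$3")
    [ $((pkt & mask)) -eq "$comp" ]
}

# Walk the four PREROUTING rules in order; first match wins, otherwise the
# chain policy (ACCEPT) applies and the packet goes on to the filter table.
mangle_verdict() {
    if   tcp_flags_match "$1" "FIN,SYN,RST,PSH,ACK,URG" "FIN,PSH,URG"; then echo DROP
    elif tcp_flags_match "$1" "FIN,SYN,RST,PSH,ACK,URG" "NONE";        then echo DROP
    elif tcp_flags_match "$1" "SYN,RST" "SYN,RST";                     then echo DROP
    elif tcp_flags_match "$1" "FIN,SYN" "FIN,SYN";                     then echo DROP
    else echo ACCEPT
    fi
}
```

Because the first rule masks all six flags, it matches only the exact FIN,PSH,URG combination; mangle_verdict FIN,PSH,URG,ACK returns ACCEPT, which is worth knowing when you decide how much you expect this table to filter before the filter table's DROP policy takes over.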
14. type iptables-restore < /root/primary_firewall
15. save: service iptables save
16. restart: service iptables restart
17. look at the result with iptables -L; your iptables should now be filtering traffic.
18. to see the iptables log, use tail -f /var/log/firewall
19. the next step is to set up a program to monitor the iptables log through the web
20. tar zxvf iptables_logger_v0.4.tar.gz
21. mysql -u root -p
22. create database iptables;
23. grant all privileges on iptables.* to iptables_admin@localhost identified by 'xxxxx'; (replace xxxxx with the password you want)
24. grant all privileges on iptables.* to iptables_user@localhost identified by 'xxxxx'; (replace xxxxx with the password you want)
25. exit mysql
26. go to the iptables/sql folder (from the extracted archive)
27. cat db.sql | mysql -u iptables_admin -p iptables
28. go back to the iptables folder
29. cp -R web /var/www/html/firewall
30. vi /var/www/html/firewall/config.php
31. modify $db_password="xxxxxx"; it must match step 23
32. go to the iptables/scripts folder and open feed_db.pl: vi feed_db.pl
33. modify my $log_file = '/var/log/syslog'; to my $log_file = '/var/log/firewall'; and don't forget to also change the line my $db_password = 'xxxxx'; as in step 31
34. cp feed_db.pl /usr/local/bin/
35. vi iptablelog
36. replace the entire contents of iptablelog with:
#!/bin/sh
#
# System V init script for iptables logfile analyzer
#
# (c) Thomas Vallaitis <bonewood@gm...>
#
# pid isn't saved by iptables logfile analyzer (afaik)
# we have two processes -> more difficult
#

PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
LONGNAME="iptables logfile analyzer"
NAME="iptablelog"
DAEMON="/usr/local/bin/feed_db.pl"
PIDFILE="/var/run/$NAME.pid"

set -e

# Main Loop
case $1 in
    start)
        echo -n "Starting $LONGNAME: "
        #$DAEMON --background
        # redirect first, then background; the original put the & before the
        # redirection, which left the daemon's output on the terminal.
        nohup $DAEMON > /var/log/iptablelog.log 2>&1 &
        # save the pid ourselves so that "stop" has something to kill
        echo $! > "$PIDFILE"
        echo $NAME
        ;;
    stop)
        echo -n "Stopping $LONGNAME: "
        if [ -f "$PIDFILE" ]; then
            kill "$(cat "$PIDFILE")"
            rm -f "$PIDFILE"
        fi
        echo $NAME
        ;;
    *)
        N=/etc/init.d/$NAME
        # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
        echo "Usage: $N {start|stop}" >&2
        exit 1
        ;;
esac

exit 0

# EOF
37. cp iptablelog /etc/rc.d/init.d/
38. start the program: /etc/init.d/iptablelog start
39. so that /var/log/firewall does not keep growing, add the file to logrotate
40. cd /etc/logrotate.d/
41. vi syslog
42. on the first line, add it at the end of the line, before the {, so that the result looks like this:
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/firewall
43. refresh logrotate: logrotate -f syslog
44. to have the program start automatically, add step no. 38 to /etc/rc.local
45. test the program at http://localhost/firewall; if the page comes up, it worked
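Between tail -f /var/log/firewall (step 18) and the web front end, a quick summary of the "[IPTABLES DROP] : " lines that the LOG_DROP chain writes is often all you need. This shell script is an added example, not part of iptablesrock or iptables_logger; the log lines it writes are constructed to look like the kernel LOG output that the syslog.conf line above routes to /var/log/firewall.

```shell
#!/bin/sh
# Summarise the "[IPTABLES DROP] : " lines the LOG_DROP chain writes to
# /var/log/firewall. Added example, not iptablesrock/iptables_logger code.

# Write a constructed sample of /var/log/firewall to the file named in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Jul 12 10:15:01 fc5 kernel: [IPTABLES DROP] : IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 12 10:15:04 fc5 kernel: [IPTABLES DROP] : IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1002 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 12 10:15:09 fc5 kernel: [IPTABLES DROP] : IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1003 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 12 10:16:00 fc5 kernel: [IPTABLES DROP] : IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=2001 PROTO=TCP SPT=51000 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 12 10:16:00 fc5 kernel: [IPTABLES DROP] : IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=2002 PROTO=TCP SPT=51000 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 12 10:16:01 fc5 kernel: [IPTABLES DROP] : IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=2003 PROTO=TCP SPT=51000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 12 10:16:20 fc5 kernel: [IPTABLES DROP] : IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=60 ID=3001 PROTO=UDP SPT=1024 DPT=161 LEN=58
Jul 12 10:16:30 fc5 kernel: [IPTABLES DROP] : IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=3002 PROTO=ICMP TYPE=13 CODE=0 ID=7 SEQ=1
Jul 12 10:17:00 fc5 kernel: [IPTABLES ACCEPT] : IN=eth0 OUT= SRC=198.51.100.20 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4001 DF PROTO=TCP SPT=39000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Print "count src proto dport" per distinct dropped (source, proto, dport),
# most frequent first. ICMP carries no DPT, so it is shown as "-".
summarize_drops() {
    grep -F '[IPTABLES DROP]' "$1" | awk '{
        src = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# List sources that were dropped on at least $2 distinct destination ports,
# the pattern of a port sweep that got past the mangle table.
port_scanners() {
    grep -F '[IPTABLES DROP]' "$1" | awk -v min="$2" '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort
}
```

Run it as summarize_drops /var/log/firewall or port_scanners /var/log/firewall 10 against the real log; the "[IPTABLES ACCEPT]" lines from LOG_ACCEPT are deliberately skipped.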

Give it a try.
