Monday, 20 December 2010

Example iptables firewall ruleset for Backtrack 4

When pen-testing, it is quite common to be placing your attack system in a hostile environment, on the internet side of a border-router for example.

During your testing it is likely that you will be holding some confidential information on your system. You need to make sure that your system is secure, otherwise you may learn what it is like to get pwned, the hard way.

However, you do need to strike a balance and be able to communicate with the target system, and allow some ports to be opened, just for services that are going to assist you in compromising that host or network.

Backtrack 4 (like many Linux platforms) has iptables, but some people forget to turn it on, thinking that they are sure to be protected if they don't run any vulnerable services. Take great care.

To ensure some degree of safety, I would recommend:
  • Change your root password to something strong (don't forget your default MySQL password also)
  • Make sure you don't install any services that automatically start each time you boot.
    • If you install any new services (vsftpd for example) prevent them from starting on boot by editing the links in /etc/rc2.d/...
    • Only start services when you need them
    • Watch what you keep in your FTP share and www root etc.
  • Use a firewall, with a restrictive rule-set
    • Only open ports when you need them
    • (Which is what I am going to discuss here...)
Useful guide to iptables

Here is a good article to show you the basics of iptables configuration.

Saving and retrieving firewall rule-sets

iptables rule-sets can be saved and retrieved with the following commands:


iptables-save > /etc/iptables.rules


iptables-restore < /etc/iptables.rules

Using this technique means that you can pre-build several rule-sets and switch between them easily, or have a file that you edit and reload to add, remove or change rules.

Here is an example which provides a reasonable level of protection. It also contains some useful rules, commented out, which could be quickly added.

# Example iptables firewall rule-set for Backtrack 4
# To use uncomment or add any relevant ports you need and run:
# iptables-restore < /etc/iptables.rules.shieldsup


# Established connections are allowed

# Connections from your local machine are allowed
-A INPUT -i lo -j ACCEPT

# Uncomment inbound connections to your own services, or create new ones here:
#-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT # HTTP port 80
#-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT # HTTPS port 443
#-A INPUT -i eth0 -p tcp -m tcp --dport 4444 -j ACCEPT # Standard reverse shell port
#-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT # FTP port 21
#-A INPUT -i eth0 -p udp -m udp --dport 69 -j ACCEPT # FTP port 69

# Drop everything else inbound

# Your own client-side-initiated connections are allowed outbound

# Drop everything else outbound

# For more info visit

More targeted rules bypass rules for the basic rule-set

In addition you may want to add more targeted rules, for example so that only a single host can access a payload that you have hosted on your web-server.

In that case you may want to add a more specific rule in the following way: 

iptables -I INPUT -p tcp -m tcp -s a.b.c.d/32 --dport 80 -j ACCEPT

So for example to add inbound rules so that a target can access your http server and a handler you have listening on port 443, type in the following rules:

iptables -I INPUT -p tcp -m tcp -s --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp -s --dport 443 -j ACCEPT


Don't forget to test your rule-sets are working from an external host before you rely on them in a live situation!

Look after yourself ;o)

No comments:

Post a Comment