Author Topic: IPtables practice firewall  (Read 1401 times)


Offline lucid

IPtables practice firewall
« on: June 28, 2014, 11:43:26 pm »
I'm looking to set up an iptables firewall. The purpose of this particular firewall is for testing. I'm not using this to secure my network. It's extremely frustrating to try to google for "firewalls for penetration practice" or something like that, because all you find is "impenetrable firewalls".

So I'm looking for ideas on a good realistic firewall ruleset that I can practice bypassing. Suggestions?
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python

Offline iTpHo3NiX

Re: IPtables practice firewall
« Reply #1 on: June 29, 2014, 12:04:47 am »
Why not search for setups that people will Google to employ and then set up your firewall that way. Since you know the ruleset you can attempt to break it.

https://www.digitalocean.com/community/tutorials/how-to-setup-a-basic-ip-tables-configuration-on-centos-6

Offline voodoo

Re: IPtables practice firewall
« Reply #2 on: June 29, 2014, 12:14:31 am »
You can try starting with a simple stateful firewall.

Code:
*filter
# Default policies drop anything no rule accepts; TCP and UDP are user chains that the rules below jump into
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT

Then modify it to suit your needs.  Allow some services through, implement some egress filtering.
keep it simple
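As an added example (not voodoo's code), here is a POSIX shell function that turns the stateful skeleton above into a complete iptables-restore ruleset: it defines the TCP and UDP user chains the skeleton jumps into, opens the services you pass as arguments, and adds the egress filtering the reply suggests. The port lists and the outbound DNS/HTTP(S) allowances are constructed assumptions for a lab box.

```shell
#!/bin/sh
# gen_ruleset "TCP_PORTS" "UDP_PORTS" prints an iptables-restore ruleset on stdout.
# Example (constructed): gen_ruleset "22 80" "53" | iptables-restore
gen_ruleset() {
    tcp_ports=$1   # space-separated TCP services to expose (constructed list)
    udp_ports=$2   # space-separated UDP services to expose (constructed list)
    # Default-deny policies; TCP/UDP are user chains referenced by INPUT below
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' \
        ':TCP - [0:0]' \
        ':UDP - [0:0]'
    # INPUT: the same stateful skeleton as the post; new connections are
    # dispatched to the service chains, anything unmatched returns and is rejected
    printf '%s\n' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT' \
        '-A INPUT -p udp -m conntrack --ctstate NEW -j UDP' \
        '-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP' \
        '-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable' \
        '-A INPUT -p tcp -j REJECT --reject-with tcp-reset' \
        '-A INPUT -j REJECT --reject-with icmp-proto-unreachable'
    # Service chains: one ACCEPT per exposed port; everything else falls through
    for p in $tcp_ports; do printf -- '-A TCP -p tcp --dport %s -j ACCEPT\n' "$p"; done
    for p in $udp_ports; do printf -- '-A UDP -p udp --dport %s -j ACCEPT\n' "$p"; done
    # Egress filtering: only replies, loopback, DNS and outbound HTTP(S) may leave
    printf '%s\n' \
        '-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT' \
        '-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT' \
        '-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited' \
        'COMMIT'
}
```

Loading the output with iptables-restore needs root; generating it does not, so the ruleset can be reviewed or diffed before it is applied.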

Offline lucid

Re: IPtables practice firewall
« Reply #3 on: July 10, 2014, 04:01:45 am »
I guess this was kind of a low quality post, as the answer is obvious. Thanks for the responses regardless. My bad for the dumb question. I've built a simple stateful firewall of my own and am going to do exactly as recommended.

Thanks.

Offline lucid

Re: IPtables practice firewall
« Reply #4 on: July 10, 2014, 04:35:11 am »
Interestingly enough I had recently set up my Arch box as a gateway for a bunch of VMs. So I'm sort of already doing exactly that. I will look into smoothwall though, thanks.

Offline voodoo

Re: IPtables practice firewall
« Reply #5 on: July 11, 2014, 06:17:43 am »
There is also shorewall which is actually something we use occasionally in enterprise solutions.

www.shorewall.net

Offline lucid

Re: IPtables practice firewall
« Reply #6 on: July 12, 2014, 09:33:00 am »
Set up and configured Smoothwall on a VM as a gateway for the host computer... and soon other VMs. Thanks for the suggestion. Will post if anything interesting and worth discussing happens. :P

Offline proxx

Re: IPtables practice firewall
« Reply #7 on: July 16, 2014, 09:09:07 am »
Wtf were you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline lucid

Re: IPtables practice firewall
« Reply #8 on: July 16, 2014, 06:00:52 pm »
Thanks buddy  ;D