Archive for the ‘Networking’ Category


m0n0wall vs pfSense embedded security systems

January 20, 2008

I’ve found a great report about these BSD-based security distros. Enjoy it 😀

http://www.bsdcan.org/2006/papers/BSD_Firewalling.pdf


Windows XP and WPA2 wireless cipher

December 19, 2007

Finally, I’ve installed DD-WRT on my Fonera :D. After that I set a WPA2-AES key, but when I tried to connect from a Windows XP (SP2) computer I couldn’t connect!!!

After some Google searches I found some information about the issue. Basically, Windows XP needs a patch to support IEEE 802.11i, the standard WPA2 is based on…

Just install it and reboot your system.

Patch for Wi-Fi Protected Access 2 (WPA2) on Windows XP

Remember, you must get the patch for your OS language or it will not work.


How to: Telnet server

November 24, 2007

Today I’ve set up a telnet server on one of my computers… I’m aware that telnet isn’t a safe way to access a server, but I just wanted to learn something about this application, and besides I did it inside my LAN. OK, let's install it! (You must be logged in as root.)

apt-get install telnetd netkit-inetd

apt may ask you to install “openbsd-inetd” or “inetutils-inetd” instead; I chose the second and it works fine.

telnetd is not a daemon of its own: the package adds a telnet line to /etc/inetd.conf and inetd starts /usr/sbin/in.telnetd for each incoming connection. So after the install, (re)start inetd so it reads the new entry (the init script is called inetd if you kept netkit-inetd):

/etc/init.d/inetutils-inetd restart

Now the telnet server is listening on port 23 and you can reach it with a telnet client such as the telnet command on Linux or PuTTY on Windows.

Here is a screen capture of a telnet login in Ethereal/Wireshark; the username and password travel in clear text, which is why telnet should stay inside a trusted LAN 😉
ethereal_telnetjoin.jpg


Redirecting a port to a local machine inside our network

November 22, 2007

If we want to redirect a port (e.g. the HTTP port) that arrives at the firewall to a machine inside our network, we use these iptables rules (192.168.0.x is the internal server and 192.168.0.y is the firewall's LAN address):

# Change the destination of packets arriving on eth0 for port 80 to the internal host
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.0.x

# Make the internal host see the firewall as the source, so its replies come back through the firewall
iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.x --dport 80 -j SNAT --to-source 192.168.0.y

The second rule is only needed when the internal host does not use the firewall as its default gateway, and it has a cost: the server's logs show the firewall's address instead of the real client. If the FORWARD policy is DROP (as in the firewall script on this page), a FORWARD rule accepting the redirected traffic is also required, and IP forwarding must be enabled in the kernel.


Setting up a SSH tunnel

July 22, 2007

Hi again!

If we are on a LAN where a protocol is blocked by a BOFH 😉, or we need to send personal data over an insecure protocol, we can use an SSH tunnel with an SSH client such as PuTTY (on win32) or OpenSSH (*NIX systems).

OK, we're on a LAN where port 80 is closed, and that really sucks! We have the IP of a server with no restriction on port 80. So we are going to set up a tunnel to that server and send the port-80 traffic encrypted inside the SSH connection (I assume the SSH port is open! [default port 22]). Keep in mind that the traffic is only encrypted between us and the SSH server; from there to the web site it travels as plain HTTP, as usual.

Open PuTTY and go to the Tunnels screen (Connection → SSH → Tunnels): enter a local source port (for example 1080), mark it as Dynamic and click Add.

After this, connect to the server.

Once we are logged in, the tunnel has been established 😀

Now we need to tell the browser to connect through the tunnel: open your favourite browser (Firefox 4ever ;’) ) and open the connection settings. Set a SOCKS v5 proxy on 127.0.0.1 with the port chosen above; in Firefox also enable DNS resolution through the proxy (network.proxy.socks_remote_dns), otherwise the LAN still sees every host name you look up.

If you’ve followed all the steps, your SSH tunnel is running now :D.
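For *NIX users, here is the OpenSSH equivalent of the PuTTY setup above, written as an added example for this page (it is not from the original post). The server name and the SOCKS port are assumptions; the point it adds is the ExitOnForwardFailure option and the socks5h proxy scheme, which keeps DNS lookups inside the tunnel:

```shell
#!/bin/sh
# Added example for this page, not from the original post: the OpenSSH
# equivalent of the PuTTY dynamic forward.  SSH_HOST and SOCKS_PORT are
# assumptions; point them at your own unrestricted server.
SSH_HOST="${SSH_HOST:-user@ssh.example.org}"
SOCKS_PORT="${SOCKS_PORT:-1080}"

# Proxy address for the browser or curl.  "socks5h" asks the proxy to resolve
# host names, so DNS queries travel through the tunnel too; plain "socks5"
# would still send them to the LAN's resolver.
proxy_url() {
    printf 'socks5h://127.0.0.1:%s\n' "$SOCKS_PORT"
}

# -D binds the SOCKS proxy on loopback only (other LAN hosts cannot use it),
# -N opens no remote shell, -f backgrounds ssh once the login is done and
# ExitOnForwardFailure makes it fail instead of running without the forward.
start_tunnel() {
    ssh -N -f -D "127.0.0.1:$SOCKS_PORT" -o ExitOnForwardFailure=yes "$SSH_HOST"
}

# Fetch a page through the proxy; succeeds only if the tunnel is up.
check_tunnel() {
    curl --silent --fail --output /dev/null --proxy "$(proxy_url)" "${1:-http://www.example.com/}"
}

case "${1:-}" in
    start) start_tunnel && check_tunnel && echo "tunnel up, browser proxy: $(proxy_url)" ;;
    check) check_tunnel && echo "tunnel works" ;;
    *)     echo "usage: $0 start|check" ;;
esac
```

Run it as `sh tunnel.sh start`; the browser proxy is then the value printed by proxy_url, i.e. SOCKS v5 on 127.0.0.1 with remote DNS enabled.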


Links: Firewall.cx a great networking webpage

July 7, 2007

I discovered this webpage, and it has a lot of networking material, from basic things to advanced. There is information about networking protocols, software and some Cisco Systems topics.

In conclusion, one of the greatest networking webpages I’ve ever seen 😀



IPTables: Deny Messenger access

July 3, 2007

We can use the following rule to block MSN Messenger in our LAN. You need kernel 2.6.14 or later with the iptables string match module:

iptables -I FORWARD -p tcp -m string --string "VER " --from 51 --to 56 --algo bm -j REJECT

The string match searches the packet for a text string. --from and --to are byte offsets inside the packet that bound the search, here a few bytes at the start of the TCP payload, where the MSN client sends its “VER ” greeting; --algo bm selects the Boyer-Moore search algorithm. Note that the offsets depend on the IP and TCP header lengths, and that the match stops working as soon as the client tunnels the protocol over HTTP or TLS, so string filtering is a fragile control.

Source: VivaLinux!


IPTables: Filtering by MAC Address

June 29, 2007

If we want to filter a MAC address in our firewall we can use iptables for this. For example, to drop everything coming from the MAC 00:12:8D:EE:6E:AB (it must be written as HH:HH:HH:HH:HH:HH) so that host cannot reach the firewall itself, we type:

iptables -A INPUT -m mac --mac-source 00:12:8D:EE:6E:AB -j DROP

We can also use the ! operator, which inverts the match. For example, if we type:

iptables -A INPUT -m mac ! --mac-source 00:12:8D:EE:6E:AB -j DROP

all packets will be dropped except those coming from MAC 00:12:8D:EE:6E:AB. Two caveats: the mac match only works on incoming packets (the PREROUTING, INPUT and FORWARD chains), and it sees the MAC of the last hop on the local segment, which any host can change at will, so it is a convenience filter rather than authentication.


How To:LAN Firewall with IPTables (II)

June 20, 2007

Continuing the last post, we’re going to start the iptables script for our basic home firewall.

I assume you know the basics of BASH scripting; if not, I recommend reading this link.

The first step is to create the network variables, which hold the information (interfaces and IPs) about the hosts of the network. This is an example:

#!/bin/bash
## Basic IPTables firewall script
## By CaZa
## jun, 20, 2007
## alberto1337[at]gmail[dot]com

###################################
## Host and interfaces variables ##
###################################
# The card connected to the DSL/cable router
WAN="eth1"
# The card connected to the switch
LAN="eth0"
# Client hosts of our network
host1="192.168.0.10"
host2="192.168.0.5"

We can define a variable for each computer and interface of our network; it isn't necessary, but it is highly recommended. Before adding rules it is very important to reset the current iptables rules. To flush them, put this in the script:

iptables -F        # delete all rules in the built-in chains
iptables -X        # delete all user-defined chains
iptables -Z        # zero the packet and byte counters
iptables -t nat -F # the same for the nat table
iptables -t nat -X
iptables -t nat -Z


The next step is probably the most important of our script. Here we set the default policy of the firewall. There are two options:

  1. Restrictive policy (deny everything except the services we need)
  2. Permissive policy (allow everything except the services we block)

The first is more secure, but also more work than the second. I have always used the first, and it is the policy this script uses.

To do this, type:

# Set the default INPUT, OUTPUT and FORWARD policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

If we executed the script at this point, every connection would be refused, including the firewall's own outgoing packets (OUTPUT DROP covers those too, so each service running on the firewall needs a matching OUTPUT rule). In the next steps we open the ports needed for basic services such as HTTP and FTP.

After this we let the kernel forward packets between the LAN and the Internet and hide the LAN behind the firewall's public address (NAT): the MASQUERADE rule rewrites the private source addresses on the way out, and the echo enables IP forwarding. The /24 after the IP defines the subnet mask.

# Rewrite the LAN's private source addresses to the WAN address (NAT)
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o "$WAN" -j MASQUERADE
# Enable IP forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

Finally, we can add the rules for the services we want 🙂 .

# Allow traffic to port 80 on the firewall itself (for example if you run
# Apache on it).  The OUTPUT policy is DROP, so the server's replies also
# need an OUTPUT rule to get out.
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
# Let the LAN browse the web: requests go out to port 80, replies come back
# from port 80.  Matching replies by source port is weak (any packet with
# source port 80 gets in); see the note below.
iptables -A FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --sport 80 -j ACCEPT

# Allow FTP control traffic the same way (FTP data connections need more than this)
iptables -A FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --sport 21 -j ACCEPT

This is a very basic example of a “DROP policy” firewall, but it is a reasonable starting point between our LAN and the Internet 🙂 . Its weak point is the return rules: they admit any packet whose source port is 80 or 21, which is trivial to forge. The proper way to let replies back in is iptables' connection tracking match (state ESTABLISHED,RELATED), which only admits packets belonging to a connection the LAN started.

I’ll cover other iptables commands for building our own rules and a few more things in other articles. But if you need more information NOW, look at these pages: [IPTables tutorial] and [doc_IPTables by Pello]
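To show what the script looks like once connection tracking replaces the port-based return rules, here is a complete version written as an added example for this page (it is not the original post's script). It also folds in the port redirect from the “Redirecting a port to a local machine” post and the MAC filter from the “Filtering by MAC Address” post, as an optional allowlist. The interface names, addresses and MACs are assumptions; DRY_RUN=1 prints the rules instead of loading them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (written for this page, not the original post's script):
# the DROP-policy firewall above rebuilt with connection tracking, plus the
# port redirect from the "Redirecting a port" post and an optional MAC
# allowlist for LAN hosts.  Interface names, addresses and MACs are
# assumptions; adjust them to your network.  DRY_RUN=1 prints the commands
# instead of running them.

WAN="${WAN:-eth1}"                        # card connected to the DSL/cable router
LAN="${LAN:-eth0}"                        # card connected to the switch
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.0.10}"  # internal host that should receive port 80
LAN_MACS="${LAN_MACS:-}"                  # space-separated MACs allowed out; empty = no MAC check

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

fw_flush() {
    for t in filter nat; do
        run iptables -t "$t" -F; run iptables -t "$t" -X; run iptables -t "$t" -Z
    done
}

fw_policy() {
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
}

fw_base() {
    run iptables -A INPUT  -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    # Packets on the WAN side claiming a LAN source address are spoofed.
    run iptables -A INPUT   -i "$WAN" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    # Replies to accepted connections come back via conntrack, so no --sport
    # rules are needed and a forged source port buys an attacker nothing.
    run iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The firewall itself may open connections (updates, DNS, ...).
    run iptables -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
    # Manage the firewall over SSH from the LAN only.
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

fw_lan_out() {
    if [ -n "$LAN_MACS" ]; then
        # MACs are trivially spoofed: this keeps unknown boxes off, it is not authentication.
        run iptables -N lan_macs
        for mac in $LAN_MACS; do
            run iptables -A lan_macs -m mac --mac-source "$mac" -j RETURN
        done
        run iptables -A lan_macs -j DROP
        run iptables -A FORWARD -i "$LAN" -s "$LAN_NET" -j lan_macs
    fi
    # New connections from the LAN to the Internet, hidden behind the WAN address.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

fw_port_forward() {
    # Port 80 arriving on the WAN is handed to the internal web server.  With a
    # DROP policy the FORWARD rule is mandatory; no SNAT is needed as long as
    # the server's default gateway is this firewall.
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER"
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$WEB_SERVER" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
}

fw_main() {
    fw_flush
    fw_policy
    fw_base
    fw_lan_out
    fw_port_forward
    run sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    apply) fw_main ;;
    *) echo "usage: $0 apply    (DRY_RUN=1 $0 apply only prints the rules)" ;;
esac
```

Review the output of `DRY_RUN=1 sh firewall.sh apply` first, then run it as root with `sh firewall.sh apply`. Setting LAN_MACS="00:12:8D:EE:6E:AB 00:11:22:33:44:55" restricts Internet access to those two hosts; leave it empty to skip the MAC check.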

See you!


How To:LAN Firewall with IPTables (I)

June 19, 2007

Hi again!

When you want a homemade firewall, there are some options: buying a “physical” firewall, installing firewall software on each computer of the LAN, or building our own iptables firewall on an old computer. The first option is very expensive for home users; the second could be a valid option, but if we have different operating systems on our LAN we need to manage different firewall software depending on the OS, or install the same one on all the computers of our LAN. A lot of work to do!! That last one is a very, very boring option 😛 . Using an old computer is probably the best and cheapest way to build our homemade firewall.


This is all we need to build the firewall :

  • Old computer (or a new one if you prefer…)
  • Two ethernet cards
  • A 10/100 or similar Switch
  • Linux (*NIX) distro installed

The network layout is: Internet ↔ DSL/cable router ↔ [WAN card] firewall [LAN card] ↔ switch ↔ LAN computers.

I have always used the Debian or Gentoo distros, but any Linux distro works for this. Only one more thing: you must have the kernel modules needed by iptables loaded (iptables is the userspace tool; the kernel side of it is the netfilter framework).

In the next post i’ll comment on the necessary Kernel modules, commands and an example script to do the Firewall πŸ™‚

See you!