Saturday, July 25, 2020

Linux Simple Firewall Using IPTABLES

The basic computer protection is to only allow connections necessary. Anything else should be disconnected.

I want to check what ports my Kali Linux has currently open. The best tool to quickly do that is NMAP scanner (written by Gordon Lyon).

Here goes (my Kali Linux):

jr@rat $ nmap 192.168.0.251

Starting Nmap 7.01 ( https://nmap.org ) at 2020-07-25 09:07 IST
Nmap scan report for hack (192.168.0.251)
Host is up (0.0038s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
jr@rat $ 

That's good. Only the SSH server is running on the box.

What is the current state of IPTABLES configuration?

pi@hack: $ sudo iptables -L
[sudo] password for pi: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
pi@hack: $ 

Here's a simple protection allowing only SSH traffic to my Linux box.

INPUT policy is set to 'ACCEPT'. I want to change it.

I would like to give it a simple, extra layer of protection. In case I open other ports in the future, they won't be accessible to the rest of my network, not until I permit it in IPTABLES.

So here is my simple configuration allowing SSH only.

pi@hack: $ sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
pi@hack: $ sudo iptables -A INPUT -i lo -j ACCEPT
pi@hack: $ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
pi@hack: $ sudo iptables -P INPUT DROP
pi@hack: $ 

What is it doing?

iptables -A INPUT
It will add (-A) an entry to the INPUT chain (the one that deals with packets trying to enter the box).

-m conntrack
This refers to the stateful firewall module that allows the system to track existing connections (initiated by this very computer) and accept the returning traffic rather than drop it.

ESTABLISHED,RELATED
Connections can be in different states. Here ESTABLISHED means that my system has already received a reply from the host it sent a packet to. RELATED covers packets that relate to an already ESTABLISHED session (like an FTP data session that relies on an already established control session).

--ctstate
This selects the connection states to match, such as ESTABLISHED, RELATED, INVALID, etc.

The next line,

iptables -A INPUT -i lo -j ACCEPT

allows daemons to talk to the loopback interface. Without this line, local software can't talk to other hosts.

The line that allows SSH traffic in is self-explanatory:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

And finally, the INPUT policy (-P) will drop everything that is not otherwise allowed.

The last problem to solve is that this configuration is not persistent. It will not survive a reboot.

In order to keep it working like this after the computer is rebooted, I need to install an extra package.

pi@hack: $ sudo apt-get install iptables-persistent
pi@hack: $

During the installation, a window pops up asking if I want to save the current configuration. I am going to oblige.

Verification of this 'save' is below:

pi@hack: $ cat /etc/iptables/rules.v4
# Generated by xtables-save v1.8.2 on Sat Jul 25 09:41:15 2020
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sat Jul 25 09:41:15 2020
pi@hack: $
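As an added check (example code written for this page, not from the post): a small Python script that parses the saved rules.v4 format shown above and reports whether the INPUT default is DROP, whether the loopback and conntrack rules survived the save, and which ports the INPUT chain still lets in. The sample ruleset is constructed to mirror the file above; run it against the real /etc/iptables/rules.v4 before trusting a reboot.

```python
"""Audit a saved iptables ruleset (iptables-save / rules.v4 format): INPUT
default policy, loopback and conntrack ACCEPTs, and which ports are open."""
# Constructed sample mirroring the /etc/iptables/rules.v4 shown in the post.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_filter_table(text):
    """Return (policies, rules): chain -> policy, and each '-A' rule as a token list."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                  # table header: *filter, *nat, ...
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):  # ':INPUT DROP [0:0]' = default policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(line.split())            # rules here contain no quoted args
    return policies, rules

def _opt(argv, flag):
    """Value that follows `flag` in a tokenised rule, or None if absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def audit(text):
    """What INPUT lets in, and whether the post's three safeguards are present."""
    policies, rules = parse_filter_table(text)
    accepts = [r for r in rules if r[1] == "INPUT" and _opt(r, "-j") == "ACCEPT"]
    return {
        "input_policy": policies.get("INPUT"),            # should be DROP
        "loopback_accepted": any(_opt(r, "-i") == "lo" for r in accepts),
        "return_traffic_accepted": any(
            "conntrack" in r and {"ESTABLISHED", "RELATED"}
            <= set((_opt(r, "--ctstate") or "").split(","))
            for r in accepts),
        # anything beyond ('tcp', '22') here is a port the post did not mean to expose
        "open_ports": sorted((_opt(r, "-p"), _opt(r, "--dport"))
                             for r in accepts if "-p" in r and "--dport" in r),
    }
```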

After adding extra lines, the new configuration can be saved with the following command:

sudo sh -c "iptables-save > /etc/iptables/rules.v4"

Similarly, restoring the configuration from the file looks as follows:

sudo sh -c "iptables-restore < /etc/iptables/rules.v4"

One last observation about Kali Linux is that the iptables service is not turned on by default.

pi@hack: $ systemctl status iptables
● iptables.service - netfilter persistent configuration
     Loaded: loaded (/etc/alternatives/iptables.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
       Docs: man:netfilter-persistent(8)
pi@hack: $

A quick 'enable' (or 'start' to start it right now) should do the trick. After the next reboot, iptables will be turned on, doing what I have asked it to do.

pi@hack: $ sudo systemctl enable iptables
Created symlink /etc/systemd/system/multi-user.target.wants/netfilter-persistent.service → /lib/systemd/system/netfilter-persistent.service.
pi@hack: $

On to the next system discovery...