Networking in Qubes OS

I’ve recently started to use Qubes OS and I want to set up a virtual IDS and IPS in separate VMs, but I can’t figure out how the communications between different VMs work here.

Each VM should be isolated and all the connections handled by a separate FirewallVM (sys-firewall), which is connected to the NetVM (sys-net), which, in the basic configuration, is the only one that has the network devices attached (Ethernet and WiFi cards).

I’ve read the iptables rules in all VMs and found that the VM Manager automatically sets up a DNAT redirection to let the DNS packets (port 53) exit through sys-net, but I can’t understand how all the packets can go through each layer and return to the different original source AppVMs connected through sys-firewall.

As for the IDS and IPS, I can easily handle and filter packets based on their content, but I can’t think how to filter, for example, the source IP based on a blacklist, since I can’t see the real origin, and since each VM is a separate system which can be based on different templates (Fedora, Debian, Whonix, …) I think the packet options can be altered.

So, can iptables and auditing tools like psad only be placed in the VM that is directly connected to the router?

Some basic info

  • Qubes OS is a system based on isolation through hardware virtualization technology that lets you run different domains (Personal, Work, Untrusted, …) based on different systems (templates) in VMs, and each instance is completely separate from the others, so that if one gets compromised, the system remains clean and fully usable
  • You can choose which devices to attach to a VM and detach from it, so in the standard and savvy configuration you have a sys-net machine which is the only one that can connect to the Internet (Ethernet/WiFi attached) and a sys-firewall machine which handles all the connections and passes them through sys-net, so you have 2 levels (you can add more) of isolation for the other domains (e.g. PublicWiFi -> sys-firewall -> sys-net, Trusted -> sys-firewall -> sys-net)


I’ll post the sys-firewall and sys-net ifconfig and iptables-save outputs, to give you all the details.

VMs Details:

             me | updbl |  type |         netvm |          ip |    ip back | gateway/DNS |
----------------+-------+-------+---------------+-------------+------------+-------------+
         {dom0} |   Yes | Admin |           n/a |  10.137.0.2 | 10.137.0.1 |         n/a |
      {sys-net} |       |   Net |           n/a |        None | 10.137.1.1 |         n/a |
 {sys-firewall} |       | Proxy |       sys-net |  10.137.1.8 | 10.137.2.1 |  10.137.1.1 |
   {sys-whonix} |       | Proxy |  sys-firewall | 10.137.2.10 | 10.137.3.1 |  10.137.2.1 |
      {sys-usb} |       |   Net |           n/a |        None | 10.137.4.1 |         n/a |
    [fedora-23] |   Yes |   Tpl | *sys-firewall |  10.137.2.3 |        n/a |  10.137.2.1 |
      untrusted |       |       | *sys-firewall |  10.137.2.9 |        n/a |  10.137.2.1 |
     [debian-8] |   Yes |   Tpl |  sys-firewall |  10.137.2.4 |        n/a |  10.137.2.1 |
       personal |       |       |             - |        None |        n/a |         n/a |
    [whonix-gw] |   Yes |   Tpl |    sys-whonix |  10.137.3.5 |        n/a |  10.137.3.1 |
    [whonix-ws] |   Yes |   Tpl |    sys-whonix |  10.137.3.6 |        n/a |  10.137.3.1 |
    anon-whonix |       |       |    sys-whonix | 10.137.3.11 |        n/a |  10.137.3.1 |

sys-firewall iptables:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

:PR-QBS - [0:0]
:PR-QBS-SERVICES - [0:0]

-A PREROUTING -j PR-QBS
-A PREROUTING -j PR-QBS-SERVICES

-A POSTROUTING -o vif+ -j ACCEPT
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -j MASQUERADE

-A PR-QBS -d 10.137.2.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.1.1
-A PR-QBS -d 10.137.2.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.1.1

-A PR-QBS -d 10.137.2.254/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.1.254
-A PR-QBS -d 10.137.2.254/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.1.254

sys-firewall ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:16:3e:5e:6c:06  
          inet addr:10.137.1.8  Bcast:10.255.255.255  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:N errors:0 dropped:0 overruns:0 frame:0
          TX packets:N errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:N errors:0 dropped:0 overruns:0 frame:0
          TX packets:N errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 

sys-net iptables:

COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

:PR-QBS - [0:0]
:PR-QBS-SERVICES - [0:0]

-A PREROUTING -j PR-QBS
-A PREROUTING -j PR-QBS-SERVICES

-A POSTROUTING -o vif+ -j ACCEPT
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -j MASQUERADE

-A PR-QBS -d 10.137.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PR-QBS -d 10.137.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1

-A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT

sys-net ifconfig:

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets N bytes N
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets N bytes N
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vif62.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.137.1.1  netmask 255.255.255.255  broadcast 0.0.0.0
        ether fe:ff:ff:ff:ff:ff  txqueuelen 32  (Ethernet)
        RX packets N bytes N
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets N bytes N
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp0s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.4  netmask 255.255.255.0  broadcast 192.168.1.255
        ether 30:3a:64:3a:a2:2d  txqueuelen 1000  (Ethernet)
        RX packets N bytes N
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets N bytes N
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


System-Level Network Security (Packet Classification and etc.) – SELinux and Libnftnl

I read that Libnftnl is a userspace library providing a low-level netlink programming interface to the in-kernel nf_tables subsystem and it uses NFTables.

Since it’s a kernel related topic, at the very first time of hearing …

How to prevent ICMP redirection produced by a man-in-the-middle

How can I prevent my route from being redirected by ICMP redirect packets from a man-in-the-middle?

I am specifically looking to avoid someone using ettercap with the -M icmp option. From man ettercap:

 icmp (MAC/IP)
                     This attack  implements  ICMP  redirection.  It  sends  a
                     spoofed  icmp  redirect  message  to the hosts in the lan
                     pretending to be a better route for internet. All connec‐
                     tions  to  internet  will  be  redirected to the attacker
                     which, in turn, will forward them to  the  real  gateway.
                     The  resulting  attack  is  a  HALF-DUPLEX mitm. Only the
                     client is redirected, since the gateway will  not  accept
                     redirect  messages  for  a directly connected network. BE
                     SURE TO NOT USE FILTERS THAT MODIFY THE  PAYLOAD  LENGTH.
                     you  can  use  a filter to modify packets, but the length
                     must be the  same  since  the  tcp  sequences  cannot  be
                     updated in both ways.
                     You  have  to pass as argument the MAC and the IP address
                     of the real gateway for the lan.
                     Obviously you have to be able to sniff all  the  traffic.
                     If  you  are on a switch you have to use a different mitm
                     attack such as arp poisoning.
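
The man page text quoted above also explains why this attack is hard to tell apart from a legitimate redirect: ettercap sends the message from the real gateway's address and quotes the victim's own datagram, so it satisfies the sanity checks RFC 1122 asks a host to apply (from the current first hop, quoting a packet we sent, new gateway on the directly connected network). The following is an added example, not code from the question or from ettercap: it constructs such a redirect from assumed addresses (victim 192.168.1.10, gateway 192.168.1.1, attacker 192.168.1.66, a constructed remote host 198.51.100.7), parses it, applies the RFC 1122 checks, and then compares the announced gateway against an allowlist of routers, which is the one host-side check that does flag it. The function names are the example's own.

```python
import socket
import struct
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Set

ICMP_REDIRECT = 5          # ICMP type; code 1 = "redirect datagrams for the host"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; recomputing over a valid block gives 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(proto: int, length: int, src: str, dst: str) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_redirect(src: str, dst: str, new_gw: str, orig_src: str, orig_dst: str) -> bytes:
    """Constructed IPv4 + ICMP redirect shaped like the one ettercap -M icmp sends.

    src is the address being spoofed (the real gateway), dst the victim, new_gw the
    attacker, and the quoted datagram is the victim's original IP header plus the
    first 8 bytes of its payload (here a UDP header to port 53).
    """
    quoted = _ipv4_header(17, 28, orig_src, orig_dst) + struct.pack("!HHHH", 40000, 53, 8, 0)
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, socket.inet_aton(new_gw)) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return _ipv4_header(1, 20 + len(icmp), src, dst) + icmp


def parse_redirect(frame: bytes) -> Optional[Dict[str, object]]:
    """Fields of an ICMP redirect carried in an IPv4 packet, or None if it is not one."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1 or len(frame) < ihl + 8 + 20:       # not ICMP, or too short
        return None
    icmp = frame[ihl:]
    itype, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if itype != ICMP_REDIRECT:
        return None
    quoted = icmp[8:]                                     # the datagram being redirected
    return {
        "src": socket.inet_ntoa(frame[12:16]),
        "dst": socket.inet_ntoa(frame[16:20]),
        "code": code,
        "new_gateway": socket.inet_ntoa(gw),
        "quoted_src": socket.inet_ntoa(quoted[12:16]),
        "quoted_dst": socket.inet_ntoa(quoted[16:20]),
        "checksums_ok": inet_checksum(frame[:ihl]) == 0 and inet_checksum(icmp) == 0,
    }


def classify(frame: bytes, my_ip: str, lan: str, known_routers: Set[str]) -> str:
    """Apply the RFC 1122 host checks, then an allowlist of routers.

    Verdicts: 'ignore' (not a redirect), 'reject' (fails the RFC checks),
    'accept' (new gateway is a router we already trust), 'suspect' (well-formed
    and from our gateway's address, but pointing at an unknown LAN host: the
    ettercap pattern).
    """
    r = parse_redirect(frame)
    if r is None:
        return "ignore"
    well_formed = (
        r["checksums_ok"]
        and r["src"] in known_routers                          # from our current first hop
        and r["quoted_src"] == my_ip                           # quotes a datagram we sent
        and IPv4Address(r["new_gateway"]) in IPv4Network(lan)  # new hop is on-link
    )
    if not well_formed:
        return "reject"
    return "accept" if r["new_gateway"] in known_routers else "suspect"


if __name__ == "__main__":
    VICTIM, GATEWAY, ATTACKER, LAN = "192.168.1.10", "192.168.1.1", "192.168.1.66", "192.168.1.0/24"
    forged = build_redirect(GATEWAY, VICTIM, ATTACKER, VICTIM, "198.51.100.7")
    print(parse_redirect(forged))
    print(classify(forged, VICTIM, LAN, {GATEWAY}))          # suspect: passes RFC checks
```

The forged message comes out well-formed, which is the point: a host cannot distinguish it from a real redirect by inspection alone, so the prevention on Linux is to stop honouring redirects at all with sysctl: net.ipv4.conf.all.accept_redirects=0 and net.ipv4.conf.default.accept_redirects=0, plus net.ipv4.conf.all.secure_redirects=0, because secure_redirects only limits acceptance to redirects that appear to come from a gateway in the routing table, which is exactly the address ettercap spoofs. Once the kernel ignores them, a classifier like the one above is only useful as an alert source fed from a packet capture.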
