Tag: firewall
ip tables commands which ‘might’ make your firewall PCI compliant
Tags: Linux, PCI, Ubuntu
This is a list of the iptables commands that will set up a minimal firewall which ‘might’ be PCI compliant.
This is primarily here to remind me, so I have a reference in the future.
I also have ports open for FTP and SSH for a single developer IP, as well as monitoring for a single monitoring server. The format is simple and can easily be changed for other services.
Be sure to replace ‘my.ip’ with your development IP, and ‘monitoring.ip’ with
This is on a Linux Ubuntu machine (of course).
apt-get install iptables iptables-persistent

iptables -A INPUT -i lo -j ACCEPT
# FTP data connections only match RELATED when the nf_conntrack_ftp helper is loaded (modprobe nf_conntrack_ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s my.ip/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -s my.ip/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 5666 -s monitoring.ip/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p udp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 443 -j ACCEPT
# Drop ICMP timestamp requests before the catch-all REJECT; placed after it, this rule is never reached and the REJECT answers them instead
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -j REJECT --reject-with icmp-host-unreachable
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
# Illegal TCP flag combinations (SYN/FIN, SYN/RST, Xmas, null, all-flags) dropped in the raw table before conntrack sees them
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables-save > /etc/iptables/rules.v4
Setting up Nagios monitoring on Windows 2003r2 through a Firewall
Technologytrain blogs
Download nrpe_nt (currently nrpe_nt.0.8b-bin.zip) and extract it to the root of C: on the target Windows machine. You should have a directory called C:\nrpe that contains a sub-directory called bin.

Download the plugins (currently nrpe_nt_plugins.zip). Unzip this file and place the executables in a directory called C:\nrpe\plugins\bin.

Change to the C:\nrpe\bin directory and edit the nrpe.cfg file to look like this:

server_port=<port# you'll use for this particular target machine>
server_address=<this target machine's IP address>
allowed_hosts=<the IP address of your Nagios server>
debug=1
command_timeout=30
loglevel=7
command[check_cmd]=C:\nrpe\bin\test.cmd
command[check_cpuload]=C:\nrpe\plugins\bin\cpuload_nrpe_nt.exe 70 90
command[check_disk_c]=C:\nrpe\plugins\bin\diskspace_nrpe_nt.exe c: 70 90
command[check_disk_d]=C:\nrpe\plugins\bin\diskspace_nrpe_nt.exe d: 70 90
command[check_disk_e]=C:\nrpe\plugins\bin\diskspace_nrpe_nt.exe e: 70 90
command[check_memload]=C:\nrpe\plugins\bin\memload_nrpe_nt.exe 70 90

Open a command prompt and run:

cd \nrpe\bin
nrpe_nt -i

You should get a confirmation that the service was created successfully. Go to Administrative Tools > Services and start the service.

You can test that the client is listening on the designated port on the Windows target machine:
netstat -aon | findstr <port#>
Test the connection from the CLI on the Nagios server:

/usr/lib/nagios/plugins/check_nrpe -H <IP of the firewall> -p <port# defined in the firewall and configured in nrpe.cfg on the target>

On the Nagios server, in the /etc/nagios3/conf.d/check_nrpe.cfg file, define a command that uses the -p switch to allow for a port # argument:

define command {
    command_name check_nrpe_port
    command_line /usr/lib/nagios/plugins/check_nrpe -t20 -H $HOSTADDRESS$ -c $ARG1$ -p $ARG2$
}

-c = the command on the target machine (its executable lives in C:\nrpe\plugins\bin)
-p = the port #

In the /etc/nagios3/conf.d/hosts_orig.cfg file, create your host using the IP address of the firewall:

define host{
    use       test-host
    host_name test-dc1
    alias     test-dc1
    address   <IP address of the gateway>
}

In the /etc/nagios3/conf.d/services.cfg file, create the services for your host using the host_name defined above and the command name you created, with arguments. Set the port number for this target machine here, making sure the port# matches the target machine where you defined that port#.

define service{
    use                 test-template
    host_name           test-dc1
    service_description disk C:
    check_command       check_nrpe_port!check_disk_c!5667
}

define service{
    use                 test-template
    host_name           test-dc1
    service_description CPU load
    check_command       check_nrpe_port!check_cpuload!5667
}

define service{
    use                 test-template
    host_name           test-dc1
    service_description memory load
    check_command       check_nrpe_port!check_memload!5667
}

Reload Nagios and check for errors:

service nagios3 reload

At the firewall:

Note: This example is using a Safe@Office 500P firewall, so the terminology may be different. You will need to create a service using the TCP protocol corresponding to each NRPE port number that you'll be using. In this case, I'm using 5666 through 5671. In my case, these settings were under Network > Services in the 500P configuration web interface.
Create a new network object for the Nagios server using its IP address. You'll need network objects for the target machines that you'll be monitoring. Create “Allow and Forward” rules for each of your target machines using the service for the port # you assigned to that target machine:

Service = Standard Service, the service with the correct port for your target machine
Source = your Nagios server
Destination = “This Gateway”
Forward to = target machine

Continue by configuring your Nagios server to monitor these new targets. When defining the host in the hosts.cfg file for Nagios, use the firewall's gateway IP address.

Matt Long 02/05/2015
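The one-port-per-target pattern described in this post, generalised as an added example that is not code from the original post: the host and service objects for every Windows target are generated from a small table, and a port that is non-numeric or assigned to two targets is rejected, because two hosts behind one forwarded port would both be answered by whichever machine the firewall forwards that port to. The template names (test-host, test-template), the check names and the check_nrpe_port command come from the post; the TARGETS table and the render_* function names are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post): generate the per-target
# Nagios host and service objects from a table, one NRPE port per target.
# TARGETS and the render_* names are assumptions; the templates, checks and
# check_nrpe_port command are the ones the post defines.

set -eu

# Constructed sample table: "host_name port", one target per line. The port
# must equal server_port in that target's nrpe.cfg and the port the firewall
# forwards to that machine.
TARGETS='test-dc1 5667
test-fs1 5668
test-sql1 5669'

# Host object. Every target is addressed via the gateway; the firewall's
# per-port forward rule decides which Windows machine actually answers.
render_host() {
    host=$1
    gateway=$2
    cat <<EOF
define host{
    use        test-host
    host_name  $host
    alias      $host
    address    $gateway
}
EOF
}

# One service per NRPE command; the target's port is passed as $ARG2$.
render_services() {
    host=$1
    port=$2
    for pair in 'check_disk_c:disk C:' 'check_cpuload:CPU load' 'check_memload:memory load'; do
        cmd=${pair%%:*}      # text before the first colon
        desc=${pair#*:}      # text after it (may itself contain a colon)
        cat <<EOF
define service{
    use                 test-template
    host_name           $host
    service_description $desc
    check_command       check_nrpe_port!$cmd!$port
}
EOF
    done
}

# Render the whole table, refusing a non-numeric port or a port used twice.
render_all() {
    gateway=$1
    seen=""
    while read -r host port; do
        case $port in
            ''|*[!0-9]*) echo "bad port '$port' for $host" >&2; return 1 ;;
        esac
        case " $seen " in
            *" $port "*) echo "port $port assigned twice ($host)" >&2; return 1 ;;
        esac
        seen="$seen $port"
        render_host "$host" "$gateway"
        render_services "$host" "$port"
    done <<EOF
$TARGETS
EOF
}

# Usage: render_all <gateway IP> > /etc/nagios3/conf.d/nrpe_targets.cfg
#        nagios3 -v /etc/nagios3/nagios.cfg    # verify the config before reloading
```

Verifying with nagios3 -v before the reload catches a missing template or a duplicated host_name; the port checks in render_all catch the mistake that Nagios itself cannot see, since from its side every target has the gateway's address.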