Protecting a Windows laptop with iptables

Tue, 14 Jun 2011 02:33:48 -0400

Background:

One night last week I sat down to tune up the native firewall running on my copy of Windows 7. I quickly became frustrated with how long it was taking to point-and-click my way through the process of pruning back permissions. Between the annoyance of finding entries that various installers had entered without my permission and seeing that almost every rule had triplicates to cover each profile (Private, Public, and Domain), I decided that there had to be a better way.

As much as I would love to cut the Microsoft-cord and live in a pure open-source world, some of my frequently used applications don’t come in Linux-flavor (iTunes, Guitar Pro, Visio, etc). Occasionally, I also like to take my laptop to local LAN parties and get my Unreal Tournament and StarCraft II on. Because of this, I am reliant on a non-virtualized Window operating system. After some thought and research, I decided to create a virtual machine to act as a gateway/firewall for my host OS.

Preparation:

I first started by downloading and installing an updated version of Oracle’s VirtualBox virtualization environment.
I also grabbed the 64-bit version of the Ubuntu Server 11.04 ISO. Debian or Fedora would have easily taken care of the job as well.

Install the VM:

Create a new VM.
I have 16GB of RAM in my laptop, so I had no problem dishing out 512MB to the VM, but if you need to be more frugal with your memory, you’ll probably be fine with 128MB.
I allocated 4GB to the dynamically-expanding virtual hard drive, but again, you could probably go as low as 2GB without problems.
Removed the floppy device and disabled the audio.
Set up the network adapters as listed below.
Point the CD device at the Ubuntu Server ISO.
Start the VM.
Select “Install Ubuntu Server”.
When Ubuntu asks which network interface to use as the primary, select “eth0”. That will be Bridged Adapter.
Pick a hostname.
I chose to format the disk using the quick “Guided - Use Entire Disk” method for simplicity sake, but you can partition it up however you want.
When it comes time to set a username and password, note that if you configure the firewall the way I did, there will be no access to the VM’s operating system except through the VirtualBox window. Because of this, I wouldn’t bother making an uber-secure 16-character password for this.
Disable automatic updates (the VM will not have the ability to connect to the internet).
Don’t select any packages.
Wait for the install to complete.
Answer ‘yes’ to the GRUB question.
Reboot the VM. Optionally you can shut down instead, remove the CD device, and start back up.

Configure the VM:

Edit the network interfaces configuration file to include the following:
sudo vim /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
    address 192.168.56.1
    netmask 255.255.255.0
    network 192.168.56.0

Create the iptables firewall setup script. Note that all scripts in the ‘if-up.d’ directory will automatically be run when a network interface comes up. To allow incoming connections to reach your Windows OS, add space-separated port numbers into the FORWARDED_TCP_PORTS or FORWARD_UDP_PORTS arrays.
For example, allowing a web server: “FORWARDED_TCP_PORTS=( 80 443 )”

sudo vim /etc/network/if-up.d/iptables

#!/bin/bash

IPTABLES=/sbin/iptables
IF_PUBLIC=eth0
IF_PRIVATE=eth1
HOST=192.168.56.2
FORWARDED_TCP_PORTS=()
FORWARDED_UDP_PORTS=()

echo -n "Flushing existing iptables rules... "
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
echo "DONE"

echo -n "Setting up ingress rules... "
# No inbound traffic allowed
echo "DONE"

echo -n "Setting up egress rules... "
# No outbound traffic allowed
echo "DONE"

echo -n "Setting up the NAT... "
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $IF_PRIVATE -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $HOST -o $IF_PUBLIC -j MASQUERADE
echo "DONE"

echo -n "Setting up forwarded ports... "
for PORT in ${FORWARDED_TCP_PORTS[@]}; do
    $IPTABLES -A FORWARD -p tcp --dport $PORT -i $IF_PUBLIC -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -p tcp --dport $PORT -i $IF_PUBLIC -j DNAT --to $HOST:$PORT
done
for PORT in ${FORWARDED_UDP_PORTS[@]}; do
    $IPTABLES -A FORWARD -p udp --dport $PORT -i $IF_PUBLIC -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -p udp --dport $PORT -i $IF_PUBLIC -j DNAT --to $HOST:$PORT
done
echo "DONE"

Add execution permissions to the script.
sudo chmod +x /etc/network/if-up.d/iptables
Configure the kernel to allow IP forwarding by uncommenting the line:
“net.ipv4.ip_forward=1” in the sysctl configuration file.
sudo vim /etc/sysctl.conf
Shut down the VM and optionally take a snapshot.

Configure VirtualBox Networking

In the main VirtualBox application, open up the network preferences (found in the File -> Preference window and under the Network section).
Select the Host-Only Adapter and click the edit button on the right-hand side of the pane (looks like a screwdriver).
Verify the IPv4 address is 192.168.56.1.
On the DHCP Server tab, uncheck the “Enable Server” option.

Configure the Windows Host Networking

Open the Windows network adapters control window. This will be labeled and in different places depending on your version of Windows.
Right-click on your Wireless LAN and/or Wired LAN adapter and click properties.
Uncheck or remove everything except what is shown in the image below.
Select the IPv4 protocol and click the Properties button. Fill out the values to match the following image below.
Click “OK” twice to return back to the list of network adapters. Right-click on the “VirtualBox Host-Only” adapter and click properties.
Uncheck or remove everything except what is shown in the image below.
Select the IPv4 protocol and click the Properties button. Fill out the values to match the following image below. I have my own DNS server as the preferred server and the OpenDNS servers as two alternate servers (more than two DNS servers can be specified by using the “Advanced…” button).
Optionally, you could disable your native Windows firewall entirely unless you want to maintain application-level firewall rules.
Press “OK” and you’re done.

Done!

With any luck, you should be able to start up your Firewall VM, minimize it, and go about your business on the interwebs.

So the girlfriend and I were hiking today...

Sat, 07 May 2011 22:17:22 -0400

…and we noticed a sign beside the trail stating “CAUTION: This area is open to hunting”. At one point I caught myself thinking how we were now flagged for PvP.

The newest track to achieve the ultimate honor of receiving the...

Sat, 30 Apr 2011 11:38:00 -0400

The newest track to achieve the ultimate honor of receiving the coveted 5-star rating in my iTunes library. This Is Letting Go joins other 5-star Rise Against tracks such as Rumors of My Demise Have Been Greatly Exaggerated, Whereabouts Unknown, and Collapse.

Artist: Rise Against
Track: This Is Letting Go
Album: Endgame (2011)

IM bots are getting smarter... slightly

Fri, 29 Apr 2011 20:47:00 -0400

I logged into my IM accounts on Pidgin this evening and instantaneously messaged by an unknown user with an attractive female as the profile picture. Ignoring the alias, I checked the actual username expecting to see something along the lines of “htwcgv84209”, but instead it was a very normal looking username. Despite the author’s best attempts, it didn’t take but three lines for me to tell it was a bot though.

What I found interesting was the response I got when asking if the user was a bot:

i don’t think so. lol

I asked a second time and got the response:

whats that? like a robot?

After simply typing the word “bot” several more times, I found that these were canned responses that were selected randomly and repeated after a few inquiries.

At this point I got curious and began trying to find other keywords that the author had embedded in his program. Aside from triggering the “let’s cam” / “click here for a private area where no one can watch us” / “you just have to use your credit card to prove you are old enough” standard script, I did manage to find a couple keywords. My favorite was the response to the word “police”:

hahaha! call em! and tell them you are reporting a felony… YOUR HAIRSTYLE!! You might wanna get that looked at!

NullPointerException

Protecting a Windows laptop with iptables

So the girlfriend and I were hiking today...

The newest track to achieve the ultimate honor of receiving the...

IM bots are getting smarter... slightly