LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-21-2004, 12:52 AM   #1
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Rep: Reputation: 30
iptables - drop all -> allow needed OR allow all -> drop specific


Hi All,

Just wondering what people think the best approach is to firewall setups on a basic level.

Do people recommend dropping all in,out and forward packets then allowing only the services that need access to external or internal networks? Or it is quite ok to allow all and just block or drop connections to sensitive ports that do not need to be exposed to the external network?

At first glance they would seem to have the same effect. But, the first one would be more secure, I suppose, if someone managed to compromise your machine and open a backdoor that say listened on port 30000 or whatever then at least all outgoing and incoming connections to this service would be blocked, unless of course the intruder changed your iptables rule set.

Thanks in advance.
 
Old 12-21-2004, 02:12 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Usually dropping all and allowing only selected services is going to be the more secure option. That being said, it's entire possible to use a default of allow all and have it be equally secure, but it is much more difficult to determine what types of attacks/malicious traffic you'll need to block. This is because with an allow all policy, you'll have to define these types of traffic beforehand. For the novice user, this can be a extremely difficult task (ie should I allow SYN packets? SYN ACK? SYN RST? SYN URG PSH?!). So it is much easier to miss a critical rule and thereby open up your firewall (and even worse, not realize there is a gaping hole).

With a deny by default firewall, you can identify the rules you'll need more easily (look at the docs and see how the protocol works), they usually require less rules overall, and if you miss a critical rule it's usually much more apparent (you break some networking function). The downside to deny by default is that it usually requires more tweaking early on in order to allow the traffic you need (they tend to fail closed).

However, with either scenario a single miss-placed rule can open your system up to attack. So it's an absolute requirement to thoroughly test out a firewall script to see if it's doing what you think it should. In practice the allow all defaults tend to have more of a "oops, I forgot about that" -factor than the deny all scripts.

Ideally it's best to use drop policies on all three chains, but often people use an allow all policy on the OUTPUT chain because it makes configuration more easy (don't have to worry about basic networking requirements like DNS, DHCP, ping, etc). Also in most cases, you shouldn't see malicious outbound traffic, unless of course if an internal host is compromised, in which case having drop output policies can act as a final line of defenses and prevent a compromised machine from "connecting out" or attacking other machines.
 
Old 12-21-2004, 02:50 AM   #3
rhoekstra
Member
 
Registered: Aug 2004
Location: The Netherlands
Distribution: RedHat 2, 3, 4, 5, Fedora, SuSE, Gentoo
Posts: 356

Rep: Reputation: 40
To add to the wonderful clarification (it is ...)

Dropping all but a few has indeed the advantage of you knowing what you want to do... you KNOW you want HTTP, so you can open that port... you KNOW you want ftp, so you can open THAT port.... The other way around doesn't work as well... imagine: I KNOW I DON'T want blahblah... well, lots to think of...

Also... indeed a lot of iptables firewalls have the OUTPUT to be open.. having a tight INPUT gives best protection.. if you fully trust the local machine (the iptables machine), the OUTPUT could be set open... this together with a State RELATED,ESTABLISHED on the INPUT chain grants communication initiated by the local machine..

It really depends on what you want... there are two solution thoughts...:

- Security first, drop all but a few. I don't want anything to happen that I don't know of. Any service run on your local network isn't exposed until YOU say so.
- Ease of setup, allow but a few.. I don't want (lots of) administration about what port to open.. it needs to route my traffic, and security isn't that important.. I don't have any services opened anyways.

Hopes this adds some sense...

Last edited by rhoekstra; 12-21-2004 at 02:51 AM.
 
Old 12-21-2004, 03:00 AM   #4
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Original Poster
Rep: Reputation: 30
Thanks for the replies!
 
Old 12-21-2004, 03:05 AM   #5
Skyline
Senior Member
 
Registered: Jun 2003
Distribution: Debian/other
Posts: 2,104

Rep: Reputation: 45
Personally prefer the DROP all option, and then simply defining what ports/services you want to allow connections out to - as a simple example to allow outbound connections to 80 & 443:

Code:
#!/bin/bash  
iptables --flush  
iptables -P INPUT DROP  
iptables -P FORWARD DROP  
iptables -P OUTPUT DROP  
iptables -A INPUT -i lo -j ACCEPT  
iptables -A OUTPUT -o lo -j ACCEPT  
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT  
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dport 80,443 -j ACCEPT  
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Last edited by Skyline; 12-21-2004 at 03:17 AM.
 
Old 12-21-2004, 03:07 AM   #6
rhoekstra
Member
 
Registered: Aug 2004
Location: The Netherlands
Distribution: RedHat 2, 3, 4, 5, Fedora, SuSE, Gentoo
Posts: 356

Rep: Reputation: 40
Logging!

Oh.. I forgot something...

When you do choose for 'drop but a few' method, put a LOG entry just before you drop...
If you drop by policy, do the log entry as the very last, if you drop explicitly by a rule, put the log JUST before that one....

This way, if something is not working right, you can check the logs for packets that didn't come through. needs some practise to read them well, but it helps out in these situations...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Drop connections to port 80 at firewall machine also drop at protected network? Niceman2005 Linux - Security 2 10-27-2005 09:21 AM
drop packets for specific port with iptables ohcarol Linux - Security 1 07-03-2005 11:48 AM
mysql drop revoke user from specific host ? RedHat123 Programming 0 04-21-2005 03:54 PM
Drop pings from specific IP address GUIPenguin Linux - Networking 10 10-13-2004 11:18 PM
iptables how drop ip address issin Linux - Networking 4 09-02-2004 07:45 AM


All times are GMT -5. The time now is 08:28 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration