iptables good packet chain (instead of bad packet chain)
Almost anyone who's used Netfilter/iptables for packet-filtering is familiar with "bad packet chains". They are user-built chains with rules that match packets with characteristics you consider to be "bad", mainly unusual TCP flag combinations. Essentially, a bad packet chain is a packet blacklist (default allow).
I've often wondered if anyone has ever taken the opposite approach. That is, use a whitelist (default deny) to create a "good packet chain" instead. Default deny has shown to be a much more solid approach than default allow when it comes to information security in general, and I would like to know if it is feasible to use it in this particular context. Some specific questions I have might be: Would it be asking for trouble? Would it take too much work to build this kind of chain? Is it worth the effort? Your opinions on these and any other relevant questions would be greatly appreciated. |
Its definitely worth the effort. It is more secure especially if you default deny on all 3 main chains (input, forward, output). When you are first setting it up make sure you do it on a local machine that you have console access because more than likely you'll lock yourself out network wise at least once. Usually people only need a few "good" rules, though output can be messy which leads most people to just doing the deny on input and forward (which is still a good idea).
|
Quote:
|
hehe, glad I could be of some service at least, sorry it wasn't to answer the question :)
|
You can see an example of a typical bad packet chain here:
Code:
# Our "hey, them's some bad tcp flags!" chain. The idea I've been kicking around is to do the inverse, kinda like this: Code:
$IPT -N GOOD_FLAGS |
Okay, I decided to go for it and get started with a proof-of-concept. I've made a CHECK_FLAGS chain with matches for the TCP flag combinations which AFAIK I need for the handshake, data transfer, and termination phases. Here's the rules I'm using to test right now, with INPUT policy set to DROP and OUTPUT policy set to ACCEPT. This is on my laptop, which does run one service (BitTorrent), so the TCP flags I'm checking include both client and server angles.
Code:
$IPT -N CHECK_FLAGS |
Okay, after a couple days worth of testing, I've concluded that the whitelist approach is feasible. I can also say somewhat less conclusively (I still need to do more testing) that it works well. That said, I haven't really finished the chain yet, as I haven't been able to decide on how to deal with bad PSH and URG flags yet (I could easily do some blacklisting, but the whole point of my endeavor is to do whitelisting only).
Here's what I've got so far: Code:
$IPT -N CHECK_TCP_FLAGS Quote:
|
All times are GMT -5. The time now is 06:28 PM. |