LinuxQuestions.org, Linux - Security forum
02-13-2010, 02:41 AM   #1
r3sistance
Distribution: CentOS 5.4, Mac OS 10.4 (tiger)

iptables script

Hey all,

I have been working on a small script that flushes iptables and replaces it with a brand new rule set, what I want to check is that all the rules I am setting are actually secure.

Code:
# flush the filter table and delete any user chains left over from a previous
# run, so the -N calls below do not fail with "Chain already exists" on re-run
iptables -F
iptables -X

# create a new chain for traffic filtering and send both INPUT and OUTPUT through it
iptables -N allowed_traffic
iptables -A INPUT -j allowed_traffic
iptables -A OUTPUT -j allowed_traffic

# open used ports (new connections only; replies are handled by the
# RELATED,ESTABLISHED rule inserted at the top of the chain below)
iptables -A allowed_traffic -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A allowed_traffic -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A allowed_traffic -p icmp --icmp-type 8 -j ACCEPT   # echo request
iptables -A allowed_traffic -p icmp --icmp-type 0 -j ACCEPT   # echo reply
iptables -A allowed_traffic -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A allowed_traffic -p tcp --dport 110 -m state --state NEW -j ACCEPT
iptables -A allowed_traffic -p tcp --dport 143 -m state --state NEW -j ACCEPT
iptables -A allowed_traffic -p tcp --dport 465 -m state --state NEW -j ACCEPT
iptables -A allowed_traffic -p tcp --dport 995 -m state --state NEW -j ACCEPT
iptables -A allowed_traffic -p tcp --dport 993 -m state --state NEW -j ACCEPT
# -I puts this rule at the top of the chain, ahead of the port rules appended above
iptables -I allowed_traffic -m state --state RELATED,ESTABLISHED -j ACCEPT
# anything not matched above is rejected here, before the chain policy is ever consulted
iptables -A allowed_traffic -p all -j REJECT

# Create chain for ssh attacks
iptables -N SSH_CHECK

# ssh rules: -I places the jump at the top of INPUT, before the jump to
# allowed_traffic; SSH_CHECK records the source and drops it once it has opened
# 5 new connections within 300 seconds, otherwise the packet falls back into INPUT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 300 --hitcount 5 --name SSH -j DROP

# disable forwarding and save (CentOS/RHEL init script writes /etc/sysconfig/iptables)
iptables -A FORWARD -p all -j REJECT
service iptables save

# alternative save method "iptables-save > /etc/sysconfig/iptables"
At the moment this still uses port 22 for SSH but I am planning to change that later on. What I want to know is that everything this is doing seems sane and safe. This is a Web and Mail server for reference.

Thanks in Advance,
R3sistance.

 
02-13-2010, 08:26 AM   #2
smoker
I always thought that the first rule is to drop everything, then open the ports you require.
Otherwise, your rules aren't really doing anything as all ports are open by default.

e.g. http://www.debiantutorials.net/loadi...es-on-startup/

iptables -P INPUT DROP
iptables -P FORWARD DROP

Make sure you do specify some open ports later in the tables though, or you will be locked out !


regards

Alan
 
02-13-2010, 08:32 AM   #3
r3sistance
Thanks for the advice,

iptables -A allowed_traffic -p all -j REJECT

will reject anything that does not have an associated rule and is similar to the default way RHEL/CentOS handle iptables.
 
02-13-2010, 10:08 AM   #4
smoker
I see what you're saying, but that is at the end of your rule set. It should be at the beginning. You should go from most restrictive > least restrictive in the order they are applied.

regards
Alan
 
02-13-2010, 10:27 AM   #5
r3sistance
Hi, the policy is the last thing that is checked when a packet does not match anything; it would come later than a rule that blocks all left-over traffic, even if it is applied prior to the rules. As far as I am aware there is no way anybody can create a type of packet that isn't already dealt with.
 
02-13-2010, 04:10 PM   #6
salasi
Quote:
Originally Posted by smoker View Post
I always thought that the first rule is to drop everything, then open the ports you require.....

iptables -P INPUT DROP
iptables -P FORWARD DROP
This is to set a policy for the chain in question. A policy defines what happens, if the packet does not match any of the explicit rules and it falls through to the end.

In that sense, given that all of the explicit rules are tested before the policy comes into effect, the policy is the thing that comes into action last, even though it is the first thing that you specify.

So, it is correct that the policy is the first thing that you specify when setting up the rules for the chain, it is executed, if at all, after everything else in the chain.

To look at things the other way around, if the policy was the first thing tested, and the policy was set to drop or reject, all of the packets in that chain would be dropped (or rejected). That would be rather secure, but only in the same way that pulling out the network cable would be very secure.
 
02-13-2010, 05:46 PM   #7
win32sux
Why are you jumping to the same chain from both INPUT and OUTPUT?

Why aren't you making rules specially-tailored for either INPUT or OUTPUT instead?
 
02-14-2010, 02:16 AM   #8
r3sistance
The reason for that is that the only type of traffic going outwards from the server should be exactly the same as the traffic going into the server.
 
02-14-2010, 02:36 AM   #9
win32sux
Quote:
Originally Posted by r3sistance View Post
The reason for that is that the only type of traffic going outwards from the server should be exactly the same as the traffic going into the server.
I'm not sure I follow. Let's take the port 80/TCP rule, for example. Since this box provides Web service, you need to allow inbound connections to port 80/TCP - no problem. Your current setup, however, takes this a step further by also allowing users/applications on this box to start outbound connections to port 80/TCP on other boxes. Unless this is your deliberate intention, then you've got a security issue right there which you must address.

Generally speaking, on servers the amount of rules sending packets in state NEW to ACCEPT on the OUTPUT chain should be much, much less than the INPUT chain. In fact, in many cases, the number of packets in state NEW traversing the server's OUTPUT chain should be equal to zero (that is, there shouldn't be any outbound connections allowed at all). I'm mentioning this because it seems to me like you might believe that every one of those INPUT rules requires a corresponding OUTPUT rule, which isn't the case. An OUTPUT rule to deal with packets in states RELATED and ESTABLISHED should take care of most of your needs, with only a handful of rules required for allowing certain outbound connections - and only if necessary.

02-14-2010, 08:12 AM   #10
r3sistance
It's deliberate for 80 and 22 as this will be running VNC-server via SSH tunnel. However I will take that into account.
 
02-14-2010, 05:34 PM   #11
win32sux
Quote:
Originally Posted by r3sistance View Post
It's deliberate for 80 and 22 as this will be running VNC-server via SSH tunnel. However I will take that into account.
If those are the only outbound connections you need (Are you sure you don't need 53/UDP to your DNS provider's IP address?) then I'd suggest something like this:
Code:
#!/bin/sh

IPT="/sbin/iptables"

# this box is not a router: switch off IP forwarding in the kernel
echo "0" > /proc/sys/net/ipv4/ip_forward

# filter table: drop by default in all three built-in chains; the ACCEPT rules
# appended further down are the only way through
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

# the nat, mangle and raw tables are not used for filtering here, so reset
# their policies to ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

# flush every rule (-F), delete every user-defined chain (-X) and zero the
# packet/byte counters (-Z) in every table, so the script starts from a clean slate
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

$IPT -Z
$IPT -Z -t nat
$IPT -Z -t mangle
$IPT -Z -t raw

# SSH_CHECK: record the source address and drop it once it has opened 5 new
# connections within 300 seconds; sources under the limit fall through to INPUT
$IPT -N SSH_CHECK
$IPT -A SSH_CHECK -m recent --set --name SSH
$IPT -A SSH_CHECK -m recent --update --seconds 300 --hitcount 5 --name SSH -j DROP

# INPUT: replies to existing connections first, then loopback, then the services
# this host offers (unfragmented echo requests only)
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p TCP --dport 22 -m state --state NEW -j SSH_CHECK
$IPT -A INPUT -p TCP -m multiport --dports 22,25,80,110,143,465,993,995 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 8 ! --fragment -m state --state NEW -j ACCEPT

# OUTPUT: replies to accepted connections, loopback, and only the two kinds of
# outbound connection this box needs to start itself (SSH tunnel and web)
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -p TCP -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
BTW, if you know the user accounts which will be starting the outbound connections, then I would highly recommend making the rules specific to those users. This way if another non-root user account gets cracked, the firewall will still prevent your box from being used to attack other boxes.
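The ruleset the thread arrives at, written out as an added example (not code from the thread or from any of its posters) in iptables-save format, so that a single iptables-restore call loads the whole filter table in one atomic commit rather than a sequence of iptables commands that, as in both scripts above, leaves a window between setting the DROP policies and appending the ACCEPT rules. It combines the points made in posts #6, #9 and #11: the chain policies are written first but only apply to packets no rule has matched; the OUTPUT chain accepts RELATED,ESTABLISHED plus only the connections the box must start itself; and each of those outbound rules is pinned either to a destination host or to the local account that makes the connection (-m owner --uid-owner), so a cracked service account cannot use them to reach out. The account name vncuser, the resolver address 192.0.2.53 and the optional MTA account postfix are assumptions for illustration, not values from the page; check_ruleset is a hypothetical lint over the generated text, not an iptables feature.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset for a
# web/mail host that only starts outbound connections for one SSH-tunnel user.
# Assumed names (not from the page): vncuser, 192.0.2.53, and an optional MTA user.

gen_ruleset() {
    user="${1:-vncuser}"     # local account allowed to open outbound 22/80 (assumed)
    dns="${2:-192.0.2.53}"   # resolver this host may query (assumed address)
    mta="${3:-}"             # MTA account allowed outbound 25, if mail is delivered directly
    cat <<EOF
*filter
# policies are listed first but only apply to packets that no rule below has matched
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SSH_CHECK - [0:0]
# SSH_CHECK: note the source; drop it once it has opened 5 new connections in 300 s,
# otherwise fall through to the rest of INPUT
-A SSH_CHECK -m recent --set --name SSH
-A SSH_CHECK -m recent --update --seconds 300 --hitcount 5 --name SSH -j DROP
# INPUT: replies first, loopback, then the services this host offers
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
-A INPUT -p tcp -m multiport --dports 22,25,80,110,143,465,993,995 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 8 ! --fragment -m state --state NEW -j ACCEPT
# OUTPUT: replies and loopback, then only the connections this host must start.
# -m owner matches locally generated packets only, which is why it lives in OUTPUT.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp --dport 53 -d ${dns} -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 22,80 -m owner --uid-owner ${user} -m state --state NEW -j ACCEPT
EOF
    if [ -n "$mta" ]; then
        printf '%s\n' "-A OUTPUT -p tcp --dport 25 -m owner --uid-owner ${mta} -m state --state NEW -j ACCEPT"
    fi
    printf 'COMMIT\n'
}

# check_ruleset: a lint over the ruleset text on stdin (hypothetical helper, not an
# iptables feature). Fails unless all three built-in filter chains default to DROP,
# and fails if any OUTPUT rule accepts NEW connections pinned neither to a
# destination (-d) nor to a local user (--uid-owner).
check_ruleset() {
    rules=$(cat)
    n=$(printf '%s\n' "$rules" | grep -Ec '^:(INPUT|FORWARD|OUTPUT) DROP ' || true)
    [ "$n" = "3" ] || return 1
    if printf '%s\n' "$rules" | grep '^-A OUTPUT .*--state NEW' \
            | grep -Ev -- '(-d |--uid-owner )' | grep -q .; then
        return 1
    fi
    return 0
}
```

Load it with `gen_ruleset vncuser 192.0.2.53 | iptables-restore` (run `iptables-restore --test` first on versions that have that option), then `service iptables save` on CentOS so it survives a reboot. The owner match needs the named account to exist when the rules are loaded. This covers IPv4 only; ip6tables keeps its own tables and policies and needs the same treatment.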

 