Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hello everyone! I've written an iptables script for my server, which won't be routing anything. I'd like any input on anything you see that may not work (I haven't tested this yet, as I don't want to lock myself out of SSH!).
Okay, below is the script. Are the protocols correct? I'm not sure which run on TCP and which on UDP. Also, are ICMP packets such as ping dropped because of my DROP default for the INPUT chain? Shouldn't I add -j ACCEPT to the state line as well?
Code:
#!/bin/sh
IPTABLES=/usr/sbin/iptables
# This host does not route: disable forwarding in the kernel.
echo 0 > /proc/sys/net/ipv4/ip_forward
# Flush the existing rules in every chain of the filter table.
$IPTABLES -F
# Default policies: drop inbound and forwarded traffic, allow outbound.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# Inbound services (TCP unless noted).
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 80    # HTTP
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 21    # FTP control channel
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 110   # POP3
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 25    # SMTP
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 22    # SSH
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 53    # DNS over TCP
$IPTABLES -A INPUT -j ACCEPT -p udp --dport 53    # DNS over UDP
# Redundant: port 80 is already accepted unconditionally above.
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 80 --tcp-flags SYN,FIN,ACK SYN
# Replies to connections this host opened. Without a target (-j ACCEPT) a rule
# only counts matching packets; the INPUT policy then drops them.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
I want packets heading out of the machine to be allowed at first. Once I test this and get the machine configured I'll probably deny those and add specific holes to allow.
Will hit the INPUT DROP first. I would move that to last in the chain.
Take a closer look. The first INPUT rule is the policy rule. The first rule that will really be at the top of the INPUT chain is the --dport 80 rule.
In general it's a pretty basic firewall, not bad just basic. The second --dport 80 rule is redundant (you are already allowing all port 80 traffic through with this rule:
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 80
so you don't need this one:
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 80 --tcp-flags SYN,FIN,ACK SYN
I think you'll also find ftp doesn't work really well with your firewall like that (unless you limit clients to active ftp). Normally passive ftp will require you to open up a chunk of ports > 1023 (check your ftp server's docs). You could do some egress filtering (as per dominant's post), restrict DNS packets to only those of your DNS server (or your ISP's) and systems on your network. If you want to get a little more complex, you could add some things like burst limiting/logging rules and drop spoofed IPs.
Quote:
I think you'll also find ftp doesn't work really well with your firewall like that (unless you limit clients to active ftp). Normally passive ftp will require you to open up a chunk of ports > 1023 (check your ftp server's docs).
cc is correct. You don't want your ftp clients controlling the connection with active ftp; passive leaves the server in control. If you are using vsftpd, you can state a range of ports to use for passive ftp. Here's what you want to set in vsftpd.conf...
Code:
# vsftpd does not allow trailing comments on a setting line; a line such as
# "pasv_enable=YES # enable pasv ftp" fails with "bad bool value in config file",
# so the comments go on their own lines.
# enable pasv ftp
pasv_enable=YES
# first pasv port in range
pasv_min_port=63000
# last pasv port in range
pasv_max_port=65534
# listen address here
pasv_address=xxx.xxx.xxx.xxx
Other ftpds have similar settings.
You are missing -s [source] on all your rules, so for services like http/smtp/pop you want to have -s 0/0 set to accept from anywhere. If you are afraid of locking yourself out of ssh, you can use the -s flag and a few specific trusted IPs, or your internal network, to give yourself a backdoor to the system in case you blow up your connection. You might want to set up a rule to accept all from localhost, just in case [ever had this happen? I have. Woo] things blow up on your local interface.
If you are running apache, you may also want to open up port 443 for https if you need secure communications.
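Pulling the thread together, here is an added example that is not the original poster's script and not from any of the replies: the same policy rebuilt with the points raised above (loopback accepted, the state rule moved first and given its -j ACCEPT, ping allowed explicitly since the DROP policy otherwise silences it, ssh limited to a trusted source, the vsftpd passive range opened, and 443 added). It assumes a management network of 192.0.2.0/24 and the 63000-65534 passive range from the vsftpd.conf above; both are placeholders to adjust. The "safe-apply" mode answers the lock-out worry: it saves the working ruleset and restores it automatically unless you cancel the timer after confirming a fresh ssh login works. Set IPTABLES=echo (or use "dry-run") to print the commands instead of loading them.

```shell
#!/bin/sh
# Added example, not the original poster's script. Usage:
#   sh fw.sh dry-run     print the iptables commands
#   sh fw.sh apply       load them (as root)
#   sh fw.sh safe-apply  load them with an automatic revert timer
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"      # assumed trusted source for ssh (placeholder)
PASV_RANGE="${PASV_RANGE:-63000:65534}"     # must match pasv_min_port/pasv_max_port
REVERT_SECS="${REVERT_SECS:-120}"

apply_rules() {
    # This host does not route; the policies drop anything no rule accepts.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -F FORWARD
    # Loopback first: local daemons (resolver, MTA, databases) talk over lo.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened come back ESTABLISHED; data
    # connections tracked by the ftp helper are RELATED. Most packets match
    # here, so it goes early, and it needs its own -j ACCEPT.
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    # A DROP policy silences ping; allow echo requests explicitly, rate limited.
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    # ssh only from the admin network; other sources fall through to the policy.
    $IPTABLES -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT
    # Public TCP services: only the first packet of a connection needs a rule,
    # the rest of the session is covered by the state rule above.
    for port in 80 443 25 110 21; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Passive ftp data ports. With the ftp conntrack helper loaded
    # (modprobe nf_conntrack_ftp; ip_conntrack_ftp on older kernels) these
    # connections arrive as RELATED and this rule can be removed.
    $IPTABLES -A INPUT -p tcp --dport "$PASV_RANGE" -m state --state NEW -j ACCEPT
    # DNS: UDP for ordinary queries, TCP for large answers and zone transfers.
    $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
}

# Lockout guard: save the current ruleset and schedule its restoration.
# After applying, open a NEW ssh session; if it works, kill the printed PID.
# If you are locked out, do nothing and the old rules come back by themselves.
arm_revert_timer() {
    iptables-save > /tmp/iptables.before || return 1
    ( sleep "$REVERT_SECS"; iptables-restore < /tmp/iptables.before ) &
    echo "revert timer armed: kill $! within ${REVERT_SECS}s to keep the new rules"
}

case "${1:-}" in
    dry-run)    IPTABLES=echo; apply_rules ;;
    apply)      apply_rules ;;
    safe-apply) arm_revert_timer && apply_rules ;;
esac
```

Rule order matters more than rule count here: the loopback and state rules sit at the top so that every reply packet is accepted before the per-port rules are consulted, and any port not listed falls to the DROP policy. The ping rule shows that a DROP policy does silently drop ICMP; if you want ping to work it must be allowed by name, and the -m limit keeps a flood from costing much.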