Linux - Security (LinuxQuestions.org)
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
"iptables -P INPUT DROP" says that by default, any incoming packet is dropped, unless it is explicitly accepted by a rule like "iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT". That means that rules to explicitly *drop* stuff are superfluous, cause they'd be dropped anyway unless they were picked up by an accept rule. So, I'd suggest commenting out that huge block of icmp DROPs (in the "DROP CERTAIN INCOMING ICMP PACKET TYPES." section). There are a few DROPs, too, but I'm getting sick of scrolling up and down to look, so I won't comment on them
Also, in the "ACTIVE FTP" section, the first line pertains to ftp, but the last four do not; they relate to the domain port (53) and imply that you're wanting to let those connections in because you're running a DNS server. (The second and third are in fact duplicates, and the last refers to an arbitrary IP which I don't think is related to you (unless of course you put it there for a reason).) So I'd just comment the last four lines out (of course, if something unforeseen breaks, you can always uncomment them again).
You need to let dns REPLIES back into the box after you send them out to your ISP or wherever.
They will come back as udp unless they are BIG like a zone transfer when they come back as tcp.
Lots of recommendations say to limit the source address to your known dns servers.
And I notice with scripts that try to make SNAT rules instead of MASQUERADE rules that you can only load them AFTER the network is up and running, rather than before.
But that is just an opinion... a different view of security...
Regards,
Peter
Last edited by peter_robb; 08-29-2002 at 09:47 AM.
#The following script is made for a single computer with Cable Internet access,
#Linux 2.4x and IPTables/NetFilter
#---------------------------------------------------------------------------------
### Below is a list of pre-configuration options to get IPTables setup properly. ###
## ETHERNET INTERFACE TO THE INTERNET. DHCP ASSIGNED IP ADDRESSING - CABLE INTERNET.
INET_IP=`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e s/.*://`
BROADCAST=`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $3}' | sed -e s/.*://`
INET_IFACE="eth0"
## LOOPBACK ADDRESS, REFERENCED BY THE SPOOFING PROTECTION RULES BELOW.
LO_IP="127.0.0.1"
## FLUSH ALL CHAINS (INPUT, OUTPUT, FORWARD, ETC); REMOVE ALL PRE-EXISTING
## DEFINED RULES AND ZERO THE COUNTERS.
iptables -F
iptables -X
iptables -Z
## DROP ALL INCOMING, OUTGOING AND FORWARDING PACKETS.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#---------------------------------------------------------------------------------
### Below is a list of kernel flags. ###
## DISABLE RESPONSE TO BROADCASTS.
# You don't want yourself becoming a Smurf amplifier.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
## DON'T ACCEPT SOURCE ROUTED PACKETS.
# Attackers can use source routing to generate traffic pretending to be from inside
# your network.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
## DISABLE ICMP REDIRECT ACCEPTANCE.
# ICMP redirects can be used to alter your routing tables, possibly to a bad end.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
## ENABLE BAD ERROR MESSAGE PROTECTION.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
## TURN ON REVERSE PACKET FILTERING.
# This helps make sure that packets use legitimate source addresses, by automatically
# rejecting incoming packets if the routing table entry for their source address
# doesn't match the network interface they're arriving on.
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done
## THE WEAKEST LINK.
# Find out whether the following is secure or not, before you start uncommenting it.
#iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
## SPOOFING PROTECTION.
# Refuse spoofed packets pretending to be from your IP address.
iptables -A INPUT -i eth0 -s $INET_IP -j DROP
# Refuse spoofed packets arriving on the Internet interface that pretend to be from the loopback address.
# (Matching on "-i lo" here would drop all legitimate local loopback traffic instead.)
iptables -A INPUT -i eth0 -s $LO_IP -j DROP
# Refuse broadcast address packets.
iptables -A INPUT -i eth0 -s $BROADCAST -j DROP
## DROP NASTY FLAGS.
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix BADFLAG!_L1
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix BADFLAG!_L2
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix BADFLAG!_L3
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix BADFLAG!_L4
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix BADFLAG!_L5
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
## STEALTH PORT SCANNER PROTECTION.
# Check the following line it may be wrong for what you need.
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
## FRAGMENTS.
iptables -A INPUT -i eth0 -f -j LOG --log-prefix IPTABLES_FRAGMENTS
iptables -A INPUT -i eth0 -f -j DROP
## PING OF DEATH PROTECTION.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
## SAFETY BARRIER RULES
iptables -A INPUT -i eth0 -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
iptables -A INPUT -i eth0 -j DROP
iptables -A OUTPUT -o eth0 -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
iptables -A OUTPUT -o eth0 -j DROP
I have updated my IPTables script and have submitted it here for checking.
BTW: I seem to be having a problem with my Cable Internet connection, which I have monitored with Ethereal. Ethereal tells me that I'm receiving traffic for ARP requests, even though I have already run the dhcp client program/daemon.
for a single pc connected to a single dhcp service....
I have my iptables running all the time. When I ifup eth~, it inserts a couple of extra rules. I used a script initially but I have modified the network scripting to leave the saved copy running.
1. You can have your script load BEFORE the interface comes up.
I would dispense with the 1st 5 value specifiers. You won't need them until AFTER the interface is up. If lo isn't 127.0.0.1, fix it.
2. Loading modules. In my pc, RH7.2, when I enter the iptables commands by hand, the modules load automatically. The ftp & irc modules need manual loading tho'. type lsmod after you load each iptables command to check the loading.
3. Flush ALL the chains in all the tables for security, the nat & mangle tables included.
4. Your DROP policy on the OUTPUT chain to me is very restrictive. Every new service will need manual intervention to change the script. There shouldn't be anything inside your box that shouldn't go out if you make a clean wall to prevent it coming in.
5. Put the /proc/sys/net echos in the /etc/sysconfig/sysctl.conf file rather than the script. Makes them more permanent.
6. The WEAKEST LINK reference is duplicated later
7. Typos in the 2nd 'INPPUT' statement of FTP entries.
8. If you don't have servers on the inside, I prefer a global --state ESTABLISHED,RELATED line rather than a port-by-port entry. Make these entries in the INPUT chain:
iptables -A INPUT -m state --state NEW,INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This catches the ftp connection, icmp, pop, smtp etc automatically.
9. Spoofing protection is via the /proc/sys/net rp_filter. Why do it twice?
10. I'm still undecided about the NASTY FLAGS... I prefer to dump them all in the PREROUTING chain in nat. Once conntrack has lost the connection, it will dump excessive RST packets and because the 1st packet of any NEW connections passes through the nat table 1st, I find it cleaner. Drops RST stealth, Xmas tree etc...
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
11. Handle the DNS by
iptables -A INPUT -s dns-server-1-ip -i eth0 -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -s dns-server-2-ip -i eth0 -p udp -m udp --sport 53 -j ACCEPT
Pick these addresses from the /etc/resolv.conf once connected and then do the grep/awk thing if they ever change.
12. SYN FLOOD again I prefer to put in the nat PREROUTING chain like this
iptables -t nat -N flood
iptables -t nat -A PREROUTING -j flood
iptables -t nat -A flood -i eth0 -m limit --limit 10/sec -j RETURN
iptables -t nat -A flood -j DROP
This catches all the 1st tcp packets in a stream that ARE actually SYN, and the other protocols.
13. FRAGMENTS are handled by the conntrack mechanism, and anything irregular gets dropped by the INVALID option I mentioned in 8.
14. PING OF DEATH is handled by the PREROUTING limit rule
15. I like the SAFETY BARRIER lines. Make sure your logs are rotated! They may get full...
16. Be careful with ACCEPT rules in the INPUT chain. Once a packet is ACCEPTed by any rule, it has finished in that chain. Rules after that ACCEPT do NOT have any effect. So, ACCEPTing with a FLOOD rule allows ALL packets to enter... Hmmm?
17. Logging needs to be placed away from /var/log/messages.
Make them --log-level 6
and make sure you quote the --log-prefix "comment " with a space after the last character, otherwise it will run on into the IN=eth0 comment in the log file. Can't use a delimited log reader to find the comment otherwise.
Add a line to /etc/syslog.conf,
kern.=info /var/log/info
and change any line that will still put *.info into /var/log/messages
18. You have FORWARD rules specified. Unnecessary. You aren't forwarding and /proc/sys/net/~/ip_forward = 0
19. My suggestions would look more like this, with your SAFETY BARRIER entries following:
/sbin/depmod -a
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
iptables -t nat -N flood
iptables -t nat -A flood -i eth0 -m limit --limit 10/sec -j RETURN
iptables -t nat -A flood -j DROP
iptables -t nat -A PREROUTING -j flood
iptables -t nat -A PREROUTING -i eth0 -j LOG --log-prefix "eth0_new_cnxn " --log-level 6
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s dns-server-1-ip -i eth0 -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -s dns-server-2-ip -i eth0 -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp -j LOG --log-prefix "eth0_udp_dropped " --log-level 6
/sbin/insmod ip_conntrack_ftp (needs to be loaded after the ip_conntrack module is loaded)
put the /proc/sys/net stuff into /etc/sysconfig/sysctl.conf
AND, I have a lot more in my tables due to internal servers, LAN forwarding etc.
My comment on the module loading is what I experience with RH 7.2 so it can change.
Regards,
Peter
Last edited by peter_robb; 09-06-2002 at 04:51 AM.
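To see how the single nat PREROUTING rule in point 10 compares with the five "DROP NASTY FLAGS" rules in the original script, here is an added Python model of the iptables --tcp-flags match, (packet_flags & mask) == comp; it is not code from either poster. It assumes every sample packet is the first packet of a connection conntrack has not seen, which is the only case the nat PREROUTING rule ever examines.

```python
"""Model of the iptables --tcp-flags match: (packet_flags & mask) == comp."""
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_flags(spec):
    """Turn an iptables flag list ('SYN,RST', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return sum(FLAG_BITS.values())
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))

def tcp_flags_match(packet_flags, mask, comp, negate=False):
    """--tcp-flags mask comp: only the bits in mask are examined, and the
    rule matches when exactly the bits in comp are set among them."""
    hit = (packet_flags & parse_flags(mask)) == parse_flags(comp)
    return not hit if negate else hit

# (mask, comp) pairs of the original script's DROP NASTY FLAGS block.
NASTY_FLAG_RULES = [
    ("ALL", "FIN,URG,PSH"),
    ("ALL", "SYN,RST,ACK,FIN,URG"),
    ("ALL", "NONE"),
    ("SYN,RST", "SYN,RST"),
    ("SYN,FIN", "SYN,FIN"),
]

def dropped_by_nasty_block(packet_flags):
    """True if any of the five INPUT rules would DROP the packet."""
    return any(tcp_flags_match(packet_flags, m, c) for m, c in NASTY_FLAG_RULES)

def dropped_by_prerouting_rule(packet_flags):
    """'! --tcp-flags SYN,RST,ACK SYN' in nat PREROUTING: the first packet of
    an untracked connection is dropped unless, among SYN/RST/ACK, exactly SYN
    is set (FIN/PSH/URG are outside the mask and not examined)."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK", "SYN", negate=True)

# Constructed first-packet flag combinations (assumed untracked by conntrack).
SAMPLE_PACKETS = {
    "plain SYN": "SYN",
    "all flags": "ALL",
    "no flags": "NONE",
    "SYN+RST": "SYN,RST",
    "SYN+FIN": "SYN,FIN",
    "lone FIN": "FIN",
    "lone ACK": "ACK",
}

def compare():
    """Map each sample to (dropped by nasty block, dropped by PREROUTING rule)."""
    return {name: (dropped_by_nasty_block(parse_flags(spec)),
                   dropped_by_prerouting_rule(parse_flags(spec)))
            for name, spec in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for name, (nasty, prerouting) in compare().items():
        print(f"{name:10}  nasty block: {str(nasty):5}  PREROUTING rule: {prerouting}")
```

Running compare() shows the two approaches are not equivalent: the PREROUTING rule also drops lone-FIN and lone-ACK first packets that none of the five rules match, while a SYN+FIN first packet passes it (masking to SYN,RST,ACK leaves plain SYN) and is only stopped by the fifth original rule.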
Sorry for the slow response. I have updated my script again, according to most of your instructions, but I have a few questions I still want to ask.
The Questions are below, the iptables script will be in the next post.
Quote:
Make these entries in the INPUT chain
iptables -A INPUT -m state --state NEW,INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This catches the ftp connection, icmp, pop, smtp etc automatically.
Are you sure this is safe ???
Quote:
iptables -t nat -N flood
iptables -t nat -A PREROUTING -j flood
iptables -t nat -A flood -i eth0 -m limit --limit 10/sec -j RETURN
iptables -t nat -A flood -j DROP
Do I really need to use NAT? I thought NAT was only used for LANs behind a firewall box.
Quote:
Your DROP policy on the OUTPUT chain to me is very restrictive. Every new service will need manual intervention to change the script. There shouldn't be anything inside your box that shouldn't go out if you make a clean wall to prevent it coming in.
What if there is a trojaned program on my machine? You can't always be too safe.
## FLUSH ALL CHAINS (INPUT, OUTPUT, FORWARD, ETC); REMOVE ALL PRE-EXISTING
## DEFINED RULES AND ZERO THE COUNTERS.
iptables -F
iptables -X
iptables -Z
## DROP ALL INCOMING, OUTGOING AND FORWARDING PACKETS.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#---------------------------------------------------------------------------------
## GENERAL INTERNET USE (HTTP/HTTPS,POP3,SMTP,FTP,ETC).
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
## DROP NASTY FLAGS.
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
## STEALTH PORT SCANNER PROTECTION.
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
## FRAGMENTS.
iptables -A INPUT -i eth0 -f -j LOG --log-level 6 --log-prefix "IPTABLES_FRAGMENTS "
iptables -A INPUT -i eth0 -f -j DROP
## PING OF DEATH PROTECTION.
# Check the following line it may be wrong for what you need.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
## SAFETY BARRIER RULES
iptables -A INPUT -i eth0 -j LOG --log-level 6 --log-prefix "IPTABLES PROTOCOL-X-IN: "
iptables -A INPUT -i eth0 -j DROP
iptables -A OUTPUT -o eth0 -j LOG --log-level 6 --log-prefix "IPTABLES PROTOCOL-X-OUT: "
iptables -A OUTPUT -o eth0 -j DROP
/sbin/depmod -a
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
iptables -t nat -N flood
iptables -t nat -A flood -i eth0 -m limit --limit 10/sec -j RETURN
iptables -t nat -A flood -j DROP
iptables -t nat -A PREROUTING -j flood
iptables -t nat -A PREROUTING -i eth0 -j LOG --log-prefix "eth0_new_cnxn " --log-level 6
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s dns-server-1-ip -i eth0 -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -s dns-server-2-ip -i eth0 -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp -j LOG --log-prefix "eth0_udp_dropped " --log-level 6
Don't confuse your script with my suggestions...
They are Alternatives... one or the other...
The safety of netfilter is up for debate. According to the writers, it is as secure as, if not more so than, a 2.2 kernel & ipchains combo.
Its advantages are the extra configurable parameters and the State tracking machine, ip_conntrack. When more facilities are desired, we add modules to perform them.
Its weakness is the user/writer of Rules.
quote:
Make these entries in the INPUT chain
iptables -A INPUT -m state --state NEW,INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This catches the ftp connection, icmp, pop, smtp etc automatically.
Are you sure this is safe ???
What this does is to stop NEW connections into your pc, stop INVALID packets (deformed, non-relevant & non-related) & allow your pc to accept replies to your outward requests. All this capability in just 2 Rules! This is the state machine at its best. If you don't run internal servers, it's safe.
quote:
iptables -t nat -N flood
iptables -t nat -A PREROUTING -j flood
iptables -t nat -A flood -i eth0 -m limit --limit 10/sec -j RETURN
iptables -t nat -A flood -j DROP
Do I really need to use NAT? I thought NAT was only used for LANs behind a firewall box.
The nat table is built into iptables and by default is selected in your kernel config.
This rule uses that nat table because only the 1st packet of a NEW connection passes through here. It makes it easy to LOG/limit/DROP attempts to connect to you that don't belong to any connection you have made. It's against most filtering recommendations but works like magic.
(The NAT facility or MASQUERADEing is -j SNAT/DNAT/MASQUERADE
That's what we use for renumbering ip addresses behind a firewall.)
quote:
Your DROP policy on the OUTPUT chain to me is very restrictive. Every new service will need manual intervention to change the script. There shouldn't be anything inside your box that shouldn't go out if you make a clean wall to prevent it coming in.
What if there is a trojaned program on my machine? You can't always be too safe.
Too true... BUT...
You have a SAFETY NET series of rules which will allow you to LOG outward connections.
Keep an eye on the LOG files and you can deal with them properly. Identify them then eradicate them.
Also you have 'netstat -an' which lists all listening and connected servers on your machine.
If it shouldn't be there, turn it off...
NOW, the big stuff...
I recommend you have your iptables start BEFORE your interfaces come up.
This is SECURE. (and again it is only my preference.) I don't bring iptables up and down unless I am testing other people's rulesets. It's on when I power on and it stays on!
That is why I move the /proc/sys/net stuff to /etc/sysctl.conf.
I bring up the ip_conntrack_ftp module in an rc.local script, after all the other stuff is alive and kicking.
2.
I use 'service iptables save' to make a start script for iptables-restore to use. The iptables script in '/etc/init.d/iptables' does the save and restore when initd runs. (I'm on RH7.2 so file locations and scripts will be somewhat different...)
3.
What I have suggested is INSTEAD of your script...
It is not complete... You will need to choose which way to go and then configure accordingly.
I'll leave that to you, helping of course...
4.
Did you read the http://www.netfilter.org/documentati...ials/blueflux/ tutorial?
You will need a slightly deeper knowledge than now to avoid some very basic misunderstandings.
So, I suggest you do this...
Disconnect from the cable...
Turn off xinetd... ('service xinetd stop')
'netstat -an' to see a list of servers listening & turn off unnecessary ones...
Modify your '/etc/sysconfig/syslog.conf' file to make a new log file...
Restart syslogd... ('service syslog restart')
Manually enter the 'echo ~ > /proc/sys/~~ ' commands...
Manually load the modules... (you may get messages saying they are already loaded...)
Manually enter my script, rule by rule... (from the beginning...)
Manually enter your "SAFETY BARRIER" -j LOG entries... (with the --log-level 6 added)
Add a rule 'iptables -t nat -A PREROUTING -j LOG --log-prefix "new_cnxn " --log-level 6' (to record any inward connections)
lsmod to check the module list is complete...
iptables -nL ( to check the rules)
iptables -t nat -nL (to check those rules)
In a command window type 'tail -f /var/log/info' (to watch the log files)
Reconnect to the cable and watch the log file...
If anything has stopped working, check for DROPped connections in the log file and make a rule to ACCEPT them. If you read the tutorial, you will be able to decide on a 'good' rule composition.
Port numbers relate to services listed in '/etc/services'
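Point 17 (quote the --log-prefix with a trailing space, or it runs into IN=) and the closing checklist (watch the log, find the DROPped connections, then write an ACCEPT rule for the ones you recognise) both come down to reading the kernel log, so here is an added Python reader for it; it is not code from anyone in the thread. It assumes the 2.4-era netfilter LOG line layout (prefix, then IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields with bare tokens such as DF and SYN) and works on constructed sample lines using RFC 5737 documentation addresses, not a real capture.

```python
"""Whitespace-delimited reader for netfilter LOG lines (added example)."""
import re
from collections import Counter

# Constructed sample syslog lines in the kernel 2.4 netfilter LOG format.
# Addresses are RFC 5737 documentation ranges; nothing here is a real capture.
# The fourth line was logged with --log-prefix "IPTABLES_FRAGMENTS" (no trailing
# space), so the prefix has fused with the IN= field, as point 17 warns.
SAMPLE_LOG = """\
Sep  6 04:51:01 cable kernel: eth0_new_cnxn IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=34567 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  6 04:51:02 cable kernel: eth0_new_cnxn IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=34568 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  6 04:51:03 cable kernel: eth0_udp_dropped IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=9 PROTO=UDP SPT=1234 DPT=137 LEN=58
Sep  6 04:51:04 cable kernel: IPTABLES_FRAGMENTSIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=115 ID=10 PROTO=ICMP
Sep  6 04:51:05 cable sshd[412]: Accepted publickey for user from 127.0.0.1
"""

KERNEL_MSG = re.compile(r"kernel: (?P<msg>.*)$")

def parse_log_line(line):
    """Split one syslog line the way a delimited log reader would.

    Returns None for lines that are not kernel messages. For netfilter lines
    the prefix is every token before the first standalone IN= token; when no
    such token exists the prefix ran into IN= and the record is flagged."""
    m = KERNEL_MSG.search(line)
    if m is None:
        return None
    tokens = m.group("msg").split()
    first_field = next((i for i, t in enumerate(tokens) if t.startswith("IN=")), None)
    if first_field is None:
        return {"prefix": None, "fields": {}, "flags": [], "malformed": True}
    fields, flags = {}, []
    for tok in tokens[first_field:]:
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value          # IN=eth0, SRC=..., DPT=...
        else:
            flags.append(tok)            # bare tokens: DF, SYN, ACK, ...
    return {"prefix": " ".join(tokens[:first_field]), "fields": fields,
            "flags": flags, "malformed": False}

def summarize(log_text, prefix="eth0_new_cnxn"):
    """Tally connection attempts per (PROTO, DPT) under one log prefix, plus the
    number of netfilter records whose prefix could not be delimited."""
    counts, malformed = Counter(), 0
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["malformed"]:
            malformed += 1
        elif rec["prefix"] == prefix:
            f = rec["fields"]
            counts[(f.get("PROTO"), f.get("DPT"))] += 1
    return counts, malformed

if __name__ == "__main__":
    counts, bad = summarize(SAMPLE_LOG)
    for (proto, dpt), n in counts.most_common():
        print(f"{proto} dpt={dpt}: {n} new connection attempt(s)")
    print(f"{bad} record(s) with a prefix fused into IN=")
```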
I will make sure that I'll make multiple backups of this thread and will also take a thorough read of that IPTables tutorial.
BTW: Ever thought of becoming a moderator here one day?