LinuxQuestions.org
Old 11-03-2012, 12:35 AM   #1
Biosko
LQ Newbie
 
Registered: Nov 2012
Posts: 9

Rep: Reputation: Disabled
FW-Iptables hardening/tuning


Hello,
recently I tried to tune my iptables with help from the internet, but I cannot reproduce the dropping of bad TCP packets with bad TCP flags.
I am trying to send flags with nmap or hping, but they don't get blocked. I can even do an XMAS scan or other things, and there is still no log entry about it in /var/log/messages.
Can somebody help me to reproduce one of these bad packets? Or can somebody check if the chains are in the right order or if there is any problem?
I would also appreciate any other hardening hints.
Thank you

Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

-N bad_packets
-N bad_tcp_packets
-N icmp_packets
-N udp_inbound
-N udp_outbound
-N tcp_inbound
-N tcp_outbound

# Drop any invalid packet that could not be identified
-A bad_packets -p ALL -m state --state INVALID -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Invalid packet: "
-A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
-A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
-A bad_packets -p ALL -j RETURN

# All tcp packets will traverse this chain.
-A bad_tcp_packets -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "TCP fragment: "
-A bad_tcp_packets -p tcp -f -j DROP
-A bad_tcp_packets -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "ALL NONE Ss: "
-A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
-A bad_tcp_packets -p tcp --tcp-flags ALL ALL -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "ALL ALL Ss: "
-A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
-A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "ALL FIN,URG,PSH Ss: "
-A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "ALL SYN,RST,ACK,FIN,URG Ss: "
-A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "SYN,RST SYN,RST Ss: "
-A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "SYN,FIN SYN,FIN Ss: "
-A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A bad_tcp_packets -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "FIN,SYN,URG NONE Ss: "
-A bad_tcp_packets -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "FIN,SYN,RST ACK,URG Ss: "
-A bad_tcp_packets -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "FIN,SYN,RST PSH,URG Ss: "
-A bad_tcp_packets -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "FIN,SYN FIN,SYN Ss: "
-A bad_tcp_packets -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "FIN,RST FIN,RST Ss: "
-A bad_tcp_packets -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A bad_tcp_packets -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "FIN,ACK FIN Ss: "
-A bad_tcp_packets -p tcp --tcp-flags FIN,ACK FIN -j DROP
-A bad_tcp_packets -p tcp --tcp-flags PSH,ACK PSH -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "PSH,ACK PSH Ss: "
-A bad_tcp_packets -p tcp --tcp-flags PSH,ACK PSH -j DROP
-A bad_tcp_packets -p tcp --tcp-flags ACK,URG URG -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "ACK,URG URG Ss: "
-A bad_tcp_packets -p tcp --tcp-flags ACK,URG URG -j DROP
-A bad_tcp_packets -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "ACK,FIN FIN Ss: "
-A bad_tcp_packets -p tcp --tcp-flags ACK,FIN FIN -j DROP

# All good, so return
-A bad_tcp_packets -p tcp -j RETURN

# icmp_packets chain
# ICMP packets should fit in a Layer 2 frame, thus they should never be fragmented
-A icmp_packets --fragment -p ICMP -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets --fragment -p ICMP -j DROP

# Echo to allow your system to be pinged.
-A icmp_packets -p ICMP --icmp-type 8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Ping detected: "
-A icmp_packets -p ICMP --icmp-type 8 -j ACCEPT

# Echo drop
#-A icmp_packets -p ICMP --icmp-type 8 -j DROP

# Time Exceeded
-A icmp_packets -p ICMP --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
-A icmp_packets -p ICMP -j RETURN

#udp_inbound chain
#udp windows drop
-A udp_inbound -p UDP --destination-port 137 -j DROP
-A udp_inbound -p UDP --destination-port 138 -j DROP

# Network Time Protocol (NTP) Server
#-A udp_inbound -p UDP --destination-port 123 -j ACCEPT

# Not matched, so return for logging
-A udp_inbound -p UDP -j RETURN

# udp_outbound chain
# No match, so ACCEPT
-A udp_outbound -p UDP -j ACCEPT

# tcp_inbound chain
# Services

# Email Server (SMTP)
-A tcp_inbound -p TCP --destination-port 25 -j ACCEPT
# HTTP
-A tcp_inbound -p TCP --destination-port 80 -j ACCEPT
# Email Server (POP3)
-A tcp_inbound -p TCP --destination-port 110 -j ACCEPT
# Email Server (IMAP4)
-A tcp_inbound -p TCP --destination-port 143 -j ACCEPT
# HTTPS (Secure Web Server)
-A tcp_inbound -p TCP --destination-port 443 -j ACCEPT
# Email Server (SMTPS)
-A tcp_inbound -p TCP --destination-port 465 -j ACCEPT
# Email Server (SMTP)
-A tcp_inbound -p TCP --destination-port 587 -j ACCEPT
# SSL Email Server (IMAP4S)
-A tcp_inbound -p TCP --destination-port 993 -j ACCEPT
# SSL Email Server (POP3S)
-A tcp_inbound -p TCP --destination-port 995 -j ACCEPT
# Zimbra admin (zimbra)
-A tcp_inbound -p TCP -s xx.xx.xx.xx --destination-port 7071 -j ACCEPT

# Not matched, so return so it will be logged
-A tcp_inbound -p TCP -j RETURN

# tcp_outbound chain
# No match, so ACCEPT
-A tcp_outbound -p TCP -j ACCEPT

# INPUT Chain
# Allow all on localhost interface
-A INPUT -p ALL -i lo -j ACCEPT

# Drop bad packets
-A INPUT -p ALL -d 224.0.0.1 -j DROP
-A INPUT -p ALL -j bad_packets
-A INPUT -p ALL -i eth0 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP spoof 10: "
-A INPUT -p ALL -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -p ALL -i eth0 -s 172.16.0.0/12 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP spoof 172: "
-A INPUT -p ALL -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -p ALL -i eth0 -s 192.168.0.0/16 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP spoof 192: "
-A INPUT -p ALL -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -p ALL -i eth0 -s 224.0.0.0/4 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP spoof 224: "
-A INPUT -p ALL -i eth0 -s 224.0.0.0/4 -j DROP
#-A INPUT -p ALL -i eth0 -d 224.0.0.0/4 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP spoof 224: "
#-A INPUT -p ALL -i eth0 -d 224.0.0.0/4 -j DROP
-A INPUT -p ALL -i eth0 -s 240.0.0.0/5 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP spoof 240: "
-A INPUT -p ALL -i eth0 -s 240.0.0.0/5 -j DROP
#-A INPUT -p ALL -i eth0 -s 127.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP spoof 127: "
#-A INPUT -p ALL -i eth0 -s 127.0.0.0/8 -j DROP
-A INPUT -p ALL -i eth0 -d 127.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP spoof 127: "
-A INPUT -p ALL -i eth0 -d 127.0.0.0/8 -j DROP
-A INPUT -p ALL -i eth0 -s 169.254.0.0/16 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP spoof 169: "
-A INPUT -p ALL -i eth0 -s 169.254.0.0/16 -j DROP
#-A INPUT -p ALL -i eth0 -s 0.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP spoof 0: "
-A INPUT -p ALL -i eth0 -s 0.0.0.0/8 -j DROP
-A INPUT -p ALL -i eth0 -s 255.255.255.255/32 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP spoof 255: "
-A INPUT -p ALL -i eth0 -s 255.255.255.255/32 -j DROP
#-A INPUT -p ALL -i eth0 -d 255.255.255.255 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP spoof 255: "
#-A INPUT -p ALL -i eth0 -d 255.255.255.255 -j DROP
-A INPUT -p ALL -i eth0 -s 168.254.0.0/16 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP spoof 168: "
-A INPUT -p ALL -i eth0 -s 168.254.0.0/16 -j DROP
-A INPUT -p ALL -i eth0 -s 248.0.0.0/5 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP spoof 248: "
-A INPUT -p ALL -i eth0 -s 248.0.0.0/5 -j DROP

# Accept Established Connections
-A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Route the rest to the appropriate user chain
-A INPUT -p TCP -i eth0 -j tcp_inbound
-A INPUT -p UDP -i eth0 -j udp_inbound
-A INPUT -p ICMP -i eth0 -j icmp_packets

# Drop without logging broadcasts that get this far.
-A INPUT -m pkttype --pkt-type broadcast -j DROP

# Log packets that still don't match
-A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "INPUT packet died: "

# OUTPUT Chain
# Invalid icmp packets need to be dropped to prevent a possible exploit
-A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
-A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
-A OUTPUT -p ALL -o lo -j ACCEPT

# To internet
-A OUTPUT -p ALL -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Log packets that still don't match
-A OUTPUT -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "OUTPUT packet died: "

COMMIT
 
Old 11-03-2012, 01:21 AM   #2
hamlindsza
Member
 
Registered: Aug 2012
Distribution: Debian, CentOS
Posts: 74

Rep: Reputation: Disabled
Hi,

You can have a look at Vii http://sourceforge.net/projects/vii2010/
 
Old 11-03-2012, 03:28 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Biosko View Post
Can somebody help me to reproduce one of these bad packets? Or can somebody check if the chains are in the right order or if there is any problem?
As for rule order try first allowing loopback (meaning the remaining filters will only apply to other network devices), then ESTABLISHED ethernet connections (the bulk of the traffic), then filter ethernet for INVALID state (doing away with all the flag rules), and then use NEW state and multiport for TCP / UDP services (need only two rules for TCP) and then filter ICMP. Doing that can be accomplished in the default INPUT chain w/o custom chains. BTW there's no need for explicit "-p ALL". Plus you could drop bogons (the private IP ranges that are not routed over the 'net like 169.254.0.0/16 and such) in both default in and outbound chains of the raw table. Try that rule set on a non-production host and then post it here for comments because right now it's way more convoluted than it IMHO should be.
 
1 members found this post helpful.
Old 11-03-2012, 07:33 PM   #4
Biosko
LQ Newbie
 
Registered: Nov 2012
Posts: 9

Original Poster
Rep: Reputation: Disabled
Thank you very much for the answer and help.
I tried to rewrite it w/o custom chains. Please check if the order is OK, and please suggest where to put the drop bogons rules (after invalid?) and where the check for bad flags should be, or does INVALID already cover all bad flags?

Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow all input/output on localhost interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT 

# Accept Established Connections
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop invalid packets
-A INPUT -m state --state INVALID -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "Invalid packet: "
-A INPUT -m state --state INVALID -j DROP

# Services
# SMTP, HTTP, POP3, IMAP4, HTTPS, SMTPS, SMTP, IMAP4S, POP3S
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 25,80,110,143,443,465,587,993,995 -j ACCEPT
# Zimbra admin (zimbra)
-A INPUT -i eth0 -p tcp -s xx.xx.xx.xx -m state --state NEW --dport 7071 -j ACCEPT

# ICMP
# ICMP packets should fit in a Layer 2 frame, thus they should never be fragmented
-A INPUT --fragment -p icmp -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "ICMP Fragment: "
-A INPUT --fragment -p icmp -j DROP

# Echo to allow your system to be pinged.
-A INPUT -p icmp --icmp-type 8 -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "Ping detected: "
-A INPUT -p icmp --icmp-type 8 -j ACCEPT

# Time Exceeded
-A INPUT -p icmp --icmp-type 11 -j ACCEPT

# Drop without logging 
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -p udp --dport 137 -j DROP
-A INPUT -p udp --dport 138 -j DROP

# Output to the internet
-A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Invalid icmp packets need to be dropped to prevent a possible exploit
-A OUTPUT -p icmp -m state --state INVALID -j DROP

# Logging
-A INPUT -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "INPUT packet died: "
-A FORWARD -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "FORWARD packet died: "
-A OUTPUT -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "OUTPUT packet died: "

COMMIT

Last edited by Biosko; 11-03-2012 at 07:34 PM.
 
Old 11-03-2012, 08:56 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Biosko View Post
I tried to rewrite it w/o custom chains. Please check if the order is OK and
Well done! I removed some DROP and ".*packet died:" logging rules given the INPUT chain default policy:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Allow all input/output on localhost interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT 

# Accept Established Connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop invalid packets
-A INPUT -m state --state INVALID -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "Invalid packet: "
-A INPUT -m state --state INVALID -j DROP

# Services
# SMTP, HTTP, POP3, IMAP4, HTTPS, SMTPS, SMTP, IMAP4S, POP3S
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,80,110,143,443,465,587,993,995 -j ACCEPT
# Zimbra admin (zimbra)
-A INPUT -p tcp -s xx.xx.xx.xx -m state --state NEW --dport 7071 -j ACCEPT

# ICMP
-A INPUT -p icmp --icmp-type 8 -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "Ping detected: "
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
COMMIT

Quote:
Originally Posted by Biosko View Post
please suggest where to put the drop bogons rules (after invalid?) and
Not in the filter but the raw table. Pipe through grep right after the wget if there are LAN ranges you want to allow:
Code:
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout|while read RANGE; do
 /sbin/iptables -t raw -I PREROUTING -i eth0 -s $RANGE -j DROP
 /sbin/iptables -t raw -I OUTPUT -o eth0 -s $RANGE -j DROP
done
then when you run
Code:
iptables-save|less
you should see the rules in effect.


Quote:
Originally Posted by Biosko View Post
where should the check for bad flags be, or does INVALID already cover all bad flags?
As far as I understand, yes. However, unless you run completely unreliable and unstable services that die when you point at them, "bad flags" don't cause the most grief: exploits do. Keep software up to date, use secure instead of plain services (as in IMAPS vs IMAP, HTTPS vs HTTP), run an application firewall like mod_security if you run a LAMP web stack, maybe run an IDS, and ensure you audit regularly, including a remote scan against the machine (like OpenVAS, not nmap).
 
1 members found this post helpful.
Old 11-04-2012, 08:09 PM   #6
Biosko
LQ Newbie
 
Registered: Nov 2012
Posts: 9

Original Poster
Rep: Reputation: Disabled
Thank you very much again.

It's working OK in production. Can I ask a few more questions, please?

1. You pointed me to a page with bogons. I found out that they have txt files with full bogons for IPv4 and IPv6. It would be interesting to have drop rules for all those unregistered IPs, but can iptables handle 9000 drop rules for IPv4 and almost 120 000 rules for IPv6 without a performance impact?

2. Regarding the raw table: why do we need to place 2 rules for each IP?
Data coming to us will be filtered by -t raw -I PREROUTING -i eth0; that I understand.
But I don't understand -t raw -I OUTPUT -o eth0 -s. It means that all data going from us to the internet will be checked so that it doesn't have a bogon source. Why is this needed? Does it prevent exploits from sending data from our machine?

3. You changed :OUTPUT ACCEPT [0:0] from DROP because of -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT (and deleted this row). That's probably because they are equal, right?
What about # Invalid icmp packets need to be dropped to prevent a possible exploit -A OUTPUT -p icmp -m state --state INVALID -j DROP? Don't we really need to drop them?

4. Can you please explain the DROP policy to me a little bit? When I have a default policy of DROP, it means that every packet which is not accepted by a rule is dropped. So I am a little bit curious why we dropped INVALID packets with a rule and did not let the default policy drop them. Is it because we want to drop them sooner? Some examples on the internet have $IPTABLES -A INPUT/OUTPUT/FORWARD -j DROP at the end of every chain even though they have a default policy of DROP. Is that bad practice or doubling up, or is it good for something?

5. Until yesterday I used rules like
-A bad_tcp_packets -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

This rule came after the --state INVALID -j DROP rule.
It caught and dropped packets like
IN=eth0 OUT= MAC=xxxxxxxxxxxx SRC=xxxxxxx DST=xxxxxxxx LEN=1500
TOS=0x00 PREC=0x00 TTL=120 ID=20097 DF PROTO=TCP SPT=61540 DPT=7071
WINDOW=16273 RES=0x00 ACK FIN URGP=0

So it looks like the Invalid rule didn't drop packets with ACK FIN or ACK alone. The Invalid rule often drops packets with ACK SYN.
Do you know why these packets were not dropped by the Invalid rule? Do I need the -p tcp ! --syn rule as well? Or not?

Sorry for so many questions. Sometimes it's hard to understand examples on the internet because they are old or they double up some rows which are not really needed. I have found around 20 examples of iptables rules, but often you can delete half of them and it's the same. Or like the iptables rules in my first post: we deleted around 100 rows from the original script and it still works the same.

I appreciate your time and help. It really helps me to improve my knowledge in this area.

Last edited by Biosko; 11-04-2012 at 08:19 PM.
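The log record quoted in the post above, parsed and checked against the flag combinations that the bad_tcp_packets chain in the first post drops, as an added example that is not code from any post in this thread. It assumes the kernel's usual iptables LOG line layout (key=value fields, with the TCP flags as bare words after RES=) and uses constructed sample records with documentation address ranges; the "handshake" and "teardown" labels for SYN, SYN-ACK and FIN-ACK follow the explanation given in the reply below.

```python
"""Parse iptables LOG records and classify the TCP flag combination.

Added example for this thread (not code from the posts): the log lines
below are constructed samples using documentation address ranges.
"""
import re

FLAG_NAMES = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
_KV = re.compile(r"(\w+)=(\S*)")

# Constructed records in the kernel's LOG target layout; the first one
# mirrors the ACK FIN record quoted in post #6, with addresses replaced.
SAMPLE_LOG = [
    "Nov  4 20:01:02 mail kernel: INPUT packet died: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 "
    "DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=20097 DF PROTO=TCP "
    "SPT=61540 DPT=7071 WINDOW=16273 RES=0x00 ACK FIN URGP=0",
    "Nov  4 20:01:03 mail kernel: Invalid packet: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 "
    "DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP "
    "SPT=44000 DPT=25 WINDOW=1024 RES=0x00 URGP=0",
    "Nov  4 20:01:04 mail kernel: Invalid packet: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.11 "
    "DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP "
    "SPT=44001 DPT=80 WINDOW=1024 RES=0x00 SYN FIN URGP=0",
    "Nov  4 20:01:05 mail kernel: Invalid packet: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.12 "
    "DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP "
    "SPT=44002 DPT=443 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0",
    "Nov  4 20:01:06 mail kernel: INPUT packet died: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.3 "
    "DST=203.0.113.5 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP "
    "SPT=137 DPT=137 LEN=58",
]


def parse_log_line(line):
    """Split one LOG record into a dict of key=value fields plus 'flags'.

    The TCP flags are the bare words after RES=...; everything before IN=
    is syslog/prefix text and is kept under 'prefix'.
    """
    prefix, sep, rest = line.partition("IN=")
    rec = {"prefix": prefix.strip()}
    rest = sep + rest
    rec.update(_KV.findall(rest))
    rec["flags"] = frozenset(tok for tok in rest.split() if tok in FLAG_NAMES)
    return rec


def classify_flags(flags):
    """Label a flag set with the combinations the bad_tcp_packets chain drops."""
    f = set(flags)
    if not f:
        return "suspicious: no flags (NULL scan)"
    if f == set(FLAG_NAMES):
        return "suspicious: all flags set"
    if {"SYN", "FIN"} <= f:
        return "suspicious: SYN+FIN"
    if {"SYN", "RST"} <= f:
        return "suspicious: SYN+RST"
    if f == {"FIN", "PSH", "URG"}:
        return "suspicious: FIN+PSH+URG (XMAS scan)"
    if not f & {"ACK", "SYN", "RST"}:
        # FIN, PSH or URG without ACK: the FIN,ACK FIN / PSH,ACK PSH / ACK,URG URG rules
        return "suspicious: FIN/PSH/URG without ACK"
    if f == {"SYN"}:
        return "handshake: SYN"
    if f == {"SYN", "ACK"}:
        return "handshake: SYN-ACK"
    if {"ACK", "FIN"} <= f:
        return "teardown: FIN-ACK"
    return "normal"


def suspicious_records(lines):
    """Return (SRC, DPT, label) for TCP records whose flags look malformed."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("PROTO") != "TCP":
            continue
        label = classify_flags(rec["flags"])
        if label.startswith("suspicious"):
            hits.append((rec.get("SRC"), rec.get("DPT"), label))
    return hits


if __name__ == "__main__":
    for src, dpt, label in suspicious_records(SAMPLE_LOG):
        print(f"{src} -> port {dpt}: {label}")
```

Run against the real /var/log/messages (or the journal) the same functions tell you whether the records that reach an "INPUT packet died:" or "Invalid packet:" log rule are stray handshake or teardown segments, which is what the ACK FIN record above turns out to be, or flag combinations no legitimate stack sends.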
 
Old 11-05-2012, 04:03 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Biosko View Post
You pointed me to a page with bogons. I found out that they have txt files with full bogons for IPv4 and IPv6. It would be interesting to have drop rules for all those unregistered IPs, but can iptables handle 9000 drop rules for IPv4 and almost 120 000 rules for IPv6 without a performance impact?
See http://www.frozentux.net/documents/iptables-tutorial/ and http://www.linuxquestions.org/questi...dresses-29893/ but most simply put: use ipset instead (simple example here).


Quote:
Originally Posted by Biosko View Post
Regarding the raw table: why do we need to place 2 rules for each IP? (..) I don't understand -t raw -I OUTPUT -o eth0 -s. It means that all data going from us to the internet will be checked so that it doesn't have a bogon source. Why is this needed? Does it prevent exploits from sending data from our machine?
It prevents sending traffic with bogon destination addresses.


Quote:
Originally Posted by Biosko View Post
You changed :OUTPUT ACCEPT [0:0] from DROP because of -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT (and deleted this row). That's probably because they are equal, right?
Given the ports you open, this machine may be operating in a server role, and while servers should do egress filtering to prevent sending unwanted traffic when compromised, a DROP policy that is then opened up with --state NEW,ESTABLISHED,RELATED equals an ACCEPT policy, yes.


Quote:
Originally Posted by Biosko View Post
What about # Invalid icmp packets need to be dropped to prevent a possible exploit -A OUTPUT -p icmp -m state --state INVALID -j DROP? Don't we really need to drop them?
Two things: first of all, it's good to consider regulating or denying traffic when a machine has been compromised, but when I come across collateral from compromised hosts it'll mostly be very specific exploit scanners, and mostly for SSH. Secondly, ICMP is a protocol mainly used for communicating errors, so if your machine is going to send ICMP messages it would be exceptional for it to send invalid ones.


Quote:
Originally Posted by Biosko View Post
Can you please explain the DROP policy to me a little bit? When I have a default policy of DROP, it means that every packet which is not accepted by a rule is dropped. So I am a little bit curious why we dropped INVALID packets with a rule and did not let the default policy drop them. Is it because we want to drop them sooner?
A DROP policy means "disregard any traffic regardless". My reason for dropping invalid packets is twofold: you'll have ACCEPT rules for services, so you will want to drop invalid packets, plus having this rule set logs them so you know if any occur.


Quote:
Originally Posted by Biosko View Post
Some examples on the internet have $IPTABLES -A INPUT/OUTPUT/FORWARD -j DROP at the end of every chain even though they have a default policy of DROP. Is that bad practice or doubling up, or is it good for something?
IMHO it's not bad to have catchall rules.


Quote:
Originally Posted by Biosko View Post
Until yesterday I used rules like
-A bad_tcp_packets -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

This rule came after the --state INVALID -j DROP rule.
It caught and dropped packets like
IN=eth0 OUT= MAC=xxxxxxxxxxxx SRC=xxxxxxx DST=xxxxxxxx LEN=1500
TOS=0x00 PREC=0x00 TTL=120 ID=20097 DF PROTO=TCP SPT=61540 DPT=7071
WINDOW=16273 RES=0x00 ACK FIN URGP=0

So it looks like the Invalid rule didn't drop packets with ACK FIN or ACK alone. The Invalid rule often drops packets with ACK SYN.
Do you know why these packets were not dropped by the Invalid rule? Do I need the -p tcp ! --syn rule as well? Or not?
SYN-ACK and ACK on its own are part of the three-way handshake, and ACK-FIN is part of the tear-down handshake. Sure, it's good to be aware of stray packets with flags they shouldn't have, but unless you run extremely fragile services that die() when you point at them, the majority of exploits take place at the application level, not using nmap at --insane speeds (-m limit) or hping3. Trading in these rules for a proper IDS like Snort would be way more efficient. "--state NEW ! --syn" may occur, but it should be rare. There's no reason why you couldn't add that rule if you want to.


Quote:
Originally Posted by Biosko View Post
Sorry for so many questions. Sometimes it's hard to understand examples on the internet because they are old or they double up some rows which are not really needed. I have found around 20 examples of iptables rules, but often you can delete half of them and it's the same. Or like the iptables rules in my first post: we deleted around 100 rows from the original script and it still works the same.
There's no such thing as "too many questions", and especially not when they clearly show you're making an effort to learn. I don't have an opinion of other people's rule sets as I'm not an iptables guru; I still consult the Frozentux tutorial, and I still learn new tricks.
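The bogon loop from post #5 and the ipset suggestion in this reply, combined into one added example that is not code from either post. It assumes a Team Cymru style list (one CIDR per line, '#' comment lines) and uses a constructed sample of that shape; it filters out ranges you still want to reach (the "pipe through grep" step), and emits the ipset and raw-table commands as text rather than running them, so it needs neither root nor network access. Inbound it matches bogon sources, outbound bogon destinations, following the explanation of the OUTPUT rule given earlier in this reply.

```python
"""Generate ipset + iptables raw-table commands from a bogon list.

Added example for this thread, not code from the posts: it reads a
Team-Cymru-style list (one CIDR per line, '#' comment lines), drops any
range you still need to reach, and emits the commands as text so it
runs without root or network access.
"""
import ipaddress

# Constructed sample in the shape of bogon-bn-nonagg.txt; NOT the real list.
SAMPLE_BOGONS = """\
# last updated: constructed sample, not the real file
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
192.168.0.0/16
224.0.0.0/4
"""


def parse_bogons(text):
    """Return ip_network objects, skipping blank and comment lines.

    A plain while-read loop would hand any comment line to iptables as if
    it were a range; filtering here avoids that.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def exclude_allowed(nets, allowed_cidrs):
    """Remove bogon entries overlapping LAN ranges you want to keep reachable
    (the 'pipe through grep after the wget' step, done in code)."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    return [n for n in nets if not any(n.overlaps(a) for a in allowed)]


def ipset_commands(nets, setname="bogons4", iface="eth0"):
    """Build the commands: one set, one add per range, two raw-table rules.

    Inbound drops bogon sources (PREROUTING); outbound drops bogon
    destinations (OUTPUT). The rule count stays at two however long the
    list is, which is the point of using ipset for 9000+ ranges.
    """
    cmds = [f"ipset create {setname} hash:net family inet -exist"]
    cmds += [f"ipset add {setname} {net} -exist" for net in nets]
    cmds += [
        f"iptables -t raw -I PREROUTING -i {iface} "
        f"-m set --match-set {setname} src -j DROP",
        f"iptables -t raw -I OUTPUT -o {iface} "
        f"-m set --match-set {setname} dst -j DROP",
    ]
    return cmds


if __name__ == "__main__":
    kept = exclude_allowed(parse_bogons(SAMPLE_BOGONS), ["192.168.1.0/24"])
    print("\n".join(ipset_commands(kept)))
```

Running the script prints the commands; on the firewall you would feed the real downloaded list in and pipe the output to sh. Because the match is a single set lookup, the two raw-table rules stay the same whether the set holds six entries or the full IPv4 and IPv6 bogon lists, and iptables-save will show exactly those two rules.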
 
  

