Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have an apache server going and I set the default settings for the chains to drop everything, and I would allow only what I declared necessary to be open to run on the firewall, but I faced a problem. I ran these commands for security:
Code:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Now iptables is set to drop everything from all the targets. Since I have an apache server going, I ran these commands:
Code:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
I attempted to access the website after setting these options and I was unable to reach it, so I did some experimenting. I changed the default of the input chain to ACCEPT and I still got nothing. When I changed the default of the output chain to ACCEPT and the input back to DROP, it started working again. My question is: what do I need to set in the output chain in order to have a working apache server, while having the default value for the output chain set to DROP, and still allow access to the web page?
Don't set OUTPUT to DROP. It sounds like you don't have a real grasp of what the different tables are for, so I'd really suggest you read up on things like connection tracking and such. Most normal servers will not have anything at all in the OUTPUT table, only INPUT. Whilst forums are great places to learn, saying "how do I make this work?" is really not the way to do what you're after; you need to understand what you're messing with IF you are messing with it. The defaults would more than likely have been just fine, after new connections on port 80 were added to INPUT.
Why do you want to have a default DROP? What security scenarios are you trying to guard against?
Last edited by acid_kewpie; 01-08-2013 at 10:05 AM.
I am trying to prevent the possibility that someone has planted a netcat listener and it's working on a port that isn't being used (through the output chain; the input chain should be just as restrictive, so as not to let any unauthorized connection be established). They can then use the netcat listener to make a backdoor and gain access to the machine. In order to ensure that any unused ports aren't open, I set the default output chain target to DROP and I want to only allow ports for certain services (in this case apache) and nothing else. The problem is that when I set the output chain to DROP and put in this command
Code:
iptables -P OUTPUT DROP
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
Last edited by baronobeefdip; 01-08-2013 at 11:21 AM.
Quote:
Originally Posted by baronobeefdip
I am trying to prevent (..) They can then use the netcat listener to make a backdoor and gain access to the machine.
That being your scenario I suggest you look at other aspects of host security first. Please list what distribution and release you're using, what your web server serves (package names and versions if possible) and what security measures you already implemented?
Quote:
Originally Posted by baronobeefdip
In order to ensure that any unused ports aren't open I set the default output chain target to drop and I want to only allow ports for certain services (in this case apache) and nothing else.
Generally speaking you should be somewhat aware of how network connections and services work before you modify your firewall. If you do, best use "-j LOG" targets to assess what traffic goes where, as that's the easiest, most efficient way to troubleshoot rule set problems. For example (top of my head):
Code:
# iptables-restore style rules for the OUTPUT chain
-P OUTPUT ACCEPT
# loopback traffic is always allowed
-A OUTPUT -o lo -j ACCEPT
# web server replies: accept without logging
-A OUTPUT -m tcp -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# log (rate-limited) everything else that is part of a known connection, then allow it
-A OUTPUT -m limit --limit 1/s -j LOG --log-prefix "OUT_EST_other "
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new outbound DNS and ICMP requests
-A OUTPUT -m udp -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -m icmp -p icmp -m state --state NEW -j ACCEPT
# log (rate-limited) and reject everything else; the REJECT itself is not
# rate-limited, otherwise excess packets would fall through to the ACCEPT policy
-A OUTPUT -m limit --limit 1/s -j LOG --log-prefix "OUT_REJ_other "
-A OUTPUT -j REJECT
will allow loopback (which you always should), allow "answers" from your web server without logging them, log all other related requests with an "OUT_EST_other" tag, allow DNS and ICMP requests out, and finally log and reject everything else (REJECT, not DROP, with respect to the response) using the "OUT_REJ_other" tag, which you can grep for in your syslog.
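To make use of the "OUT_EST_other" / "OUT_REJ_other" tags from the rule set above, here is an added example (not code from the thread) that parses netfilter LOG lines out of syslog and counts flows per destination and port; the syslog excerpt is constructed for the example, and the host name, addresses and ports in it are made up.

```python
"""Summarise the OUT_EST_other / OUT_REJ_other entries that the LOG rules
above write to syslog. Added example, not code from the thread; the log
lines are constructed in the netfilter LOG format, not captured."""
import re
from collections import Counter

# Constructed syslog excerpt (host, addresses and ports are made up).
SAMPLE_SYSLOG = """\
Jan  8 10:05:01 web1 kernel: [1201.1] OUT_EST_other IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=22 DPT=51234 WINDOW=229 RES=0x00 ACK URGP=0
Jan  8 10:05:02 web1 kernel: [1202.2] OUT_REJ_other IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=44321 DPT=8888 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  8 10:05:03 web1 kernel: [1203.3] OUT_REJ_other IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=44322 DPT=8888 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  8 10:05:04 web1 kernel: [1204.4] OUT_REJ_other IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Jan  8 10:05:05 web1 sshd[2211]: Accepted publickey for admin from 198.51.100.7 port 51234 ssh2
"""

# The prefix is the --log-prefix string; everything after it is KEY=VALUE
# fields plus bare flag tokens (DF, SYN, ACK) that carry no '='.
LOG_RE = re.compile(r"kernel: .*?(?P<prefix>OUT_(?:EST|REJ)_other) (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return (prefix, {KEY: VALUE}) for a tagged LOG line, or None for any
    other syslog line (sshd, cron, ...)."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m.group("prefix"), dict(KV_RE.findall(m.group("fields")))

def summarise(syslog_text):
    """Count flows per (prefix, PROTO, DST, DPT). Repeated OUT_REJ_other hits
    on one DST:DPT are what to inspect: a service still missing an OUTPUT
    rule, or traffic the host should not be originating at all."""
    counts = Counter()
    for line in syslog_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        counts[(prefix, f.get("PROTO"), f.get("DST"), f.get("DPT"))] += 1
    return counts

if __name__ == "__main__":
    for (prefix, proto, dst, dport), n in summarise(SAMPLE_SYSLOG).most_common():
        print(f"{n:4d}  {prefix:14s} {proto} -> {dst}:{dport}")
```

On a real host, feed it the output of grep for the tags in /var/log/syslog or /var/log/messages instead of the constructed excerpt.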
I agree that having the output chain like this and this only:
Code:
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j DROP
will suffice as being at least the best security that I can do. You are right in saying that in order for someone to get access to the box with netcat they need to traverse the input chain first; since the input chain is restricted to only the ports that match the protocols that the box is running, the possibility of something being able to get in through a backdoor like netcat is reduced considerably. This might not fare well with the leader of the lab environment that I am working in; he is very hard to convince. From what I can see, however, the OUTPUT chain shouldn't be a big concern since it's only allowing currently established connections out (related and established; do I need NEW?), and if netcat is running it will be visible as an open port from the outside (which is controlled by the output chain), but in order to get a connection to the machine you need to go through the input chain, and this is where it is going to stop the netcat backdoor in its tracks.