Need evaluation of my firewall rules
 

I need an expert eye on my FW rules to see if everything is OK. I have been using these for a very long time and don't have any problems. I want to have these evaluated once and for all so that I don't ever have to come back to them.

I don't know what some of the rules are for and I am not sure if the rules are ordered correctly. Can anyone see any problems/weaknesses in them? Are there any rules I don't need and can be removed? The server handles HTTP, incoming-only SMTP delivery, and DNS requests. Thanks.


# Generated by iptables-save v1.4.21 on Sat May 26 00:03:57 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [716:124495]
-A INPUT -s xxx.xxx.xxx.xxx/32 -m comment --comment "all access from own IP" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat May 26 00:03:57 2018

I'm certainly not an expert on firewall rules, but all the ports listed as open are ports that legitimately could be open for tcp, http, https, and email.

I don't have strong OUTPUT rules. Should I?

Simple Firewall Iptables for One Desktop Machine.

(POP, SMTP, and IMAP are commented)



#!/bin/bash
### Delete previous rules
iptables -F
### Accepting loopback
iptables -A OUTPUT -o lo -j ACCEPT
### Creating default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
### Allow previously established connections to continue uninterupted
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### Allow outbound connections on the ports we previously decided
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### DNS
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 51413 -j ACCEPT
### HTTP
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
### HTTPS
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
### POP
#iptables -A OUTPUT -p tcp --dport 995 -j ACCEPT
### IMAP
#iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT
### SMTP
#iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
### BTtracker
iptables -A OUTPUT -p tcp --dport 51413 -j ACCEPT
### DHCP
iptables -A OUTPUT -p tcp --dport 6969 -j ACCEPT
iptables -A OUTPUT -p UDP --dport 67:68 -j ACCEPT
### Drop others input connections
iptables -A INPUT -p tcp --syn -j DROP


If you want to do it more simple yet, you can use only this two rules.
They give permission to access internet with security, without complications:



#!/bin/bash
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP



Credits:
Carlos Morimoto
Servidores Linux, guia prático
Editora Meridional, Porto Alegre
2008, p. 191

Your defaults are all drops, and mine are all accepts. Which is better? My rules are for a server. At the moment all outgoing traffic are allowed. This seems too relaxed.

You may encounter problems on different levels. For now remember that continuous systems hardening and monitoring are a given, and that compromises most likely take place at OSI layer 7 (application) and 8 (wetware ;-p).


You use of the machine should include regular review of security posture. On ounce of prevention and all that.


If you're a Dev guy doing Ops then your rudimentary knowledge should include basic Linux admin knowledge I'd say?


Looks OK. Slight tweaks:

Indeed your egress rule set is empty. You could populate it with a list of bogon ranges (https://www.team-cymru.org/Services/...ogons-ipv4.txt), common ports for say IRC and Bitcoin miners, but instead of that I'd invest time in basic hardening & monitoring.


HTH

Too much knowledge makes for too little time. I am happy to outsource to experts. Gives them a chance to use their skills before becoming rusty ;).

Based on your evaluation, I have modified my FW rules accordingly:


The "all access from own IP" rule remains at the top because that's a script generated entry (done on demand), and I don't know a way to generate it at an arbitrary line towards the bottom.

I have no idea what the appropriate limits should be. So, I am using the ones you indicated.

Port 25 SMTP limit is set to 10. No idea if this is good but seems more forgiving than 1.

Public access to SSH port 22 is not required. All SSH access will be private and granted by the "all access from own IP" rule.

I have decided not to add any OUTPUT rules but to set up log for observation. At the moment, most of the log is about port 22 which I don't need. How do I exclude port 22 from logging?

Had a fatal flaw in the following rule which let everything through:

It should be:

I don't use open rules to initialize. I set the filter tables to drop. I specifically block all private address spaces except what I'm using, and about half of ipv4 address space. But if you initialize with a drop policy, you have to specifically allow everything.

Can I see a short sample. If it makes sense to me, I'll make use of what you have.

My INPUT rules should be OK.

Not sure if it's because I don't know how to read the OUTPUT log, my server appears to be contacting IP's from all over the place. Not sure why. I could do with some control over that.

Good one! Thanks for posting back, missed that one myself.

Based on stats, the rule

really needs to be at the top for best server efficiency, which may translate into better server response.


Stats:

My final rules are