Need evaluation of my firewall rules
I need an expert eye on my FW rules to see if everything is OK. I have been using these for a very long time and don't have any problems. I want to have these evaluated once and for all so that I don't ever have to come back to them.
I don't know what some of the rules are for and I am not sure if the rules are ordered correctly. Can anyone see any problems/weaknesses in them? Are there any rules I don't need and can be removed? The server handles HTTP, incoming-only SMTP delivery, and DNS requests. Thanks.
Code:
# Generated by iptables-save v1.4.21 on Sat May 26 00:03:57 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [716:124495]
-A INPUT -s xxx.xxx.xxx.xxx/32 -m comment --comment "all access from own IP" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat May 26 00:03:57 2018
I'm certainly not an expert on firewall rules, but all the ports listed as open are ports that legitimately could be open for tcp, http, https, and email.
I don't have strong OUTPUT rules. Should I?
Simple Firewall Iptables for One Desktop Machine.
(POP, SMTP, and IMAP are commented out)
Code:
#!/bin/bash
### Delete previous rules
iptables -F
### Accepting loopback (the INPUT side was missing; without it local
### services such as a resolver on 127.0.0.1 are cut off by the DROP policy)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
### Creating default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
### Allow previously established connections to continue uninterrupted
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### New outbound connections are allowed only on the ports below
### DNS
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
### HTTP
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
### HTTPS
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
### POP
#iptables -A OUTPUT -p tcp --dport 995 -j ACCEPT
### IMAP
#iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT
### SMTP
#iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
### BitTorrent (peer port 51413 tcp/udp and tracker port 6969)
iptables -A OUTPUT -p tcp --dport 51413 -j ACCEPT
iptables -A OUTPUT -p udp --dport 51413 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6969 -j ACCEPT
### DHCP
iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT
### Drop all other new inbound TCP connections
iptables -A INPUT -p tcp --syn -j DROP
If you want to do it even more simply, you can use only these two rules. They give permission to access the internet with security, without complications:
Code:
#!/bin/bash
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
Credits: Carlos Morimoto, Servidores Linux, guia prático, Editora Meridional, Porto Alegre 2008, p. 191
Your defaults are all drops, and mine are all accepts. Which is better? My rules are for a server. At the moment all outgoing traffic is allowed. This seems too relaxed.
Based on your evaluation, I have modified my FW rules accordingly:
The "all access from own IP" rule remains at the top because that's a script-generated entry (done on demand), and I don't know a way to generate it at an arbitrary line towards the bottom. I have no idea what the appropriate limits should be, so I am using the ones you indicated. The port 25 SMTP limit is set to 10. No idea if this is good, but it seems more forgiving than 1. Public access to SSH port 22 is not required. All SSH access will be private and granted by the "all access from own IP" rule. I have decided not to add any OUTPUT rules but to set up logging for observation. At the moment, most of the log is about port 22, which I don't need. How do I exclude port 22 from logging?
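Putting the changes discussed in this post together (default-deny policies, a limit on new SMTP sessions, a LOG rule for dropped INPUT traffic with port 22 kept out of the log by rejecting it first, and a minimal OUTPUT chain), as an added example rather than anyone's posted rules: `gen_rules` prints the ruleset in iptables-restore format, and two helpers answer the ordering question from the opening post (is any rule shadowed, and which ports end up open). The 203.0.113.10 address, the 10/min SMTP limit and the outbound 80/443 allowance are assumptions, not figures from the thread.

```shell
MY_IP="203.0.113.10"   # constructed placeholder for the OP's own IP
# Print a hardened server ruleset in iptables-restore format (load with
# "gen_rules | iptables-restore" as root, after reviewing it).
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s ${MY_IP}/32 -m comment --comment "all access from own IP" -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 10 -m comment --comment "assumed SMTP limit" -j ACCEPT
-A INPUT -p tcp --dport 22 -m comment --comment "rejected before LOG so it is never logged" -j REJECT --reject-with tcp-reset
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "IN-DROP: " --log-level 4
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m comment --comment "assumed: package updates" -j ACCEPT
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "OUT-DROP: " --log-level 4
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read a ruleset on stdin; print every rule in chain $1 that follows an
# unconditional "-A CHAIN -j TARGET" rule (it can never match). Exit 1 if any.
unreachable_rules() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      if (dead) { print "unreachable: " $0; bad = 1 }
      if ($3 == "-j") dead = 1
    }
    END { exit bad }'
}

# Read a ruleset on stdin; list the destination ports INPUT accepts.
open_ports() {
  awk '$2 == "INPUT" && $NF == "ACCEPT" {
    for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1) }'
}
```

Both helpers also work on live output (`iptables-save | unreachable_rules INPUT`), which is the check to run after hand-editing a chain.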
Had a fatal flaw in the following rule which let everything through:
I don't use open rules to initialize. I set the filter tables to drop. I specifically block all private address spaces except what I'm using, and about half of ipv4 address space. But if you initialize with a drop policy, you have to specifically allow everything.
My INPUT rules should be OK. Not sure if it's because I don't know how to read the OUTPUT log, but my server appears to be contacting IPs from all over the place. Not sure why. I could do with some control over that.
Based on stats, the rule
Stats:
My final rules are