LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-25-2018, 07:29 PM   #1
DevGuy
LQ Newbie
 
Registered: May 2018
Location: London
Distribution: CentOS 7.5
Posts: 25

Rep: Reputation: Disabled
Need evaluation of my firewall rules


I need an expert eye on my FW rules to see if everything is OK. I have been using these for a very long time and don't have any problems. I want to have these evaluated once and for all so that I don't ever have to come back to them.

I don't know what some of the rules are for and I am not sure if the rules are ordered correctly. Can anyone see any problems/weaknesses in them? Are there any rules I don't need and can be removed? The server handles HTTP, incoming-only SMTP delivery, and DNS requests. Thanks.


# Generated by iptables-save v1.4.21 on Sat May 26 00:03:57 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [716:124495]
-A INPUT -s xxx.xxx.xxx.xxx/32 -m comment --comment "all access from own IP" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat May 26 00:03:57 2018
 
Old 05-25-2018, 08:59 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,317
Blog Entries: 28

Rep: Reputation: 6140
I'm certainly not an expert on firewall rules, but all the ports listed as open are ports that legitimately could be open for tcp, http, https, and email.
 
Old 05-26-2018, 04:15 AM   #3
DevGuy
LQ Newbie
 
Registered: May 2018
Location: London
Distribution: CentOS 7.5
Posts: 25

Original Poster
Rep: Reputation: Disabled
I don't have strong OUTPUT rules. Should I?
 
Old 05-26-2018, 08:55 AM   #4
luizlmarins
LQ Newbie
 
Registered: Nov 2012
Location: São Paulo
Distribution: Debian
Posts: 10
Blog Entries: 1

Rep: Reputation: Disabled
Simple Firewall Iptables for One Desktop Machine.

(POP, SMTP, and IMAP are commented out)



#!/bin/bash
### Delete previous rules (and any user-defined chains)
iptables -F
iptables -X
### Default policies: deny everything that no rule below explicitly allows
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
### Accept loopback in both directions: the first packet of a local
### connection to 127.0.0.1 arrives on INPUT in state NEW, so an OUTPUT-only
### loopback rule would leave it to the DROP policy
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
### Allow previously established connections to continue uninterrupted
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
### Allow new outbound connections only on the ports we decided on below
### DNS
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
### HTTP
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
### HTTPS
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
### POP
#iptables -A OUTPUT -p tcp --dport 995 -j ACCEPT
### IMAP
#iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT
### SMTP
#iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
### BitTorrent: peer port 51413 (tcp and udp) and the usual tracker port 6969
iptables -A OUTPUT -p tcp --dport 51413 -j ACCEPT
iptables -A OUTPUT -p udp --dport 51413 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6969 -j ACCEPT
### DHCP (client to server is udp 67, server to client is udp 68)
iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT
### Drop other incoming connection attempts (redundant with the DROP policy,
### kept as an explicit rule so the counters show what is being refused)
iptables -A INPUT -p tcp --syn -j DROP


If you want to make it even simpler, you can use only these two rules.
They allow Internet access securely, without complications:



#!/bin/bash
### Accept anything this machine sends to itself over loopback
iptables -A OUTPUT -o lo -j ACCEPT
### Drop new inbound TCP connections (SYN packets); the default policies are
### left at ACCEPT, so UDP and non-SYN TCP are not filtered by this script
iptables -A INPUT -p tcp --syn -j DROP



Credits:
Carlos Morimoto
Servidores Linux, guia prático
Editora Meridional, Porto Alegre
2008, p. 191

Last edited by luizlmarins; 05-26-2018 at 09:11 AM.
 
Old 05-26-2018, 10:43 AM   #5
DevGuy
LQ Newbie
 
Registered: May 2018
Location: London
Distribution: CentOS 7.5
Posts: 25

Original Poster
Rep: Reputation: Disabled
Your defaults are all drops, and mine are all accepts. Which is better? My rules are for a server. At the moment all outgoing traffic is allowed. This seems too relaxed.
 
Old 05-27-2018, 05:49 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by DevGuy
I have been using these for a very long time and don't have any problems.
You may encounter problems on different levels. For now remember that continuous systems hardening and monitoring are a given, and that compromises most likely take place at OSI layer 7 (application) and 8 (wetware ;-p).


Quote:
Originally Posted by DevGuy
I want to have these evaluated once and for all so that I don't ever have to come back to them.
Your use of the machine should include regular review of its security posture. An ounce of prevention and all that.


Quote:
Originally Posted by DevGuy
I don't know what some of the rules are for and I am not sure if the rules are ordered correctly.
If you're a Dev guy doing Ops then your rudimentary knowledge should include basic Linux admin knowledge I'd say?


Quote:
Originally Posted by DevGuy
Can anyone see any problems/weaknesses in them? Are there any rules I don't need and can be removed? The server handles HTTP, incoming-only SMTP delivery, and DNS requests.
Looks OK. Slight tweaks:

Code:
*filter
:INPUT ACCEPT [0:0]
# You're not forwarding so explicitly deny it.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [716:124495]
# Get loopback device out of the way, also keeps you from having to use Ethernet device names if you have just one.
-A INPUT -i lo -j ACCEPT
# The next rules should be ordered "first match wins", meaning since it's a server you want to prioritize what you serve, yes?
# I've taken the liberty to make this an Internet-facing server so prioritize DNS over the rest and remote over local req's.
# Tweak or remove limits as you see fit. Also spot a new port for SSH:
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 53 -m limit --limit 10/s -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 80,443 -m limit --limit 120/s -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 22,25 -m limit --limit 1/s -j ACCEPT
-A INPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -m comment --comment "all access from own IP" -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Indeed your egress rule set is empty. You could populate it with a list of bogon ranges (https://www.team-cymru.org/Services/...ogons-ipv4.txt), common ports for say IRC and Bitcoin miners, but instead of that I'd invest time in basic hardening & monitoring.


HTH
 
Old 05-27-2018, 10:07 AM   #7
DevGuy
LQ Newbie
 
Registered: May 2018
Location: London
Distribution: CentOS 7.5
Posts: 25

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn
If you're a Dev guy doing Ops then your rudimentary knowledge should include basic Linux admin knowledge I'd say?
Too much knowledge makes for too little time. I am happy to outsource to experts. Gives them a chance to use their skills before becoming rusty.

Based on your evaluation, I have modified my FW rules accordingly:

Quote:
# Generated by iptables-save v1.4.21 on Sun May 27 14:49:37 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [485:169191]
-A INPUT -s xxx.xxx.xxx.xxx/32 -m comment --comment "all access from own IP" -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport xxxxx -m comment --comment Apps -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 53 -m limit --limit 10/sec -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -m limit --limit 5/sec -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 80,443 -m limit --limit 120/sec -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -m limit --limit 10/sec -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport xxxxxx -m comment --comment "backup access from secondary server" -j ACCEPT
-A INPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j LOG
COMMIT
# Completed on Sun May 27 14:49:37 2018

The "all access from own IP" rule remains at the top because that's a script generated entry (done on demand), and I don't know a way to generate it at an arbitrary line towards the bottom.

I have no idea what the appropriate limits should be. So, I am using the ones you indicated.

Port 25 SMTP limit is set to 10. No idea if this is good but seems more forgiving than 1.

Public access to SSH port 22 is not required. All SSH access will be private and granted by the "all access from own IP" rule.

I have decided not to add any OUTPUT rules but to set up log for observation. At the moment, most of the log is about port 22 which I don't need. How do I exclude port 22 from logging?
 
Old 05-27-2018, 04:22 PM   #8
DevGuy
LQ Newbie
 
Registered: May 2018
Location: London
Distribution: CentOS 7.5
Posts: 25

Original Poster
Rep: Reputation: Disabled
Had a fatal flaw in the following rule which let everything through:

Quote:
-A INPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
It should be:

Quote:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
Old 05-29-2018, 12:36 PM   #9
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015
I don't use open rules to initialize. I set the filter tables to drop. I specifically block all private address spaces except what I'm using, and about half of ipv4 address space. But if you initialize with a drop policy, you have to specifically allow everything.
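Post #6 mentions populating the empty egress chain with bogon ranges, and the post above describes blocking the private address spaces "except what I'm using". The following is an added example written for this page, not any poster's code, showing what that looks like when generated rather than typed: BOGONS is a constructed excerpt of the IPv4 special-purpose ranges (fetch the live list from Team Cymru before deploying), IN_USE is an assumed carve-out of loopback plus one RFC 1918 subnet standing in for the backup link from post #7, and the carve-out is subtracted from the bogon list before the OUTPUT DROP rules are rendered.

```python
"""Egress bogon deny list with an "in use" carve-out, rendered as OUTPUT rules.
Added example for this page, not any poster's code."""
import ipaddress

# Constructed excerpt of the IPv4 special-purpose ranges, not the live Team Cymru file.
BOGONS = """
0.0.0.0/8        # "this" network
10.0.0.0/8       # RFC 1918
100.64.0.0/10    # shared address space (CGNAT)
127.0.0.0/8      # loopback
169.254.0.0/16   # link local
172.16.0.0/12    # RFC 1918
192.0.0.0/24     # IETF protocol assignments
192.0.2.0/24     # TEST-NET-1
192.168.0.0/16   # RFC 1918
198.18.0.0/15    # benchmarking
198.51.100.0/24  # TEST-NET-2
203.0.113.0/24   # TEST-NET-3
224.0.0.0/4      # multicast
240.0.0.0/4      # reserved, includes the 255.255.255.255 broadcast address
"""

# Assumed: loopback must stay reachable and the backup link lives in one
# RFC 1918 subnet. Replace with whatever this host really uses.
IN_USE = ["127.0.0.0/8", "10.20.0.0/16"]


def load_networks(text):
    """Parse one CIDR per line, ignoring blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line))  # strict: rejects set host bits
    return nets


def egress_deny_list(bogons, in_use):
    """Bogon ranges minus every in-use network, collapsed to the fewest prefixes."""
    pieces = list(bogons)
    for a in (ipaddress.ip_network(x) for x in in_use):
        kept = []
        for p in pieces:
            if p.subnet_of(a):           # entirely allowed (also covers p == a)
                continue
            if a.subnet_of(p):           # carve the allowed block out of p
                kept.extend(p.address_exclude(a))
            else:
                kept.append(p)
        pieces = kept
    return list(ipaddress.collapse_addresses(pieces))


def iptables_rules(nets, chain="OUTPUT"):
    """Render the deny list as iptables-restore lines for the given chain."""
    return [f"-A {chain} -d {n} -j DROP" for n in nets]


def is_blocked(ip, nets):
    """Would a packet to this destination match one of the deny rules?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    deny = egress_deny_list(load_networks(BOGONS), IN_USE)
    print("\n".join(iptables_rules(deny)))
```

Two caveats before pasting the output into a real OUTPUT chain: an `-o lo -j ACCEPT` rule still has to come first, and 240.0.0.0/4 contains 255.255.255.255, so a host that obtains its address by DHCP needs that address (and, if it uses mDNS or multicast NTP, 224.0.0.0/4) added to IN_USE or accepted by an earlier rule.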
 
Old 05-29-2018, 04:19 PM   #10
DevGuy
LQ Newbie
 
Registered: May 2018
Location: London
Distribution: CentOS 7.5
Posts: 25

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by AwesomeMachine
I don't use open rules to initialize. I set the filter tables to drop. I specifically block all private address spaces except what I'm using, and about half of ipv4 address space. But if you initialize with a drop policy, you have to specifically allow everything.
Can I see a short sample? If it makes sense to me, I'll make use of what you have.

My INPUT rules should be OK.

Not sure if it's because I don't know how to read the OUTPUT log, but my server appears to be contacting IPs from all over the place. Not sure why. I could do with some control over that.
 
Old 05-30-2018, 12:19 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by DevGuy
Had a fatal flaw in the following rule which let everything through
Good one! Thanks for posting back, missed that one myself.
 
Old 05-31-2018, 07:43 PM   #12
DevGuy
LQ Newbie
 
Registered: May 2018
Location: London
Distribution: CentOS 7.5
Posts: 25

Original Poster
Rep: Reputation: Disabled
Based on stats, the rule

Quote:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
really needs to be at the top for best server efficiency, which may translate into better server response.


Stats:
Quote:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1424 173K ACCEPT all -- * * xx.x.xxx.xx 0.0.0.0/0 /* all access from own IP */
0 0 DROP all -- * * xx.xx.xxx.x/24 0.0.0.0/0 /* email spammer */
2825 1608K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
13 923 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW udp dpt:53 /* DNS */ limit: avg 10/sec burst 5
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:53 /* DNS */ limit: avg 5/sec burst 5
17 948 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp multiport dports 80,443 limit: avg 120/sec burst 5
5 260 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:25 limit: avg 5/sec burst 5
0 0 ACCEPT tcp -- * * xxx.xxx.xxx.xxx 0.0.0.0/0 tcp dpt:xxxxx /* backup access from secondary server */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:xxxxx /* Legacy user apps */
132K 417M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 28 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3288 197K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy DROP 0 packets, 0 bytes)

My final rules are
Quote:
# Generated by iptables-save v1.4.21 on Fri Jun 1 00:30:42 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [29:4312]
-A INPUT -s xx.x.xxx.xx/32 -m comment --comment "all access from own IP" -j ACCEPT
-A INPUT -s xx.xx.xxx.x/24 -m comment --comment "email spammer" -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 53 -m comment --comment DNS -m limit --limit 10/sec -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -m comment --comment DNS -m limit --limit 5/sec -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 80,443 -m limit --limit 120/sec -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -m limit --limit 5/sec -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport xxxxx -m comment --comment "backup access from secondary server" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport xxxxx -m comment --comment "Legacy user apps" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jun 1 00:30:42 2018

Last edited by DevGuy; 05-31-2018 at 07:48 PM.
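Two things in this thread are worth checking mechanically whenever the rule set changes: the post #8 flaw, where an ACCEPT matching `NEW,RELATED,ESTABLISHED` with no other qualifier lets everything through and makes every later rule dead, and the post #12 ordering point, where the `RELATED,ESTABLISHED` accept should sit ahead of the per-port rules because it carries most of the traffic. The following is an added example written for this page, not any poster's code: a small auditor for the `*filter` table of an `iptables-save` dump that reports both, plus a chain whose policy is ACCEPT without a terminal deny. It decodes only the options these checks need and does not understand negations such as `! -s`. The sample dumps are constructed stand-ins for the post #7 and post #12 rule sets, with a documentation address and port 8080 in place of the x'ed-out values and some rules left out; the ordering check encodes the post #12 conclusion, not unSpawn's "serve first" ordering from post #6.

```python
"""Audit the *filter table of an iptables-save dump for the pitfalls raised in
this thread. Added example for this page, not any poster's code."""
import shlex
from dataclasses import dataclass
from typing import Optional

WANTED = ("-j", "--ctstate", "--state", "-s", "-i", "--dport", "--dports")


@dataclass
class Rule:
    chain: str
    target: Optional[str]
    states: frozenset            # connection states, upper-cased
    src: Optional[str]
    in_iface: Optional[str]
    dports: Optional[str]
    raw: str

    @property
    def restricted(self) -> bool:
        """True when something other than connection state narrows the match."""
        return any(v is not None for v in (self.src, self.in_iface, self.dports))


def parse_filter_table(dump: str):
    """Return (policies, rules) for the *filter section of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif line == "COMMIT":
            in_filter = False
        elif not in_filter:
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        else:
            toks = shlex.split(line)  # keeps quoted --comment text as one token
            if len(toks) < 2 or toks[0] != "-A":
                continue
            opts = {t: toks[i + 1] for i, t in enumerate(toks[:-1]) if t in WANTED}
            states = opts.get("--ctstate") or opts.get("--state") or ""
            rules.append(Rule(toks[1], opts.get("-j"),
                              frozenset(s.upper() for s in states.split(",") if s),
                              opts.get("-s"), opts.get("-i"),
                              opts.get("--dport") or opts.get("--dports"), line))
    return policies, rules


def _ends_in_deny(chain_rules) -> bool:
    last = chain_rules[-1] if chain_rules else None
    return (last is not None and last.target in ("DROP", "REJECT")
            and not last.restricted and not last.states)


def audit(dump: str):
    """Return [(check_id, message), ...]; an empty list means every check passed."""
    policies, rules = parse_filter_table(dump)
    inp = [r for r in rules if r.chain == "INPUT"]
    findings = []
    # Post #8: ACCEPT + NEW with no other qualifier is a catch-all, and every
    # rule after it (the terminal REJECT included) is dead.
    for n, r in enumerate(inp, start=1):
        if r.target == "ACCEPT" and "NEW" in r.states and not r.restricted:
            findings.append(("open-catchall", f"INPUT rule {n} accepts NEW from anywhere: {r.raw}"))
    # An ACCEPT policy is only safe when the chain ends in an explicit deny.
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain, "ACCEPT") == "ACCEPT" and \
                not _ends_in_deny([r for r in rules if r.chain == chain]):
            findings.append(("no-default-deny", f"{chain} policy is ACCEPT with no terminal DROP/REJECT"))
    # Post #12: the RELATED,ESTABLISHED accept carries most packets, so it
    # belongs ahead of the per-port NEW rules, not behind them.
    est = next((i for i, r in enumerate(inp) if r.target == "ACCEPT"
                and "ESTABLISHED" in r.states and not r.restricted), None)
    first_port = next((i for i, r in enumerate(inp)
                       if r.target == "ACCEPT" and r.dports is not None), None)
    if est is None:
        findings.append(("no-established", "INPUT never accepts RELATED,ESTABLISHED"))
    elif first_port is not None and first_port < est:
        findings.append(("established-late", f"RELATED,ESTABLISHED accept is INPUT rule "
                         f"{est + 1}, after per-port rules starting at rule {first_port + 1}"))
    return findings


# Constructed stand-in for the post #7 rule set (documentation address, port 8080).
FLAWED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.10/32 -m comment --comment "all access from own IP" -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -m comment --comment Apps -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 53 -m limit --limit 10/sec -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 80,443 -m limit --limit 120/sec -j ACCEPT
-A INPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Stand-in for the post #12 set: catch-all removed, RELATED,ESTABLISHED moved up.
FINAL = FLAWED.replace("-A INPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT\n", "") \
    .replace("-A INPUT -i lo", "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -i lo")

if __name__ == "__main__":
    for name, dump in (("flawed", FLAWED), ("final", FINAL)):
        print(name, audit(dump) or "clean")
```

Run it against `iptables-save` output before loading a new rule set; a clean result does not make the rules correct, but it rules out the two mistakes that cost this thread a post each.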
 