my iptables rules, need suggestions and advice

Post by H. S » Mon, 19 May 2003 14:14:50



Hi,

I am writing my first firewall rules (iptables). I am running RH8.0,
2.4.20-13.8

I dial up using DSL and my interface device is ppp0. I don't have any
other computers connected to this one (so I don't need NAT, right?). I
only want usual browsing, IRC, and also that I should be able to connect
from my univ. to my home. I don't host any webpages and have no need for
an ftp server. Since I am a newbie yet, I have all the services switched off,
till I can get a reasonable set of rules figured out. What do you have
to say about the following?

###################### BEGIN#####################
#!/bin/sh

#my defines
#iptables command
IPTBLS=/sbin/iptables

#HS,15May2003.
#Firewall configuration written by HSS.

#allow everything on loopback so that my own computer is able to access
#itself over the loopback interface
$IPTBLS -A INPUT -i lo -p all -j ACCEPT
$IPTBLS -A OUTPUT -o lo -p all -j ACCEPT

#allow these services
$IPTBLS -A INPUT -p tcp --dport 22 -j ACCEPT # accept ssh

# Bad TCP flags
$IPTBLS -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTBLS -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTBLS -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTBLS -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTBLS -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTBLS -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#ICMP (0=Pong,3=Dest.Unreach,11=Time Exceeded,8=Ping)
$IPTBLS -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTBLS -A INPUT -p icmp --icmp-type 3 -j ACCEPT
#$IPTBLS -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTBLS -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPTBLS -A INPUT -p icmp -j DROP
$IPTBLS -A INPUT -p udp --dport 33434 -j REJECT  # Traceroute default port

# Established
$IPTBLS -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop everything else
$IPTBLS -A INPUT -j DROP
######################## END ################

->HS

--
----------------------  X  ----------------------
Remove all underscores from my email address to get the correct one.
Apologies for the inconvenience, but this is to reduce spam.

 
 
 

my iptables rules, need suggestions and advice

Post by Juha Laih » Tue, 20 May 2003 01:47:00



Quote:>I dial up using DSL and my interface device is ppp0. I don't have any
>other computers connected to this one (so I don't need NAT, right?).

Correct.

Quote:>I only want usual browsing, IRC, and also that I should be able to
>connect from my univ. to my home. I don't host any webpages and have
>no need for an ftp server.

Ok.

Quote:>Since I am a newbie yet, I have all the services switched off, till I
>can get a reasonable set of rules figured out.

Good!

Quote:>What do you have to say about the following?

Mostly fine; some comments interleaved with your script, and proposal for
an alternative script in the end, along with some discussion.

Quote:>###################### BEGIN#####################
>#!/bin/sh

>#my defines
>#iptables command
>IPTBLS=/sbin/iptables

>#HS,15May2003.
>#Firewall configuration written by HSS.

>#allow everything on loopback so that my own computer is able to access
>#itself over the loopback interface
>$IPTBLS -A INPUT -i lo -p all -j ACCEPT
>$IPTBLS -A OUTPUT -o lo -p all -j ACCEPT

"-p all" is the default if no "-p XXX" is specified. Also, you don't need
to separately accept the local interface traffic on output, as I don't
see you limiting the outbound traffic in any way.

Quote:>#allow these services
>$IPTBLS -A INPUT -p tcp --dport 22 -j ACCEPT # accept ssh

Slight problem here -- you're allowing _anything_ to your SSH port,
including various TCP flag scans - as you're dropping the suspicious
TCP flag combinations only later. I'll return to my solution to this
issue later in the message.

Quote:># Bad TCP flags
>$IPTBLS -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
>$IPTBLS -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
>$IPTBLS -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
>$IPTBLS -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
>$IPTBLS -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
>$IPTBLS -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

This I _think_ (though I still haven't seen clear documentation, nor have
I gone through the documentation myself) you can drop with
iptables -A INPUT -m state --state INVALID -j DROP

Quote:>#ICMP (0=Pong,3=Dest.Unreach,11=Time Exceeded,8=Ping)
>$IPTBLS -A INPUT -p icmp --icmp-type 0 -j ACCEPT
>$IPTBLS -A INPUT -p icmp --icmp-type 3 -j ACCEPT
>#$IPTBLS -A INPUT -p icmp --icmp-type 11 -j ACCEPT
>$IPTBLS -A INPUT -p icmp --icmp-type 8 -j ACCEPT
>$IPTBLS -A INPUT -p icmp -j DROP

More or less, the only icmp type you need to specifically accept is the ICMP
echo (type 8). The others are always _related_ to some "connection" you
already have. "Connection" is in quotation marks above, as here I talk about
connections as iptables sees them; so not TCP connections but connections
registered in the iptables connection cache - so in this sense a connection
may also be UDP.

Quote:>$IPTBLS -A INPUT -p udp --dport 33434 -j REJECT  # Traceroute default port

Ok.

Quote:># Established
>$IPTBLS -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

This needs to be much earlier.

Quote:># Drop everything else
>$IPTBLS -A INPUT -j DROP

Can be done with "policy DROP".

So, here's my version of what you had above:

# Drop all packets not otherwise matched
iptables -P INPUT DROP
# Delete all rules from the input chain;
# this allows you to run this script multiple times in succession,
# so f.ex. allows you to just update the rules in this script and
# re-run the script to have the changes take effect
iptables -F INPUT
# Accept anything and everything from the local interface
iptables -A INPUT -i lo -j ACCEPT
# Drop packets in an invalid state
# You might also put the explicit TCP flag rules from your original
# script here.
iptables -A INPUT -m state --state INVALID -j DROP
# Allow all return packets for traffic that was initiated from this
# host; also allow all packets for previously accepted inbound connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow starting new SSH connections from remote machines
iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT
# Reject packets to the traceroute port, thus responding to
# traceroute requests
iptables -A INPUT -p udp --dport 33434 -j REJECT
# Accept incoming ICMP ping requests; all connection-related ICMP is
# already accepted by the "RELATED,ESTABLISHED" rule
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

So, after the "RELATED,ESTABLISHED" rule, allow only packets that
establish a new connection (though, non-SYN TCP packets not already
belonging to an established connection, should be dropped by the
"INVALID" rule, if I understand correctly).

For example, if someone now sends an ACK (or FIN) packet to your
SSH port, the packet will not be accepted, if there wasn't already
an established SSH connection to which the packet belongs. With
your model, the SSH accept was so early that these invalid packets
would've been accepted for some processing at least.

You might also want to REJECT incoming connection requests for tcp/auth
(ident), as some servers (at least some FTP servers, some SMTP servers)
try to do an ident lookup to find more about your identity when you're
connecting, and can wait for up to 30 seconds or so to get the response.
So, when connecting to these sites, if you just drop their ident query,
you'll have an avoidable 30s delay.
--
Wolf  a.k.a.  Juha Laiho     Espoo, Finland

         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
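To make the ordering argument above concrete, here is an added example (my own code, not anything posted in the thread): a first-match model of an INPUT chain that runs the same constructed packets through the original order and through Juha's reordered chain. Conntrack state is supplied per packet rather than tracked, and the states are assumptions taken from the thread (an unsolicited non-SYN segment is INVALID, a reply to a connection this host opened is ESTABLISHED); the ICMP rules are abbreviated to the echo-request one.

```python
# Added example (not code from the thread): a first-match model of an iptables
# INPUT chain, comparing the original rule order with Juha's. Conntrack state is
# supplied per packet rather than tracked (assumed: unsolicited non-SYN = INVALID).
ALL = frozenset({"SYN", "ACK", "FIN", "RST", "PSH", "URG"})
SYN_ONLY = (frozenset({"SYN", "RST", "ACK"}), frozenset({"SYN"}))  # what --syn expands to

def rule(target, proto=None, dport=None, state=None, tcp_flags=None):
    """One INPUT rule; tcp_flags is (mask, comp): of the bits in mask, exactly comp is set."""
    return {"target": target, "proto": proto, "dport": dport, "state": state, "tcp_flags": tcp_flags}

def matches(r, pkt):
    """Every criterion given on the rule must hold (iptables ANDs them)."""
    mask, comp = r["tcp_flags"] or (frozenset(), frozenset())
    return ((r["proto"] is None or pkt["proto"] == r["proto"])
            and (r["dport"] is None or pkt["dport"] == r["dport"])
            and (r["state"] is None or pkt["state"] in r["state"])
            and (pkt["flags"] & mask) == comp)

def evaluate(chain, policy, pkt):
    for r in chain:          # walk top to bottom; the first match decides
        if matches(r, pkt):
            return r["target"]
    return policy            # nothing matched: chain policy applies

# H.S.'s order: port 22 is accepted before the flag checks and the state rule.
ORIGINAL = [
    rule("ACCEPT", proto="tcp", dport=22),
    rule("DROP", proto="tcp", tcp_flags=(ALL, frozenset({"FIN", "URG", "PSH"}))),
    rule("DROP", proto="tcp", tcp_flags=(ALL, frozenset())),                # ALL NONE
    rule("DROP", proto="tcp", tcp_flags=(frozenset({"SYN", "FIN"}),) * 2),  # SYN,FIN SYN,FIN
    rule("ACCEPT", proto="icmp", dport=8),   # dport stands in for --icmp-type
    rule("REJECT", proto="udp", dport=33434),
    rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
    rule("DROP"),
]
# Juha's order: INVALID dropped and ESTABLISHED accepted first, then SYN-only to 22.
REORDERED = [
    rule("DROP", state={"INVALID"}),
    rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
    rule("ACCEPT", proto="tcp", dport=22, tcp_flags=SYN_ONLY),
    rule("REJECT", proto="udp", dport=33434),
    rule("ACCEPT", proto="icmp", dport=8),
]

def pkt(proto, state, dport=None, flags=()):
    """A constructed inbound packet carrying the conntrack state it would get."""
    return {"proto": proto, "state": state, "dport": dport, "flags": frozenset(flags)}

def compare(p):
    """(verdict under the original order, verdict under the reordered chain)."""
    return evaluate(ORIGINAL, "ACCEPT", p), evaluate(REORDERED, "DROP", p)
```

Running a bare ACK or a FIN,URG,PSH segment aimed at port 22 through `compare` gives ACCEPT under the original order and DROP under the reordered one, which is exactly the difference Juha describes; legitimate SYNs and established traffic get the same verdict in both.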

 
 
 

my iptables rules, need suggestions and advice

Post by D. Stuss » Tue, 20 May 2003 08:02:45



> I am writing my first firewall rules (iptables). I am running RH8.0,
> 2.4.20-13.8

> I dial up using DSL and my interface device is ppp0. I don't have any
> other computers connected to this one (so I don't need NAT, right?). I
> only want usual browsing, IRC, and also that I should be able to connect
> from my univ. to my home. I don't host any webpages and have no need for
> an ftp server. Since I am a newbie yet, I have all the services switched off,
> till I can get a reasonable set of rules figured out. What do you have
> to say about the following?

Your rules are a mess.

Quote:> ###################### BEGIN#####################
> #!/bin/sh

> #my defines
> #iptables command
> IPTBLS=/sbin/iptables

> #HS,15May2003.
> #Firewall configuration written by HSS.

> #allow everything on loopback so that my own computer is able to access
> #itself over the loopback interface
> $IPTBLS -A INPUT -i lo -p all -j ACCEPT
> $IPTBLS -A OUTPUT -o lo -p all -j ACCEPT

> #allow these services
> $IPTBLS -A INPUT -p tcp --dport 22 -j ACCEPT # accept ssh

> # Bad TCP flags
> $IPTBLS -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
> $IPTBLS -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
> $IPTBLS -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
> $IPTBLS -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> $IPTBLS -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> $IPTBLS -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

> #ICMP (0=Pong,3=Dest.Unreach,11=Time Exceeded,8=Ping)
> $IPTBLS -A INPUT -p icmp --icmp-type 0 -j ACCEPT
> $IPTBLS -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> #$IPTBLS -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> $IPTBLS -A INPUT -p icmp --icmp-type 8 -j ACCEPT
> $IPTBLS -A INPUT -p icmp -j DROP
> $IPTBLS -A INPUT -p udp --dport 33434 -j REJECT  # Traceroute default port

> # Established
> $IPTBLS -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

> # Drop everything else
> $IPTBLS -A INPUT -j DROP
> ######################## END ################

1)  Use iptables-restore to set the rules.  It does an automatic flush and can
set the policies too.

#!/bin/sh
exec iptables-restore <<EOF
*filter
:INPUT   DROP    [0:0]
:OUTPUT  ACCEPT  [0:0]
:FORWARD DROP    [0:0]
-A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
-A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED -f
COMMIT
EOF

You specified no reason for accepting incoming SSH (or any other incoming
connection).  Therefore, your input rules should only accept connections that
you initiated - with everything else dropped.  The rules above would also hold
true for ICMP responses.  There is no reason (and not one stated) to make a
DIAL-UP machine pingable or traceroutable, so I ignored those rules that you
proposed.

 
 
 

my iptables rules, need suggestions and advice

Post by RainbowHa » Tue, 20 May 2003 18:34:41


< Juha Laiho


>>$IPTBLS -A INPUT -p udp --dport 33434 -j REJECT  # Traceroute default port

>Ok.

Not a critical problem. There are many variants of `traceroute`. The most
popular `traceroute`, the one included in most Linux distributions, changes
the destination port by TTL (hops). '33434' is just a default _base_
port. For example, if his|her univ. is 10 hops away, dport is 33444.

destination port = 32768(0x8000) + 666 + TTL(hops)

--
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7

 
 
 

my iptables rules, need suggestions and advice

Post by D. Stuss » Wed, 21 May 2003 05:34:36



> < Juha Laiho

> >>$IPTBLS -A INPUT -p udp --dport 33434 -j REJECT  # Traceroute default port

> >Ok.

> Not a critical problem. There are many variant of `traceroute`. Most
> popular `traceroute` that's included in most Linux distributions change
> the destination port by TTL (hops). '33434' is just a default _base_
> port. For example, If his|her univ. is 10 hops far, dport is 33444.

> destination port = 32768(0x8000) + 666 + TTL(hops)

                                     ^^^
Proof of how "evil" traceroute was initially thought to be?
 
 
 

my iptables rules, need suggestions and advice

Post by RainbowHa » Thu, 22 May 2003 01:46:46


< D. Stussy

nqueries : how many packets to send for each hop (default 3).

destination port = 32768(0x8000) + 666 + TTL(hops) * nqueries - 1

Quote:>> destination port = 32768(0x8000) + 666 + TTL(hops)
>                                     ^^^
>Proof of how "evil" traceroute was initially thought to be?

I'm not sure, but maybe it was just a joke, or because `traceroute` consumes
network resources, especially without the "-n" option. Again, there are many
variants. Most `traceroute` implementations originated from|are based on the following.

traceroute@ee.lbl.gov

u_short port = 32768 + 666; /* start udp dest port # for probe packets */

$ zgrep 'V\. Jacobson' rfc-index.txt.gz
1072 TCP extensions for long-delay paths.
1185 TCP Extension for High-Speed Paths.
1323 TCP Extensions for High Performance.
2327 SDP: Session Description Protocol.
2598 An Expedited Forwarding PHB.

I don't think Lawrence Berkeley National Laboratory and Van Jacobson
are evil. They are contributing to the network infrastructure. One of my
favorite tools, `tcpdump/libpcap`, originated at LBNL, too. I respect
them.

--
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
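The port arithmetic in RainbowHat's two posts matters for the REJECT rule discussed earlier in the thread: a rule for 33434 alone answers almost none of the probes. As an added example (my own code, not from any poster), here is that formula worked through to the port span a default run can reach and to a rule that covers it; the defaults nqueries=3 and max_ttl=30 are assumptions, as is the `rule_covers` helper.

```python
# Added example (not code from the thread): the probe-port arithmetic from
# RainbowHat's posts, used to size the REJECT rule. Defaults assumed here:
# nqueries=3 and max_ttl=30, as in classic LBL traceroute.
BASE_PORT = 32768 + 666  # 33434, the "start udp dest port" in traceroute.c

def probe_port(ttl, nqueries=3):
    """Destination port for hop `ttl` per the formula given in the thread."""
    return BASE_PORT + ttl * nqueries - 1

def probe_port_range(max_ttl=30, nqueries=3):
    """Inclusive span of destination ports a full traceroute run can hit."""
    return BASE_PORT, probe_port(max_ttl, nqueries)

def reject_rule(max_ttl=30, nqueries=3):
    """Rule text covering the whole span rather than the base port only."""
    lo, hi = probe_port_range(max_ttl, nqueries)
    return f"iptables -A INPUT -p udp --dport {lo}:{hi} -j REJECT"

def rule_covers(dport_spec, port):
    """Does an iptables --dport spec ("33434" or "33434:33523") match a port?"""
    lo, _, hi = dport_spec.partition(":")
    return int(lo) <= port <= int(hi or lo)
```

Probes that fall outside the rejected span hit the chain's default DROP instead, so the remote traceroute sees timeouts for those hops rather than the port-unreachable reply the REJECT was meant to give.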

 
 
 

my iptables rules, need suggestions and advice

Post by D. Stuss » Thu, 22 May 2003 12:03:55



> < D. Stussy

> nqueries : how many packets to send for each hop (default 3).

> destination port = 32768(0x8000) + 666 + TTL(hops) * nqueries - 1

> >> destination port = 32768(0x8000) + 666 + TTL(hops)
> >                                     ^^^
> >Proof of how "evil" traceroute was initially thought to be?

> I'm not sure but maybe just a joke or `traceroute` consume the network
> resources especially without "-n" option. Again, there are many variants.
> Most `traceroute` are originated|based the following.

Jokes usually have some basis in fact.  :-)
 
 
 
