Leon Vergottini
2016-Jun-29 10:00 UTC
[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice
Dear Members

I hope you are all doing well.

I am busy teaching myself iptables and was wondering if I may get some advice. The scenario is the following:

    1. Default policy is to block all traffic
    2. Allow web traffic and SSH
    3. Allow other applications

I have come up with the following:

#!/bin/bash

# RESET CURRENT RULE BASE
iptables -F
service iptables save

# DEFAULT FIREWALL POLICY
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# ------------------------------------------------------
# INPUT CHAIN RULES
# ------------------------------------------------------

# MOST COMMON ATTACKS
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# WEB SERVICES
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT

# EMAIL
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

# OTHER APPLICATIONS
iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT

# ------------------------------------------------------
# OUTPUT CHAIN RULES
# ------------------------------------------------------

# UDP
iptables -A OUTPUT -p udp -j DROP

# LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
iptables -A OUTPUT -i lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# WEB SERVICES
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT

# EMAIL
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

# OTHER APPLICATIONS
iptables -A INPUT -p tcp -m tcp --dport 11009 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 12009 -j ACCEPT

# ------------------------------------------------------
# SAVE & APPLY
# ------------------------------------------------------

service iptables save
service iptables restart

To note:

    1. The drop commands at the beginning of each chain are there to increase performance. It is my understanding that the file gets read from top to bottom and applied accordingly. Therefore, applying them at the beginning will increase the performance by not reading through all the rules only to apply the default policy.
    2. I know the above point will not really affect the performance, so it is more a matter of getting into the habit of structuring the rules according to best practice, or at least establishing a pattern for myself.

How secure is this setup? Are there any mistakes or things that I need to look out for?

Thank you in advance for your feedback.

Kind Regards
Leon
On 29/06/16 20:00, Leon Vergottini wrote:
> # DEFAULT FIREWALL POLICY
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> # ------------------------------------------------------
> # INPUT CHAIN RULES
> # ------------------------------------------------------
>
> # MOST COMMON ATTACKS
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
>

Why bother adding DROP rules if the default policy is DROP?
Paul Heinlein
2016-Jun-29 15:15 UTC
[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice
On Wed, 29 Jun 2016, Leon Vergottini wrote:
> I am busy teaching myself iptables [....]
>
> How secure is this setup? Are there any mistakes or things that I
> need to look out for?

It's only as secure as your web stack (and, in your case, SSH configuration). Packet filtering is a necessary security tool, but it's not sufficient for total security. Much harder is auditing the pieces of your applications:

* locked-down application configuration(s),
* decent password policy,
* access controls (mandatory and discretionary) that limit exposure to exploits or vulnerabilities,
* timely patching,
* good service monitoring combined with a remediation plan should things go awry,
* good crypto configuration,
* etc., etc.

In other words, packet filtering is a good start toward a secure system, but no more than that.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
Hello Leon.

In addition to everything else mentioned in this thread, I'd recommend a great book on the topic: "Attack Detection and Response with iptables, psad, and fwsnort" by Michael Rash. It contains a really nice and detailed guide to iptables and the most common attacks, nmap, psad and snort.

Regarding your config, I'd like to point out several things:

1. You're not dropping packets in state 'INVALID' at the top of your script, which is strange given that you have 3 rules to detect other non-standard behaviour;
2. Since you're blocking outgoing UDP, you should be certain that all UDP services are set up to use TCP instead, and add corresponding rules for them. I'm talking about DNS queries and NTP time sync requests (the most common, but not the only ones). These services use UDP, but you disabled it and haven't created an outgoing rule for DNS over TCP or NTP over TCP. You can't do DNS queries, and that is almost always painful for any service you're running on your server;
3. It seems strange that you haven't added SMTP to the list of allowed outgoing connections.

29.06.2016, 13:01, "Leon Vergottini" <leonv at cornerstone.ac.za>:
> Dear Members
>
> I hope you are all doing well.
>
> I am busy teaching myself iptables and was wondering if I may get some
> advice. The scenario is the following:
>
>     1. Default policy is to block all traffic
>     2. Allow web traffic and SSH
>     3. Allow other applications
>
> I have come up with the following:
>
> [....]
>
> How secure is this setup? Are there any mistakes or things that I need to
> look out for?
>
> Thank you in advance for your feedback.
>
> Kind Regards
> Leon
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
Leon Vergottini
2016-Jun-29 16:37 UTC
[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice
Dear Members

Thank you for your replies.

@Anthony K. -- One of the articles that I have read mentioned that the file gets read from top to bottom and the rules are applied accordingly. In addition, the article also explained that if there is no matching rule, the default policy will be applied. The writer suggested that rules with the highest chance of matching should be at the beginning of the tables. Therefore, I added them at the top with the assumption that one would like to drop non-standard packets as early as possible.

@Paul. I totally agree with you. My main objective is to master concepts related to iptables. I never had to deal with iptables in the past; however, the landscape I find myself in is changing and I realised the need to develop the skill set.

@l at avc.su. I was able to track down the book you mentioned and downloaded a copy.

Thank you once again to all. I have learned a lot from your replies. Have an awesome week further.

Kind Regards
Leon

On Wed, Jun 29, 2016 at 5:41 PM, l at avc.su <l at avc.su> wrote:
> Hello Leon.
>
> In addition to everything else mentioned in this thread, I'd recommend
> a great book on the topic:
> "Attack Detection and Response with iptables, psad, and fwsnort" by Michael
> Rash.
> It contains a really nice and detailed guide to iptables and the most common
> attacks, nmap, psad and snort.
>
> Regarding your config, I'd like to point out several things:
> 1. You're not dropping packets in state 'INVALID' at the top of your script,
> which is strange given that you have 3 rules to detect other non-standard
> behaviour;
> 2. Since you're blocking outgoing UDP, you should be certain that all UDP
> services are set up to use TCP instead, and add corresponding rules for
> them. I'm talking about DNS queries and NTP time sync requests (the most
> common, but not the only ones). These services use UDP, but you disabled it
> and haven't created an outgoing rule for DNS over TCP or NTP over TCP. You
> can't do DNS queries, and that is almost always painful for any service you're
> running on your server;
> 3. It seems strange that you haven't added SMTP to the list of allowed
> outgoing connections.
>
> 29.06.2016, 13:01, "Leon Vergottini" <leonv at cornerstone.ac.za>:
> > [....]
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
Gordon Messmer
2016-Jun-29 17:49 UTC
[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice
On 06/29/2016 03:00 AM, Leon Vergottini wrote:
> #!/bin/bash
>
> # RESET CURRENT RULE BASE
> iptables -F
> service iptables save

Why would you save the existing rule set? This script throws it away later, when it runs save again.

> # MOST COMMON ATTACKS
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

By putting these rules first, before the "ESTABLISHED,RELATED" rule, you're applying additional processing (CPU time) to the vast majority of your packets for no reason. The "E,R" rule should be first. It won't match the invalid packets you're trying to drop.

> # SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

You're not specifying the "new" state in any of your input ACCEPT rules, which means that you're also ACCEPTing invalid packets that don't match the handful of invalid states you DROPped earlier.

> iptables -A OUTPUT -p udp -j DROP

What? Why? Do you like really slow DNS? (If you don't care about your own lookups, turn the question around. Do you like putting extra load on your DNS server, impacting service for all of its other users?)

> # SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

These are the same INPUT rules you specified earlier. You probably meant the OUTPUT chain, but you didn't allow DNS anywhere, so you've broken the most important service imaginable.

> 1. The drop commands at the beginning of each chain are there to increase
> performance.

I understand what you're trying to do, but in the real world, this will decrease performance.

> How secure is this setup? Are there any mistakes or things that I need to
> look out for?

It's not great. Use firewalld. Your rules fail to do some things both correctly and quickly that firewalld gets right. You also don't improve on firewalld's rule sets in any way.
Dennis Jacobfeuerborn
2016-Jun-29 19:51 UTC
[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice
On 29.06.2016 12:00, Leon Vergottini wrote:
> Dear Members
>
> I hope you are all doing well.
>
> I am busy teaching myself iptables and was wondering if I may get some
> advice. The scenario is the following:
>
>    1. Default policy is to block all traffic
>    2. Allow web traffic and SSH
>    3. Allow other applications
>
> I have come up with the following:
>
> [....]
>
> # ------------------------------------------------------
> # SAVE & APPLY
> # ------------------------------------------------------
>
> service iptables save
> service iptables restart
>
> [....]
>
> How secure is this setup? Are there any mistakes or things that I need to
> look out for?

You shouldn't script iptables like this and instead use iptables-save and iptables-restore to activate the rules atomically and with some error checking.

Regards,
Dennis
Gordon Messmer
2016-Jun-29 20:20 UTC
[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice
On 06/29/2016 12:51 PM, Dennis Jacobfeuerborn wrote:
> On 29.06.2016 12:00, Leon Vergottini wrote:
>> # ------------------------------------------------------
>> # SAVE & APPLY
>> # ------------------------------------------------------
>>
>> service iptables save
>> service iptables restart
> You shouldn't script iptables like this and instead use iptables-save
> and iptables-restore to activate the rules atomically and with some
> error checking.

Yeah, he is. That's what those two commands do.
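Added example, not code from the thread or from the original poster: the posted ruleset reworked along the lines Gordon and l at avc.su describe above (loopback and ESTABLISHED,RELATED matched first, INVALID dropped, every service ACCEPT limited to the NEW state, outbound DNS, NTP and SMTP opened instead of dropping all UDP) and loaded the way Dennis suggests, through iptables-restore instead of a script of one-at-a-time iptables calls. It assumes CentOS with the iptables-services package (iptables-restore --test and /etc/sysconfig/iptables); the two application ports are the 11009/12009 values from the post, and "-m conntrack --ctstate" is used where the post used "-m state --state". One defect the thread did not mention: the posted OUTPUT loopback rule uses -i, which iptables refuses in the OUTPUT chain, so the example uses -o there.

```shell
#!/bin/sh
# Added example (not from the thread). Ruleset in iptables-restore format plus
# two checks on it. Assumes CentOS with iptables-services: iptables-restore,
# its --test flag, and /etc/sysconfig/iptables as the boot-time rules file.
# Ports 11009/12009 are the application ports from the original post.

# Print the ruleset. Lines starting with '#' are ignored by iptables-restore.
ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Fast path first: nearly every packet belongs to an existing connection
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# NULL/XMAS probes and non-SYN packets that try to open a connection
-A INPUT -p tcp -m tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Services: only a SYN opening a NEW connection gets through here
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11009 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12009 -m conntrack --ctstate NEW -j ACCEPT
# Outbound: loopback is -o here (iptables rejects -i in OUTPUT), then replies,
# then only the egress the host itself needs: DNS, NTP, SMTP, package updates
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Structural checks before loading: the ESTABLISHED,RELATED accept must come
# before the first port ACCEPT in INPUT, and every port ACCEPT must require NEW.
lint_ruleset() {
    rules=$(ruleset | grep -v '^#')
    er=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED' | cut -d: -f1)
    first_port=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT .*--dport' | head -n1 | cut -d: -f1)
    [ -n "$er" ] && [ -n "$first_port" ] && [ "$er" -lt "$first_port" ] || return 1
    if printf '%s\n' "$rules" | grep -- '--dport .*-j ACCEPT' | grep -qv -- '--ctstate NEW'; then
        return 1
    fi
    return 0
}

# Atomic load: --test parses the whole file without touching the kernel; the
# real restore then replaces the table in one step, so a typo on one line
# cannot leave a half-built chain the way a script of iptables calls can.
load_ruleset() {
    ruleset | iptables-restore --test || return 1
    ruleset | iptables-restore
}

# usage: sh fw.sh print | lint | apply      (persist: sh fw.sh print > /etc/sysconfig/iptables)
case "${1:-}" in
    print) ruleset ;;
    lint)  lint_ruleset && echo "ruleset ok" ;;
    apply) load_ruleset ;;
esac
```

"print" writes the ruleset, which can be redirected to /etc/sysconfig/iptables so the iptables service loads it at boot; "lint" runs the two ordering checks; "apply" needs root and loads the rules only if iptables-restore --test accepts the whole file. Run "apply" from a console or with a scheduled rollback the first time, since the default policies are DROP.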
Always Learning
2016-Jun-30 00:19 UTC
[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice
On Wed, 2016-06-29 at 10:49 -0700, Gordon Messmer wrote:
> On 06/29/2016 03:00 AM, Leon Vergottini wrote:
> > #!/bin/bash
> >
> > # RESET CURRENT RULE BASE
> > iptables -F
> > service iptables save

> Why would you save the existing rule set? This script throws it away
> later, when it runs save again.

He flushes all the tables, then saves an empty iptables configuration. Later he adds to that empty iptables configuration. Long-winded, but nothing wrong.

Don't forget he is a learner (leerling). No person is perfect when starting to learn a new system. Only by experimenting will one learn.

-- 
Regards,

Paul.
England, EU. England's place is in the European Union.

UK banned residents voting when they have lived in the UK for 51 years.
On Wed, Jun 29, 2016 at 1:49 PM, Gordon Messmer <gordon.messmer at gmail.com> wrote:
>
> By putting these rules first, before the "ESTABLISHED,RELATED" rule, you're
> applying additional processing (CPU time) to the vast majority of your
> packets for no reason. The "E,R" rule should be first. It won't match the
> invalid packets you're trying to drop.
>
> You're not specifying the "new" state in any of your input ACCEPT rules,
> which means that you're also ACCEPTing invalid packets that don't match the
> handful of invalid states you DROPped earlier.
>
>> 1. The drop commands at the beginning of each chain are there to increase
>> performance.
>
> I understand what you're trying to do, but in the real world, this will
> decrease performance.
>

Gordon, I appreciate your observations. I've been using iptables for a long time and still don't really know how to configure the order of rules to optimize performance while providing thorough filtering as a component of security. Can you share links and/or other sources and guides on this subject? Thank you.
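Added example, not code from the thread: the question above about ordering rules for performance is answerable with measurement rather than guesswork, because "iptables-save -c" prefixes every rule with its [packets:bytes] counter. The script ranks rules by how many packets they matched and counts how many rules an established-connection packet is tested against before it reaches the ESTABLISHED,RELATED accept. The counter dump embedded below is a constructed sample shaped like the original poster's INPUT chain after some uptime; on a real host the output of "iptables-save -c" would be piped in instead.

```shell
#!/bin/sh
# Added example (not from the thread). Reads iptables-save -c output and
# reports which rules do the work. SAMPLE_COUNTERS is a constructed dump
# modelled on the INPUT chain from the original post; the numbers are invented.

SAMPLE_COUNTERS='# Generated by iptables-save v1.4.21 (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[12:480] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
[3:120] -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
[4410:331200] -A INPUT -i lo -j ACCEPT
[987654:512345678] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[42:2520] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[3120:187200] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[2870:172200] -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Emit "<packets><TAB><rule>" for every rule line on stdin, busiest first.
# The leading "[p:b]" token is stripped and its packet half becomes column 1.
rank_by_packets() {
    awk '/^\[[0-9]+:[0-9]+\] -A / {
            split(substr($1, 2, length($1) - 2), c, ":")
            $1 = ""; sub(/^ /, "")
            printf "%s\t%s\n", c[1], $0
        }' | sort -k1,1nr
}

# The rule that handled the most packets: it belongs as near the top of the
# chain as correctness allows.
top_rule() {
    printf '%s\n' "$SAMPLE_COUNTERS" | rank_by_packets | head -n1 | cut -f2-
}

# Number of rules every packet of an existing connection is evaluated against
# before it reaches the ESTABLISHED,RELATED accept: the per-packet price of
# placing the flag-check DROPs ahead of it.
rules_before_fastpath() {
    printf '%s\n' "$SAMPLE_COUNTERS" |
        awk '/^\[/ { n++ } /ESTABLISHED/ { print n - 1; exit }'
}

# Share (whole percent) of rule-matched packets that took the fast path.
fastpath_share_percent() {
    printf '%s\n' "$SAMPLE_COUNTERS" | rank_by_packets |
        awk '{ total += $1; if ($0 ~ /ESTABLISHED/) fast = $1 }
             END { printf "%d\n", 100 * fast / total }'
}

# usage: sh rank.sh            (sample)     iptables-save -c | sh rank.sh -   (live)
if [ "${1:-}" = "-" ]; then
    rank_by_packets
elif [ "${1:-}" = "sample" ]; then
    printf '%s\n' "$SAMPLE_COUNTERS" | rank_by_packets
    echo "rules before fast path: $(rules_before_fastpath)"
    echo "fast-path share: $(fastpath_share_percent)%"
fi
```

On the sample, the ESTABLISHED,RELATED rule tops the ranking with about 99% of matched packets while sitting fifth in the chain, so every one of those packets is first tested against four rules that almost never match; moving the E,R accept to the top (with the flag checks after it, as Gordon says) removes that work without changing what gets dropped. Counters reset on a rule reload, so sample them after a representative period of uptime, and treat "zero matches" as a hint to move a rule down, not to remove it.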