iptables SECURITY - default settings

Wal mail4wal at yahoo.com
Thu Sep 9 21:04:09 UTC 2004


I am suggesting a more secure default setting-

# generated by ____
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SecLev505-INPUT - [0:0]
-I SecLev505-INPUT -p all -j DROP
-I SecLev505-INPUT -p udp -m udp -s <DNS_SERVER1> --sport 53 --dport 1025:65535 -j ACCEPT
-I SecLev505-INPUT -p udp -m udp -s <DNS_SERVER2> --sport 53 --dport 1025:65535 -j ACCEPT
-I SecLev505-INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-I SecLev505-INPUT -p tcp -m tcp -s 0/0 --syn -j DROP
-I SecLev505-INPUT -i lo -s 0/0 -j ACCEPT
-I INPUT -j SecLev505-INPUT
:OUTPUT ACCEPT [0:0]
COMMIT

Alternatively (with a possible issue when the rules actually get applied)-

# generated by ____
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SecLev505-INPUT - [0:0]
-A SecLev505-INPUT -i lo -s 0/0 -j ACCEPT
-A SecLev505-INPUT -p tcp -m tcp -s 0/0 --syn -j DROP
-A SecLev505-INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A SecLev505-INPUT -p udp -m udp -s <DNS_SERVER2> --sport 53 --dport 1025:65535 -j ACCEPT
-A SecLev505-INPUT -p udp -m udp -s <DNS_SERVER1> --sport 53 --dport 1025:65535 -j ACCEPT
-A SecLev505-INPUT -p all -j DROP
-A INPUT -j SecLev505-INPUT
:OUTPUT ACCEPT [0:0]
COMMIT


How you get the rules assigned, by adding or by inserting, is personal
(artist) preference.  If, however, the rules were ever added to an
active chain, there might be a period of time where undesired access
would exist until the "tighter" rule was applied.  Applying the tightest
first lends itself to INSERTing other rules.
I like to start with the more secure settings and INSERT rules.
Besides, when I need to open access to a trusted system, I use-
  iptables -I INPUT -s x.x.x.x -j ACCEPT

For most users, DROPing undesired hits is preferable.  If you need to be
seen, I suggest INSERTing a rule before the "catch-all" DROP rule and
be more specific - like use REJECT for a 10.0.0.0/8 or for a specific
protocol.

DNS typically only uses TCP for zone transfers, which should only be
done with trusted systems.  Most DNS usage is UDP based.
Most users need only the UDP access.
That part of the rules is done automagically when /etc/resolv.conf
changes.
I am running a DNS server for my internal lab, so I also use something like-
 -I SecLev505-INPUT -p udp -m udp -s 192.168.8.0/24 --dport 53 -j ACCEPT

Regarding- Having a DROP policy this is redundant.

Yes, it is redundant.  When implementing security, sometimes redundancy
is a good thing.
A good example of this is the access lists on Cisco routers.  If you have
an access list applied to an interface, the default behavior (that is,
after going through the list) is to drop packets.  If you do not have a list,
the default is to allow all.  There was a time when (due to a bug) the
access list setting did allow packets through (if no specified rules
blocked them).  Having the last rule in the access list be any,any,deny
would have proven valuable.

Use of the 505 is intended to imply you can have other chains / rulesets
which are more or less secure, with other access requirements.
For those not familiar with iptables, this might help.  Since I worked
with a certain firewall product, I actually had to do a double-take with
the name used.



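To make the ordering argument concrete, here is an added example (not from the post, and not iptables itself): a small Python simulator that builds the SecLev505-INPUT chain from the -I lines and from the same lines appended with -A in the opposite order, confirms both give the same chain, and walks constructed packets through it. It assumes the documentation addresses 192.0.2.53 and 192.0.2.54 in place of <DNS_SERVER1>/<DNS_SERVER2>, and its packet fields (iface, proto, src, ports, bare_syn, state) are a simplified model of what the -i, -p, -s, --sport/--dport, --syn and --state tests look at.

```python
"""Added example, not from the post: a simplified simulator of the SecLev505-INPUT chain.
It shows that -I (prepend) and -A (append, reversed) give the same order, then walks
constructed packets through it. 192.0.2.53/.54 stand in for <DNS_SERVER1>/<DNS_SERVER2>."""
import ipaddress

RULESET_I = """\
-I SecLev505-INPUT -p all -j DROP
-I SecLev505-INPUT -p udp -m udp -s 192.0.2.53 --sport 53 --dport 1025:65535 -j ACCEPT
-I SecLev505-INPUT -p udp -m udp -s 192.0.2.54 --sport 53 --dport 1025:65535 -j ACCEPT
-I SecLev505-INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-I SecLev505-INPUT -p tcp -m tcp -s 0/0 --syn -j DROP
-I SecLev505-INPUT -i lo -s 0/0 -j ACCEPT"""
# The post's second variant: the same rules appended (-A) in the opposite order.
RULESET_A = "\n".join("-A" + line[2:] for line in reversed(RULESET_I.splitlines()))

def build_chain(text):
    """Order rules as iptables does: -I puts a rule at the top, -A at the bottom."""
    chain = []
    for line in text.splitlines():
        tok = line.replace("--syn", "--syn yes").split()  # give the valueless --syn flag a value
        rule = dict(zip(tok[2::2], tok[3::2]))            # skip -I/-A and the chain name
        chain.insert(0 if tok[0] == "-I" else len(chain), rule)
    return chain

def matches(rule, pkt):
    """Simplified -i, -p, -s, --sport/--dport, --syn and --state tests."""
    src = "0.0.0.0/0" if rule.get("-s", "0/0") == "0/0" else rule["-s"]
    in_range = lambda port, spec: int(spec.split(":")[0]) <= port <= int(spec.split(":")[-1])
    return (rule.get("-i", pkt["iface"]) == pkt["iface"]
            and rule.get("-p", "all") in ("all", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and in_range(pkt["sport"], rule.get("--sport", "0:65535"))
            and in_range(pkt["dport"], rule.get("--dport", "0:65535"))
            and (not rule.get("--syn") or pkt.get("bare_syn", False))  # --syn: SYN set, ACK/RST/FIN clear
            and pkt["state"] in rule.get("--state", pkt["state"]).split(","))

def verdict(chain, pkt):
    """First matching rule decides; the chain ends in '-p all -j DROP', so nothing falls through."""
    return next(rule["-j"] for rule in chain if matches(rule, pkt))

PACKETS = {  # constructed sample packets, not taken from the post
    "dns_reply":   dict(iface="eth0", proto="udp", src="192.0.2.53", sport=53, dport=32768, state="NEW"),
    "inbound_syn": dict(iface="eth0", proto="tcp", src="203.0.113.9", sport=40000, dport=22, bare_syn=True, state="NEW"),
    "tcp_reply":   dict(iface="eth0", proto="tcp", src="203.0.113.9", sport=80, dport=40000, state="ESTABLISHED"),
    "loopback":    dict(iface="lo", proto="tcp", src="127.0.0.1", sport=5000, dport=25, bare_syn=True, state="NEW"),
}

if __name__ == "__main__":
    chain = build_chain(RULESET_I)
    print("same order as -A variant:", chain == build_chain(RULESET_A))
    print({name: verdict(chain, pkt) for name, pkt in PACKETS.items()})
```

The effective order for both variants is: loopback ACCEPT, bare-SYN DROP, ESTABLISHED/RELATED ACCEPT, the two DNS replies, then the catch-all DROP.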
More information about the fedora-test-list mailing list