
#1 2009-12-16 23:07:01

Fruity
Member
Registered: 2009-12-16
Posts: 198

Are my iptables rules ok?

Hello everyone, I am a new convert to the world of Arch, and have to say I am enjoying things so far.

I wanted to post my iptables rules and ask those in the know if they were OK, especially the ordering of them, as in XXX rule should be above YYY rule etc. I copied a lot of the DROP rules from the Arch wiki.

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere            icmp address-mask-reply
DROP       icmp --  anywhere             anywhere            icmp address-mask-request
DROP       icmp --  anywhere             anywhere            icmp router-solicitation
DROP       icmp --  anywhere             anywhere            icmp router-advertisement
DROP       icmp --  anywhere             anywhere            icmp redirect
DROP       all  --  127.0.0.0/8          anywhere
DROP       all  --  192.168.0.0/16       anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  10.0.0.0/8           anywhere
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP       all  -f  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination



And a copy from the rules file in case this is easier for you to read!

# Generated by iptables-save v1.4.5 on Wed Dec 16 22:56:54 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1011:146398]
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP
-A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Dec 16 22:56:54 2009

Please tell me what you think.


#2 2009-12-17 01:10:48

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,222
Website

Re: Are my iptables rules ok?

Fruity wrote:

DROP       all  --  127.0.0.0/8          anywhere
DROP       all  --  192.168.0.0/16       anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  10.0.0.0/8           anywhere

I'm assuming you use one of these network spaces on your local network, so you'll probably want to remove whichever one is appropriate...

Fruity wrote:

ACCEPT     all  --  anywhere             anywhere

This allows anyone from anywhere to connect to anything that's listening on your computer. I strongly advise against this rule. Add in specific rules for anything that you want to allow connections to.

Fruity wrote:

ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

This would normally be one of the first rules, so established and related connections can work without being interfered with by the other rules.


#3 2009-12-17 02:11:37

Fruity
Member
Registered: 2009-12-16
Posts: 198

Re: Are my iptables rules ok?

fukawi2 wrote:
Fruity wrote:

DROP       all  --  127.0.0.0/8          anywhere
DROP       all  --  192.168.0.0/16       anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  10.0.0.0/8           anywhere

I'm assuming you use one of these network spaces on your local network, so you'll probably want to remove whichever one is appropriate...

Fruity wrote:

ACCEPT     all  --  anywhere             anywhere

This allows anyone from anywhere to connect to anything that's listening on your computer. I strongly advise against this rule. Add in specific rules for anything that you want to allow connections to.

Fruity wrote:

ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

This would normally be one of the first rules, so established and related connections can work without being interfered with by the other rules.

Hi fukawi2, thanks for the help.

I added the local network ones following the wiki; they apparently help stop spoofing attacks ('blocking reserved private networks incoming from the internet'). For now I think they are OK; as you say, I may need to remove one however.

This next one I want to ask about though, as it seems a little ambiguous. When I run:

iptables -L

..cut
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED


The second line from the bottom is the one in question, and it does seem to open everything. But the odd thing is, when I look in /etc/iptables/iptables.rules the same section looks like so:

..cut
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -i lo -j ACCEPT << Doesn't the 'lo' refer to the loopback device, the keyboard(?).

It does seem to imply 2 things depending on which output you view. Of course I may not be right about the lo bit anyway!

You mentioned RELATED,ESTABLISHED too; I will amend this and put it at the top.

Any thoughts on the seeming duality in that one line -A INPUT -i lo -j ACCEPT      vs     ACCEPT     all  --  anywhere             anywhere


#4 2009-12-17 03:04:26

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,222
Website

Re: Are my iptables rules ok?

Fruity wrote:

Any thoughts on the seeming duality in that one line -A INPUT -i lo -j ACCEPT      vs     ACCEPT     all  --  anywhere             anywhere

Try iptables -nvL instead of just -L.


#5 2010-01-22 17:01:21

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Are my iptables rules ok?

Can you guys explain what the numbers in square brackets mean?

:OUTPUT ACCEPT [1011:146398]

Thx


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd


#6 2010-01-22 18:34:50

kgas
Member
From: Qatar
Registered: 2008-11-08
Posts: 718

Re: Are my iptables rules ok?

The numbers inside the square brackets indicate the port numbers. This guide can help.


#7 2010-01-22 20:41:46

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Are my iptables rules ok?

Thanks, kgas

So, it's a range of ports, right? The reason why I am asking is that my iptables.rules (from an old RHEL5 installation) reads:

:OUTPUT ACCEPT [1835450:668291040]

Can this be right? Everything works as expected, though...



#8 2010-01-25 02:18:59

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,222
Website

Re: Are my iptables rules ok?

kgas wrote:

The numbers inside the square brackets indicate the port numbers. This guide can help.

God NO!

Those numbers were the counters against how many times that rule was matched when you last saved the firewall using iptables-save.

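As an added example (not code from the thread or the Arch wiki), here is a small Python script that parses an iptables-save file like the one posted above and checks the two points fukawi2 raised (no blanket ACCEPT, RELATED,ESTABLISHED first), reads the bracketed chain counters as packet and byte counts, and shows why the same rule reads differently under iptables -L and -nvL. The sample rules are a trimmed copy of the first post; the function names and the approximate -L rendering are my own.

```python
import re

# iptables-save output copied from the first post of this thread (trimmed to a few rules).
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1011:146398]
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

HEADER = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")  # :CHAIN POLICY [packets:bytes]
MATCH_FLAGS = {"-i", "-o", "-s", "-d", "-p", "-m", "-f"}  # anything that restricts a rule

def parse_policies(text):
    """Chain headers: the bracketed numbers are packet and byte counters, not ports."""
    return {m.group(1): (m.group(2), int(m.group(3)), int(m.group(4)))
            for m in map(HEADER.match, text.splitlines()) if m}

def parse_rules(text, chain="INPUT"):
    """The '-A <chain> ...' lines of one chain, in order, as token lists."""
    return [l.split() for l in text.splitlines() if l.startswith(f"-A {chain} ")]

def opt(tokens, flag, default):
    """Value following a flag such as -i or -s, or default when the rule has no such flag."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else default

def review_input(text):
    """The two points raised in the thread: no blanket ACCEPT, RELATED,ESTABLISHED first."""
    rules = parse_rules(text)
    findings = []
    for n, tok in enumerate(rules, 1):
        if opt(tok, "-j", "") == "ACCEPT" and not MATCH_FLAGS & set(tok):
            findings.append(f"rule {n}: ACCEPT with no match, lets every packet in")
    est = next((n for n, tok in enumerate(rules, 1) if "RELATED,ESTABLISHED" in tok), None)
    if est != 1:
        findings.append(f"rule {est}: RELATED,ESTABLISHED should be rule 1" if est
                        else "no RELATED,ESTABLISHED rule")
    return findings

def listing(tokens, verbose=False):
    """Approximate one 'iptables -L' (or '-nvL') line: the in/out columns only appear with -v."""
    anywhere = "0.0.0.0/0" if verbose else "anywhere"
    cols = [opt(tokens, "-j", "-"), opt(tokens, "-p", "all")]
    if verbose:
        cols += [opt(tokens, "-i", "*"), opt(tokens, "-o", "*")]
    cols += [opt(tokens, "-s", anywhere), opt(tokens, "-d", anywhere)]
    return " ".join(cols)
```

Without -v the '-i lo' rule renders as 'ACCEPT all anywhere anywhere', which is exactly the line that looked like a blanket accept in the first post.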

#9 2010-01-25 11:39:39

quarkup
Member
From: Portugal
Registered: 2008-09-07
Posts: 497
Website

Re: Are my iptables rules ok?

Check the script in the stateful firewall howto article in the wiki; there is a script I made at the end.

Check it, and you can even test it.


If people do not believe that mathematics is simple, it is only because they do not realize how complicated life is.
Simplicity is the ultimate sophistication.


#10 2010-01-25 13:58:15

kgas
Member
From: Qatar
Registered: 2008-11-08
Posts: 718

Re: Are my iptables rules ok?

fukawi2 wrote:
kgas wrote:

The numbers inside the square brackets indicate the port numbers. This guide can help.

God NO!

Those numbers were the counters against how many times that rule was matched when you last saved the firewall using iptables-save.

Sorry, I misunderstood this part. Thanks fukawi2. I am using this currently for my laptop.


#11 2010-01-27 17:12:13

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Are my iptables rules ok?

fukawi2 wrote:
kgas wrote:

The numbers inside the square brackets indicate the port numbers. This guide can help.

God NO!

Those numbers were the counters against how many times that rule was matched when you last saved the firewall using iptables-save.

Thanks for your responses.

No, this is not the output of iptables -L; it is the head of iptables.rules, which in turn came from an RHEL5 installation, dated I think 2007 (I only modified the last few lines to protect ssh). I never run iptables-save -- no need, as long as I have the saved rules already. I searched this, and many examples in the guides also have the strange :OUTPUT [X:Y] line (with nonzero X and Y). I guess that since no one actually writes any rules for this chain, the numbers do not matter...

BTW, regarding the wiki, I noticed a few pieces of advice regarding protection against ssh brute force attacks. But there is no mention of dynamic IP blocking (with the 'xt_recent' module), in case someone is very desperate to break in. In my experience, this is way simpler and more effective than port knocking/static blacklisting. And the log files are not filled with junk...

L.
