topic Re: IPTABLES - RULES in Operating System - Linux

IPTABLES - RULES

Piotr Kirklewski — Tue, 11 Nov 2008 23:27:08 GMT

Hi there
My task is to develop iptables rules for a small network. We have HTTP + VPN + Exchange + Active Directory. I've set the default INPUT policy to DROP and developed about 20 rules.
Now - my CTO says that there should be abould 1100 rules to start with.
I was playing with IPTABLES before but this is a compleatly new aproch to me.The problem is - he is usualy right.
Does anyone undersdand why so many rules in so small network ? Is there any way to automate the creation of those rules - i just don't feel like sitting in front of my computer editing manually 1100 rules.
Regards
Peter

Re: IPTABLES - RULES

Ivan Ferreira — Thu, 13 Nov 2008 01:07:47 GMT

Does anyone undersdand why so many rules in so small network ?

No. In fact, depending of what you really need, only a few rules are needed. From the security point of view, with only one rule you can deny all incoming traffic, pretty secure.

>>> Is there any way to automate the creation of those rules - i just don't feel like sitting in front of my computer editing manually 1100 rules.

Probably, you should use shorewall. There are other tools like firestarter. I prefer shorewall.

Re: IPTABLES - RULES

Fredrik.eriksson — Thu, 13 Nov 2008 08:19:40 GMT

There is no obvious reason to have 1100 rules. This is only if you haven't used the drop policy which wasn't always a standard praxis about 10 years ago.

Long an obnoxious firewall scripts are just harder to administrate.
I would say you're doing it just right. Put default drop policy on input and then set up exceptions for the things you want to do.
I would recommend that you look into hashlimits thou since it's a perfect way to lower the impact of a DDoS.

If you're just going to make a long long list of ports to be closed/opened a script could do this for you like this:
#!/bin/bash
for i in $(cat list-of-ports.ext); do
iptables blah blah blah :P
done

Normally (unless you run SuSE or the alike) the firewall scripts is just a bash script that runs in your init so doing bash commands isn't an issue :)

Hope my ranting gave anything :)
Best regards
Fredrik Eriksson

Re: IPTABLES - RULES

Andrew Cowan — Thu, 13 Nov 2008 08:21:06 GMT

I agree with Ivan, the simpler you make it, the more secure it is likely to be because its always going to be easier to see when changes are made etc, and to spot simple mistakes.

I would suggest you start by drawing a network and dataflow map of your network and decide which services and ports you wish to allow.

Next create a basic ruleset such as the one below, and then gradually add each service and (re)test:

#!/bin/sh

IPT=/sbin/iptables

$IPT -F

#policies

$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

$IPT -N SERVICES

#drop spoofed packets
$IPT -A INPUT --in-interface ! lo --source 127.0.0.0/8 -j DROP

#limit ping requests
$IPT -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

#drop bogus packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

#allowed inputs

$IPT -A INPUT --in-interface lo -j ACCEPT
$IPT -A INPUT -j SERVICES

#allow responses
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow services
$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT
$IPT -A SERVICES -p tcp --dport 8080 -j ACCEPT
$IPT -A SERVICES -m iprange --src-range 192.168.1.1-192.168.1.254 -p tcp --dport 631 -j ACCEPT
$IPT -A SERVICES -m iprange --src-range 192.168.1.1-192.168.1.254 -p udp --dport 631 -j ACCEPT

$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
$IPT -A FORWARD -p tcp --dport 8080 -j ACCEPT

Note: I lifted this script from the Linuxuser magazine, and if you search YouTube, you should find a series of videos explaning how this script works.

Good luck,
Andrew

Re: IPTABLES - RULES

Steven E. Protter — Thu, 15 Apr 2021 11:27:46 GMT

Shalom,

http://fs-security.com/

I find this product substantially decreases the difficulty and manageability of these rules.

I use it to build firewall protected routers, exposed on the public internet. It has allowlist or denylist mode which makes it much easier to control access in a corporate environment.

Downside is its not been updated in a few years and it has no web based GUI configuration tool.

SEP