IPTABLES - RULES

 
SOLVED
Go to solution
Piotr Kirklewski
Super Advisor

IPTABLES - RULES

Hi there,
My task is to develop iptables rules for a small network. We have HTTP + VPN + Exchange + Active Directory. I've set the default INPUT policy to DROP and developed about 20 rules.
Now my CTO says that there should be about 1100 rules to start with.
I was playing with iptables before, but this is a completely new approach to me. The problem is, he is usually right.
Does anyone understand why so many rules in such a small network? Is there any way to automate the creation of those rules? I just don't feel like sitting in front of my computer editing 1100 rules manually.
Regards
Peter
Jesus is the King
Ivan Ferreira
Honored Contributor
Solution

Re: IPTABLES - RULES

>>> Does anyone understand why so many rules in such a small network?

No. In fact, depending on what you really need, only a few rules are needed. From the security point of view, with only one rule you can deny all incoming traffic, which is pretty secure.

>>> Is there any way to automate the creation of those rules - i just don't feel like sitting in front of my computer editing manually 1100 rules.

Probably, you should use shorewall. There are other tools like firestarter. I prefer shorewall.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Fredrik.eriksson
Valued Contributor

Re: IPTABLES - RULES

There is no obvious reason to have 1100 rules. That would only be the case if you hadn't used the DROP policy, which wasn't always standard practice about 10 years ago.

Long and obnoxious firewall scripts are just harder to administer.
I would say you're doing it just right. Put a default DROP policy on INPUT and then set up exceptions for the things you want to allow.
I would recommend that you look into hashlimit though, since it's a perfect way to lower the impact of a DDoS.

If you're just going to make a long, long list of ports to be closed/opened, a script could do this for you, like this:
#!/bin/bash
# one port number per line in list-of-ports.ext; one ACCEPT rule per port
while read -r port; do
    iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
done < list-of-ports.ext

Normally (unless you run SuSE or the like) the firewall script is just a bash script that runs from your init, so running bash commands isn't an issue :)

Hope my ranting helped :)
Best regards
Fredrik Eriksson
Andrew Cowan
Honored Contributor

Re: IPTABLES - RULES

I agree with Ivan: the simpler you make it, the more secure it is likely to be, because it's always going to be easier to see when changes are made etc., and to spot simple mistakes.

I would suggest you start by drawing a network and dataflow map of your network and decide which services and ports you wish to allow.

Next create a basic ruleset such as the one below, and then gradually add each service and (re)test:

#!/bin/sh

IPT=/sbin/iptables

#start from a clean slate so the script can be re-run
#(-N SERVICES would otherwise fail because the chain already exists)
$IPT -F
$IPT -X
$IPT -t nat -F

#policies

$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

$IPT -N SERVICES

#drop spoofed packets (loopback source addresses arriving on a real interface)
$IPT -A INPUT ! --in-interface lo --source 127.0.0.0/8 -j DROP

#limit ping requests (only echo-request is rate limited; ICMP errors that
#belong to existing connections are accepted by the RELATED rule below)
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

#drop bogus packets
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

#allowed inputs

$IPT -A INPUT --in-interface lo -j ACCEPT

#allow responses (before SERVICES, so the per-service rules only ever see
#new connections)
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#hand new connections to the SERVICES chain; anything it does not ACCEPT
#falls back to the INPUT policy (DROP)
$IPT -A INPUT -m state --state NEW -j SERVICES

#allow services
$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT
$IPT -A SERVICES -p tcp --dport 8080 -j ACCEPT
#IPP printing, LAN only
$IPT -A SERVICES -m iprange --src-range 192.168.1.1-192.168.1.254 -p tcp --dport 631 -j ACCEPT
$IPT -A SERVICES -m iprange --src-range 192.168.1.1-192.168.1.254 -p udp --dport 631 -j ACCEPT

#send port 80 arrivals to the service listening on 8080 on this host
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
#only needed if this box also forwards 8080 traffic for other hosts
$IPT -A FORWARD -p tcp --dport 8080 -j ACCEPT

Note: I lifted this script from Linuxuser magazine, and if you search YouTube, you should find a series of videos explaining how this script works.

Good luck,
Andrew
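As an added example that is not part of any post in this thread: the script below combines Fredrik's idea of generating rules from a port list with Andrew's default-DROP skeleton, and adds the hashlimit rule Fredrik mentions. Instead of running one iptables command per rule it writes an iptables-restore ruleset, which is loaded atomically (a typo in line 700 of 1100 leaves the old ruleset in place rather than half a new one). The services file format (proto port [source CIDR]), the sample entries, the "fw-drop:" log prefix and the rate-limit numbers are all constructed for this example, not taken from the thread or from any tool.

```shell
#!/bin/sh
# Added example (not from any post in this thread): generate an
# iptables-restore ruleset from a short services file.
# Assumed file format, one service per line:  proto port [source-cidr]
# Usage: sh gen-rules.sh services.txt            # print the ruleset to review
#        sh gen-rules.sh services.txt --apply    # as root: load it atomically
# Rate-limit values below are illustrative, not recommendations.

# Turn "proto port [source-cidr]" lines on stdin into SERVICES rules.
# Blank lines and '#' comments are skipped; anything that is not tcp/udp
# with a numeric port aborts, so a typo cannot silently open a hole.
service_rules() {
    while read -r proto port src _ || [ -n "$proto" ]; do
        case "$proto" in ''|'#'*) continue ;; esac
        case "$proto" in
            tcp|udp) ;;
            *) echo "service_rules: bad protocol '$proto'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "service_rules: bad port '$port'" >&2; return 1 ;;
        esac
        if [ -n "$src" ]; then
            printf '%s\n' "-A SERVICES -s $src -p $proto --dport $port -j ACCEPT"
        else
            printf '%s\n' "-A SERVICES -p $proto --dport $port -j ACCEPT"
        fi
    done
}

# Emit a complete iptables-restore ruleset for the services file in $1.
# Fixed part: default DROP, loopback, anti-spoof, conntrack, rate-limited
# ping, per-source SYN hashlimit; only NEW connections reach SERVICES, and
# whatever SERVICES does not accept is logged (rate limited) and dropped.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SERVICES - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 4 -j ACCEPT
-A INPUT -p tcp --syn -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-above 20/second --hashlimit-burst 40 -j DROP
-A INPUT -m conntrack --ctstate NEW -j SERVICES
EOF
    service_rules < "$1" || return 1
    cat <<'EOF'
-A SERVICES -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Command-line entry point; with no arguments only the functions are defined.
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--apply" ]; then
        build_ruleset "$1" | iptables-restore
    else
        build_ruleset "$1"
    fi
fi
```

A constructed services.txt for the network in the question might read "tcp 443", "udp 1194", "tcp 22 192.168.1.0/24": one line per exposed service, with an optional source restriction, and the 20-odd resulting rules are all the "automation" the task needs. Review the generated text before applying it; on recent iptables you can also syntax-check it with `iptables-restore --test < rules.v4`.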
Steven E. Protter
Exalted Contributor

Re: IPTABLES - RULES

Shalom,

http://fs-security.com/

I find this product substantially decreases the difficulty of managing these rules.

I use it to build firewall-protected routers, exposed on the public internet. It has an allowlist or denylist mode, which makes it much easier to control access in a corporate environment.

The downside is it's not been updated in a few years and it has no web-based GUI configuration tool.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com