Re: SV: Please review/comment my firewall script

Hi André.
I want to thank you so much for the time you spent for me.
This was very helpful and I applied it as you suggested.

Thank you very much!
Stef


On 8/20/18 11:22 PM, André Paulsberg-Csibi (IBM Consultant) wrote:
I will just make some small comments, since there is not enough detail to understand your setup (especially regarding your spoofing question), as it is still unclear how many interfaces are in use ...
... I will assume you have at least 2 interfaces (if not, anti-spoofing is kind of obsolete), and you might want other options in place in that case.

So first off, for most systems, you would have the "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" first (as this normally has the most hits).
Next, and this is optional, you would have one "branch rule" for each interface ... (I assume 2 interfaces named eth0 and eth1 with 192.168.1.0/24 and 192.168.2.0/24 respectively.)
(I prefer to have the branch rules even when having ONE interface, so it is easier to add them later when needed.)
Yes, you will have a longer ruleset, but I find it easier to manage and "understand" later if it grows and becomes more complex.

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j in-eth0
-A INPUT -i eth1 -j in-eth1
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-INVALID-INPUT " --log-tcp-options --log-ip-options
-A INPUT -j DROP

-A in-eth0 -m conntrack --ctstate NEW -p udp -m multiport --dports 10000:20000 -j ACCEPT
-A in-eth0 -m conntrack --ctstate NEW -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5061 -j ACCEPT
-A in-eth0 -m conntrack --ctstate NEW -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A in-eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A in-eth0 -m conntrack --ctstate INVALID -j DROP
-A in-eth0 -m limit --limit 10/min -j LOG --log-prefix "[netfilter] "
-A in-eth0 -j DROP

-A in-eth1 -m conntrack --ctstate NEW -p udp -m multiport --dports 10000:20000 -j ACCEPT
-A in-eth1 -m conntrack --ctstate NEW -s 192.168.2.0/24 -p udp -m multiport --dports 5060:5061 -j ACCEPT
-A in-eth1 -m conntrack --ctstate NEW -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A in-eth1 -m conntrack --ctstate NEW -s 192.168.2.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A in-eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A in-eth1 -m conntrack --ctstate INVALID -j DROP
-A in-eth1 -m limit --limit 10/min -j LOG --log-prefix "[netfilter] "
-A in-eth1 -j DROP

Typically I only use the allow for ICMP TYPE 8, as the others should work with the state engine as RELATED, ESTABLISHED.
I moved the DROP for INVALID packets later, as most likely you will not have too many of those.
In any case you can move it up if the number of INVALID packets is larger than the number of valid packets.

I removed this rule; it should only be added if you need to limit new sessions (simple DoS protection):
"-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 3 -j DROP"
However, I would most likely only add it using the following syntax (including a PORT):

-A in-ethX -m conntrack --ctstate NEW -p tcp -m tcp --dport 80 -m limit --limit 1/sec --limit-burst 3 -j DROP


Best regards
André Paulsberg-Csibi
Senior Network Engineer
IBM Services AS


Sensitivity: Internal

-----Original message-----
From: netfilter-owner@xxxxxxxxxxxxxxx <netfilter-owner@xxxxxxxxxxxxxxx> On behalf of Stefanie Leisestreichler
Sent: Monday 20 August 2018 18:34
To: netfilter@xxxxxxxxxxxxxxx
Subject: Please review/comment my firewall script

Hi.

Would you please review my firewall script and advise
what is good/bad/missing/misordered for production use?
I did implement reverse path filtering via sysctl.conf and
disabled IPv6. I am loading it with iptables-restore.

Thank you very much.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9:796]
:ICMPALL - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 3 -j DROP
-A INPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5061 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p udp -m multiport --dports 5060:5061 -j ACCEPT
-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m iprange --src-range 192.168.1.1-192.168.2.255 -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ICMPALL
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "[netfilter] "
-A ICMPALL -p icmp -f -j DROP
-A ICMPALL -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A ICMPALL -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ICMPALL -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ICMPALL -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ICMPALL -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ICMPALL -p icmp -j DROP
COMMIT
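As an added example, not code from this thread or from either poster: a POSIX shell script that lays out the per-interface branch chains André describes, for any number of interfaces rather than the two in his sketch, and then lints the generated table for the three properties the review turns on (the RELATED,ESTABLISHED accept as the first INPUT rule, every user-defined chain closed by a DROP, and the COMMIT line that iptables-restore requires). The interface names, subnets and the /tmp path are assumptions; the service ports mirror the thread's 22, 80 and ICMP echo. The per-port new-session limiter is written with -m limit on an ACCEPT: limit matches while the rate is within budget, so the ACCEPT carries the limit and the chain's closing DROP takes the excess.

```shell
#!/bin/sh
# Added example, not code from the thread: build a per-interface branch-chain
# ruleset in iptables-restore format and lint it for the ordering the thread
# discusses. Interface names and subnets given as IFACE:SUBNET are assumed.

# emit_ruleset IFACE:SUBNET [IFACE:SUBNET ...]
# Prints a complete *filter table; each interface gets its own in-IFACE chain.
emit_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    for spec in "$@"; do
        printf '%s\n' ":in-${spec%%:*} - [0:0]"
    done
    # Most packets belong to existing flows, so this rule comes first.
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for spec in "$@"; do
        i=${spec%%:*}
        printf '%s\n' "-A INPUT -i $i -j in-$i"
    done
    # Traffic from an interface with no branch chain is logged, then dropped.
    printf '%s\n' '-A INPUT -j LOG --log-prefix "FW-INVALID-INPUT " --log-tcp-options --log-ip-options'
    printf '%s\n' '-A INPUT -j DROP'
    for spec in "$@"; do
        i=${spec%%:*}; net=${spec#*:}
        # Per-port limiter for new HTTP sessions: -m limit matches while the rate
        # is within budget, so ACCEPT carries the limit and the final DROP takes
        # the excess.
        printf '%s\n' "-A in-$i -m conntrack --ctstate NEW -s $net -p tcp -m tcp --dport 80 -m limit --limit 1/sec --limit-burst 3 -j ACCEPT"
        printf '%s\n' "-A in-$i -m conntrack --ctstate NEW -s $net -p tcp -m tcp --dport 22 -j ACCEPT"
        # Echo request only; replies to our own pings arrive as RELATED,ESTABLISHED.
        printf '%s\n' "-A in-$i -p icmp -m icmp --icmp-type 8 -j ACCEPT"
        printf '%s\n' "-A in-$i -m conntrack --ctstate INVALID -j DROP"
        printf '%s\n' "-A in-$i -m limit --limit 10/min -j LOG --log-prefix \"[in-$i] \""
        printf '%s\n' "-A in-$i -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# check_ruleset < ruleset
# Succeeds only when: the first INPUT rule is the RELATED,ESTABLISHED accept,
# the last rule of every user-defined chain jumps to DROP, and COMMIT closes
# the table (iptables-restore rejects a table without it).
check_ruleset() {
    rules=$(cat)
    first=$(printf '%s\n' "$rules" | grep '^-A INPUT ' | head -n 1)
    case $first in
        *'--ctstate RELATED,ESTABLISHED -j ACCEPT') ;;
        *) echo 'first INPUT rule is not the conntrack ACCEPT' >&2; return 1 ;;
    esac
    # User-defined chains are declared as ":NAME - [pkts:bytes]".
    for chain in $(printf '%s\n' "$rules" | sed -n 's/^:\([^ ]*\) - .*/\1/p'); do
        last=$(printf '%s\n' "$rules" | grep "^-A $chain " | tail -n 1)
        case $last in
            *' -j DROP') ;;
            *) echo "chain $chain does not end in DROP" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$rules" | grep -qx 'COMMIT' || { echo 'missing COMMIT' >&2; return 1; }
}

# Usage on a host with iptables (not run here): generate, lint, then dry-run.
#   emit_ruleset eth0:192.168.1.0/24 eth1:192.168.2.0/24 > /tmp/rules.v4
#   check_ruleset < /tmp/rules.v4 && iptables-restore --test < /tmp/rules.v4
```

check_ruleset is a static text lint, not a replacement for `iptables-restore --test`, which parses the file with the real match extensions and catches option typos that a grep-based check cannot; the two are meant to be run in sequence before the ruleset is committed.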



