Hi André.

I want to thank you so much for the time you spent for me. This was very helpful and I applied it as you suggested. Thank you very much!

Stef

On 8/20/18 11:22 PM, André Paulsberg-Csibi (IBM Consultant) wrote:

I will just make some small comments, since there is not enough detail to understand your setup (especially regarding your spoofing question), as it is still unclear how many interfaces are in use ...

I will assume you have at least 2 interfaces (if not, anti-spoofing is kind of obsolete) and you might want other options in place in that case.

So first off, for most systems, you would have the "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" first (as this normally has the most hits).

Next, and this is optional, you would have one "branch rule" for each interface ... (I assume 2 interfaces named eth0 and eth1 with respective 192.168.1.0/24 and 192.168.2.0/24.) (I prefer to have the branch rules even when having ONE interface, so it is easier to add them later when needed.)

Yes, you will have a longer ruleset, but I find it easier to manage and "understand" later if it grows and becomes more complex.

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j in-eth0
-A INPUT -i eth1 -j in-eth1
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-INVALID-INPUT " --log-tcp-options --log-ip-options
-A INPUT -j DROP

-A in-eth0 -m conntrack --ctstate NEW -p udp -m multiport --dports 10000:20000 -j ACCEPT
-A in-eth0 -m conntrack --ctstate NEW -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5061 -j ACCEPT
-A in-eth0 -m conntrack --ctstate NEW -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A in-eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A in-eth0 -m conntrack --ctstate INVALID -j DROP
-A in-eth0 -m limit --limit 10/min -j LOG --log-prefix "[netfilter] "
-A in-eth0 -j DROP

-A in-eth1 -m conntrack --ctstate NEW -p udp -m multiport --dports 10000:20000 -j ACCEPT
-A in-eth1 -m conntrack --ctstate NEW -s 192.168.2.0/24 -p udp -m multiport --dports 5060:5061 -j ACCEPT
-A in-eth1 -m conntrack --ctstate NEW -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A in-eth1 -m conntrack --ctstate NEW -s 192.168.2.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A in-eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A in-eth1 -m conntrack --ctstate INVALID -j DROP
-A in-eth1 -m limit --limit 10/min -j LOG --log-prefix "[netfilter] "
-A in-eth1 -j DROP

Typically I only use the allow for ICMP TYPE 8, as the others should work with the state engine as RELATED, ESTABLISHED.

I moved the DROP for INVALID packets later, as most likely you will not have too many of those. In any case you can move it up if the number of INVALID packets is larger than that of valid packets.

I removed this rule; this should only be added if you need to limit new sessions (simple DoS protection):

"-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 3 -j DROP"

However, I would most likely only add it using the following syntax (including a PORT):

-A in-ethX -m conntrack --ctstate NEW -p tcp -m tcp --dport 80 -m limit --limit 1/sec --limit-burst 3 -j DROP

Best regards
André Paulsberg-Csibi
Senior Network Engineer
IBM Services AS

Sensitivity: Internal

-----Original message-----
From: netfilter-owner@xxxxxxxxxxxxxxx <netfilter-owner@xxxxxxxxxxxxxxx> On behalf of Stefanie Leisestreichler
Sent: Monday, 20 August 2018 18:34
To: netfilter@xxxxxxxxxxxxxxx
Subject: Please review/comment my firewall script

Hi.

Would you please review my firewall script and advise what is good/bad/missing/misordered for production use? I did implement reverse path filtering over sysctl.conf and disabled IPv6. I am loading with iptables-restore.

Thank you very much.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9:796]
:ICMPALL - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 3 -j DROP
-A INPUT -s xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 5061 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p udp -m multiport --dports 5060:5061 -j ACCEPT
-A INPUT -p udp -m multiport --dports 10000:20000 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m iprange --src-range 192.168.1.1-192.168.2.255 -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ICMPALL
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "[netfilter] "
-A ICMPALL -p icmp -f -j DROP
-A ICMPALL -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A ICMPALL -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ICMPALL -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ICMPALL -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ICMPALL -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ICMPALL -p icmp -j DROP
COMMIT
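As an added example (not code from the thread or from either author), a small Python linter that checks an iptables-restore file for the ordering points raised above before it is loaded: the conntrack RELATED,ESTABLISHED accept must be the first INPUT rule, every jump must go to a declared chain, nothing may follow an unconditional DROP/ACCEPT in a chain, and a '--p'-style typo is caught. The SAMPLE ruleset is constructed for this example and deliberately seeds three mistakes.

```python
"""Lint an iptables-restore ruleset for the thread's points: conntrack fast path first in
INPUT, jumps to declared chains only, no rules shadowed by a bare DROP/ACCEPT, no '--p' typos."""
import re, shlex
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN"}
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}

def parse(text):
    chains, rules = set(), []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):           # ':NAME POLICY [pkts:bytes]' declares a chain
            chains.add(line.split()[0][1:])
        elif line.startswith("-A "):
            toks = shlex.split(line)       # keeps a quoted --log-prefix as one token
            rules.append((toks[1], toks[2:]))
    return chains, rules

def lint(text):
    chains, rules = parse(text)
    findings, dead = [], set()
    first_input = next((t for c, t in rules if c == "INPUT"), [])
    if "RELATED,ESTABLISHED" not in first_input:
        findings.append("INPUT: RELATED,ESTABLISHED accept should be the first rule")
    for chain, toks in rules:
        if chain in dead:
            findings.append(f"{chain}: unreachable rule {' '.join(toks)}")
        for t in toks:
            if re.fullmatch(r"--[A-Za-z]", t):   # '--p icmp' where '-p icmp' was meant
                findings.append(f"{chain}: malformed option {t}")
        if "-j" in toks:
            target = toks[toks.index("-j") + 1]
            if target not in BUILTIN_TARGETS and target not in chains:
                findings.append(f"{chain}: jump to undeclared chain {target}")
            if toks == ["-j", target] and target in TERMINAL:
                dead.add(chain)            # nothing after an unconditional terminal rule runs
    return findings

# Constructed sample in the thread's branch-chain layout, with three seeded mistakes.
SAMPLE = """:INPUT DROP [0:0]
:in-eth0 - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j in-eth0
-A INPUT -i eth1 -j in-eth1
-A INPUT -j LOG --log-prefix "FW-INVALID-INPUT " --log-tcp-options
-A INPUT -j DROP
-A in-eth0 --p icmp -m icmp --icmp-type 8 -j ACCEPT
-A in-eth0 -j DROP
-A in-eth0 -m conntrack --ctstate INVALID -j DROP
COMMIT
"""
```

Running `lint(SAMPLE)` reports the undeclared in-eth1 chain, the `--p` option and the INVALID rule shadowed by the preceding DROP; run it against your own restore file before calling iptables-restore.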