FUN WITH IPTABLES -
IPTABLES SECURITY BASICS
I like iptables, it's free, it runs on linux, it's easier to use than
ipchains, and you can do some pretty funky things with it. But like all
things linux, it only plays nice if you ask it properly. A badly
configured iptables firewall will be no better than a badly configured
any other firewall.
For those of you starting out, there are some user friendly options,
the most well known probably being the iptables module of the Webmin
project. Webmin is a web based administration tool for linux with
modules for just about anything, including iptables. The module
actually gives you a rules gui much like the checkpoint firewall's
point and click screen. And yes, there are various other options, just
google for a list.
Personally, I like the command line approach, so thats what I'm going
to be focusing on for some general security settings able to used on
almost any iptables firewall (and as always, any suggestions here are
taken used at your own risk) ;
-
Ensure that forwarding is enabled
echo 1 > /proc/sys/net/ipv4/ip_forward
-
Help prevent IP Spoofing
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
-
Ensure the required kernel modules are loaded
insmod ip_tables
insmod iptable_filter
insmod ip_conntrack
insmod ip_state
insmod iptable_nat
insmod ip_conntrack_ftp
insmod ip_nat_ftp
insmod ipt_LOG
insmod ipt_mangle
--there are more modules these are just the most common--
-
Always flush the old ruleset
iptables -F
iptables -t nat -F
iptables -t mangle -F
-
Always delete any custom chains
iptables -X
iptables -t nat -X
iptables -t mangle -X
-
Setup the default policies for your firewall
iptables -t nat -P POSTROUTING DROP
iptables -P FORWARD DROP
iptables -t nat -P OUTPUT DROP
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -t nat -P PREROUTING DROP
--make sure any other chains you use are also set to a default of DROP--
-
Allow for local interface to work unimpeded
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
-
Setup some source address sanity checks for your external interface
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 192.168.2.0/24 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 192.168.3.0/24 -i$EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 192.168.254.0/24 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 199.196.196.0/24 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 0.0.0.0/8 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 255.255.255.255 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 127.0.0.0/8 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 224.0.0.0/4 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 240.0.0.0/5 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 169.254.0.0/16 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 192.0.0.0/24 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 192.0.34.0/24 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 10.0.0.0/8 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 172.16.0.0/12 -i $EXT_INT -j DROP
iptables -t nat -A PREROUTING -s 192.168.0.0/16 -i $EXT_INT -j DROP
--If you are running services on your firewall change the above table
to INPUT--
--If you are using private ip addresses on your network then check
these rules so nothing breaks--
-
Setup some packet flag sanity checks
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
--If you are running services on your firewall change the above table
to INPUT--
-
Protect against SYN floods
iptables -t nat -A PREROUTING -p tcp --syn -m limit --limit 10/second
--limit-burst 20 -j ACCEPT
--the figures used here could well differ from situation to situation,
please test--
-
Setup the stateful packet inspection rules for each chain
iptables -A INPUT -m state --state established,related -j ACCEPT
iptables -A FORWARD -m state --state established,related -j ACCEPT
iptables -A OUTPUT -m state --state established,related -j ACCEPT
iptables -t nat -A PREROUTING -m state --state established,related -j
ACCEPT
iptables -t nat -A POSTROUTING -m state --state established,related -j
ACCEPT
iptables -t nat -A OUTPUT -m state --state established,related -j ACCEPT
--make sure any other chains you use are also setup for packet
inspection--
And thats it for this first
installment, hopefully some of these tips will help make your iptables
firewall a little more secure. And being more secure
is never a bad thing