* An acceptable rule set?
@ 2005-08-30 16:24 Luqman Munawar
From: Luqman Munawar @ 2005-08-30 16:24 UTC (permalink / raw)
  To: Netfilter Mailing List



I have read the "Iptables Tutorial" by Oskar Andreasson and tried to
write a reasonable ruleset for my network scenario. Not really something
special, but being behind a university firewall, I hope it is
acceptable as an additional security measure.

Q1) Can you people be nice enough to give your ideas about how/where to
improve it?

Q2) I have introduced variables instead of actual ip-addresses, but
these variables are not being handled correctly.

I receive the following error:

Bad argument `Y_IP="192.168..126.31'
Error occurred at line: 8
Try `iptables-restore -h' or 'iptables-restore --help' for more
information.


The rule set is as follows:

fisw31:~/ToDo# cat /root/ToDo/iptables-save-new
# Generated by iptables-save v1.2.11 on Fri Jul 22 18:20:59 2005
*filter
:INPUT DROP [808:130818]
:FORWARD DROP [0:0]
:OUTPUT DROP [408:29492]


MY_IP="192.168..126.31"
MY_MAIL_SERVER="mail.isp.com"
MY_GMX_MAIL_SERVER="mail.gmx.net"
MY_DNS_SERVER="192.168.102.14"
MY_PROXY_SERVER="192.168.102.14"


#Allow test connections from loopback to loopback
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT


#Accept connection to/from $MY_MAIL_SERVER
-A INPUT -s $MY_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport smtp -j ACCEPT
-A INPUT -s $MY_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport imap -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_MAIL_SERVER -p tcp -m tcp --dport smtp -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_MAIL_SERVER -p tcp -m tcp --dport imap -j ACCEPT

#Accept connection to/from gmx.net
-A INPUT -s $MY_GMX_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport pop3 -j ACCEPT
-A INPUT -s $MY_GMX_MAIL_SERVER -d $MY_IP -p tcp -m tcp --sport smtp -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_GMX_MAIL_SERVER -p tcp -m multiport --dport pop3 -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_GMX_MAIL_SERVER -p tcp -m multiport --dport smtp -j ACCEPT

#Allow connection to/from port 80(http),443(https),22(ssh)
-A INPUT -d $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT

-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT


-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT

-A OUTPUT -s $MY_IP -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -s $MY_IP -p tcp -m tcp --sport 443 -j ACCEPT

#check for apt-get connection behaviour to http servers and change settings for iptables accordingly
#allow all traffic to/from DNS server ($MY_DNS_SERVER)
#-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
#-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT

-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_DNS_SERVER -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s $MY_DNS_SERVER -d $MY_IP -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT

#connection to proxy-server ($MY_PROXY_SERVER) on port 8080
-A OUTPUT -s $MY_IP -d $MY_PROXY_SERVER -p udp -m udp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s $MY_IP -d $MY_PROXY_SERVER -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s $MY_PROXY_SERVER -d $MY_IP -p udp -m udp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s $MY_PROXY_SERVER -d $MY_IP -p tcp -m tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT



# Allow ping operation
-A INPUT -d $MY_IP -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d $MY_IP -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d 127.0.0.1 -p icmp -m icmp --icmp-type 0 -j ACCEPT

-A OUTPUT -s $MY_IP -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s $MY_IP -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -p icmp -m icmp --icmp-type 0 -j ACCEPT

#Whois connections/connection-replies to/from outside are allowed
-A OUTPUT -s $MY_IP -d whois.crsnic.net -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -s whois.crsnic.net -d $MY_IP -p tcp -m tcp --sport 43 -m state --state ESTABLISHED -j ACCEPT

#Throw away uncommon TCP packets
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#Throw away unexpected packets and log valid ones
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp -m state --state INVALID -m limit --limit 10/m -j LOG --log-level info

#SYN-Flood-Protection
-N syn-flood
-A INPUT -p tcp --syn -j syn-flood
-A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
-A syn-flood -j DROP

#HTTP-CONNECT requests to be denied
#-A INPUT -p tcp -d 0/0 --dport 80 -m string --string "CONNECT" -j REJECT

#Limit number of connections
-A INPUT -p tcp -m limit --limit 2 -j REJECT --reject-with tcp-reset

COMMIT
# Completed on Fri Jul 22 18:20:59 2005



-- 
Luqman Munawar




* Re: An acceptable rule set?
From: /dev/rob0 @ 2005-08-30 17:04 UTC (permalink / raw)
  To: netfilter

On Tuesday 2005-August-30 11:24, Luqman Munawar wrote:
> I have read the "Iptables Tutorial" by Oskar Andreasson and tried to
> write a reasonable ruleset for my network scenario. Not really
> something special but being behind a firewall of university, I hope
> it is acceptable as an additional security measure.

In general I would not expect very much protection from something under 
the control of university IT departments. OTOH you're apparently on a 
NAT'ed RFC 1918 IP, so your only real security concern is attackers 
from within the university. That could be a major concern.

> Q1) Can you people be nice enough to give your ideas about how/where
> to improve it.

Packet Filtering HOWTO: INPUT: accept all --state RELATED,ESTABLISHED 
traffic, accept services you want open, default policy DROP. OUTPUT 
default policy ACCEPT. FORWARD policy DROP, and no rules unless you're 
acting as a router. Why complicate things?

> Q2) I have introduced variables instead of actual ip-addresses, but
> these variables are not being handled correctly.
>
> I receive the following error:
>
> Bad argument `Y_IP="192.168..126.31'

Did you read that error? What do you think about it?

> Error occurred at line: 8
> Try `iptables-restore -h' or 'iptables-restore --help' for more
> information.
>
>
> The rule set is as follows:
>
> fisw31:~/ToDo# cat /root/ToDo/iptables-save-new
> # Generated by iptables-save v1.2.11 on Fri Jul 22 18:20:59 2005
> *filter
>
> :INPUT DROP [808:130818]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [408:29492]
>
> MY_IP="192.168..126.31"

For one thing, that is not a proper representation of an IP address. I 
see what appears to be an extra "." in the middle. For another thing, 
iptables-restore(8) is not sh(1), and it cannot read shell variable 
syntax.

You could do what you're trying to do with a bash "here document" to 
generate your rules and pipe them to the stdin of iptables-restore(8). 
Your main area of confusion is in thinking that your iptables rules 
file was a shell script.

> #Allow connection to/from port 80(http),443(https),22(ssh)
> -A INPUT -d $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -d $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -d $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT

Other than aforementioned syntax problems, okay ...

> -A OUTPUT -s $MY_IP -p tcp -m tcp --dport 80 -j ACCEPT
> -A OUTPUT -s $MY_IP -p tcp -m tcp --dport 443 -j ACCEPT
> -A OUTPUT -s $MY_IP -p tcp -m tcp --dport 22 -j ACCEPT

... but these rules do not allow replies back out. Think about the 
difference between --dport and --sport! (Yes, there are --sport rules 
further down.)

I've lectured about OUTPUT filtering here before. My bottom line on 
that: anyone who needs to ask questions here probably should not be 
doing OUTPUT filtering.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header


