Difference between revisions of "Iptables whitelist"
(Starting article) |
m |
||
Line 8: | Line 8: | ||
iptables -P OUTPUT DROP | iptables -P OUTPUT DROP | ||
+ | # Allow traffic across the local loopback interface. Some software might use this interface for inter-process communication and external sources don't send traffic through it. | ||
iptables -A INPUT -i lo -j ACCEPT | iptables -A INPUT -i lo -j ACCEPT | ||
iptables -A OUTPUT -o lo -j ACCEPT | iptables -A OUTPUT -o lo -j ACCEPT | ||
+ | # Allow web browsing traffic and other HTTP-based services like most package managers. In order to account for both the outgoing request and the incoming reply, two rules have to be added. Note the use of the conntrack module which provides state information to the firewall. The rules below allow outgoing traffic on ports 80 and 443 as long as the connection is NEW or already ESTABLISHED. The complementary rule allows incoming traffic on either of the ports, but only when the firewall is tracking an already established connection. So what would happen if the INPUT rule allowed the NEW connection state as well? Suddenly there's a gaping hole in your firewall. If an attacker binds all of his packets to originate from a source port of 80, they all get accepted and pass right through the firewall. | ||
+ | iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | ||
+ | iptables -A INPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT | ||
+ | |||
+ | # Allow DNS traffic. Trying to do just about anything will be impossible without DNS resolution. Notice that even though DNS is a UDP protocol--and therefore stateless--that the conntrack module is still able to function. Internally, it does this by keeping track of the source address, source port, destination address, and destination port. These four items comprise an effective unique identifier for the connection. | ||
iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | ||
iptables -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT | iptables -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT | ||
− | + | ||
− | + | ||
iptables -N LOGSERVER | iptables -N LOGSERVER |
Latest revision as of 21:36, 18 June 2015
There is a lot of documentation available for iptables on the internet, but less in the way of creating a secure set of rules. This guide is intended to provide the most secure firewall setup possible--one that drops all traffic except traffic that has been added to a whitelist. If you rely on blacklisting attackers, they can always come from another IP address and your rules get larger and more expensive to traverse. Whitelisting provides a small set of rules that provide only the functionality you need and nothing more.
iptables -F
- Set the default policies on all of the filter table chains to DROP. This means that
iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP
- Allow traffic across the local loopback interface. Some software might use this interface for inter-process communication and external sources don't send traffic through it.
iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT
- Allow web browsing traffic and other HTTP-based services like most package managers. In order to account for both the outgoing request and the incoming reply, two rules have to be added. Note the use of the conntrack module which provides state information to the firewall. The rules below allow outgoing traffic on ports 80 and 443 as long as the connection is NEW or already ESTABLISHED. The complementary rule allows incoming traffic on either of the ports, but only when the firewall is tracking an already established connection. So what would happen if the INPUT rule allowed the NEW connection state as well? Suddenly there's a gaping hole in your firewall. If an attacker binds all of his packets to originate from a source port of 80, they all get accepted and pass right through the firewall.
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow DNS traffic. Trying to do just about anything will be impossible without DNS resolution. Notice that even though DNS is a UDP protocol--and therefore stateless--that the conntrack module is still able to function. Internally, it does this by keeping track of the source address, source port, destination address, and destination port. These four items comprise an effective unique identifier for the connection.
iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -N LOGSERVER iptables -A INPUT -p tcp -m multiport --dports 22,3306 -m conntrack --ctstate NEW -j LOGSERVER iptables -A LOGSERVER -m limit --limit 5/min -j LOG --log-prefix "SYN to server: " --log-level warning iptables -A LOGSERVER -j RETURN