Iptables rule, brainstorming

Any thoughts?

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -f -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.14/32 -i enx001e0630caa8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p udp -m udp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 3389 -j DROP
-A INPUT -s 192.168.1.1/32 -i enx001e0630caa8 -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j DROP
-A INPUT -s 127.0.0.0/8 -i lo -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j DROP
-A OUTPUT -d 9.9.9.9/32 -p udp -j ACCEPT
-A OUTPUT -d 9.9.9.9/32 -p tcp -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -m tcp -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -m tcp -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW -m tcp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type any -m limit --limit 1/sec -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type any -j DROP
-A OUTPUT -j DROP

What is the point of having a default accept policy, a bunch of specific drop targets and then a handful of accept targets?

Why not make the default policy drop, “drop” all the rules with drop targets from your file, and affirmatively keep the rules with the accept target?


Good question. That is why I am asking, to get the correct solution.

Keep the three accepts in the beginning, add drop for input and forward in the end. Add only what you want to allow in-between. Am out at the moment, can write it with correct syntax when I get home tonight or tomorrow.


If you find a moment of free time then write what and how it should be in your opinion. Thanks in advance. :wink:

Sorry for the tardiness, out doing stuff all day.

I run mine from rc.local on startup. I have a folder with several files named 10.vpn.sh, 20.iptables.sh, 30.routing.sh and so on. Find it easier to have it all divided up like that instead of using iptables-save and what not. Since you only have INPUT/OUTPUT in your post, I won't get into PREROUTING, POSTROUTING and FORWARD.

Start with accepting most things.

iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT

You need to accept already established and related connections to be able to receive the reply to a request you initiated.

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

You should allow for full INPUT/OUTPUT communication back and forth to your localhost using

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

In case you want to have much more control, only allow what you need to go through OUTPUT chain. If you want to shut down OUTPUT also, add the lines I added starting with **

**iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT # DNS
**iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT # DNS
**iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT # HTTP
**iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT # HTTPS

Finish your script with dropping everything that wasn't addressed above, except OUTPUT; I assume you're ok with the outgoing connections you chose to initiate.

iptables -A INPUT -j DROP
**iptables -A OUTPUT -j DROP

Everything has to be added in between the initial INPUT/OUTPUT -j ACCEPT and the two -j DROP in the end, since iptables will jump (-j parameter), as soon as it finds a rule that fits. Not even sure that the first ACCEPTs are required, but they don’t hurt where they are, so I never bothered checking that out.

I only recently started mucking around with iptables, so am still kinda new to it. Decided to look closer because I wanted to set up split routing using tables and fwmark, am hosting my own servers, and I wanted to set up load balancing on several VPN connections using ip and iptables. If anyone has anything else that would be good to add or remove, or I'm simply wrong, please say so I can get better at understanding it.

If you want a map of how iptables works, this map is quite nice.

This one gives a quick overview of the flow, and gives a hint to where you have to do what you want to do.

Edit: Removed some unwanted chars to prevent errors with commands, added map and img


Thank you for your response.

This mess is the result of generating rules using the GUI firewall in openmediavault, which only allows you to touch the INPUT / OUTPUT chains.

My goal is maximum security in the most correct way.
I always block the IN / OUT traffic completely and allow only the selected traffic. Even the outgoing traffic I like to limit, such a fetish. :wink:
Summing up: only the traffic that I know and want, the rest is to be cut. And because the case concerns the NAS server, it is preferable for it to be tightly closed.

So if you have any comments, I will be happy to read.

If you are on a Linux system, you can try and check out fwbuilder; it's in most repositories. It's a fairly decent UI for generating iptables setups. Can try and tinker with that a bit. It also has templates for some setups, which gives you a decent starting point to set up your firewall.

Edit: unless you have a keyboard and screen connected to the NAS, don't run the commands I wrote, you'd be locked out.

2 things: 1. iptables-restore swaps old rules for new rules atomically, use it to your advantage; 2. set the default to drop in all chains, that way new interfaces coming online don't leak packets before firewall rules are reapplied.

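As an added illustration (not a ruleset from anyone in this thread), here is the original openmediavault dump rewritten the way the last two replies suggest: default DROP policies in the chain headers, only the ACCEPT rules kept, loaded in one go with `iptables-restore < rules.v4` so the policies and rules land atomically. The interface name, the two LAN hosts and the 9.9.9.9 resolver are taken from the original post; narrowing 9.9.9.9 to port 53, the multiport line and the LOG rules are my assumptions.

```conf
*filter
# Default DROP on every chain: packets that match nothing are dropped,
# including on interfaces that come up before the rules are reapplied.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback both ways (replaces the 127.0.0.0/8 DROP lines, which are now implied).
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Conntrack sanity before any ACCEPT: invalid state, and new TCP that is not a plain SYN.
# "! --syn" is the documented shorthand for "! --tcp-flags FIN,SYN,RST,ACK SYN".
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Replies to connections this host started.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The two management hosts from the original dump (interface name assumed from that dump).
-A INPUT -i enx001e0630caa8 -s 192.168.1.14/32 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i enx001e0630caa8 -s 192.168.1.1/32 -m conntrack --ctstate NEW -j ACCEPT
# Outbound: DNS only to 9.9.9.9 (assumed: port 53 instead of "any port"), then FTP/HTTP/HTTPS,
# then anything on the LAN. The 8080/3389 DROP rules are gone: nothing accepts them any more.
-A OUTPUT -d 9.9.9.9/32 -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -d 9.9.9.9/32 -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 21,80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 1/sec -j ACCEPT
# Assumed addition: log a sample of what falls through to the policy, so a missing ACCEPT
# shows up in the kernel log instead of as a silent timeout.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
COMMIT
```

Test it from the console rather than over SSH: with `iptables-restore --test rules.v4` to check syntax first, and note that 192.168.1.14 and 192.168.1.1 are the only addresses that can open new connections to the NAS afterwards.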