[CentOS] Default CentOS(Redhat) iptables, Secure?

Aleksandar Milivojevic alex at milivojevic.org
Wed Nov 30 15:16:34 UTC 2005

Quoting Johnny Hughes <mailing-lists at hughesjr.com>:
> On Wed, 2005-11-30 at 21:16 +0900, Mark Sargent wrote:
>> whilst not being an expert on iptables, the below ouput of iptables -L
>> seems too insecure to me. Does anyone agree.? Perhaps I'm not
>> understanding it as well as I think I am.? Please give your thoughts on
>> this. Cheers.

Mark, I don't find it particullary secure.  It is way better than no 
firewall at
all, however it is too open for my taste.

> Does it not block everything inbound except connections you initiate and
> the couple things that they included by default?
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     ipv6-crypt--  anywhere        anywhere
> ACCEPT     ipv6-auth--  anywhere         anywhere
> ACCEPT     udp  --  anywhere            udp dpt:5353
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp

Johnny (and Mark too), there is couple of problems here.

First of all, when you allow something using Red Hat supplied tools, you are
allowing it from *everywhere*.  For some services it is what you wanted
(example, some web and mail servers).  For some (like Cups) you usually only
want to allow your internal network, not entire known world (including
international space station).

Any bug in cups, and your system might get compromised.  Any bug in IPSec
implementation and your system might get compromised (the ipv6-auth and
ipv6-crypt are actually AH and ESP protocols for IPSec, so they are valid
protocols in IPv4 world too).  The multicast DNS thingie is not that 
much of an
issue (most systems don't run service on that port, they just act like an
client, but still).

The default config uses same set of rules for both INPUT and FORWARD 
chains. That's just braindead.  You allow SSH into your firewall for 
example, and you
allowed forwarding of it into your network too.

There's that dreaded "RELATED" rule.  It allows any connection that might look
like related to any existing connection.  To exploit it, a bit of social
engineering might be needed (or sometimes not, depending on actuall
configuration).  Some Netfilter modules were known for stamping as related
almost everything (or at least way too much).  What you really want to do is
accept related ICMP packets (if you want to be really tight, only subset that
is actually used for connection signaling) and than have rules for other
related packets that match specific module.  For example, the correct way to
allow active FTP data connection, you would allow packet in only if it is sent
from port 20 (-p tcp --sport 20), *and* it is connection to high port
(preferrably in 49152-65534 range, although some broken FTP servers use entire
1024-65534 range, but definettely high port) (--dport 49152:65534) *and*
related to existing FTP control channel (-m state --state RELATED) 
*and* it was
marked as related by ftp helper module (-m helper --helper ftp).  You really
don't want to allow it if it gets marked as related by IRC helper module for
example.  Connection from port 20 that gets marked as related by 
anything other
than ftp helper module, or to some low port (22 for example) is 100%

I could probably go on and on and on...

To make this long story shorter, I'll go to the point.  Either write 
your rules
yourself (don't use system supplied firewall config tool).  Or use some 3rd
party program if you are not really confident in this area.  There's many
around that do much better job than what you get by default with the
distribution (like fwbuilder for example).  Or send me a nice check that
matches  \$[1-9][0-9]{2,} regex, and I'll write them for you ;-)  (just

I just hope Red Hat is going to ditch the simplistic firewall tool they 
have in
favour of something better.

This message was sent using IMP, the Internet Messaging Program.

More information about the CentOS mailing list