[CentOS] IPTables help

Mon May 26 15:10:54 UTC 2008
Robert Spangler <mlists at zoominternet.net>

On Sunday 25 May 2008 20:50, Fajar Priyanto wrote:

>  On Saturday 24 May 2008 21:55:57 Robert Spangler wrote:
>  First of all, thank you Robert for pointing some points. For the sake of
>  discussion, may I say something too?

Certainly.

>  > Since you believe that he wants a very strict firewall why are you
>  > setting the default policy's to ACCEPT?  Security 101, strict firewall
>  > drops everything from the start.  Then you open the access you require,
>  > not the other way around.
>
>  This is my mistake I think. It's because I was assuming the setting of the
>  firewall is done from another machine (ssh). Those rules are to prevent
>  unaware lockout.

It doesn't matter if you are trying to prevent unwanted lockout or not.  Once 
the rules are loaded they are set.  If they are set so that another machine 
(ssh) is not to have access then it will not have access.

>  > >  #Allowing needed ports:
>  > >  iptables -A INPUT -i eth0 -m multiport -p udp --dport
>  > > 5060,10000:60000 -s ipthatyouwantallow -j ACCEPT
>  > >  iptables -A INPUT -i eth1 -m multiport -p udp --dport
>  > >  53,80,5060,10000:60000 -j ACCEPT
>  > >  iptables -A OUTPUT -m multiport -p udp --dport 53 -j ACCEPT
>  > >  iptables -A FORWARD -m multiport -p udp --dport 53,5060,10000:60000
>  > > -s ipthatyouallow -j ACCEPT
>  > >  iptables -A FORWARD -m multiport -p tcp --dport 80 -j ACCEPT
>  >
>  > First question you need to ask yourself is there any hosting services on
>  > this box that will require a connection form the WAN side.  If not then
>  > you should change your input statements to allow only the LAN.  You do
>  > not require the INPUT statements for packets that pass through the box
>  > as the FORWARD will handle all traffic passing through.
>
>  The OP said that it's an Asterisk box. So it surely needs some open ports,
>  doesn't it?

I really don't know.  I do not know this setup.  If it does then I would look 
into using an old 486 or Pentium for a firewall and setting this box up to be 
in a DMZ.

>  > Second question is if you are using ESTABLISHED,RELATED why are you not
>  > using NEW in the above rules?
>
>  It depends on the context and level of details needed. Pls CMIIW, if we
> allow NEW in the above rules, then ALL traffic will be matched, and thus
> rendering all subsequent rules useless. Again pls CMIIW :)

With IPTABLES once a rule matches and is accepted it stops processing the 
packet and sends it on it's way.  NEW does not stop IPTABLES from processing 
the packet as it is supposed to, it just applies the rule if the packet is 
new.  This is why you place ESTABLISHED,RELATED at the top of your rule sets 
and use the NEW statement in your rules.

Let us take a look at the following rules set for an example.
This could be applied to a web server in a DMZ.

iptables INPUT   -p DROP
iptables OUTPUT  -p DROP
iptables FORWARD -p DROP
iptables INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables INPUT -i eth0 -j DROP **(I always place this statement)**
iptables OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables OUTPUT -o eth1 -j DROP **(I always place this statement) **

First an explanation.  This rules set allows connections to a web server but 
does not allow the web server to start it's own connections.  It is used to 
block an affected web server from infecting other systems.  On the OUTPUT 
rule set if you place a LOGing rule you would then see when the server was 
affected and just how much traffic it tries to push.

As a packet enters the firewall for port 80 and checks it against it's rule 
set.

The first rule it comes to is ESTABLISHED,RELATED.  Since there is nothing in 
the conntrack table for an entry.  Since none are there it sends the packet 
on it's way.

The next rule is for port 80.  The packet is compared to this rule to see if 
it matches.  It also checks the conntrack table to see if it is there.  since 
it is not it is considered a NEW connection so the rule say it is a match.  
It adds the information needed to the conntrack table and ACCPEPTs the 
packet. Processing finished.

Now the next packet enters the firewall and it is first checked by the 
ESTABLISHED,RELATED rule.  Since this packet comes from the same source and 
there is an entry in the conntrack table for this source the rule matches and 
the packet is allowed to pass.  Processing is finished.

This continues all the time.  Every packet is checked against the 
ESTABLISHED,RELATED rule and if the source is listed for that port then the 
firewall allows it through without further processing.  This is done to speed 
up the firewall.  Every rule has to be processed until one is matched as 
ACCEPT.  This requires processing power.  The less the system has to process 
a packet the faster it becomes.

Now lets say you don't use the NEW as in your rules set.  Now every packet has 
to traverse the rule set each time because there is no NEW rule to add it to 
the conntracking table.  Now lets say that you have a couple hundred rules in 
your firewall.  Now the packet has to traverse the entire rule set everything 
it comes in.  This will slow down your firewall.  This type of firewall is 
known as CONNECTIONLESS. meaning it doesn't care if the packet was seen 
before or not, it must traverse the chain.

I hope this has given you a better understanding of how IPTABLES works.

>  > Third question is have you enables connection tracking?  If you are
>  > using ESTABLISHED,RELATED then the system needs a way to keep track of
>  > the connection.
>
>  I believe Centos has them enabled and it will automatically loaded when
> the rules are fired up. Pls CMIIW.

It load the conntracking table but there are more.  This was just to get you 
thinking.

>  > If you want a 100% secure firewall then you will not allow any INPUT.
>  >  All modification would have to be done from the box using a keyboard.
>  >  If this is not an option then you can allow access from a trusted IP
>  > only and setup other security options.
>
>  Yes, this is my mistake assuming wrongly. Worth noted for the OP and
> everyone.
>
>  > >  #For masquerading:
>  > >  iptables -t nat -A POSTROUTING -o eth0 -d ! 192.168.0.0/24 -j
>  > > MASQUERADE
>  >
>  > If the WAN port is connected directly to the Internet then you should
>  > MASQ all out going traffic and anything that is heading to
>  > 192.168.0.0/24 should be dropped.
>
>  You mean it should be:
>  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ?

Correct.  If you are not MASQ all traffic that leave this interface and it 
leave with 192.168.0.0/24 then the machine on the Internet will not know how 
to get back to your network.  192.168.0.0/24 is not routed on the Internet.

>  > >  #Finally dropping all other traffic (positive list firewall):
>  > >  iptables -P INPUT DROP
>  > >  iptables -P OUTPUT DROP
>  > >  iptables -P FORWARD DROP
>  >
>  > This should be at the top for the firewall not the ACCEPT you have there
>  > now.
>  >
>  > For your reading enjoyment.
>  > http://iptables.rlworkman.net/chunkyhtml/index.html
>
>  Yes, the Oscar's tutorial seems to be the most popular one.

Yes there is a lot of good information in there.

I hope I was able to help you with your quest.


-- 

Regards
Robert

Smile... it increases your face value!
Linux User #296285
http://counter.li.org