[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

Wed Jun 29 15:41:24 UTC 2016
l at avc.su <l at avc.su>

Hello Leon.

In addition to everything else mentioned in this thread, I'd recommend you a great book on the topic.
"Attack Detection and Response with iptables, psad, and fwsnort by Michael Rash"
It contains a really nice and detailed guide on iptables and most common attacks, nmap, psad and snort. 

Regarding your config, I'd like to point several things:
1. You're not dropping packets in status 'INVALID' on top of your script, which is strange regarding you have 3 rules to detect other non-standard behavior;
2. Since you're blocking outgoing UDP, you should be certain that all UDP services are set up to use TCP instead and add corresponding rules for them. I'm talking about DNS queries and NTP time sync requests (as most common, but not limited to). These services using UDP, but you disabled it and haven't created outgoing rule for DNS over TCP or NTP using TCP. You can't do DNS queries, and it's almost always painful for any service you're running on your server;
3. Seems strange that you haven't added SMTP to the list of allowed outgoing connections.



29.06.2016, 13:01, "Leon Vergottini" <leonv at cornerstone.ac.za>:
>  Dear Members
>
>  I hope you are all doing well.
>
>  I am busy teaching myself iptables and was wondering if I may get some
>  advise. The scenario is the following:
>
>     1. Default policy is to block all traffic
>     2. Allow web traffic and SSH
>     3. Allow other applications
>
>  I have come up with the following:
>
>  #!/bin/bash
>
>  # RESET CURRENT RULE BASE
>  iptables -F
>  service iptables save
>
>  # DEFAULT FIREWALL POLICY
>  iptables -P INPUT DROP
>  iptables -P FORWARD DROP
>  iptables -P OUTPUT DROP
>
>  # ------------------------------------------------------
>  # INPUT CHAIN RULES
>  # ------------------------------------------------------
>
>  # MOST COMMON ATTACKS
>  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
>  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
>  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
>
>  # LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
>  iptables -A INPUT -i lo -j ACCEPT
>  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>  # SSH
>  iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>
>  # WEB SERVICES
>  iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>  iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>  iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
>
>  # EMAIL
>  iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
>  iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
>
>  # OTHER APPLICATIONS
>  iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT
>  iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT
>
>  # ------------------------------------------------------
>  # OUTPUT CHAIN RULES
>  # ------------------------------------------------------
>  # UDP
>  iptables -A OUTPUT -p udp -j DROP
>
>  # LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
>  iptables -A OUTPUT -i lo -j ACCEPT
>  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>  # SSH
>  iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>
>  # WEB SERVICES
>  iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>  iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>  iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
>
>  # EMAIL
>  iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
>  iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
>
>  # OTHER APPLICATIONS
>  iptables -A INPUT -p tcp -m tcp --dport 11009 -j ACCEPT
>  iptables -A INPUT -p tcp -m tcp --dport 12009 -j ACCEPT
>
>  # ------------------------------------------------------
>  # SAVE & APPLY
>  # ------------------------------------------------------
>
>  service iptables save
>  service iptables restart
>
>  To note:
>
>     1. The drop commands at the beginning of each chain is for increase
>     performance. It is my understanding that file gets read from top to bottom
>     and applied accordingly. Therefore, applying them in the beginning will
>     increase the performance by not reading through all the rules only to apply
>     the default policy.
>     2. I know the above point will not really affect the performance, so it
>     is more of getting into a habit of structuring the rules according to best
>     practice, or at least establishing a pattern for myself.
>
>  How secure is this setup? Is there any mistakes or things that I need to
>  look out for?
>
>  Thank you in advance for your feedback.
>
>  Kind Regards
>  Leon
>  _______________________________________________
>  CentOS mailing list
>  CentOS at centos.org
>  https://lists.centos.org/mailman/listinfo/centos

29.06.2016, 13:01, "Leon Vergottini" <leonv at cornerstone.ac.za>:
> Dear Members
>
> I hope you are all doing well.
>
> I am busy teaching myself iptables and was wondering if I may get some
> advise. The scenario is the following:
>
>    1. Default policy is to block all traffic
>    2. Allow web traffic and SSH
>    3. Allow other applications
>
> I have come up with the following:
>
> #!/bin/bash
>
> # RESET CURRENT RULE BASE
> iptables -F
> service iptables save
>
> # DEFAULT FIREWALL POLICY
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> # ------------------------------------------------------
> # INPUT CHAIN RULES
> # ------------------------------------------------------
>
> # MOST COMMON ATTACKS
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
>
> # LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>
> # WEB SERVICES
> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
>
> # EMAIL
> iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
>
> # OTHER APPLICATIONS
> iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT
>
> # ------------------------------------------------------
> # OUTPUT CHAIN RULES
> # ------------------------------------------------------
> # UDP
> iptables -A OUTPUT -p udp -j DROP
>
> # LOOPBACK, ESTABLISHED & RELATED CONNECTIONS
> iptables -A OUTPUT -i lo -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # SSH
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>
> # WEB SERVICES
> iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
>
> # EMAIL
> iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
>
> # OTHER APPLICATIONS
> iptables -A INPUT -p tcp -m tcp --dport 11009 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --dport 12009 -j ACCEPT
>
> # ------------------------------------------------------
> # SAVE & APPLY
> # ------------------------------------------------------
>
> service iptables save
> service iptables restart
>
> To note:
>
>    1. The drop commands at the beginning of each chain is for increase
>    performance. It is my understanding that file gets read from top to bottom
>    and applied accordingly. Therefore, applying them in the beginning will
>    increase the performance by not reading through all the rules only to apply
>    the default policy.
>    2. I know the above point will not really affect the performance, so it
>    is more of getting into a habit of structuring the rules according to best
>    practice, or at least establishing a pattern for myself.
>
> How secure is this setup? Is there any mistakes or things that I need to
> look out for?
>
> Thank you in advance for your feedback.
>
> Kind Regards
> Leon
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos