Unix/Linux Go Back    


Security Discuss UNIX and Linux computer and network security, cyber security, cyber attacks, IT security, and more.

Need help for iptables rules

Security


Tags
iptables, iptables rules

Closed    
 
Thread Tools Search this Thread Display Modes
    #1  
Old Unix and Linux 12-29-2016
Thomas342 Thomas342 is offline
Banned
 
Join Date: Dec 2016
Last Activity: 15 August 2017, 6:42 AM EDT
Posts: 4
Thanks: 2
Thanked 0 Times in 0 Posts
Need help for iptables rules

Hello,

I did 2 scripts. The second one is, I hope, more secure.
What do you think?


Basic connection (no server, no router, no DHCP and the Ipv6 is disabled)

#######script one
####################


Code:
iptables -F
iptables -X -t filter
iptables -P INPUT DROP 
iptables -P FORWARD DROP 
iptables -P OUTPUT ACCEPT

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#CONNECTION
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT

#LOG
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A FORWARD -j LOG



######SCRIPT 2 ### SCRIPT (MORE SECURE) #####
#######################

Code:
iptables -F
iptables -X -t filter
iptables -P INPUT -j DROP
iptables -P FORWARD DROP 
iptables -P OUTPUT -j DROP

modprobe ip-conntrack

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#connection
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -d 0.0.0.0/0 -p tcp --sport xxxx -m state --state ESTABLISHED -j ACCEPT (I don't know if I must add 0.0.0.0/0 or 192.168.0.0/24)
iptables -A INPUT -m limit --limit 7/s -j LOG

#LOG
iptables -A OUTPUT -m limit --limit 7/s -j LOG
iptables -A FORWARD -m limit --limit 7/s -j LOG


Thanks in advance
Sponsored Links
    #2  
Old Unix and Linux 12-29-2016
jim mcnamara jim mcnamara is offline Forum Staff  
...@...
 
Join Date: Feb 2004
Last Activity: 22 September 2017, 12:35 PM EDT
Location: NM
Posts: 11,181
Thanks: 560
Thanked 1,093 Times in 1,009 Posts
I see the line for your DSL router or whatever 192... is. What is your goal? You can inadvertantly block your DNS server that way, for example.

Do not forget that you can render the system almost unusable with one single "interesting" line in your script. If you have iptables enabled now and have access - keep a copy of the current setup.
Sponsored Links
    #3  
Old Unix and Linux 12-30-2016
Thomas342 Thomas342 is offline
Banned
 
Join Date: Dec 2016
Last Activity: 15 August 2017, 6:42 AM EDT
Posts: 4
Thanks: 2
Thanked 0 Times in 0 Posts
Hello,

Thanks for your reply.

Quote:
II see the line for your DSL router or whatever 192... is. What is your goal?
I wanted to make this rule more secure:

Code:
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT

My pc is not acting as a router or a server. If I want to open a port (example: for a vpn), what rule do I need?
Normally the rule is:

Code:
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT

But this rule is not very secure because if I well understood, it allows everyone to get my tcp port xxx.
What can I do to make the rule more secure? Is it possible?

Thanks.
    #4  
Old Unix and Linux 12-30-2016
jim mcnamara jim mcnamara is offline Forum Staff  
...@...
 
Join Date: Feb 2004
Last Activity: 22 September 2017, 12:35 PM EDT
Location: NM
Posts: 11,181
Thanks: 560
Thanked 1,093 Times in 1,009 Posts
tcp ports are dictated by IANA So if you decide to "secure" port 25, nobody will be able to connect using ftp.

This link has 140 pages, just read a few.
Service Name and Transport Protocol Port Number Registry

My point is: you can break all kinds of services without knowing why. And if someone attacks a random port and there is no service behind it to respond, the attacks fails. So no need to block it. This is why attacks go for a lot of known ports. So known ports may require a minor tweak.

Are you trying to harden your box for a reason? A lot of linux boxes have special apps to help you. What OS and version of it do you have?
uname -a will show that, so please post it.

Edit: It is not uncommon to harden a UNIX and break some applications.

Last edited by jim mcnamara; 12-30-2016 at 08:02 PM..
The Following 2 Users Say Thank You to jim mcnamara For This Useful Post:
RavinderSingh13 (12-31-2016), Thomas342 (01-01-2017)
Sponsored Links
    #5  
Old Unix and Linux 01-01-2017
Thomas342 Thomas342 is offline
Banned
 
Join Date: Dec 2016
Last Activity: 15 August 2017, 6:42 AM EDT
Posts: 4
Thanks: 2
Thanked 0 Times in 0 Posts
Are you trying to harden your box for a reason? A lot of linux boxes have special apps to help you. What OS and version of it do you have?
uname -a will show that, so please post it.


No but you can't be too careful. And sometimes my laptop is connected to free WiFi.
I 've got two laptops: ubuntu and debian
1)Linux 4.4.0-57-generic #78-Ubuntu SMP Fri Dec 9 23:46:51 UTC 2016 i686 i686 i686 GNU/Linux
2)Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/LINUX

My point is: you can break all kinds of services without knowing why. And if someone attacks a random port and there is no service behind it to respond, the attacks fails. So no need to block it. This is why attacks go for a lot of known ports. So known ports may require a minor tweak.
You mean I'do better to change default ports rather than block them?

Thanks.
Sponsored Links
    #6  
Old Unix and Linux 01-01-2017
Peasant's Unix or Linux Image
Peasant Peasant is offline Forum Advisor  
Registered User
 
Join Date: Mar 2011
Last Activity: 22 September 2017, 1:30 AM EDT
Posts: 1,070
Thanks: 31
Thanked 313 Times in 274 Posts
With 'free wifi' most harmfull stuff is not actually related to your firewall (unless you block everything, which makes no sense).

A person who owns that wifi network in one way or another can :

1. Use fake DNS and create fake pages for folks inside that network.
2. Sniff network traffic, especially unencrypted/poorly encrypted traffic and analyze it or/and save it for later (perhaps even years, to brute force it later when he gets a new gpu Linux )

A lot of other things for an imaginative mind.

Conclusion is if the for anything but casual surfing (no banking, no credentials input), unless you know for a fact that no such things exist in that network.
If using be sure to check the certificates of pages you are leaving credentials at, and use strong encryption.

Hope the helps
Regards
Peasant.
The Following User Says Thank You to Peasant For This Useful Post:
Thomas342 (01-03-2017)
Sponsored Links
    #7  
Old Unix and Linux 01-03-2017
Thomas342 Thomas342 is offline
Banned
 
Join Date: Dec 2016
Last Activity: 15 August 2017, 6:42 AM EDT
Posts: 4
Thanks: 2
Thanked 0 Times in 0 Posts
OK. thanks

@ jim mcnamara
"So known ports may require a minor tweak"
Could you give me an example please?


@Peasant
What do you mean by "use strong encryption"? Modules (https everywhere,...) in firefox or softwares like VPN,...?

I did three scripts.
Are they good? Which is the best?
This rule:
iptables -X -t filter
Some says that I'm referring to a table called "filter" which doesn't exist. What should I add to make the filter table exist?




BASIC CONNECTION (my laptop is acting neither as a server nor as a router; no DHCP and the Ipv6 is disabled)

#######script one
####################



Code:
iptables -F
iptables -X -t filter
iptables -P INPUT DROP 
iptables -P FORWARD DROP 
iptables -P OUTPUT ACCEPT

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#CONNECTION
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT

#LOG
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A FORWARD -j LOG



######SCRIPT 2 ###
#######################

Code:
iptables -F
iptables -X -t filter
iptables -P INPUT -j DROP
iptables -P FORWARD DROP 
iptables -P OUTPUT -j DROP

modprobe ip-conntrack

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#connection
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT
##I deleted this line####
##iptables -A INPUT -d 0.0.0.0/0 -p tcp --sport xxxx -m state --state ESTABLISHED -j ACCEPT (I don't know if I must add 0.0.0.0/0 or 192.168.0.0/24)
#########

#LOG
iptables -A INPUT -m limit --limit 7/s -j LOG
iptables -A OUTPUT -m limit --limit 7/s -j LOG
iptables -A FORWARD -m limit --limit 7/s -j LOG


##SCRIPT 3####
###############


Code:
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT

#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT

#connection
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT

#LOG
iptables -A INPUT -m limit --limit 7/s -j LOG --log-prefix "ICATCH:" --log-level info
iptables -A OUTPUT -m limit --limit 7/s -j LOG --log-prefix "OCATCH:" --log-level info
iptables -A FORWARD -m limit --limit 7/s -j LOG --log-prefix "FCATCH:" --log-level info

THANKS IN ADVANCE
Sponsored Links
Closed

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Linux More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
iptables Rules for my network Vaibhav.T Red Hat 0 03-26-2013 06:54 PM
Iptables/Firewall rules for multicast IP. rama krishna Red Hat 0 08-29-2012 04:16 PM
iptables rules (ubuntu) Greenice Ubuntu 0 02-11-2012 04:55 AM
Editing rules on iptables garric Security 4 09-13-2011 05:22 PM
Iptables rules at boot solaris_user IP Networking 2 01-06-2010 06:49 PM



All times are GMT -4. The time now is 06:29 PM.