Clever firewall rules
From: Rob 'Feztaa' Park (fezziker@home.com)
Date: 09/14/01
- Previous message: Seth Arnold: "Re: Linux server as it own firewall"
- Next in thread: Seth Arnold: "Re: Clever firewall rules"
- Reply: Seth Arnold: "Re: Clever firewall rules"
- Reply: Scott Gifford: "Re: Clever firewall rules"
- Reply: Scott Gifford: "Re: Clever firewall rules"
- Reply: Rob 'Feztaa' Park: "RE: Clever firewall rules"
- Reply: Rob 'Feztaa' Park: "Re: Clever firewall rules"
- Reply: Scott Gifford: "Re: Clever firewall rules"
- Reply: Hal Flynn: "Re: Clever firewall rules"
- Reply: Scott Gifford: "Re: Clever firewall rules"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 13 Sep 2001 17:41:03 -0600 (MDT)
From: Rob 'Feztaa' Park <fezziker@home.com>
To: focus-linux <focus-linux@lists.securityfocus.com>
Subject: Clever firewall rules
Message-ID: <Pine.LNX.4.33L2.0109131704140.2008-100000@feztron.ath.cx>
On Thu, 13 Sep 2001, Darin Wayrynen (dis)graced my inbox with this:
> Ok, stop teasing already! :-) What are your favorites [iptables rules]?
Well, here are the ones I think are good to have:
* iptables -A INPUT -i eth0 -p tcp -m state --state NEW ! --syn -j REJECT --reject-with host-unreach
This one drops all incoming packets that are not SYN packets, and are not
part of existing connections. This will automatically prevent portscans
that use anything but SYN packets from seeing anything (So I'm invincible
to FIN, NULL, and XMAS packet scans).
* iptables -A INPUT -i eth0 -m state --state INVALID -j REJECT --reject-with host-unreach
I used to think this would automatically drop malformed packets like
NULL and XMAS, but then I read the man page on iptables and it seems more
like this rule does what the last one is supposed to do, so I'm sort of
confused as to whether #1 actually does anything (I'm starting to think
that all packets that aren't part of established connections are NEW for
SYN's, and INVALID for everything else.)
Either way, both rules are in my firewall, and it produces the results I'm
looking for. Having both certainly isn't hurting anything, and redundancy
is good in the security world :). Although, if anybody can clear up the
states for me, that'd be nice :)
* iptables -A INPUT -p icmp --icmp-type 8 -j REJECT --reject-with host-unreach
Prevents people from pinging me without crippling my ability to
ping/traceroute other people. Mainly this is just a minor annoyance for
people trying to portscan me with programs like nmap that ping the host
first, they just have to add -P0 and try again. Then again, this might
stop some really stupid script kiddies. I'm thinking about setting up a
similar rule that would log people who ping me, just for fun.
Oh, and I suppose this rule does immunize me against ping bomb attacks...
* iptables -A INPUT -i eth0 -f -j REJECT --reject-with host-unreach
Just drops fragments. I'm not really an expert on this, but I heard that
fragments can be used maliciously (in port scans and such) and have little
to no valid use nowadays, so I thought it might be smart to block them.
After those rules, I have some basic rules that just open the ports that I
need to have open (for ICQ, my webserver, etc), followed by...
* iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Accepting packets that are part of already existing connections. This
rule, combined with the first rule and the fact that my OUTPUT table is
entirely empty, is the main reason I love my firewall: it lets me connect
to other machines on any port at all, but only lets other machines connect
to the ports that I say. It's a far superior method than other rulesets
that say "Ok, close every port except this one, which I need for konq to
download web pages, and this one for fetchmail to download stuff, and this
one...". In other words, it's easier to discriminate against bad packets
than it is to discriminate against bad ports.
And to wrap up my input table, I have two rules that reject all packets on
all tcp and udp ports (but only on eth0). I realize that I could just set
the table's default rule to reject, but this way allows me to control
what icmp type to reject it with, and also I'd then have to write a rule
to accept all traffic on lo, which is unnecessary since the current config
has the same effect.
If anybody has any other good rules, I'd like to hear about them. And if
somebody knows something I don't about my rules, I'd like to hear about
that, too :)
--
Rob 'Feztaa' Park
fezziker@home.com
ICQ#: 49781692
:wq!
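An added example, not part of the original post or the focus-linux thread: a small Python model of the INPUT chain described above, evaluated first-match in the post's order, so each test packet shows which rule decides it and why the ESTABLISHED,RELATED accept can safely sit after the rejects. The open port set and the conntrack state attached to each packet are assumptions; the model does not settle whether conntrack calls a bare FIN NEW or INVALID, it shows that both cases land on a reject.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """One inbound packet as the INPUT chain sees it (constructed for the example)."""
    iface: str = "eth0"
    proto: str = "tcp"              # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags present, e.g. frozenset({"SYN"})
    state: str = "NEW"              # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    icmp_type: int = -1
    fragment: bool = False          # True for a non-first fragment (what "-f" matches)

# Assumption: the post only says "ICQ, my webserver, etc", so these ports are made up.
OPEN_TCP_PORTS = {80, 5190}

def is_syn(p):
    """iptables --syn: SYN set and ACK, RST, FIN all clear."""
    return "SYN" in p.flags and not (p.flags & {"ACK", "RST", "FIN"})

# The INPUT chain in the post's order: (name, match predicate, verdict).
# The first matching rule wins; a packet matching nothing gets the chain policy.
INPUT_CHAIN = [
    ("NEW but not SYN", lambda p: p.iface == "eth0" and p.proto == "tcp"
                                  and p.state == "NEW" and not is_syn(p), "REJECT host-unreach"),
    ("INVALID", lambda p: p.iface == "eth0" and p.state == "INVALID", "REJECT host-unreach"),
    ("echo request", lambda p: p.proto == "icmp" and p.icmp_type == 8, "REJECT host-unreach"),
    ("fragment", lambda p: p.iface == "eth0" and p.fragment, "REJECT host-unreach"),
    ("open tcp port", lambda p: p.proto == "tcp" and p.dport in OPEN_TCP_PORTS, "ACCEPT"),
    ("ESTABLISHED,RELATED", lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    ("final tcp reject", lambda p: p.iface == "eth0" and p.proto == "tcp", "REJECT host-unreach"),
    ("final udp reject", lambda p: p.iface == "eth0" and p.proto == "udp", "REJECT host-unreach"),
]
POLICY = "ACCEPT"  # the post keeps the chain's default policy, so lo traffic falls through

def filter_input(p):
    """Return (verdict, name of the rule that decided) for packet p."""
    for name, match, verdict in INPUT_CHAIN:
        if match(p):
            return verdict, name
    return POLICY, "chain policy"

if __name__ == "__main__":
    SYN = frozenset({"SYN"})
    for pkt in (Packet(dport=80, flags=SYN),                       # new connection to the web server
                Packet(dport=80, flags=frozenset({"FIN"})),        # FIN scan probe, conntrack says NEW
                Packet(dport=40000, flags=frozenset({"ACK"}), state="ESTABLISHED"),  # reply to us
                Packet(iface="lo", dport=6000, flags=SYN)):        # loopback is never rejected
        print(pkt.iface, pkt.proto, pkt.dport, sorted(pkt.flags), pkt.state, "->", filter_input(pkt))
```

Swapping the order of the "NEW but not SYN" and "open tcp port" entries lets a FIN to port 80 through, which is the ordering point the post relies on.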