Secure iptables configuration
For anyone who runs their own Linux box out on the Internet, the proper configuration of the built-in stateful packet filter can be a bit of a black art. It doesn’t have to be that way, quite honestly. To help out, I’m providing a cut down version of the configuration that I use for iptables on this machine. In this version, I use the following strategies:
- That which isn’t explicitly permitted is denied (i.e. default deny). Nothing should be dealt with by an application that I have not explicitly allowed through. Change this at your own peril.
- Filter all ICMP traffic as much as possible. This includes destination unreachable (type 3) and time exceeded (TTL expiry, type 11) messages when they are not part of an existing connection.
- Try to catch anything spoofed. This means source addresses that cannot legitimately appear at all, and the “right” address showing up on the wrong interface.
- Make sure that all traffic leaving is correctly addressed. This isn’t a major concern until your system is compromised, at which point it provides a small barrier to further exploitation.
- Drop and log all TCP packets that have “impossible” flag settings. Some flag combinations are simply impossible and will never be generated by a legitimate client; a lot of them come from scans and probes by tools like nmap.
- Limit the damage that logging itself can cause, e.g. being turned into a denial of service.
I’ve removed a few things for my own reasons, but you can download the file here. I am not going to show it inline as it’s 200+ lines. To use it, edit it (it’s heavily commented), put it in /etc and then load it with the following command:
/sbin/iptables-restore < /etc/iptables.up.rules
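As an added example (not the author's downloadable file), here is a short ruleset in the format iptables-restore reads that implements each of the strategies listed above. It assumes a single external interface named eth0 with the address 203.0.113.10, a documentation-range address standing in for your own; rule order matters, since the state rule near the top is what lets related ICMP errors in before the catch-all ICMP drop.

```text
# Constructed example, not the post's own ruleset. Assumes one external interface,
# eth0, with the address 203.0.113.10 (a documentation range, RFC 5737).
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]

# Log at a bounded rate and then drop, so a flood cannot fill the disk with log entries
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level 4
-A LOGDROP -j DROP

# Loopback, and replies or related errors for connections the state table already knows
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Anti-spoofing: sources that cannot legitimately arrive on the external interface,
# including our own address showing up from the wire
-A INPUT -i eth0 -s 127.0.0.0/8 -j LOGDROP
-A INPUT -i eth0 -s 203.0.113.10 -j LOGDROP
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOGDROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOGDROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOGDROP

# TCP flag combinations that no legitimate client generates
-A INPUT -p tcp --tcp-flags ALL NONE -j LOGDROP
-A INPUT -p tcp --tcp-flags ALL ALL -j LOGDROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOGDROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOGDROP
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j LOGDROP
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j LOGDROP
-A INPUT -p tcp --tcp-flags ACK,URG URG -j LOGDROP
-A INPUT -p tcp ! --syn -m state --state NEW -j LOGDROP

# ICMP: echo requests at a limited rate; type 3 and 11 only get in as RELATED (above)
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -p icmp -j LOGDROP

# Explicitly permitted services; add each one deliberately (default deny otherwise)
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Egress: nothing leaves eth0 unless it carries our own source address
-A OUTPUT -o eth0 ! -s 203.0.113.10 -j LOGDROP
-A OUTPUT -o eth0 -m state --state NEW -j ACCEPT

# Anything that reaches the end of INPUT is logged and dropped
-A INPUT -j LOGDROP
COMMIT
```

The chain policies are DROP, so even a packet that somehow slips past the final LOGDROP rule is still denied; the explicit rule only adds the logging.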
For that to run automatically on boot, you should edit your network startup script. For example, on Debian-derived systems, including Ubuntu, you need to edit /etc/network/interfaces and add the line:
pre-up iptables-restore < /etc/iptables.up.rules
This line should appear before the stanza for any external network interface (such as eth0), so that the firewall is in place before any packets can actually be processed.
Hope this is helpful, and if anyone has anything else they’d recommend, I’m more than interested in other people’s strategies. I have another version that is written for the OpenBSD pf system if someone wants it.
This entry was posted at 11:06 pm on 29 September 2008 and is filed under Security.