Hello everyone, today I bring you the second part of this series of tutorials on firewalls with iptables, very simple so that you can copy and paste, which I think is what every beginner (and even the most experienced) looks for at the end of the day: why reinvent the wheel 100 times, right?
This time I am going to try to focus on the very specific case of wanting our firewall to be much more aggressive, with an OUTPUT DROP policy. This post is also at the request of a reader of this page and of my post. (Inside my mind: wiiiiiiiiiiiii)
Let's talk a little about the pros and cons of setting an OUTPUT DROP policy. The main con I can point out is that it makes the job much more tedious and laborious; the pro is that, if you sit down to think through, design and plan the policies well, you will have a much more secure server at the network level.
So as not to ramble or go off topic, let me quickly explain with an example more or less how your rules should look:
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A because we are adding (appending) the rule.
-o refers to outgoing traffic; after it goes the interface, and if none is specified the rule matches all of them.
--sport is the source port. It plays an important role because in most cases we do not know from which port the request is going to be made; when we do know, we could use --dport.
--dport is the destination port, for when we know in advance that the outgoing connection must only go to one specific port. It has to be for something very specific, like a remote MySQL server for example.
-m state --state ESTABLISHED is more of a refinement: it keeps the connections that are already established. We could go deeper into it in a future post.
-d to specify the destination, when it can be specified, for example ssh to a specific machine by its IP.
#!/bin/bash
# Clean the iptables tables
iptables -F
iptables -X
# Clean NAT
iptables -t nat -F
iptables -t nat -X
# mangle table, for things like PPPoE, PPP and ATM
iptables -t mangle -F
iptables -t mangle -X

# Policies. I think this is the best way for beginners and it is
# still not bad. I'll explain: OUTPUT covers the outgoing connections
# (dropped by default in this version), INPUT we discard everything,
# and no server should forward.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Intranet, LAN
intranet=eth0
# Extranet, WAN
extranet=eth1

# Keep state. Everything that is already connected (established) we leave as it is
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loop device
iptables -A INPUT -i lo -j ACCEPT
# Loopback output
iptables -A OUTPUT -o lo -j ACCEPT

# http, https; we do not specify the interface because
# we want it to apply to all of them
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Output
# http, https; we do not specify the interface because
# we want it to apply to all, but we do specify the source port
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT

# ssh, only internally and from this range of IPs
iptables -A INPUT -p tcp -s 192.168.xx/24 -i $intranet --dport 7659 -j ACCEPT
# Output
# ssh, only internally and to this range of IPs
iptables -A OUTPUT -p tcp -d 192.168.xx/24 -o $intranet --sport 7659 -j ACCEPT

# Monitoring, for example if you have zabbix or some other snmp service
iptables -A INPUT -p tcp -s 192.168.1.1 -i $intranet --dport 10050 -j ACCEPT
# Output
# Monitoring, for example if you have zabbix or some other snmp service
iptables -A OUTPUT -p tcp -d 192.168.1.1 -o $intranet --dport 10050 -j ACCEPT

# icmp, ping; well, that is your decision
iptables -A INPUT -p icmp -s 192.168.xx/24 -i $intranet -j ACCEPT
# Output
# icmp, ping; well, that is your decision
iptables -A OUTPUT -p icmp -d 192.168.xx/24 -o $intranet -j ACCEPT

# mysql (with postgres it is port 5432)
iptables -A INPUT -p tcp -s 192.168.xx --sport 3306 -i $intranet -j ACCEPT
# Output - also asked by a user, to make a very specific rule
# server: 192.168.1.2, mysql: 192.168.1.3
# mysql (with postgres it is port 5432)
iptables -A OUTPUT -p tcp -s 192.168.1.2 -d 192.168.1.3 --dport 3306 -o $intranet -j ACCEPT

# sendmail, well, if you want to send some mail
#iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Anti-SPOOFING 09/07/2014
SERVER_IP="190.xxx"        # server IP, the real WAN IP of your server
LAN_RANGE="192.168.xx/21"  # LAN range of your network or your vlan
# IPs that should never come in through the extranet; it is a matter of
# using a bit of logic: if we have a purely WAN interface, LAN-type
# traffic should never come in through that interface
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
# Default action, to be performed when any of these rules matches
ACTION="DROP"

# Packets with the same IP as my server coming through the WAN
iptables -A INPUT -i $extranet -s $SERVER_IP -j $ACTION
# Note: this host's own outbound packets also carry $SERVER_IP as source; the
# OUTPUT rule only sees packets no earlier ACCEPT matched, which the
# OUTPUT DROP policy would discard anyway
iptables -A OUTPUT -o $extranet -s $SERVER_IP -j $ACTION
# Packets with the LAN range for the WAN. I put it like this in case you have
# some particular network, but it is redundant with the following
# rule inside the "for" loop
iptables -A INPUT -i $extranet -s $LAN_RANGE -j $ACTION
iptables -A OUTPUT -o $extranet -s $LAN_RANGE -j $ACTION
## All the SPOOF networks, not allowed through the WAN
for ip in $SPOOF_IPS; do
    iptables -A INPUT -i $extranet -s $ip -j $ACTION
    iptables -A OUTPUT -o $extranet -s $ip -j $ACTION
done
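As an added example (not the post's own script), here is the same OUTPUT DROP design written as a small generator of iptables-restore rules: a `serve` pair for services this host offers (--dport in, --sport out, as explained above) and a `client` pair for a known remote port (the mysql case), loaded in one step so the DROP policy and the ESTABLISHED exception land together instead of rule by rule. It reuses the post's eth0 intranet interface, ssh port 7659 and the 192.168.1.3 mysql server; the 192.168.1.0/24 LAN range is an assumed placeholder.

```shell
#!/bin/sh
LAN_IF=eth0                 # the post's intranet interface
LAN=192.168.1.0/24          # assumed placeholder: put your own LAN range here

# serve PROTO PORT SRC [IFACE]: this host listens on PORT for clients in SRC.
# INPUT matches the client's --dport; OUTPUT only lets the reply out, matched by
# --sport and ESTABLISHED, which is why the post puts --sport on the OUTPUT side.
serve() {
  in_if=""; out_if=""
  if [ -n "${4:-}" ]; then in_if="-i $4 "; out_if="-o $4 "; fi
  printf -- '-A INPUT %s-p %s -s %s --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$in_if" "$1" "$3" "$2"
  printf -- '-A OUTPUT %s-p %s -d %s --sport %s -m state --state ESTABLISHED -j ACCEPT\n' "$out_if" "$1" "$3" "$2"
}

# client PROTO PORT DST [IFACE]: this host opens connections to DST:PORT.
# Here the destination port is known in advance (the post's remote mysql case),
# so --dport goes on OUTPUT and only the ESTABLISHED reply is let back in.
client() {
  in_if=""; out_if=""
  if [ -n "${4:-}" ]; then in_if="-i $4 "; out_if="-o $4 "; fi
  printf -- '-A OUTPUT %s-p %s -d %s --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$out_if" "$1" "$3" "$2"
  printf -- '-A INPUT %s-p %s -s %s --sport %s -m state --state ESTABLISHED -j ACCEPT\n' "$in_if" "$1" "$3" "$2"
}

# render_ruleset: the whole filter table in iptables-restore format. Policies
# and exceptions are committed together, so there is no window where OUTPUT
# is already DROP but the ESTABLISHED rule is not yet in place.
render_ruleset() {
  printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\n'
  printf -- '-A INPUT -i lo -j ACCEPT\n-A OUTPUT -o lo -j ACCEPT\n'
  printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
  printf -- '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
  serve tcp 80 0.0.0.0/0                # web, any interface, like the post
  serve tcp 443 0.0.0.0/0
  serve tcp 7659 "$LAN" "$LAN_IF"       # ssh on the post's port, LAN only
  client tcp 3306 192.168.1.3 "$LAN_IF" # the post's remote mysql server
  printf 'COMMIT\n'
}

# Usage as root (iptables-restore replaces the post's -F/-X lines: without
# --noflush it flushes the filter table before loading the new one):
#   render_ruleset | iptables-restore --test   # parse only, commit nothing
#   render_ruleset | iptables-restore          # apply atomically
```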
In the next installment we will do port ranges and also set up policies organized by name, among other things... I await your comments and requests.