original_PQ (n00b)
Joined: 22 Sep 2002 Posts: 24
Posted: Sun Sep 22, 2002 9:59 pm Post subject: Security Guide example firewall as good as nothing?
I copied almost the whole example firewall script from The Gentoo Security Guide.
It was very stupid of me not to test the blocked ports after installing, because I just found after a few weeks that the script has a huge hole. The firewall lets (almost) everything through!
I found out that it's the delay-flags chain (the last instruction) that lets all incoming connections through. I commented the whole chain out and the hole was gone.
Now, could someone tell me, have I done something wrong or is there a major flaw in the example script?
Or have I just understood it wrong?
No need to say that I didn't understand everything about every instruction.
Here's my script:
Code:
# assumes $IPTABLES was set earlier in the rc script to the iptables binary
ebegin "Setting internal rules"
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -N icmp_allowed
$IPTABLES -F icmp_allowed
$IPTABLES -A icmp_allowed -p icmp -j ACCEPT
$IPTABLES -A INPUT -j icmp_allowed
$IPTABLES -P FORWARD DROP
# check-flags: log (rate-limited) and DROP impossible TCP flag combinations
$IPTABLES -N check-flags
$IPTABLES -F check-flags
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# delay-flags: rate-limited ACCEPT (not DROP) of any lone RST, FIN or SYN packet
# (1/second, default burst 5), regardless of destination port
$IPTABLES -N delay-flags
$IPTABLES -F delay-flags
$IPTABLES -A delay-flags -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
$IPTABLES -A delay-flags -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT
$IPTABLES -A delay-flags -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT
$IPTABLES -A INPUT -j check-flags
# the jump below ran before allow-ssh-in and the DROP policy, so any new SYN
# that fit the rate limit was accepted on every port; now commented out
## $IPTABLES -A INPUT -j delay-flags
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -N allow-ssh-in
$IPTABLES -F allow-ssh-in
$IPTABLES -A allow-ssh-in -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -j allow-ssh-in
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -j icmp_allowed
$IPTABLES -A OUTPUT -j check-flags
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -j ACCEPT
$IPTABLES -P OUTPUT DROP
Now that I come to think of it... I did test my firewall. Or did I...
klieber (Bodhisattva)
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Sun Sep 22, 2002 11:31 pm
I've never particularly cared for that firewall ruleset -- it's very convoluted, IMO. Not sure exactly where the problem is and I don't feel like spending the time to trace the logic through and figure it out.
At first glance, I don't see a default deny rule, especially on the delay-flags chain, but like I said, I didn't spend that much time looking at it.
I highly recommend Oskar Andreasson's IPTables Tutorial. The code is cleanly delineated and (gasp) has plenty of comments to help folks new to IPTables follow the logic. In addition to being a great tutorial, it also contains several sample scripts for vanilla firewalls, firewalls with a DMZ and firewalls for DHCP users as well as others.
The rulesets have been carefully vetted by several people and the overall tutorial has gone through several revisions, so it's a fairly mature script. Definitely worth checking out.
(And, for the record, I use the rc.DHCP.firewall.txt script as a basis for the script on my firewall)
--kurt
_________________
The problem with political jokes is that they get elected
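To make the hole in the posted script concrete without touching a live box, here is an added example (written for this thread, not from the Gentoo guide, the OP's script or iptables itself): a small Python model of iptables chain traversal that walks a packet through the INPUT side of the ruleset above, with and without the `-j delay-flags` jump. It simplifies a few things, which are assumptions of the model rather than facts from the thread: the conntrack state is supplied on the packet instead of being tracked, LOG is treated as a non-terminating target, and `-m limit` is modelled as the token bucket iptables documents, with the default `--limit-burst` of 5.

```python
"""Model of iptables filter-chain traversal for the INPUT side of the posted ruleset."""
from dataclasses import dataclass
from typing import Optional

ALL = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})   # --tcp-flags ALL


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags that are set
    state: str = "NEW"               # assumed conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    iface: str = "eth0"              # input interface


class Limit:
    """-m limit --limit <rate>/second --limit-burst <burst>, as a token bucket."""
    def __init__(self, per_second, burst=5):
        self.rate, self.burst, self.tokens, self.last = per_second, burst, burst, 0.0

    def match(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False                 # bucket empty: the rule simply does not match


@dataclass
class Rule:
    target: str                              # ACCEPT, DROP, LOG or a user chain name
    proto: Optional[str] = None
    dport: Optional[int] = None
    tcp_flags: Optional[tuple] = None        # (mask, flags that must be set), as in --tcp-flags
    state: Optional[set] = None
    iface: Optional[str] = None
    limit: Optional[Limit] = None

    def matches(self, pkt, now):
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.tcp_flags is not None:
            mask, want = self.tcp_flags
            if (pkt.flags & mask) != want:
                return False
        if self.state and pkt.state not in self.state:
            return False
        if self.iface and pkt.iface != self.iface:
            return False
        if self.limit and not self.limit.match(now):
            return False
        return True


class Filter:
    def __init__(self):
        self.chains = {}   # chain name -> list of rules
        self.policy = {}   # built-in chain -> default verdict

    def verdict(self, chain, pkt, now=0.0):
        for rule in self.chains[chain]:
            if not rule.matches(pkt, now):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            if rule.target == "LOG":                    # non-terminating: keep walking
                continue
            sub = self.verdict(rule.target, pkt, now)   # jump into a user chain
            if sub is not None:
                return sub                              # None: user chain fell off its end
        return self.policy.get(chain)                   # policy for built-ins, None (RETURN) otherwise


def build_input_rules(jump_to_delay_flags):
    """INPUT side of the posted script; False models the commented-out jump."""
    fw = Filter()
    for name in ("INPUT", "icmp_allowed", "check-flags", "delay-flags", "allow-ssh-in"):
        fw.chains[name] = []
    fw.policy["INPUT"] = "DROP"
    fw.chains["INPUT"].append(Rule("DROP", state={"INVALID"}))
    fw.chains["icmp_allowed"].append(Rule("ACCEPT", proto="icmp"))
    fw.chains["INPUT"].append(Rule("icmp_allowed"))
    # check-flags: only the DROP rules decide a verdict, so the LOG rules are left out
    for want in ({"FIN", "URG", "PSH"}, ALL, {"SYN", "RST", "ACK", "FIN", "URG"}, set()):
        fw.chains["check-flags"].append(Rule("DROP", proto="tcp", tcp_flags=(ALL, frozenset(want))))
    for want in ({"SYN", "RST"}, {"SYN", "FIN"}):
        fw.chains["check-flags"].append(Rule("DROP", proto="tcp", tcp_flags=(frozenset(want), frozenset(want))))
    # delay-flags: ACCEPT any lone RST/FIN/SYN, one per second with a burst of 5
    for flag in ("RST", "FIN", "SYN"):
        fw.chains["delay-flags"].append(Rule("ACCEPT", proto="tcp", tcp_flags=(ALL, frozenset({flag})), limit=Limit(1.0)))
    fw.chains["INPUT"].append(Rule("check-flags"))
    if jump_to_delay_flags:
        fw.chains["INPUT"].append(Rule("delay-flags"))
    fw.chains["INPUT"].append(Rule("ACCEPT", iface="lo"))
    fw.chains["allow-ssh-in"].append(Rule("ACCEPT", proto="tcp", dport=22))
    fw.chains["INPUT"].append(Rule("allow-ssh-in"))
    fw.chains["INPUT"].append(Rule("ACCEPT", state={"ESTABLISHED", "RELATED"}))
    return fw


def probe(jump_to_delay_flags, dport, count, flags=frozenset({"SYN"}), state="NEW"):
    """Verdicts for `count` identical constructed packets arriving within one second."""
    fw = build_input_rules(jump_to_delay_flags)
    pkt = Packet("tcp", dport=dport, flags=frozenset(flags), state=state)
    return [fw.verdict("INPUT", pkt) for _ in range(count)]


if __name__ == "__main__":
    print("jump present, SYN to port 80:", probe(True, 80, 7))
    print("jump removed, SYN to port 80:", probe(False, 80, 3))
    print("jump removed, SYN to port 22:", probe(False, 22, 1))
    print("jump removed, NULL scan     :", probe(False, 80, 1, flags=frozenset()))
```

Run as-is, the model shows the mechanism behind "almost everything gets through": with the jump in place, a burst of new SYNs to a port the script never opens (80 here) gets ACCEPT five times before the bucket empties, and one more per second after that, because the delay-flags rules ACCEPT rather than DROP and sit ahead of both allow-ssh-in and the INPUT DROP policy. With the jump removed, the same SYNs reach the policy and are dropped, port 22 is still accepted through allow-ssh-in, and the check-flags chain still drops NULL and XMAS packets either way.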
masseya (Bodhisattva)
Joined: 17 Apr 2002 Posts: 2602 Location: Baltimore, MD
Posted: Mon Sep 23, 2002 9:04 am
Wow, thanks for all those links, klieber. They are very helpful!
_________________
if i never try anything, i never learn anything..
if i never take a risk, i stay where i am..
original_PQ (n00b)
Joined: 22 Sep 2002 Posts: 24
Posted: Mon Sep 23, 2002 4:10 pm
Yeah, thanks, klieber!
That delay-flags ruleset is directly from the Security Guide example, and if it has that kind of a hole...
Well, it shouldn't be part of the example, IMHO.
I thought the delay-flags ruleset was for dropping certain types of packets from the chain if they occur too often (a.k.a. flood protection). Obviously it does something else.
Perhaps I'm whining in the wrong place.