This is a discussion on "Thinking about starting IPTables.." within the Linux Security forums, part of the System Security and Security Related category.
I started thinking about how Linux (RH9/Fedora) starts the IPTables FW... It may not be correct... I think the installation of the FW rules should be done as follows (looking at the init.d scripts):

1: the rules and chains and tables must be cleaned out, flushed and deleted.
2: Everything must get a DROP policy.
3: preliminary and general rules (that do not need DNS) must be set, eg. wrong address combinations must be filtered out, or address/port combinations etc.
3: then the interfaces must be initialized, after which no real traffic can get through. (DROP policies)
4: "named" is started
5: the FW is opened for named
6: other services/servers are started, each service immediately followed by the FW rules that open the FW up for THAT service, eg. ntpd, followed by the opening of the FW for ntp-traffic.
7: all the rest of the FW rules that are not service/server specific, like NAT rules.

The way IPtables is started in standard RH9 seems to leave open a very small time window for some services/servers/ports. Or am I wrong?

frgr Erik
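The ordering proposed above (flush, DROP policies, generic sanity rules, then one opening per service) can be expressed as a single iptables-restore file instead of a sequence of individual iptables calls. The script below is an added example, not part of the thread and not the RH9 init script; the interface name, the internal network and the service/port list are assumptions. Because iptables-restore commits a whole table in one kernel operation, a reload never passes through a moment with ACCEPT policies or a half-built rule list, which is the time window the post worries about.

```shell
#!/bin/sh
# Added example (not from the thread): build the whole filter table in
# the order proposed above and load it in one atomic step with
# iptables-restore. Interface, network and service ports are assumptions.

WAN=${WAN:-eth0}                    # assumed external interface
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed internal network

# Print the ACCEPT rules that open the firewall for one service.
# $1 = service name, remaining args = proto/port pairs, e.g. udp/53 tcp/53
service_rules() {
    svc=$1
    shift
    echo "# $svc"
    for pp in "$@"; do
        proto=${pp%/*}
        port=${pp#*/}
        echo "-A INPUT -i $WAN -p $proto --dport $port -j ACCEPT"
    done
}

# Emit the complete filter table. iptables-restore flushes the table
# before loading (step 1), the :CHAIN DROP lines set the policies
# (step 2), the generic rules come next (step 3) and the per-service
# openings follow, so no ACCEPT ever precedes the sanity rules.
gen_filter() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN -s 127.0.0.0/8 -j DROP
-A INPUT -i $WAN -s $LAN_NET -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
EOF
    service_rules named udp/53 tcp/53
    service_rules ntpd udp/123
    service_rules sshd tcp/22
    echo COMMIT
}

# Load the table. The kernel swaps the whole table in one operation, so a
# reload never exposes ACCEPT policies or a partial rule list, and a
# syntax error aborts before COMMIT and leaves the old rules in place.
apply_filter() {
    gen_filter | iptables-restore
}

case ${1:-} in
    apply) apply_filter ;;
    print) gen_filter ;;
esac
```

Run `sh fw.sh print` to inspect the generated table and `sh fw.sh apply` (as root) to load it; `iptables-save` afterwards should show the same rules in the same order.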
Erik <et57 at correos calor dot com> writes:

> wouldn't it be nice if, e.g. "named stop" would not only stop the
> named server, but would also delete the IPTables rules that were
> executed/activated during "named start" ?

file `which named` i.e., write a script to do it yourself. ;)

~Tim
--
20:21:57 up 10 days, 1:12, 0 users, load average: 0.06, 0.02, 0.07
piglet@stirfried.vegetable.org.uk |Not every discomfort should
http://spodzone.org.uk/cesspit/ |be criminalised. (Bill Unruh)
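One shape the "write a script to do it yourself" suggestion can take is a wrapper around the service's init script that appends the service's rules after a successful start and deletes the identical rules before stop. This is an added example, not Tim's or Erik's code; the per-service rule specs, the ports and the `/sbin/service` helper are assumptions. Keeping the chain name inside the spec string lets the same string drive both `-A` and `-D`, which is what makes stop undo exactly what start did.

```shell
#!/bin/sh
# Added example (not from the thread): wrap a service's init script so
# "start" adds the matching firewall rules and "stop" removes exactly the
# same rules. The per-service rule specs and /sbin/service are assumptions.

IPT=${IPT:-iptables}     # set IPT="echo iptables" for a dry run

# One rule spec per line for each service (assumed ports). The chain name
# is part of the spec so the same string works for -A and -D.
rules_for() {
    case $1 in
        named) printf '%s\n' \
                   "INPUT -p udp --dport 53 -j ACCEPT" \
                   "INPUT -p tcp --dport 53 -j ACCEPT" ;;
        ntpd)  printf '%s\n' "INPUT -p udp --dport 123 -j ACCEPT" ;;
        *)     echo "no firewall rules defined for '$1'" >&2; return 1 ;;
    esac
}

# $1 = -A (append on start) or -D (delete on stop), $2 = service.
# Appending keeps the generic sanity rules ahead of the service openings;
# deleting by the identical spec guarantees stop undoes what start did.
fw_rules() {
    rules_for "$2" >/dev/null 2>&1 || return 1
    rules_for "$2" | while read -r spec; do
        # word-splitting of $spec into separate iptables arguments is intended
        $IPT "$1" $spec
    done
}

# Start the daemon first and open its port only if it came up; on stop,
# close the port before the daemon goes down so nothing reaches a dying
# listener.
wrap_service() {
    case $2 in
        start) /sbin/service "$1" start && fw_rules -A "$1" ;;
        stop)  fw_rules -D "$1"; /sbin/service "$1" stop ;;
        *)     echo "usage: $0 <service> start|stop" >&2; return 2 ;;
    esac
}

if [ $# -eq 2 ]; then
    wrap_service "$1" "$2"
fi
```

Dry-run with `IPT="echo iptables" sh fwsvc.sh named start` to see the commands; `iptables -C` (where available) or `iptables -S INPUT` after a stop confirms the rules are really gone.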
Erik wrote:
> I started thinking about how Linux (RH9/Fedora) starts the IPTables
> FW...
>
> It may not be correct...
>
> I think the installation of the FW rules should be done as follows
> (looking at the init.d scripts)
>
> [snip]
>
> The way IPtables is started in standard RH9, seems to leave open a
> very small time window for some services/servers/ports.
>
> Or am I wrong ?

Possibly when you restart iptables, but when you boot, iptables starts before the network. How often do you reload rules?
On Fri, 06 Aug 2004 20:39:00 GMT, Allen Kistler <ackistler@oohay.moc> wrote:

>Erik wrote:
>> I started thinking about how Linux (RH9/Fedora) starts the IPTables
>> FW...
>>
>> It may not be correct...
>>
>> I think the installation of the FW rules should be done as follows
>> (looking at the init.d scripts)
>>
>> [snip]
>>
>> The way IPtables is started in standard RH9, seems to leave open a
>> very small time window for some services/servers/ports.
>>
>> Or am I wrong ?
>
>Possibly when you restart iptables, but when you boot, iptables starts
>before the network. How often do you reload rules?

many, many times: it's a system under development. and it's ME under development ;-)

frgr Erik
Erik wrote:
> 4: "named" is started
> 5: the FW is opened for named
> 6: other services/servers are started, each service immediately
> followed by the FW rules that open the FW up for THAT service, eg.
> ntpd, followed by the opening of the FW for ntp-traffic.
> The way IPtables is started in standard RH9, seems to leave open a
> very small time window for some services/servers/ports.
>
> Or am I wrong ?

As long as the script starts with DROP, and then opens the ports you wish, you're fine. Having a port like UDP port 53 open for DNS before bind starts isn't really a problem. There's not much they can do with a port that has nothing listening. An inbound packet that hits a port without a service listening just gets a TCP RST packet as a response, so they can't really open up a connection to do any harm.

You are *much* more vulnerable *after* Bind/named starts. CERT is littered with reports of various services like Bind having security flaws, buffer overflows, etc. Once there is a service/daemon listening the Bad Guys(tm) have something they can work with, and try and exploit.

bryan
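The practical consequence of the last post is that the attack surface is the set of ports that are both accepted by the INPUT chain and have a daemon behind them. (For the record, a closed TCP port answers with a RST and a closed UDP port such as 53 answers with an ICMP port-unreachable; either way no session is established until something listens.) The audit below is an added example, not from the thread: it cross-checks listener sockets against ACCEPT rules and reports the three cases that matter. The two sample inputs are constructed here in the formats of `ss -Hlntu` and `iptables -S INPUT`; on a live host you would feed those commands' real output.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the sockets that really
# have a listener against the ports the INPUT chain accepts. The two sample
# inputs are constructed here in the format of `ss -Hlntu` and
# `iptables -S INPUT`; on a live host feed those commands' output instead.
export LC_ALL=C

sample_ss() {
    cat <<'EOF'
udp   UNCONN 0      0        0.0.0.0:53        0.0.0.0:*
udp   UNCONN 0      0        0.0.0.0:123       0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      10       0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      5      127.0.0.1:631       0.0.0.0:*
EOF
}

sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
EOF
}

# proto/port of every listener bound to a non-loopback address (stdin = ss output)
listening_ports() {
    awk '$5 !~ /^127\./ && $5 !~ /^\[::1\]/ { n = split($5, a, ":"); print $1 "/" a[n] }' | sort -u
}

# proto/port of every INPUT ACCEPT rule that names a protocol and a
# destination port (stdin = iptables -S INPUT output)
accepted_ports() {
    awk '/^-A INPUT / && /-j ACCEPT/ {
             p = ""; d = ""
             for (i = 1; i <= NF; i++) {
                 if ($i == "-p") p = $(i + 1)
                 if ($i == "--dport") d = $(i + 1)
             }
             if (p != "" && d != "") print p "/" d
         }' | sort -u
}

# $1 = file with ss output, $2 = file with iptables -S INPUT output.
# EXPOSED:         daemon listening and port accepted (the real attack surface)
# CLOSED:          daemon listening but the firewall drops it
# OPEN-NOLISTENER: rule present, nothing behind it (a closed port only
#                  answers with TCP RST or ICMP port-unreachable)
audit() {
    l=$(mktemp); a=$(mktemp)
    listening_ports <"$1" >"$l"
    accepted_ports  <"$2" >"$a"
    comm -12 "$l" "$a" | sed 's/^/EXPOSED /'
    comm -23 "$l" "$a" | sed 's/^/CLOSED /'
    comm -13 "$l" "$a" | sed 's/^/OPEN-NOLISTENER /'
    rm -f "$l" "$a"
}

if [ "${1:-}" = "demo" ]; then
    s=$(mktemp); r=$(mktemp)
    sample_ss >"$s"; sample_rules >"$r"
    audit "$s" "$r"
    rm -f "$s" "$r"
fi
```

`sh audit.sh demo` reports tcp/53, udp/53 and udp/123 as EXPOSED, tcp/22 as CLOSED and tcp/25 as OPEN-NOLISTENER; the loopback-only 631 listener is ignored. On a real host run `ss -Hlntu > /tmp/ss.txt; iptables -S INPUT > /tmp/in.txt; audit /tmp/ss.txt /tmp/in.txt` after sourcing the script. Rules that match on `-i` or a source address are counted as accepting the port, so treat EXPOSED as an upper bound.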