This is a discussion on Linux Firewall within the Linux Security forums, part of the System Security and Security Related category.
I run a stand-alone Linux workstation connected to broadband via a
nat-enabled router. Does the following firewall script make sense to you guys (it seems to work)? Any suggestions and comments would be much appreciated. Also, I have only recently migrated to Linux (Suse) from M$ XP Pro. In XP I could see and stop unnecessary services and I would like to do the same in Suse. Which services are considered a potential security risk in Linux/Suse and how can they be stopped?

Mark

*************************
#!/bin/sh
# Workstation address and the interface facing the NAT router
INTERFACE="eth0"
IPADDR="10.0.0.1"
BCASTADDR="10.0.0.255"
# Services this host may reach (OUT) and the reply source ports it accepts (IN)
TCP_IN="25 80 110 119 225 443"
TCP_OUT="25 80 110 119 225 443"
UDP_IN="53 68 123 4569 5060"
UDP_OUT="53 67 123 4569 5060"
FW="/usr/sbin/iptables"      # was "usr/sbin/iptables": the leading slash was missing
NEW="${FW} --append"

# Start from a clean slate with a default-deny policy on every chain
$FW --flush
$FW --delete-chain
for ch in INPUT OUTPUT FORWARD; do
    $FW -P $ch DROP
done

# Never send UDP to the local broadcast address
$NEW OUTPUT -p udp -d ${BCASTADDR} -j DROP
# Traffic not arriving on / leaving via eth0 (loopback etc.) is trusted
$NEW INPUT ! -i ${INTERFACE} -j ACCEPT
$NEW INPUT -s 127.0.0.0/8 -j ACCEPT
$NEW OUTPUT ! -o ${INTERFACE} -j ACCEPT
# Anti-spoofing: our own address must not arrive from outside, and packets
# not addressed to us (broadcasts, for instance) are dropped
$NEW INPUT -s ${IPADDR} -j DROP
$NEW INPUT ! -d ${IPADDR} -j DROP
# Other private ranges (note: the full RFC 1918 block for 172.16 is a /12)
$NEW INPUT -s 172.16.0.0/16 -j DROP
$NEW INPUT -d 172.16.0.0/16 -j DROP
$NEW INPUT -s 192.168.0.0/16 -j DROP
$NEW INPUT -d 192.168.0.0/16 -j DROP

# Replies coming back from the allowed services
for port in ${TCP_IN}; do
    $NEW INPUT -p tcp --sport ${port} -m state --state ESTABLISHED -j ACCEPT
done
for port in ${UDP_IN}; do
    $NEW INPUT -p udp --sport ${port} -m state --state ESTABLISHED -j ACCEPT
done
# Connections this host is allowed to open
for port in ${TCP_OUT}; do
    $NEW OUTPUT -p tcp --dport ${port} -m state --state NEW,ESTABLISHED -j ACCEPT
done
for port in ${UDP_OUT}; do
    $NEW OUTPUT -p udp --dport ${port} -m state --state NEW,ESTABLISHED -j ACCEPT
done

# Everything else, ICMP included, is dropped
$NEW INPUT -p icmp -j DROP
$NEW OUTPUT -p icmp -j DROP
$NEW INPUT -j DROP
$NEW OUTPUT -j DROP
***********************************

Regards, Mark

Mark Tschudin <mark@tschudin.co.uk> writes on comp.os.linux.security:
> I run a stand-alone Linux workstation connected to broadband via a
> nat-enabled router.
>
> Does the following firewall script make sense to you guys (it seems to
> work)? Any suggestions and comments would be much appreciated.
[CUT]
> for port in ${UDP_OUT}; do
>     $NEW OUTPUT -p udp --dport ${port} -m state --state NEW,ESTABLISHED
>     -j ACCEPT
> done

UDP is a stateless protocol, so the state switch is extra here; to be precise, UDP has no state...
And one more thing... from my point of view it's pointless to filter outgoing traffic....

--
Hrvoje Spoljar, http://spole.pbf.hr
"Ignorance is bliss, but knowledge is power!"

On 24/05/06 15:46, Hrvoje Spoljar wrote:
>> for port in ${UDP_OUT}; do
>>     $NEW OUTPUT -p udp --dport ${port} -m state --state NEW,ESTABLISHED
>>     -j ACCEPT
>> done
>
> UDP is a stateless protocol, so the state switch is extra here; to be precise, UDP has
> no state...
> And one more thing... from my point of view it's pointless to filter outgoing
> traffic....
>

Appreciated. I thought UDP was stateless but picked the script from another website and (it seems wrongly) assumed that these people knew more than I did.

I am only just learning about firewalls, but why do you think it's pointless to filter outgoing traffic?

Mark

In article <slrne78sid.9ji.fcbyr@nox.baraba.net>,
Hrvoje Spoljar <fcbyr@k.cos.ue> wrote:
:Mark Tschudin <mark@tschudin.co.uk> writes on comp.os.linux.security:
:> I run a stand-alone Linux workstation connected to broadband via a
:> nat-enabled router.
:>
:> Does the following firewall script make sense to you guys (it seems to
:> work)? Any suggestions and comments would be much appreciated.
:[CUT]
:
:> for port in ${UDP_OUT}; do
:>     $NEW OUTPUT -p udp --dport ${port} -m state --state NEW,ESTABLISHED
:>     -j ACCEPT
:> done
:
:UDP is a stateless protocol, so the state switch is extra here; to be precise, UDP has
:no state...
:And one more thing... from my point of view it's pointless to filter outgoing
:traffic....

Yes, UDP is a stateless protocol, but the filter engine still has to maintain connection tracking entries so that replies to UDP packets can be associated with the packet that requested them. For example, you could allow a DNS reply with "--state ESTABLISHED" without opening up your system to all UDP packets from source port 53. It's a fundamental requirement for stateful packet inspection.

I agree, though, that for the rule as written the state matcher is pointless. The only conntrack states that would not be accepted are RELATED, which AFAIK doesn't apply to any UDP traffic, or INVALID, which isn't going anywhere anyway.

--
Bob Nichols     AT comcast.net I am "RNichols42"

On Wed, 24 May 2006 18:36:32 +0100, Mark <me4all@gmx.net> wrote:
>On 24/05/06 15:46, Hrvoje Spoljar wrote:
....
>> UDP is a stateless protocol, so the state switch is extra here; to be precise, UDP has
>> no state...
>> And one more thing... from my point of view it's pointless to filter outgoing
>> traffic....
>>
>
>Appreciated. I thought UDP was stateless but picked the script from
>another website and (it seems wrongly) assumed that these people knew
>more than I did.

Iptables does maintain a 'pretend' connection state for UDP; you can see this by monitoring conntrack:

~# grep udp /proc/net/ip_conntrack
udp 17 149 src=192.168.1.31 dst=192.168.1.1 sport=1518 dport=53 src=192.168.1.1 dst=192.168.1.31 sport=53 dport=1518 [ASSURED] use=1
udp 17 152 src=127.0.0.1 dst=127.0.0.1 sport=1101 dport=53 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=1101 [ASSURED] use=1

This is how, for example, iptables allows expected UDP DNS replies in with the 'ESTABLISHED,RELATED' rule without specifically defining and opening a dns_query_port.

>I am only just learning about firewalls, but why do you think it's
>pointless to filter outgoing traffic?

What's your rationale for filtering outgoing traffic? There are a lot of stupid firewall setups out there on the 'net. See <http://netfilter.org/> for some decent (mostly) info.

Grant.
--
WinXP: Access Start->Turn Off Computer, then while holding Ctrl-Alt-Shift,
left click on Cancel. This terminates Windows Explorer...

Mark wrote:
> On 24/05/06 15:46, Hrvoje Spoljar wrote:
>
>>> for port in ${UDP_OUT}; do
>>>     $NEW OUTPUT -p udp --dport ${port} -m state --state NEW,ESTABLISHED
>>>     -j ACCEPT
>>> done
>>
>> UDP is a stateless protocol, so the state switch is extra here; to be precise,
>> UDP has no state...
>> And one more thing... from my point of view it's pointless to filter
>> outgoing traffic....
>>
>
> Appreciated. I thought UDP was stateless but picked the script from
> another website and (it seems wrongly) assumed that these people knew
> more than I did.
>
> I am only just learning about firewalls, but why do you think it's
> pointless to filter outgoing traffic?

If you want a high grade of security, you should filter outgoing traffic. Assume that a machine on the inside got infected by some virus/bad software that wants to do a 2000/tcp (or whatever); it will be stopped by the firewall. If you accept all outgoing traffic, it won't...

By default, my firewall is closed... then I add rules to allow the traffic I need regardless of the direction of the traffic.

--
Jørn Dahl-Stamnes
http://www.dahl-stamnes.net/dahls/
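The approach the replies converge on, as an added example that is not code from the thread: Mark's default-DROP egress policy rewritten with a single ESTABLISHED,RELATED rule on INPUT (Bob's and Grant's point that conntrack pairs UDP replies with their request even though UDP itself carries no state) plus an explicit outbound allow-list and a logging rule so refused egress attempts, the case Jørn describes, are visible in the kernel log. Assumed: interface eth0, the port lists, and a dry-run default of IPT="echo iptables" so the rule set can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the thread): Mark's default-DROP, egress-filtering
# policy rebuilt around conntrack as the replies describe. With the default
# IPT="echo iptables" it only prints the rules (dry run); set
# IPT=/usr/sbin/iptables and run as root to install them.
IPT=${IPT:-"echo iptables"}
INTERFACE=${INTERFACE:-eth0}
TCP_OUT="25 80 110 119 443"   # services this host may initiate over TCP
UDP_OUT="53 123"              # DNS and NTP queries

build_rules() {
    $IPT -F
    $IPT -X
    for ch in INPUT OUTPUT FORWARD; do
        $IPT -P "$ch" DROP
    done
    # Loopback is trusted in both directions.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Drop what conntrack cannot classify at all.
    $IPT -A INPUT  -m state --state INVALID -j DROP
    $IPT -A OUTPUT -m state --state INVALID -j DROP
    # One rule replaces the per-port --sport loops: conntrack pairs each
    # reply (TCP, and UDP/ICMP although they carry no state of their own)
    # with the request this host sent, so only replies to our traffic get in.
    $IPT -A INPUT  -i "$INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$INTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Egress allow-list: only NEW connections to these ports may leave.
    for port in $TCP_OUT; do
        $IPT -A OUTPUT -o "$INTERFACE" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    for port in $UDP_OUT; do
        $IPT -A OUTPUT -o "$INTERFACE" -p udp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Outbound ping; the echo-reply comes back as ESTABLISHED.
    $IPT -A OUTPUT -o "$INTERFACE" -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    # Log (rate-limited) what the egress policy refuses before the chain's
    # DROP policy applies: an infected host trying 2000/tcp outbound, as in
    # Jørn's example, shows up here in the kernel log.
    $IPT -A OUTPUT -o "$INTERFACE" -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
}

# Count generated rules matching a pattern (useful for checking the policy).
count_rules() {
    build_rules | grep -c -- "$1"
}

build_rules
```

Run as-is to review the printed rule set; the logged lines carry the "egress-drop:" prefix, so grepping the kernel log for that string shows which outbound connections the policy refused.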