Secure Server Build

IPTables

The default should be “Disallow everything except the specific network services required by the application”.

Do not use system-config-securitylevel: it overwrites the iptables file.

Changes are made by editing /etc/sysconfig/iptables

Starting IPTables

service iptables start

Change the Default Policies

Change the default policy to DROP (from ACCEPT) for the INPUT and FORWARD built-in chains:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]

Sample IP Tables for IPMS project

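*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8636929:1948084600]
# The custom chain must be declared before any -A rule references it, and INPUT
# must hand off to it. Without the declaration iptables-restore rejects the whole
# file (unknown chain); without the jump the DROP policy on INPUT discards every
# inbound packet because nothing ever reaches RH-Firewall-1-INPUT.
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT

### Default Policy
# Loopback traffic is always accepted.
-A RH-Firewall-1-INPUT -i lo -j ACCEPT

# accepting all established (replies to connections this host initiated)
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ICMP
# Default policy is DROP, so all DROP entries from the old table are commented out.
# NOTE(review): the host-specific rule below is made redundant by the accept-all-ICMP
# rule that follows it; if only selected sources should be able to ping this host,
# remove the broader rule instead.
-A RH-Firewall-1-INPUT -s 83.70.168.102 -p icmp -m icmp --icmp-type any -j ACCEPT
#-A RH-Firewall-1-INPUT -s 83.0.0.0/255.0.0.0 -i eth2 -p icmp -j DROP
#-A RH-Firewall-1-INPUT -s 84.0.0.0/255.0.0.0 -i eth2 -p icmp -j DROP
#-A RH-Firewall-1-INPUT -s 85.0.0.0/255.0.0.0 -i eth2 -p icmp -j DROP
#-A RH-Firewall-1-INPUT -s 86.0.0.0/255.0.0.0 -i eth2 -p icmp -j DROP
#-A RH-Firewall-1-INPUT -s 95.0.0.0/255.0.0.0 -i eth2 -p icmp -j DROP
#-A RH-Firewall-1-INPUT -s 151.177.0.0/255.255.0.0 -i eth2 -p icmp -j DROP
#-A RH-Firewall-1-INPUT -s 159.134.0.0/255.255.0.0 -i eth2 -p icmp -j DROP
#-A RH-Firewall-1-INPUT -s 213.94.0.0/255.255.0.0 -i eth2 -p icmp -j DROP
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT

# IP Encapsulating Security Payload
-A RH-Firewall-1-INPUT -p esp -j ACCEPT

# IP Authentication Header
-A RH-Firewall-1-INPUT -p ah -j ACCEPT

# multicast DNS
# NOTE(review): confirm mDNS is actually needed on this server; if not, this
# rule can be commented out like the other unused services below.
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT

# ports are used for IPP... printing is disabled on this server as part of hardening
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

# these 2 ports are used for FTP... FTP is disabled on this server as part of hardening
#-A RH-Firewall-1-INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 20:21 -j ACCEPT

# NOTE(review): the original comment called this the SSH port, but --dport 23 is
# telnet; SSH (tcp/22) is opened per-source further down. Confirm whether telnet
# is really required on bond0 -- if not, remove this rule rather than leaving an
# interface-wide allow.
-A RH-Firewall-1-INPUT -i bond0 -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT

# ports are used for TFTP... TFTP is disabled on this server as part of hardening
#-A RH-Firewall-1-INPUT -i eth2 -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT

# SNMP  need to specify network here
# -A RH-Firewall-1-INPUT -i bond0 -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT

#NTP  need to specify source here
# -A RH-Firewall-1-INPUT -i bond0 -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT

# Not sure what this is for so commenting it out
# -A RH-Firewall-1-INPUT -i eth2 -p udp -m state --state NEW -m udp --dport 1162 -j ACCEPT

# are used for RDP and RCP  both are  disabled on this server as part of hardening
# -A RH-Firewall-1-INPUT -i eth2 -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT

# are used for RMI  registry This is not installed or configured on this server as part of hardening
# -A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 1099 -j ACCEPT

# Not sure what this is for so commenting it out
#-A RH-Firewall-1-INPUT -s 5.1.22.6 -i eth1 -p tcp -m state --state NEW -m tcp --dport 1828 -j ACCEPT
#-A RH-Firewall-1-INPUT -s 5.1.22.13 -i eth1 -p tcp -m state --state NEW -m tcp --dport 1828 -j ACCEPT

# I assume these are the IPs and ports used for Backups? -- TODO confirm with the backup team
-A RH-Firewall-1-INPUT -s 5.1.22.6 -i eth1 -p tcp -m state --state NEW -m tcp --dport 6070 -j ACCEPT
-A RH-Firewall-1-INPUT -s 5.1.22.13 -i eth1 -p tcp -m state --state NEW -m tcp --dport 6070 -j ACCEPT

# Not sure what this is for (BMC patrol?)
# NOTE(review): the original comment said "commenting it out" but the first rule
# was left active; it also duplicates the 159.134.25.144 tcp/3181 allow in the
# Patrol PEM section below. Either comment it out or drop the duplicate.
-A RH-Firewall-1-INPUT -s 159.134.25.144 -p tcp -m state --state NEW -m tcp --dport 3181 -j ACCEPT
# -A RH-Firewall-1-INPUT -s 159.134.25.153 -p tcp -m state --state NEW -m tcp --dport 3181 -j ACCEPT

# Not sure what this is for so commenting it out
# -A RH-Firewall-1-INPUT -s 159.134.25.153 -p tcp -m state --state NEW -m tcp --dport 50005 -j ACCEPT

# Not sure what this is for so commenting it out
# -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 12321 -j ACCEPT

# Netbios Already blocked by default policy
# -A RH-Firewall-1-INPUT -p udp -m udp --dport 137:138 -j DROP

#
# Specific to this server
#
# NOTE: every "-s"/"-p" option in this section previously used a Unicode en dash
# (U+2013) instead of an ASCII hyphen; iptables-restore does not recognise those
# and aborts the load. All options below are plain ASCII.
#
# HTTP Public Internet Access...
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT

# Remedy ITSM to Remedy AR and Integration Server
-A RH-Firewall-1-INPUT -s 10.137.6.1 -p tcp -m state --state NEW -m tcp --dport 20011 -j ACCEPT

#  GT Access for Support via main Teamed NIC's
# NOTE(review): SSH runs over TCP only; the udp/22 rules here match no service and
# can be removed to keep the ruleset minimal.
# max
-A RH-Firewall-1-INPUT -s 10.40.19.4 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.40.19.4 -p udp -m state --state NEW -m udp --dport 22 -j ACCEPT
# sysmon01
-A RH-Firewall-1-INPUT -s 10.152.16.104 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.152.16.104 -p udp -m state --state NEW -m udp --dport 22 -j ACCEPT

# GT Access from Netbackup Servers to Remedy ITSM DMZ Servers for Backups
# bkpmst20
-A RH-Firewall-1-INPUT -s 10.40.35.7 -p tcp -m state --state NEW -m tcp --dport 13724 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.40.35.7 -p udp -m state --state NEW -m udp --dport 13724 -j ACCEPT
# bkpmst21
-A RH-Firewall-1-INPUT -s 10.40.35.3 -p tcp -m state --state NEW -m tcp --dport 13724 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.40.35.3 -p udp -m state --state NEW -m udp --dport 13724 -j ACCEPT
# bkpmed21
-A RH-Firewall-1-INPUT -s 10.136.12.6 -p tcp -m state --state NEW -m tcp --dport 13724 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.136.12.6 -p udp -m state --state NEW -m udp --dport 13724 -j ACCEPT

# GT Access from Patrol PEM Servers to Remedy ITSM DMZ Servers for Monitoring
# NOTE: "--dport a:b:c:d" is not valid -- the tcp/udp match only understands a
# single "low:high" range and rejects the extra fields. The lists of discrete
# ports below are expressed with "-m multiport --dports", which is what the
# original (and the separate 3181 / 50005 rules above) intended.
# w2k-esm1 159.134.25.144
-A RH-Firewall-1-INPUT -s 159.134.25.144 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A RH-Firewall-1-INPUT -s 159.134.25.144 -p tcp -m state --state NEW -m multiport --dports 3181,3182,3185,3281,3283 -j ACCEPT
-A RH-Firewall-1-INPUT -s 159.134.25.144 -p udp -m state --state NEW -m multiport --dports 3181,3182,3185,3281,3283 -j ACCEPT
# w2k-esm1 159.134.25.153
-A RH-Firewall-1-INPUT -s 159.134.25.153 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A RH-Firewall-1-INPUT -s 159.134.25.153 -p tcp -m state --state NEW -m multiport --dports 50005,3181 -j ACCEPT
-A RH-Firewall-1-INPUT -s 159.134.25.153 -p udp -m state --state NEW -m multiport --dports 50005,3181 -j ACCEPT

# ESM Group Access
# ppatcehellpc
-A RH-Firewall-1-INPUT -s 10.201.136.0/24 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.201.136.0/24 -p tcp -m state --state NEW -m multiport --dports 3182,3183,3185,3281,3282,3283,3389 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.201.136.0/24 -p udp -m state --state NEW -m multiport --dports 3182,3183,3185,3281,3282,3283,3389 -j ACCEPT
# ppatcehellpc (Home)  NO IP Provided... (placeholder source copied from the rule above; replace before enabling)
#-A RH-Firewall-1-INPUT -s 10.201.136.0/24 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
#-A RH-Firewall-1-INPUT -s 10.201.136.0/24 -p tcp -m state --state NEW -m multiport --dports 3182,3183,3185,3281,3282,3283,3389 -j ACCEPT
#-A RH-Firewall-1-INPUT -s 10.201.136.0/24 -p udp -m state --state NEW -m multiport --dports 3182,3183,3185,3281,3282,3283,3389 -j ACCEPT
# ppatchellpc (Dundrum)
# (the original icmp rule was missing the space between the address and -p)
-A RH-Firewall-1-INPUT -s 10.40.23.55 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.40.23.55 -p tcp -m state --state NEW -m multiport --dports 3182,3183,3185,3281,3282,3283,3389 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.40.23.55 -p udp -m state --state NEW -m multiport --dports 3182,3183,3185,3281,3282,3283,3389 -j ACCEPT
# pemdev01
-A RH-Firewall-1-INPUT -s 10.152.32.0/24 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.152.32.0/24 -p tcp -m state --state NEW -m multiport --dports 3181,3182,3185,3281,3283 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.152.32.0/24 -p udp -m state --state NEW -m multiport --dports 3181,3182,3185,3281,3283 -j ACCEPT
# pemprd01
-A RH-Firewall-1-INPUT -s 159.134.25.0/24 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A RH-Firewall-1-INPUT -s 159.134.25.0/24 -p tcp -m state --state NEW -m multiport --dports 3181,3182,3185,3281,3283 -j ACCEPT
-A RH-Firewall-1-INPUT -s 159.134.25.0/24 -p udp -m state --state NEW -m multiport --dports 3181,3182,3185,3281,3283 -j ACCEPT


# Logging
# Everything that reached this point matched no allow rule. It is logged at
# debug level (so syslog can route it to a separate file, see the notes after
# this table) and then rejected.
# NOTE(review): this LOG rule has no "-m limit"; a flood of unsolicited packets
# will be logged one line per packet. Consider rate-limiting it.
-A RH-Firewall-1-INPUT -j LOG --log-prefix "LOGDROP " --log-level debug
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

# Drop ALL packets that get to this level
# (never reached in practice: REJECT above already terminates the packet; kept
# as a belt-and-braces terminal rule, and the INPUT policy is DROP anyway)
-A RH-Firewall-1-INPUT -j DROP
COMMIT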

To prevent your /var/log/messages from being overrun by the dropped-packet log entries, add

 kern.=debug /var/log/iptables.log
 kern.*;kern.!=debug /var/log/messages

to /etc/syslog.conf. Remember to touch the log file named in that rule (/var/log/iptables.log in the sample above) so that the file actually exists.