[Gllug] iptables (newbie) question
Grzegorz Piotr Jaskiewicz
gj at pointblue.com.pl
Sun May 2 15:30:24 UTC 2004
Doug Winter wrote:
>On Sun 02 May Murray wrote:
>
>>The only material difference I can see is that the initial setup uses
>>REJECT in some cases to send a "not here" response, whereas the shorter
>>second option just pretends it's not there at all. This seems to me a
>>better option. Am I missing something?
>
>It's generally better to send the appropriate response according to the
>protocol. If a TCP port is closed, send a port not reachable message so
>the machine trying to contact it knows so. Similarly for UDP and ICMP.
>
>First, this is what the protocols are designed for in the first place,
>so you aren't breaking anything.
>
>Second, this can help disguise the fact you are filtering, which may be
>helpful (just dropping packets doesn't make it look like you aren't
>there, because if you weren't there the last hop router would be
>responding, rather than just dropping packets on the floor).
>
Not really true. By default, when not filtering, the kernel's (the OS's)
network stack will reply with "connection invalid" or whatever, depending
on the protocol.
You should use REJECT if you don't care whether or not someone gets a
response, if you feel that a connection there is inappropriate. DROP should
be used in places where information about whether a port is open or not
matters. A good example is port 113/TCP (authentication tap ident), which
should be REJECTed (-j REJECT), otherwise some services (POP3, IMAP, SMTP,
IRC) will have to wait for a timeout before letting you in.
From a security point of view, it is good to do the following (these rules
are for the INPUT chain only):
#remove all dodgy packets; it is essential to do it here, though you don't
#have to log them (note: -m unclean is the experimental "unclean" match from
#the 2.4 kernels / patch-o-matic and is not available in modern kernels)
-A INPUT -m unclean -j LOG --log-prefix " Unclean INCOMING packet "
-A INPUT -m unclean -j DROP
#let replies and related traffic for connections we already have through
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#here reject any time-critical connections that cannot wait for timeouts
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
#here you allow connections for some ports, UDP and TCP (never forget
#about filtering UDP!)
#here you allow connections from certain hosts
-A INPUT -s 127.0.0.1 -p tcp -m tcp -j ACCEPT
-A INPUT -s 207.46.245.214 -p tcp -m tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
#drop all other tcp connections:
-A INPUT -p tcp -m tcp -j DROP
#If you're running a DNS server, open that one, and drop all the others
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -j DROP
#And you might also rate-limit ICMP:
-A INPUT -p icmp -m limit --limit 2/sec -j ACCEPT
-A INPUT -p icmp -j DROP
Removing unclean packets is important, because of the way the Linux TCP
stack works. Some invalid packets get through the net unchecked. Imagine
there is a security problem with one of the other modules, or with the
stack itself. Try running a Christmas tree scan against your host to see
the difference it makes (nmap -sX ... as root).
Another thing, from my experience: some annoying bots, viruses and all
other sorts of bugs crawling around the net try to connect to you in a
loop, just to DoS you. Having REJECT will mean that they will try one
after another, while with DROP their OS will have to time the connection
out first.
Some spammers try to send emails through my SMTP server to every single
person they have on their list. So the best solution in that case was
just to scan the SMTP server log, get a list of offenders, and put in
--dport 25 -s <IP> -j DROP, and my 512kbps connection is a lot more
responsive :-)
I'll save you more examples ;)
--
GJ
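The log-scanning step GJ describes at the end of his message, as an added example (not code from the post or from the list): it parses constructed Postfix-style "Relay access denied" lines (the log format is an assumption, not necessarily what GJ's server wrote), counts rejected RCPT attempts per client address, exempts loopback and a constructed local network so you never lock yourself out, and emits the --dport 25 -s <IP> -j DROP rules for iptables-restore.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines in Postfix smtpd style (assumed format).
SAMPLE_LOG = """\
May  2 14:01:07 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <a@example.org>: Relay access denied
May  2 14:01:08 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <b@example.org>: Relay access denied
May  2 14:01:09 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <c@example.org>: Relay access denied
May  2 14:02:11 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.9]: 554 5.7.1 <d@example.org>: Relay access denied
May  2 14:03:00 mx postfix/smtpd[1251]: 3F2A1B: client=localhost[127.0.0.1]
May  2 14:03:01 mx postfix/smtpd[1251]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <x@example.org>: Relay access denied
May  2 14:03:02 mx postfix/smtpd[1251]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <y@example.org>: Relay access denied
May  2 14:03:03 mx postfix/smtpd[1251]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <z@example.org>: Relay access denied
"""

# Only rejected RCPT commands count; the client IPv4 address sits in [...].
REJECT_RE = re.compile(r"reject: RCPT from \S+\[(\d+\.\d+\.\d+\.\d+)\]")

# Addresses that must never be blocked: loopback plus a constructed
# "own network" (192.0.2.0/24 is a documentation range used as a placeholder).
NEVER_BLOCK = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]


def count_offenders(log_text):
    """Return a Counter of rejected RCPT attempts per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(log_text, threshold=3):
    """IPs with at least `threshold` rejects, minus exempt networks, sorted."""
    result = []
    for ip, n in count_offenders(log_text).items():
        addr = ip_address(ip)
        if n >= threshold and not any(addr in net for net in NEVER_BLOCK):
            result.append(ip)
    return sorted(result, key=ip_address)


def drop_rules(log_text, threshold=3):
    """One iptables-restore style DROP rule per offender, as in the post."""
    return ["-A INPUT -p tcp -m tcp --dport 25 -s %s -j DROP" % ip
            for ip in offenders(log_text, threshold)]


if __name__ == "__main__":
    for rule in drop_rules(SAMPLE_LOG):
        print(rule)
```

On the sample above, only 198.51.100.7 crosses the threshold; 203.0.113.9 has a single reject and 127.0.0.1 is exempt, so exactly one DROP rule is printed.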
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug