[sclug] Firewalling on a server

Bob Franklin r.c.franklin at reading.ac.uk
Thu Jan 5 20:19:57 UTC 2006 

On Thu, 5 Jan 2006, Tom Chance wrote:

> Just a quick question - if you've got a server running a certain number 
> of services and you know the ports they use, then presumably it makes 
> sense to firewall off every other port?

Possibly.  If you have people on the box who might run things without you 
knowing (e.g. start their own webserver on a high port), then this can 
stop them.

The default behaviour is probably to send a ICMP Service Unavailable 
message, indicating nothing is listening on that port.  Nowards, a 
firewall will usually drop requests to blocked ports (making scanning 
trickier, and not flooding your upstream connection with ICMP messages; 
although the kernel usually limits this to something like 30 per second)


> Or would I stupidly block off incoming data on ports that I didn't 
> realise are needed, beyond those for SSH (22), SMTP (25), Apache (80), 
> IMAP (143), LDAPS (636) and MySQL (3306)? Looking in /etc/services there 
> are lots of ports that are mentioned for basic services like echo, 
> netstat, login, who, etc. I've looked down the list given by 'netstat 
> -a' but I've noticed that some are listed without my running the related 
> server (*:ircd is listed as LISTEN).

You have to be careful, because some ports are used for things that you 
can't immediately spot (e.g. DNS requests go out to port 53 and come back 
on some arbitrary high port [for normal clients] or port 53 [for BIND 
servers configured to do that - it's changeable, now].

On my Linux box at home that used to (until last night!) do my internet 
connection had the following:

   #iptables -A internet -s 10.0.0.0/8 -j block #spoof - DISABLE because NTL use these
   #iptables -A internet -s 172.16.0.0/12 -j block #spoof - DISABLE because NTL use these
   iptables -A internet -s 192.168.0.0/16 -j block #spoof - we use these
   iptables -A internet -j special
   iptables -A internet -p tcp --tcp-flags ACK ACK -j ACCEPT #established-tcp
   iptables -A internet -p tcp --dport 12345 --syn -j allow #ssh
   iptables -A internet -p udp --dport 53 -j ACCEPT #dns
   iptables -A internet -p udp --sport 67 --dport 68 -j ACCEPT #bootpc
   iptables -A internet -p udp --dport 123 -j ACCEPT #ntp
   iptables -A internet -p icmp -j ACCEPT
   iptables -A internet -j block

   # ... and assign it to the input chain on eth0
   iptables -A INPUT -i eth0 -j internet

... since my PC ran its own DNS server, NTP server and was a DHCP client, 
to get its address from NTL.

I ran a special SSH server on 12345 (actually a different one; I'm keeping 
it secret - but NOT 22) for me to get in.  Making it not 22 good, here, 
because it cuts down on knob-twisting (and the server only has me and a 
couple of people access it, so it doesn't need to be 'easy' on the 
standard port).


The last rule 'iptables -A INPUT -i eth0 -j internet' was just to use the 
'internet' table [built above] for eth0 (the server had eth1 and eth2, 
too, and I didn't want to have to put that as a condition in for each 
other rules).

I have a rule to jump to the 'special' table, also.  This is normally 
empty, but is a good place to shove temporary permits and forwardings as 
it means you're not mucking about with the main 'internet' table; you can 
just clear the 'special' table, when you're done mucking about and not 
worry about clearing one of the essential ones (to avoid accidentally 
getting the rule number wrong).


Some of the ports may be being listened on by [x]inetd; that acts a single 
process that listens on the ports of other services and fires them up, 
when it needs them (saving having to run a pile of daemons which are 
rarely used).


The 'block' table jumped to by the above is:

   iptables -A block -j LOG --log-level 5 --log-prefix "iptables(block): "
   iptables -A block -j REJECT

... if you wish to use this, it's up to you -- you may want to not bother 
logging and just throw things away; you can jump to 'DROP' or 'REJECT' 
directly (I never read the logs, but it was interesting spotting 
patterns).


[As an aside, I recommend running your own DNS server, if you use NTL, as 
their DNS servers are pants.]

   - Bob


-- 
  Bob Franklin <r.c.franklin at reading.ac.uk>          +44 (0)118 378 7147
  Systems and Communications, IT Services, The University of Reading, UK

More information about the Sclug mailing list