Hi,

Attached are the firewall rules for the new server. Your feedback would be greatly appreciated. There was an attempt to lock this server down so as to avoid any and all possibility of a violation of policy. As a result, these rules are somewhat on the fanatical side. The idea is to make using a shell on the actual server as unpleasant as possible, for both legit users and attackers. Sorry - that's just the way life is.

If you feel you know this field, and yet you do not understand a certain rule, please ask. It may be that I know something you don't, but it may also be that you have spotted an error.

The exact IPs of some of the servers have been munged, as knowing which NTP servers we use allows a theoretical attack vector.

Also, and it goes without saying, feel free to use this script in your own setups. I have accompanying scripts that are aimed at making sure that the firewall settings don't fall out of date due to changes in other config files. Feel free to email me and ask for them.

       Thanks,
           Shachar

--
Shachar Shemesh
Open Source integration consultant
Home page & resume - http://www.shemesh.biz/

# Generated by iptables-save v1.2.6a on Sun Mar 16 20:18:05 2003
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:52]
# Inbound ICMP services
:icmp_serv - [0:0]
# Inbound TCP services
:tcp_serv - [0:0]
# Inbound UDP services
:udp_serv - [0:0]
# NTP servers
:ntp_servers - [0:0]
# Special outbound logging chain
:outlog - [0:0]
# Servers containing updates we need
:update_servers - [0:0]

# Accept all loopback traffic.
-A INPUT -i lo -j ACCEPT 
# If ICMP - jump to ICMP chain
-A INPUT -p icmp -j icmp_serv 
# If packet is on an already established connection - accept it
-A INPUT -m state --state ESTABLISHED -j ACCEPT 
# If a new (SYN) packet on an unestablished connection - run it through the tcp_serv chain
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j tcp_serv 
# If a new UDP packet - run through the udp_serv chain
-A INPUT -p udp -j udp_serv 
# Unknown packets should be rejected. Try to hide the fact that there is a Firewall
-A INPUT -p tcp -j REJECT --reject-with tcp-reset 
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable 
# ICMP should be silently dropped if not authorized. This rule is merely so we can count how many such packets there are.
-A INPUT -p icmp 

# Packets on known connections should be accepted. As we are less afraid of outbound rogue packets, we accept RELATED as well.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
# loopback packets should likewise be accepted.
-A OUTPUT -o lo -j ACCEPT 
# Allow DNS and SMTP traffic to everywhere.
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT 
# Allow HTTP traffic only to the servers that are supposed to hand us updates.
-A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j update_servers 
# Likewise to NTP traffic.
-A OUTPUT -p udp -m udp --dport 123 -j ntp_servers 
# Grudgingly accept outbound ICMP traffic, but log it via the outlog chain
-A OUTPUT -p icmp -j outlog
# And traceroute
-A OUTPUT -p udp -m udp --dport 33434:33524 -j outlog
# Log the fact that an outbound packet was dropped. This should never happen, hence the high log priority.
-A OUTPUT -j LOG --log-prefix "Default OUTPUT drop: " --log-level 2 

# Accept inbound PING requests.
-A icmp_serv -p icmp -m icmp --icmp-type 8 -j ACCEPT 
# Drop ICMP redirect, even if it's on an established connection.
-A icmp_serv -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "ICMP redirect received: " --log-level 4
-A icmp_serv -p icmp -m icmp --icmp-type 5 -j DROP 
# Other ICMPs - accept if they are on a connection
-A icmp_serv -m state --state RELATED -j ACCEPT

# A list of NTP servers we query.
# ntp1.server.com
-A ntp_servers -d 64.49.220.24 -j ACCEPT 

# Special outbound handling - log and accept.
-A outlog -j LOG --log-prefix "Outbound connection: " --log-level 5 
-A outlog -j ACCEPT 

# Allowed TCP services. by order - HTTP, SMTP, SSH and DNS (TCP).
-A tcp_serv -p tcp -m tcp --dport 80 -j ACCEPT 
-A tcp_serv -p tcp -m tcp --dport 25 -j ACCEPT 
-A tcp_serv -p tcp -m tcp --dport 22 -j ACCEPT 
-A tcp_serv -p tcp -m tcp --dport 53 -j ACCEPT 
# Accept related packets, but only if it's likely that they were, indeed, asked for. Port range is defined in /etc/network/options
-A tcp_serv -p tcp -m state --state RELATED -m tcp --dport 50000:60000 -j ACCEPT 

# Listening UDP services.
# DNS
-A udp_serv -p udp -m udp --dport 53 -j ACCEPT 

# List of servers that update our software. This is a list of IPs rather than host names on purpose, to avoid problems with DNS poisoning.
# Each comment gives the name that resolves to this IP. They are referenced from /etc/apt/sources.list
# www.example.com
-A update_servers -d 192.0.34.166 -j ACCEPT 

COMMIT
# Completed on Sun Mar 16 20:18:05 2003
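The message mentions companion scripts that keep the rule set from drifting out of step with other config files. The following is an added example of such a consistency check, not the author's own script: it parses an iptables-save dump, flags jumps to chains that were never declared, and compares the destinations in the update_servers and ntp_servers chains against the set of IPs that the rest of the configuration says should be allowed. The rule excerpt and the expected IP sets are constructed here (deriving them from /etc/apt/sources.list or ntp.conf is left to the caller).

```python
import re

# Constructed excerpt of the posted rule set; "outlog" is deliberately
# left undeclared so the check has something to find.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [1:52]
:tcp_serv - [0:0]
:ntp_servers - [0:0]
:update_servers - [0:0]
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j tcp_serv
-A OUTPUT -p udp -m udp --dport 123 -j ntp_servers
-A OUTPUT -p tcp -m tcp --dport 80 -j update_servers
-A OUTPUT -p icmp -j outlog
-A ntp_servers -d 64.49.220.24 -j ACCEPT
-A update_servers -d 192.0.34.166 -j ACCEPT
COMMIT
"""

BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN"}

def parse(rules_text):
    """Return (declared chain names, list of (chain, target, dest) per -A rule)."""
    chains, rules = set(), []
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # ":name POLICY [pkts:bytes]"
            chains.add(line[1:].split()[0])
        elif line.startswith("-A "):
            parts = line.split()
            target = parts[parts.index("-j") + 1] if "-j" in parts else None
            dest = parts[parts.index("-d") + 1] if "-d" in parts else None
            rules.append((parts[1], target, dest))
    return chains, rules

def audit(rules_text, expected):
    """expected maps a chain name to the set of IPs the config files say it
    should ACCEPT. Returns a sorted list of findings; empty means consistent."""
    chains, rules = parse(rules_text)
    findings = []
    for chain, target, _ in rules:
        if target and target not in BUILTIN_TARGETS and target not in chains:
            findings.append(f"jump to undeclared chain {target} from {chain}")
    for chain, want in expected.items():
        have = {d for c, t, d in rules if c == chain and t == "ACCEPT" and d}
        for ip in sorted(want - have):
            findings.append(f"{chain}: {ip} in config but not allowed by firewall")
        for ip in sorted(have - want):
            findings.append(f"{chain}: {ip} allowed by firewall but not in config")
    return sorted(findings)
```

Run it against the live dump with `audit(open("/path/to/rules").read(), expected)` from a cron job and alert on a non-empty result.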
