Difference between revisions of "Firewall principle"

Line 154: Line 154:
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
IPTABLES=`which iptables`
 
IPTABLES=`which iptables`
 +
IP6TABLES=`which ip6tables`
 +
  
 
echo -e " ... Layer 2: ICMP v4"
 
echo -e " ... Layer 2: ICMP v4"

Revision as of 11:31, 7 June 2014

The firewall (FW) is a key component of your server's security.

Principle

This is how a firewall works:

FW principle


You can search Internet to get all the related theory. My aim is not to explain that over here but just to give you HOW to do that.


The following codes and examples are based iptables and ip6tables.



Default policy

This is how you defined a default policy.


Note:

  • You have to adjust the policy to your own settings
  • You should NOT set the INPUT in ACCEPT mode. That's risky!


IPTABLES=`which iptables`
IP6TABLES=`which ip6tables`

echo -e " "		
echo -e "------------------------"
echo -e " Flush existing rules "
echo -e "------------------------"

$IP6TABLES -F

$IPTABLES -t filter -F
$IPTABLES -t filter -X

# delete NAT rules
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# delete MANGLE rules (packets modifications)
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

echo -e " "		
echo -e "------------------------"
echo -e " Default policy"
echo -e "------------------------"
echo -e "              || --> OUTGOING    reject all "
echo -e "          --> ||     INCOMING    reject all "
echo -e "          --> || --> FORWARDING  accept all (each redirection needs configuration)"


# INCOMING = avoid intrusions
# OUTGOING = avoid disclosure of sensitive / private data
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT			

$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD ACCEPT
$IP6TABLES -P OUTPUT DROP

echo -e " ... Reject invalid packets"
$IPTABLES -A INPUT -p tcp -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p udp -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p icmp -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p tcp -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p udp -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p icmp -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -p tcp -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -p udp -m state --state INVALID -j DROP

$IP6TABLES -A INPUT -p tcp -m state --state INVALID -j DROP
$IP6TABLES -A INPUT -p udp -m state --state INVALID -j DROP
$IP6TABLES -A INPUT -p icmp -m state --state INVALID -j DROP
$IP6TABLES -A OUTPUT -p tcp -m state --state INVALID -j DROP
$IP6TABLES -A OUTPUT -p udp -m state --state INVALID -j DROP
$IP6TABLES -A OUTPUT -p icmp -m state --state INVALID -j DROP
$IP6TABLES -A FORWARD -p tcp -m state --state INVALID -j DROP
$IP6TABLES -A FORWARD -p udp -m state --state INVALID -j DROP


echo " ... Avoid spoofing and local subnets"
# Reserved addresses. We shouldn't received any packets from them!
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
	
# Only localhost on Loopback interface + no forward
$IPTABLES -A INPUT ! -i lo -s 127.0.0.0/24 -j DROP	
$IPTABLES -A FORWARD -s 127.0.0.0/24 -J DROP
$IP6TABLES -A INPUT ! -i lo -s ::1/128 -J DROP
$IP6TABLES -A FORWARD -s ::1/128 -J DROP


# No IPv4 -> IPv6 tunneling
echo " ... Do not allow IPv4 @ tunnel in IPv6 !! Use native IPv6 instead !!"
$IP6TABLES -A INPUT -s 2002::/16 -j DROP		# 6to4 tunnels
$IP6TABLES -A FORWARD -s 2002::/16 -j DROP
$IP6TABLES -A INPUT -s 2001:0:/32 -j DROP		# Teredo tunnels
$IP6TABLES -A FORWARD -s 2001:0:/32 -j DROP
	
# Block IPv6 protocol in IPv4 frames
echo " ... Block IPv6 protocol in IPv4 frames"
$IPTABLES -A INPUT -p 41 -j DROP
$IPTABLES -A OUTPUT -p 41 -j DROP
$IPTABLES -A FORWARD -p 41 -j DROP


echo -e " ... Keep ESTABLISHED connections "
$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
	
$IP6TABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state ESTABLISHED -j ACCEPT
$IP6TABLES -A OUTPUT -m state --state ESTABLISHED -j ACCEPT	


echo -e " ... Keep RELATED connections (required for FTP)"
$IPTABLES -A INPUT -m state --state RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state RELATED -j ACCEPT

$IP6TABLES -A INPUT -m state --state RELATED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state RELATED -j ACCEPT
$IP6TABLES -A OUTPUT -m state --state RELATED -j ACCEPT

# Allow localhost communication
echo -e " ... Allow localhost"
$IPTABLES -A INPUT -i lo -s 127.0.0.0/24 -d 127.0.0.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.0/24 -d 127.0.0.0/24 -j ACCEPT

$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo  -j ACCEPT



Protocol(s) enforcement

IPTABLES=`which iptables`
IP6TABLES=`which ip6tables`


echo -e " ... Layer 2: ICMP v4"
# ICMP packets should not be fragmented
$IPTABLES -A INPUT --fragment -p icmp -j DROP

# Limit ICMP Flood
$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
	
# Avoid common attacks ... but blocks ping :(
# [Network, Host, Protocol, Port] unreacheable + [Destination Host, Destination network] prohibited
#$IPTABLES -A OUTPUT -p icmp --icmp-type 3 -j DROP


echo -e " ... Layer 2: ICMP v6 "
# Feedback for problems
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
	
# Router and neighbor discovery 
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT

$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
	
# Ping requests
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT

	
echo " ... Layer 4: TCP # check packets conformity"
# INCOMING packets check
# All new incoming TCP should be SYN first
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Avoid SYN Flood (max 3 SYN packets / second. Then Drop all requests !!)
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
# Avoid fragment packets
$IPTABLES -A INPUT -f -j DROP
# Check TCP flags -- flag 64, 128 = bogues
$IPTABLES -A INPUT -p tcp --tcp-option 64 -j DROP
$IPTABLES -A INPUT -p tcp --tcp-option 128 -j DROP
echo " ... Layer 4: TCP # Avoid NMAP Scans"
# XMAS-NULL
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# XMAS-TREE
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# SYN/RST Scan
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN Scan
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN/ACK Scan
#$IPTABLES -A INPUT -p tcp --tcp-flags ALL ACK -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -j DROP
# FIN/RST Scan
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN/ACK Scan
$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
# ACK/URG Scan
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# FIN/URG/PSH Scan
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
# Stealth XMAS Scan
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
# XMAS-PSH Scan
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# End TCP connection
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
# Ports scans
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP




Allow services and network protocols

DHCP

DHCP client:

IPTABLES=`which iptables`

# DHCP client >> Broadcast IP request 
$IPTABLES -A OUTPUT -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 255.255.255.255 --sport 67 --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 67 -j ACCEPT 
$IPTABLES -A OUTPUT -p udp --dport 68 -j ACCEPT


DNS

This will allow your computer to perform DNS requests:

IPTABLES=`which iptables`
IP6TABLES=`which ip6tables`

$IPTABLES -A OUTPUT -p udp --dport 53 -m limit --limit 100/s -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 53 -m limit --limit 100/s -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -m limit --limit 100/s -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -m limit --limit 100/s -j ACCEPT


$IP6TABLES -A OUTPUT -p udp --dport 53 -m limit --limit 100/s -j ACCEPT
$IP6TABLES -A OUTPUT -p udp --sport 53 -m limit --limit 100/s -j ACCEPT
$IP6TABLES -A INPUT -p udp --dport 53 -m limit --limit 100/s -j ACCEPT
$IP6TABLES -A INPUT -p udp --sport 53 -m limit --limit 100/s -j ACCEPT


LAN communication

To allow communication in the local network, without any restrictions:

IPTABLES=`which iptables`
LAN_ADDRESS="172.16.50.0/24"

$IPTABLES -A INPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -j ACCEPT


FTP client

IPTABLES=`which iptables`

# FTP client - base rules
$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

# Active FTP
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

# Passive FTP
$IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT


VPN

Adjust the following to your own port, network ID and protocol:

IPTABLES=`which iptables`

INT_ETH=eth0
IP_LAN_ETH=`/sbin/ifconfig $INT_ETH | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'`

INT_VPN=tun0
VPN_PORT="8080"
VPN_PROTOCOL="udp"
LAN_ADDRESS_VPN="172.16.60.0/24"

echo -e " "		
echo -e "------------------------"
echo -e " VPN configuration"
echo -e "------------------------"

echo " " 
echo -e "# VPN interface  : $INT_VPN"
echo -e "# VPN IP @       : $LAN_ADDRESS_VPN"
echo -e "# VPN port       : $VPN_PORT"
echo -e "# VPN protocol   : $VPN_PROTOCOL"
echo -e "-------------------------------------- "

# Allow devices communication $ETH0 <--> tun0
$IPTABLES -t nat -A POSTROUTING -s $LAN_ADDRESS_VPN -o $INT_ETH -j MASQUERADE
$IPTABLES -A FORWARD -s $LAN_ADDRESS_VPN -j ACCEPT

echo -e " ... Allow VPN connections"
$IPTABLES -A INPUT -p $VPN_PROTOCOL --dport $VPN_PORT -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport $VPN_PORT -j ACCEPT

echo -e " ... Allow everything to go through VPN - all INPUT,OUTPUT,FORWARD"
$IPTABLES -A INPUT -i $INT_VPN -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_VPN -m state ! --state INVALID -j ACCEPT
$IPTABLES -A FORWARD -o $INT_VPN -m state ! --state INVALID -j ACCEPT

echo -e " ... Allow VPN network communication (required for client <> client comm.)"
$IPTABLES -A INPUT -s $LAN_ADDRESS_VPN -d $LAN_ADDRESS_VPN -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_ADDRESS_VPN -d $LAN_ADDRESS_VPN -j ACCEPT



Servers

SSH

# SSH - max 3 connection request per minute
$IPTABLES -A INPUT -p tcp -m limit 3/min --limit-burst 3 --dport 22 -j ACCEPT


DHCP

This is how you enable a DHCP server with TFTP (netBoot) :

IPTABLES=`which iptables`

# Allow LAN communication
# ... Required for NFS and the NetBoot ...
$IPTABLES -A INPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
 
########################
# INPUT filters
########################
 
##### DHCP client ######
# Broadcast IP request 
$IPTABLES -A OUTPUT -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT
# Send / reply to IPs requests
$IPTABLES -A INPUT -p udp -s 255.255.255.255 --sport 67 --dport 68 -j ACCEPT
 
###### DHCP server ######
# Received client's requests [udp + tcp]
$IPTABLES -A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 68 --dport 67 -j ACCEPT

# NetBoot - TFTP server
$IPTABLES -A INPUT -p udp -s $LAN_ADDRESS --dport 69 -j ACCEPT
 
 
########################
# OUTPUT filters
########################
# DHCP [udp + tcp]
$IPTABLES -A OUTPUT -p udp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 68 -j ACCEPT
 
# TFTP NetBoot 
$IPTABLES -A OUTPUT -p udp --dport 69 -j ACCEPT


Note the difference between the broadcast request that every computer should allow and the plain OUTPUT allow on ports 67,68 for the DHCP server !!



Advanced feature

Port forwarding

Principle

The aim is to reach a server located behind the actual server we are working on.


FW port forwarding - without NAT


FW port forwarding - with NAT


To do a port forwarding you have to:

  • Open the incoming port
  • Register the target server and allow POST-ROUTING operations on it
  • Route the incoming port to the target server + port number


Requirements:

  • Enable port forwading
  • The current server must be able to reach the target {server,port}


IpTables script

IPTABLES=`which iptables`

# Requirement: enable port forwarding in general
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding

# 1. Open target port
$IPTABLES -A INPUT -p tcp --dport 3389 -j ACCEPT

# 2. Enable Port forwarding to Windows server 192.168.100.10
$IPTABLES -A POSTROUTING -d 192.168.100.10 -t nat -j MASQUERADE

# 3. Redirect services to target server
$IPTABLES -A PREROUTING -t nat -p tcp --dport 3389 -j DNAT --to 192.168.100.10:3389
$IPTABLES -A PREROUTING -t nat -p tcp --dport 81 -j DNAT --to 192.168.100.10:80