Sunday, July 21, 2019

HOW TO: Iptables rules for Debian Linux Desktop

Iptables rules follow a distinct hierarchy:

Tables ---------> Chains ----------> Rules

On a desktop the table you work with is the default table, filter. It contains three chains: INPUT, FORWARD and OUTPUT. The INPUT chain handles incoming connections and the OUTPUT chain handles outgoing ones. For a strict policy, set the default policy of INPUT, OUTPUT and FORWARD to DROP and then explicitly allow only the ports you need.

Another important point is that you have to allow certain ICMP types. Many tutorials tell you to drop ICMP altogether, but it is unwise to do so. There are three ICMP types one must allow:
  1. Ping (echo request and echo reply)
  2. Destination unreachable
  3. Time exceeded
Ping is a diagnostic tool that helps to check whether the network is working or not. If you are worried about ping of death or anything similar, you can always rate-limit how many ICMP packets you receive.

The state module has been deprecated in favour of the conntrack module. Its --ctstate match has five real states plus two virtual ones (SNAT and DNAT):

INVALID meaning that the packet is associated with no known connection

ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions

NEW meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions

RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error

UNTRACKED meaning that the packet is not tracked at all, which happens if you explicitly untrack it by using -j CT --notrack in the raw table. If a packet is marked within the raw table with the NOTRACK target, then that packet will show up as UNTRACKED in the state machine. This also means that its RELATED connections will not be seen, so some caution must be taken when dealing with UNTRACKED connections, since the state machine will not be able to see related ICMP messages et cetera.

SNAT: a virtual state, matching if the original source address differs from the reply destination.

DNAT: a virtual state, matching if the original destination differs from the reply source.

INPUT chain policy

iptables -P INPUT DROP 

Dropping new TCP connections whose first packet does not have the SYN bit set (a legitimate new connection always starts with a SYN):

iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP 

Accepting localhost traffic, established and related connections, and new incoming TCP connections rate-limited to 60 per second with a burst of 30. Note that the last rule accepts new TCP connections on any port; on a desktop you would normally replace it with rules for the specific services you actually run.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 30 -j ACCEPT

Dropping spoofed packets, i.e. packets arriving from the internet with a private, loopback, link-local, multicast or reserved address. Two caveats: iptables evaluates rules in order, so these drops only see traffic that the ACCEPT rules above did not already match (place them earlier if they must cover every new packet); and they match on address alone, so on a LAN that itself uses one of these private ranges restrict them to the internet-facing interface with -i.

iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

Dropping packets with invalid TCP flag combinations. --tcp-flags takes two lists: the flags to examine (the mask) and the flags that must be set within that mask; every other flag in the mask must be clear.

iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

Dropping null scans

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Dropping Xmas scans

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP


Dropping fragments. Note that when connection tracking is loaded the kernel reassembles fragments before they reach the filter table, so this rule rarely matches anything there; it does no harm, but do not rely on it.

iptables -A INPUT -f -j DROP

Dropping FIN scans

iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP

Dropping UDP packets whose total length is too small to carry any payload (a 20-byte IP header plus the 8-byte UDP header is 28 bytes)

iptables -A INPUT -p udp -m length --length 0:28 -j DROP

Limit ICMP, accept only the three types mentioned above and drop the rest. The rate limit has to sit on the type-specific rules: an unqualified "-p icmp -m limit ... -j ACCEPT" placed first would accept any ICMP type within the limit, and type-specific ACCEPT rules after it would then accept those types without any limit at all.

iptables -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/second --limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -m limit --limit 1/second --limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -m limit --limit 1/second --limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp -j DROP

Drop invalid packets and log them (rate-limited so a flood cannot fill the disk). The log prefix must be the exact string the rsyslog filter further down looks for, so use "INVALID-INPUT: " here.

iptables -A INPUT -m conntrack --ctstate INVALID,UNTRACKED -m limit --limit 2/min -j LOG --log-prefix "INVALID-INPUT: " --log-level 7
iptables -A INPUT -m conntrack --ctstate INVALID,UNTRACKED -j DROP
 

FORWARD POLICY

iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

OUTPUT POLICY

iptables -P OUTPUT DROP

Accepting localhost and all outgoing connections (new, established and related)

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

Allowing certain ICMP types and dropping the rest. Because the previous rule already accepts all NEW, ESTABLISHED and RELATED traffic, these rules only see ICMP that conntrack could not classify; to actually restrict outgoing ICMP to these three types, place this group before it.

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A OUTPUT -p icmp -j DROP

Logging invalid output and dropping invalid packets

iptables -A OUTPUT -m conntrack --ctstate INVALID,UNTRACKED -m limit --limit 2/min -j LOG --log-prefix "INVALID-OUTPUT: " --log-level 7
iptables -A OUTPUT -m conntrack --ctstate INVALID,UNTRACKED -j DROP


After all this you have to save your rules, otherwise they will be gone when you reboot your computer. To do this you must first have the iptables-persistent package installed (note that it restores the rules saved in /etc/iptables/rules.v4 on its own at boot; the manual method below restores a file of your choosing). To save the rules run

iptables-save > /etc/iptables.conf

To reload your rules on the next boot, add the following line to the interface stanza in /etc/network/interfaces, after the lo section. A bare command is not valid in that file; ifupdown needs the pre-up keyword, which also guarantees the firewall is loaded before the interface comes up:

    pre-up iptables-restore < /etc/iptables.conf

and save the file.
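The file that iptables-save writes and iptables-restore reads has its own format: a table header, the chain policies, the rules without the leading "iptables", and COMMIT. The following POSIX shell script is an added example, not part of the original post: it renders a compact version of the ruleset from this post in that format, with the anti-spoofing and flag-sanity drops placed before the rule that accepts new connections (the ordering caveat mentioned earlier), and a small lint that checks that ordering before you load the file. The interface name (eth0), the use of the full 192.168.0.0/16 range and the per-interface restriction on the anti-spoofing lines are this example's choices.

```shell
#!/bin/sh
# Added example, not from the original post: emit a ruleset in the
# iptables-save / iptables-restore format and lint its ordering.
# The interface name is an assumption (eth0); pass your internet-facing
# interface as the first argument.

# render_rules [WAN]: write the ruleset to stdout.
render_rules() {
  wan="${1:-eth0}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID,UNTRACKED -m limit --limit 2/min -j LOG --log-prefix "INVALID-INPUT: " --log-level 7
-A INPUT -m conntrack --ctstate INVALID,UNTRACKED -j DROP
-A INPUT -i $wan -s 10.0.0.0/8 -j DROP
-A INPUT -i $wan -s 172.16.0.0/12 -j DROP
-A INPUT -i $wan -s 192.168.0.0/16 -j DROP
-A INPUT -i $wan -s 127.0.0.0/8 -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/second --limit-burst 5 -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -m limit --limit 1/second --limit-burst 5 -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -m limit --limit 1/second --limit-burst 5 -j ACCEPT
-A INPUT -p icmp -j DROP
# accepts new TCP on any port, as in the post; narrow this to the services you run
-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 30 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# rule_index PATTERN: 1-based line number of the first line containing
# PATTERN in the ruleset read on stdin, or 0 when it is absent.
rule_index() {
  awk -v pat="$1" 'index($0, pat) { print NR; found = 1; exit } END { if (!found) print 0 }'
}

# check_order: every DROP meant to filter new connections has to come
# before the rule that ACCEPTs new TCP, or it never sees those SYNs.
check_order() {
  rules=$(cat)
  accept=$(printf '%s\n' "$rules" | rule_index '--ctstate NEW -m limit')
  [ "$accept" -gt 0 ] || { echo "no NEW accept rule"; return 1; }
  for pat in '-s 10.0.0.0/8' '-s 172.16.0.0/12' '-s 192.168.0.0/16' '--tcp-flags ALL NONE' '! --syn'; do
    idx=$(printf '%s\n' "$rules" | rule_index "$pat")
    if [ "$idx" -eq 0 ] || [ "$idx" -gt "$accept" ]; then
      echo "misordered or missing: $pat"
      return 1
    fi
  done
  echo "order ok"
}

# Usage (as root, once check_order prints "order ok"):
#   render_rules eth0 > /etc/iptables.conf
#   iptables-restore --test < /etc/iptables.conf   # parse check only
#   iptables-restore < /etc/iptables.conf          # atomic replacement
```

Loading a file with iptables-restore replaces the whole table in one step, so there is no window in which the chain has its DROP policy but none of its ACCEPT rules, which is what happens when a script adds rules one "iptables -A" at a time after "iptables -P INPUT DROP".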

Iptables logs

By default all the log lines go to /var/log/kern.log. To log to a different file you must have rsyslog installed. Go to the folder /etc/rsyslog.d and create a file called iptables.conf; at the same time create a folder /var/log/iptables and in it two files, one for input and the other for output. The filter syntax is :msg, contains, "text" followed by the destination file, where the text is the --log-prefix used in the LOG rules. Each filter needs its own "& stop" line, otherwise its matches are written to the named file and still duplicated in kern.log.

:msg, contains, "INVALID-INPUT: " /var/log/iptables/input.log
& stop
:msg, contains, "INVALID-OUTPUT: " /var/log/iptables/output.log
& stop

Then run service rsyslog restart as root. Now all invalid packets will be logged in these two files.
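Once the log lines are being routed to their own files, the useful next step is to summarise them rather than read them one by one. The following POSIX shell script is an added example, not part of the original post: it embeds a few constructed log lines in the format the kernel LOG target writes (addresses from the TEST-NET documentation ranges, an invented hostname "debian", and one unrelated kernel line that must be ignored) and reports, per log prefix, which source addresses and protocols are hitting the INVALID rules most often. The field names it reads (SRC, PROTO) are the ones the LOG target emits.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the lines that the
# INVALID LOG rules produce. The sample below is constructed in the format
# the kernel LOG target writes; the addresses are documentation ranges and
# "debian" is an invented hostname.
sample_log() {
  cat <<'EOF'
Jul 21 10:15:32 debian kernel: [  812.104512] INVALID-INPUT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 RST URGP=0
Jul 21 10:15:40 debian kernel: [  820.991823] INVALID-INPUT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51235 WINDOW=0 RES=0x00 RST URGP=0
Jul 21 10:16:02 debian kernel: [  842.331901] INVALID-INPUT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=48 ID=4321 PROTO=UDP SPT=53 DPT=34567 LEN=56
Jul 21 10:16:05 debian kernel: [  845.120044] INVALID-OUTPUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.23 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=34567 DPT=53 WINDOW=0 RES=0x00 RST URGP=0
Jul 21 10:16:30 debian kernel: [  870.002311] eth0: link up
EOF
}

# count_prefix PREFIX: number of log lines on stdin carrying that --log-prefix.
count_prefix() {
  grep -c -- "$1"
}

# summarize PREFIX: one "count SRC PROTO" line per source/protocol pair
# among the lines with that prefix, most frequent first. Fields are
# parsed as KEY=VALUE tokens, so their order in the line does not matter.
summarize() {
  awk -v p="$1" '
    index($0, p) == 0 { next }          # skip lines without our prefix
    {
      src = "-"; proto = "-"
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n != 2) continue             # bare flags such as DF or RST
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
      }
      hits[src " " proto]++
    }
    END { for (k in hits) print hits[k], k }
  ' | sort -rn
}

# Usage with the embedded sample:
#   sample_log | summarize "INVALID-INPUT: "
# Against the real file once rsyslog routes messages there:
#   summarize "INVALID-INPUT: " < /var/log/iptables/input.log
```

Because the LOG rules are rate-limited to two lines per minute, the counts are a sample rather than a full tally; they still show which addresses keep tripping the INVALID rules, which is usually enough to decide whether something needs a closer look.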



