Iptables rules follows a distinct classification
Tables ---------> Chains ----------> Rules
For Desktop the default tables is filter it contains three chains INPUT, FORWARD and OUTPUT. The Input chain is for the incoming connection and the output chain is for the outgoing connection. For a strict policy deny input, output and the forward packets and then allow which ports are to be allowed.
Another important thing is you have allow certain icmp protocols,many tutorials tell you to drop the icmp protocol altogether but is unwise to do so. There are three icmp protocols one must allow they are
The state module has been depreciated in favour of conntrack module. The ctstate has five options
INVALID meaning that the packet is associated with no known connection
ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions
NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions
RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.
UNTRACKED : The packet is not tracked at all, which happens if you explicitly untrack it by using -j CT --notrack in the raw table.If a packet is marked within the raw table with the NOTRACK target, then that packet will show up as UNTRACKED in the state machine. This also means that all RELATED connections will not be seen, so some caution must be taken when dealing with the UNTRACKED connections since the state machine will not be able to see related ICMP messages et cetera.
SNAT : A virtual state, matching if the original source address differs from the reply destination.
DNAT: A virtual state, matching if the original destination differs from the reply source.
INPUT chain policy
iptables -P INPUT DROP
we are rejecting new connection if it does not have syn bit set in the packet header
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
Accepting localhost connections and established and related connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 30 -j ACCEPT
Dropping spoofing packets that originate from internet
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
Dropping Invalid bit set in packets
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
Dropping Null scan
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Dropping Xmas Scan
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
Dropping Fragments
iptables -A INPUT -f -j DROP
Dropping Fin scan
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
Dropping udp packets if it's length is too small
iptables -A INPUT -p udp -m length --length 0:28 -j DROP
Limit ICMP and accept certain protocols and drop rest of them
iptables -A INPUT -p icmp -m limit --limit 1/second --limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp -j DROP
Drop Invalid Packets and log them
iptables -A INPUT -m conntrack --ctstate INVALID,UNTRACKED -m limit --limit 2/min -j LOG --log-prefix "INVALID: " --log-level 7
iptables -A INPUT -m conntrack --ctstate INVALID,UNTRACKED -j DROP
FORWARD POLICY
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
OUTPUT POLICY
iptables -P OUTPUT DROP
Accepting Localhost and internet
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
Allowing certain icmp protocols and rejecting rest of them
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A OUTPUT -p icmp -j DROP
Logging Invalid Output and rejecting Invalid packets
iptables -A OUTPUT -m conntrack --ctstate INVALID,UNTRACKED -m limit --limit 2/min -j LOG --log-prefix "INVALID-OUTPUT: " --log-level 7
iptables -A OUTPUT -m conntrack --ctstate INVALID,UNTRACKED -j DROP
After all this you have save your rules otherwise it will be gone after you reboot your computer.To do this you must first have iptables-persistent package installed on your computer. To save the rules run
iptables-save > /etc/iptables.conf
to reload your rules on next boot add the following lines in
/etc/network/interfaces after the lo section
iptables-restore < /etc/iptables.conf
and save the file.
:msg, contains "INVALID-INPUT: " /var/log/Input.log
:msg, contains "INVALID-OUTPUT: " /var/log/output.log
& stop
then run service rsyslog restart as root.Now all invalid packets will be logged in these two files.
2.https://www.cyberciti.biz/faq/linux-iptables-multiport-range/
3.https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture
4.https://serverfault.com/questions/84963/why-not-block-icmp/84981
5.https://john.albin.net/essential-icmp
6.https://unix.stackexchange.com/questions/108169/what-is-the-difference-between-m-conntrack-ctstate-and-m-state-state
7.https://askubuntu.com/questions/634788/iptables-allow-just-internet-connection
8.All about ICMP messages
9.https://www.thegeekstuff.com/2011/03/iptables-inbound-and-outbound-rules/
10.https://www.cs.montana.edu/courses/309/topics/11-security/IPTables_discussion.html
11.https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands
12.https://www.booleanworld.com/depth-guide-iptables-linux-firewall/
13.https://unix.stackexchange.com/questions/191607/iptables-and-return-target
14.https://askubuntu.com/questions/939562/why-dont-my-iptables-log
15.Linux Firewalls by Steve suehring and Robert Ziegler.Third Edition
Tables ---------> Chains ----------> Rules
For Desktop the default tables is filter it contains three chains INPUT, FORWARD and OUTPUT. The Input chain is for the incoming connection and the output chain is for the outgoing connection. For a strict policy deny input, output and the forward packets and then allow which ports are to be allowed.
Another important thing is you have allow certain icmp protocols,many tutorials tell you to drop the icmp protocol altogether but is unwise to do so. There are three icmp protocols one must allow they are
- Ping
- Destination unreachable and
- Time exceeded
The state module has been depreciated in favour of conntrack module. The ctstate has five options
INVALID meaning that the packet is associated with no known connection
ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions
NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions
RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.
UNTRACKED : The packet is not tracked at all, which happens if you explicitly untrack it by using -j CT --notrack in the raw table.If a packet is marked within the raw table with the NOTRACK target, then that packet will show up as UNTRACKED in the state machine. This also means that all RELATED connections will not be seen, so some caution must be taken when dealing with the UNTRACKED connections since the state machine will not be able to see related ICMP messages et cetera.
SNAT : A virtual state, matching if the original source address differs from the reply destination.
DNAT: A virtual state, matching if the original destination differs from the reply source.
INPUT chain policy
iptables -P INPUT DROP
we are rejecting new connection if it does not have syn bit set in the packet header
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
Accepting localhost connections and established and related connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 30 -j ACCEPT
Dropping spoofing packets that originate from internet
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
Dropping Invalid bit set in packets
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
Dropping Null scan
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Dropping Xmas Scan
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
Dropping Fragments
iptables -A INPUT -f -j DROP
Dropping Fin scan
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
Dropping udp packets if it's length is too small
iptables -A INPUT -p udp -m length --length 0:28 -j DROP
Limit ICMP and accept certain protocols and drop rest of them
iptables -A INPUT -p icmp -m limit --limit 1/second --limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp -j DROP
Drop Invalid Packets and log them
iptables -A INPUT -m conntrack --ctstate INVALID,UNTRACKED -m limit --limit 2/min -j LOG --log-prefix "INVALID: " --log-level 7
iptables -A INPUT -m conntrack --ctstate INVALID,UNTRACKED -j DROP
FORWARD POLICY
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
OUTPUT POLICY
iptables -P OUTPUT DROP
Accepting Localhost and internet
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
Allowing certain icmp protocols and rejecting rest of them
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A OUTPUT -p icmp -j DROP
Logging Invalid Output and rejecting Invalid packets
iptables -A OUTPUT -m conntrack --ctstate INVALID,UNTRACKED -m limit --limit 2/min -j LOG --log-prefix "INVALID-OUTPUT: " --log-level 7
iptables -A OUTPUT -m conntrack --ctstate INVALID,UNTRACKED -j DROP
After all this you have save your rules otherwise it will be gone after you reboot your computer.To do this you must first have iptables-persistent package installed on your computer. To save the rules run
iptables-save > /etc/iptables.conf
to reload your rules on next boot add the following lines in
/etc/network/interfaces after the lo section
iptables-restore < /etc/iptables.conf
and save the file.
Iptable Logs
By default all the logs are in /var/log/kern.log. To log in a different file you must have rsyslog installed. Goto the folder /etc/rsyslog.d and create a file called iptables.conf and also at the sametime create a folder /var/log called iptables and in it create two files one for input and the other for output.
:msg, contains "INVALID-INPUT: " /var/log/Input.log
:msg, contains "INVALID-OUTPUT: " /var/log/output.log
& stop
then run service rsyslog restart as root.Now all invalid packets will be logged in these two files.
References
1.https://manpages.debian.org/unstable/iptables/iptables-extensions.8.en.html2.https://www.cyberciti.biz/faq/linux-iptables-multiport-range/
3.https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture
4.https://serverfault.com/questions/84963/why-not-block-icmp/84981
5.https://john.albin.net/essential-icmp
6.https://unix.stackexchange.com/questions/108169/what-is-the-difference-between-m-conntrack-ctstate-and-m-state-state
7.https://askubuntu.com/questions/634788/iptables-allow-just-internet-connection
8.All about ICMP messages
9.https://www.thegeekstuff.com/2011/03/iptables-inbound-and-outbound-rules/
10.https://www.cs.montana.edu/courses/309/topics/11-security/IPTables_discussion.html
11.https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands
12.https://www.booleanworld.com/depth-guide-iptables-linux-firewall/
13.https://unix.stackexchange.com/questions/191607/iptables-and-return-target
14.https://askubuntu.com/questions/939562/why-dont-my-iptables-log
15.Linux Firewalls by Steve suehring and Robert Ziegler.Third Edition
No comments:
Post a Comment