iptables - quick safety eval & limit max conns over time

Posted by Peter Hanneman on Server Fault
Published on 2011-01-09T09:01:42Z

Working on locking down a *nix server box with some fancy iptables (v1.4.4) rules. I'm approaching the matter with a "paranoid, everyone's out to get me" style, not necessarily because I expect the box to be a hacker magnet but rather just for the sake of learning iptables and *nix security more thoroughly. Everything is well commented - so if anyone sees something I missed please let me know! The *nat table's "--to-ports" point to the only ports with actively listening services (aside from pings). Layer 2 apps listen exclusively on chmod'ed sockets bridged by one of the layer 1 daemons. Layers 3+ inherit from layer 2 in a similar fashion.

The two lines giving me grief are commented out at the very bottom of the *filter rules. The first line runs fine but it's all or nothing. :)

Many thanks,

Peter H.

*nat
#Flush previous rules, chains and counters for the 'nat' table
-F
-X
-Z

#Redirect traffic to alternate internal ports
-I PREROUTING --src 0/0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
-I PREROUTING --src 0/0 -p tcp --dport 443 -j REDIRECT --to-ports 8443
-I PREROUTING --src 0/0 -p udp --dport 53 -j REDIRECT --to-ports 8053
-I PREROUTING --src 0/0 -p tcp --dport 9022 -j REDIRECT --to-ports 8022
COMMIT

*filter
#Flush previous settings, chains and counters for the 'filter' table
-F
-X
-Z

#Set default behavior for all connections and protocols
-P INPUT DROP
-P OUTPUT DROP
-A FORWARD -j DROP

#Only accept loopback traffic originating from the local NIC
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

#Accept all outgoing non-fragmented traffic having a valid state
-A OUTPUT ! -f -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#Drop fragmented incoming packets (Not always malicious - acceptable for use now)
-A INPUT -f -j DROP

#Allow ping requests rate limited to one per second (burst ensures reliable results for high latency connections)
-A INPUT -p icmp --icmp-type 8 -m limit --limit 1/sec --limit-burst 2 -j ACCEPT

#Declaration of custom chains
-N INSPECT_TCP_FLAGS
-N INSPECT_STATE
-N INSPECT

#Drop incoming tcp connections with invalid tcp-flags
-A INSPECT_TCP_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
-A INSPECT_TCP_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
-A INSPECT_TCP_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A INSPECT_TCP_FLAGS -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A INSPECT_TCP_FLAGS -p tcp --tcp-flags ACK,URG URG -j DROP
-A INSPECT_TCP_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INSPECT_TCP_FLAGS -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A INSPECT_TCP_FLAGS -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INSPECT_TCP_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INSPECT_TCP_FLAGS -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
-A INSPECT_TCP_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

#Accept incoming traffic having either an established or related state
-A INSPECT_STATE -m state --state ESTABLISHED,RELATED -j ACCEPT
#Drop new incoming tcp connections if they aren't SYN packets
-A INSPECT_STATE -m state --state NEW -p tcp ! --syn -j DROP
#Drop incoming traffic with invalid states
-A INSPECT_STATE -m state --state INVALID -j DROP

#INSPECT chain definition
-A INSPECT -p tcp -j INSPECT_TCP_FLAGS
-A INSPECT -j INSPECT_STATE

#Route incoming traffic through the INSPECT chain
-A INPUT -j INSPECT

#Accept redirected HTTP traffic via HA reverse proxy
-A INPUT -p tcp --dport 8080 -j ACCEPT

#Accept redirected HTTPS traffic via STUNNEL SSH gateway (As well as tunneled HTTPS traffic destined for other services)
-A INPUT -p tcp --dport 8443 -j ACCEPT

#Accept redirected DNS traffic for NSD authoritative nameserver
-A INPUT -p udp --dport 8053 -j ACCEPT

#Accept redirected SSH traffic for OpenSSH server
#Temp solution:
-A INPUT -p tcp --dport 8022 -j ACCEPT
#Ideal solution:
#Limit new ssh connections to max 10 per 10 minutes while allowing an "unlimited" (or better reasonably limited?) number of established connections.
#-A INPUT -p tcp --dport 8022 --state NEW,ESTABLISHED -m recent --set -j ACCEPT
#-A INPUT -p tcp --dport 8022 --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
COMMIT

*mangle
#Flush previous rules, chains and counters in the 'mangle' table
-F
-X
-Z
COMMIT
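The rate limit that the two commented-out lines in the *filter table were reaching for, written out as an added example in the same iptables-restore syntax (this is not the poster's ruleset; it assumes it replaces the "Temp solution" ACCEPT for dport 8022 in the ruleset above, where INSPECT_STATE already ACCEPTs ESTABLISHED,RELATED traffic so only NEW packets reach these rules):

```iptables
# Added example (not part of the original post): limit new SSH connections per
# source address to 10 per 600 seconds; established sessions are unaffected because
# the ruleset's INSPECT_STATE chain accepts ESTABLISHED,RELATED before this point.
#
# Differences from the two commented-out lines above:
#  - "--state" belongs to the state match, so "-m state" must precede it
#  - the counting rule (--set) has no target: it records the source and falls through
#  - the DROP check comes before the ACCEPT; with ACCEPT first the limit is never
#    evaluated, which is the "all or nothing" behaviour of the original first line
#  - --name SSH keeps these hits in their own list instead of the shared DEFAULT list
#
# Per source: hits 1-10 fall through --update (fewer than 11 stamps in 600 s) and are
# accepted; hit 11 matches and is dropped. --update refreshes the entry on every
# match, so a source that keeps retrying stays blocked until it is quiet for 600 s.
-A INPUT -p tcp --dport 8022 -m state --state NEW -m recent --name SSH --set
-A INPUT -p tcp --dport 8022 -m state --state NEW -m recent --name SSH --update --seconds 600 --hitcount 11 -j DROP
-A INPUT -p tcp --dport 8022 -m state --state NEW -j ACCEPT
```

The per-source hit list can be inspected at /proc/net/xt_recent/SSH (one line per tracked address with its timestamps). --hitcount cannot exceed the xt_recent module's ip_pkt_list_tot parameter (default 20), so 11 fits, but a larger window would need the module loaded with a higher value.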
