Submitted by st.anto@yahoo.com on Tue, 05/31/2016 - 07:03
Hey, I have gone through some online resources and have finally come up with a firewall policy. Can you take a look at this one and see if this looks like a decent one? No hurry.
# Generated by iptables-save v1.4.21 on Mon May 30 21:46:58 2016
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m state -m recent -i eth0 --dport 80 --state NEW -j DROP --update --seconds 60 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp -m state -m recent -i eth0 --dport 80 --state NEW --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp -m state ! --tcp-flags FIN,SYN,RST,ACK SYN --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp -m limit --tcp-flags RST RST --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent -j DROP --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp -s 213.130.115.218/32 --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp -s 213.130.115.218/32 --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp -s 213.130.115.218/32 --dport 22090 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent -j DROP --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource
-A OUTPUT -m state --state INVALID -j DROP
COMMIT
# Completed on Mon May 30 21:46:58 2016
# Generated by iptables-save v1.4.21 on Mon May 30 21:46:58 2016
*nat
:PREROUTING ACCEPT [36:2152]
:INPUT ACCEPT [16:968]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [1:76]
COMMIT
# Completed on Mon May 30 21:46:58 2016
# Generated by iptables-save v1.4.21 on Mon May 30 21:46:58 2016
*mangle
:PREROUTING ACCEPT [2057:189936]
:INPUT ACCEPT [2057:189936]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1518:2371756]
:POSTROUTING ACCEPT [1518:2371756]
COMMIT
# Completed on Mon May 30 21:46:58 2016
1. Also, are the rules processed in order from top to bottom?
2. If they are processed from top to bottom, shouldn't all the deny statements be at the top?
Status: Active
Comments
Submitted by st.anto@yahoo.com on Tue, 05/31/2016 - 07:04 Comment #1
Submitted by andreychek on Tue, 05/31/2016 - 07:50 Comment #2
Submitted by andreychek on Tue, 05/31/2016 - 07:55 Comment #3
Looks like a good start! I'd always suggest making sure you have a way to get at the console when applying a firewall, just in case something doesn't go as expected.
I do see a few things that aren't in there, such as SMTP's Submission port, 587, which can be used for authentication. And I don't see SSH on port 22 or FTP on port 21. Don't forget to add those if you need those services.
As far as the order goes -- yes, they are processed from top to bottom, and the order matters very much. However, it only matters within each chain/table.
That is, the INPUT table is different than the FORWARD and OUTPUT table.
Submitted by st.anto@yahoo.com on Tue, 05/31/2016 - 10:30 Comment #4
Ok great, thanks man. I have changed our SSH port, and I forgot about the 587 port.
Submitted by st.anto@yahoo.com on Tue, 05/31/2016 - 10:31 Comment #5
But one question though: shouldn't this -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT come below the deny statements?
Submitted by andreychek on Tue, 05/31/2016 - 11:04 Comment #6
That rule you mentioned is in the correct location; it refers to traffic that has already been through those rules previously and shouldn't be at the end.
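To make the two ordering points in the replies concrete (within a chain the first matching rule decides, a packet that matches nothing falls to the chain policy, and the RELATED,ESTABLISHED rule at the top handles reply traffic before any later rule is consulted), here is a small added example that is not part of the thread: it parses a constructed subset of the posted INPUT chain and runs a few constructed packets through it in order. The packet descriptions and the source address 198.51.100.7 are made up; the parser assumes plain option/value pairs only (no "!" negation, --tcp-flags or -m recent rules).

```python
# Added example, not from the thread: first-match simulator for a subset of
# the iptables-save syntax used in the posted INPUT chain (assumed subset).
KEYS = {"-p": "proto", "-i": "iface", "--dport": "dport", "-s": "src",
        "--state": "state", "-j": "target"}
CONV = {"dport": int, "state": lambda s: set(s.split(",")),
        "src": lambda s: s.split("/")[0]}        # only /32 sources appear in the post

# Constructed subset of the poster's INPUT chain, kept in the posted order.
RULESET = """
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -s 213.130.115.218/32 --dport 10000 -j ACCEPT
"""

def parse(text):
    """Return (policy, rules) for the INPUT chain; each rule is a dict of matches."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == ":INPUT":
            policy = tok[1]                       # verdict when no rule matches
        elif tok[:2] == ["-A", "INPUT"]:          # '-m state' / '-m tcp' pairs are skipped
            rule = {KEYS[o]: CONV.get(KEYS[o], str)(v)
                    for o, v in zip(tok[2::2], tok[3::2]) if o in KEYS}
            rules.append(rule)
    return policy, rules

def evaluate(policy, rules, pkt):
    """Walk the chain top to bottom; the first rule whose matches all hold decides."""
    for n, rule in enumerate(rules, 1):
        if all(pkt.get(k) in v if k == "state" else pkt.get(k) == v
               for k, v in rule.items() if k != "target"):
            return rule["target"], n
    return policy, None                           # fell off the end: chain policy

def verdicts():
    """Constructed packets; returns {description: (target, matching rule number)}."""
    policy, rules = parse(RULESET)
    pkts = {
        "reply to our own outbound connection": {"proto": "tcp", "state": "ESTABLISHED", "dport": 51000},
        "new HTTP from anywhere": {"proto": "tcp", "state": "NEW", "dport": 80, "src": "198.51.100.7"},
        "new SSH, port 22 not in the policy": {"proto": "tcp", "state": "NEW", "dport": 22, "src": "198.51.100.7"},
        "port 10000 from an unlisted source": {"proto": "tcp", "state": "NEW", "dport": 10000, "src": "198.51.100.7"},
        "port 10000 from the listed source": {"proto": "tcp", "state": "NEW", "dport": 10000, "src": "213.130.115.218"},
    }
    return {d: evaluate(policy, rules, p) for d, p in pkts.items()}
```

The established reply exits at rule 1 without touching anything below it, the new SSH attempt matches nothing and is dropped by the chain policy (which is why the missing port 22 rule matters), and only the listed source reaches port 10000.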