From: Kevin Day Date: Sun, 17 Jan 2016 20:20:56 +0000 (-0600) Subject: Update: add new rules to firewall (while fixing accident in previous commit) X-Git-Tag: 0.5.0~535 X-Git-Url: https://git.kevux.org/?a=commitdiff_plain;h=4c0e3e859e5238dc50a900ebf725e3cf89f9c1d1;p=fll Update: add new rules to firewall (while fixing accident in previous commit) The earlier commit that applied stale changes apparently had deleted all the rules in the firewall file. This data has been added back in addition to the new rules and structure.
---
diff --git a/level_3/firewall/data/settings/firewall-first b/level_3/firewall/data/settings/firewall-first
index aebb240..8219387 100644
--- a/level_3/firewall/data/settings/firewall-first
+++ b/level_3/firewall/data/settings/firewall-first
@@ -1,4 +1,343 @@
 # fss-0002
 main:
- rule tty
+ # initialize the firewall
+ direction none
+ action none
+
+ rule -F
+ rule -Z
+
+ tool iptables
+ rule -t nat -F
+ rule -t mangle -F
+ tool ip46tables
+
+ # setup initial operations
+ chain INPUT
+ direction input
+ action append
+
+
+ # Process all loopback connections and filter out (and log) invalid connections.
+ # Valid connections will return and follow all remaining rules below.
+ device lo
+ chain OUTPUT
+ direction output
+ rule -j output-loopback
+
+ chain INPUT
+ direction input
+ rule -j input-loopback
+ device all
+
+
+ # Handle all packets parked INVALID in separate chains.
+ chain OUTPUT
+ #rule -m state --state INVALID -j output-invalid
+ rule -m conntrack --ctstate INVALID -j output-invalid
+
+ chain INPUT
+ #rule -m state --state INVALID -j input-invalid
+ rule -m conntrack --ctstate INVALID -j input-invalid
+
+
+ # Drop multicasts and broadcasts, they should not exist for a router and in most cases should be avoided.
+ # unicasts are the normal behavior and blocking them would be very unusual.
+ chain OUTPUT
+ rule -m pkttype --pkt-type broadcast -j output-casting
+ rule -m pkttype --pkt-type multicast -j output-casting
+ #rule -m pkttype --pkt-type unicast -j output-casting
+
+ chain INPUT
+ rule -m pkttype --pkt-type broadcast -j input-casting
+ rule -m pkttype --pkt-type multicast -j input-casting
+ #rule -m pkttype --pkt-type unicast -j input-casting
+
+
+ # handle tcp-security before accepting established or related packets.
+ protocol tcp
+ rule -j input-tcp-security
+ rule -j output-tcp-security
+ protocol none
+
+
+ # Allow ALL input and output connections that have already been established by this host (and made it this far in the chain process).
+ chain OUTPUT
+ #rule -m state --state ESTABLISHED,RELATED -j ACCEPT
+ rule -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ chain INPUT
+ #rule -m state --state ESTABLISHED,RELATED -j ACCEPT
+ rule -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+
+ # send all tcp packets to the tcp queue.
+ chain OUTPUT
+ protocol tcp
+ rule -m state --state NEW -j output-tcp
+
+ chain INPUT
+ rule -m state --state NEW -j input-tcp
+
+
+ # send all udp packets to the udp queue
+ chain OUTPUT
+ protocol udp
+ rule -m state --state NEW -j output-udp
+
+ chain INPUT
+ rule -m state --state NEW -j input-udp
+
+
+ # send all ipv4 icmp packets to the icmp queue.
+ tool iptables
+ chain OUTPUT
+ protocol icmp
+ rule -m state --state NEW -j output-icmp
+
+ chain INPUT
+ rule -m state --state NEW -j input-icmp
+
+ # send all ipv6 icmp packets to the icmp queue (alternatively put this in its own chain, such as input-icmpv6 and output-icmpv6).
+ tool ip6tables
+ chain OUTPUT
+ protocol icmpv6
+ rule -m state --state NEW -j output-icmp
+
+ chain INPUT
+ rule -m state --state NEW -j input-icmp
+
+
+ # send all remaining packets to the unknown queue
+ chain OUTPUT
+ protocol udp
+ rule -m state --state NEW -j output-unknown
+
+ chain INPUT
+ rule -m state --state NEW -j input-unknown
+
+
+output-tcp:
+ direction output
+ protocol tcp
+
+
+input-tcp:
+ direction input
+ protocol tcp
+
+ # Prevent an XMAS attack
+ rule --tcp-flags ALL ALL -j DROP
+
+ # Prevent NULL attack
+ rule --tcp-flags ALL NONE -j DROP
+
+
+output-udp:
+ direction output
+ protocol udp
+
+
+input-udp:
+ direction input
+ protocol udp
+
+ # Allow dhcp client renewals (from server to client). If these are blocked, you will not be able to renew easily.
+ tool iptables
+ rule -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
+ tool ip46tables
+
+
+output-icmp:
+ direction output
+ protocol icmp
+
+
+input-icmp:
+ direction input
+ protocol icmp
+
+
+output-unkown:
+ direction output
+ protocol none
+
+ # drop unknown packets.
+ #rule -j DROP
+
+
+input-unkown:
+ direction input
+ protocol none
+
+ # drop unknown packets.
+ #rule -j DROP
+
+
+input-casting:
+ # pre-process broadcasts and multicasts.
+ direction input
+ protocol none
+ tool ip46tables
+
+ # do not auto-drop dhcp messages sent from a dhcp server to a local dhcp client.
+ # dhcp offer/acknowledge (the source address must be the routers address, so do not allow 0.0.0.0/0)
+ protocol udp
+ tool iptables
+ rule --sport 67 -d 255.255.255.255 --dport 68 -j RETURN
+ protocol none
+ tool ip46tables
+
+ # drop all remaining broadcasts and multicasts
+ rule -j DROP
+
+
+output-casting:
+ # pre-process broadcasts and multicasts.
+ direction output
+ protocol none
+ tool ip46tables
+
+ # do not auto-drop dhcp client messages sent to a dhcp server.
+ # dhcp discover/request (for the request, the dhcp server ip address is known but for some reason the dhcp standard states tat the src is 0.0.0.0.
+ protocol udp
+ tool iptables
+ rule --sport 68 -d 255.255.255.255 --dport 67 -j RETURN
+ protocol none
+ tool ip46tables
+
+ # drop all remaining broadcasts and multicasts
+ rule -j DROP
+
+
+input-loopback:
+ direction input
+ protocol none
+
+ # send all valid loopback connections back to the main tree so that the remainder firewall rules apply.
+ tool iptables
+ rule -s 127.0.0.0/8 -d 127.0.0.0/8 -j RETURN
+ tool ip6tables
+ rule -s ::1/128 -d ::1/128 -j RETURN
+
+ # this is a link-local address.
+ rule -s fe80::/10 -d fe80::/10 -j RETURN
+ tool ip46tables
+
+
+ # all packets to a known ethernet devices ip address are (incorrectly) sent to loopback by applications like apache.
+ # these specific rules may need to be allowed despite the ip address being incorrect.
+ # specifically, only 127.0.0.0/8 ip address should ever been sent to the loopback.
+ # this is an example rule using an example ip address.
+ #tool iptables
+ #rule -s 192.168.0.1 -d 192.168.0.1 -j RETURN
+ #tool ip46tables
+
+ # the remaining loopback packets are therefore invalid, log them and then drop them. (these options might be handy: --log-uid --log-tcp-options --log-ip-options)
+ rule -j LOG --log-prefix "INVALID:INPUT:LOOP "
+ rule -j DROP
+
+
+output-loopback:
+ direction output
+ protocol none
+
+ # send all valid loopback connections back to the main tree so that the remainder firewall rules apply.
+ tool iptables
+ rule -s 127.0.0.0/8 -d 127.0.0.0/8 -j RETURN
+ tool ip6tables
+ rule -s ::1/128 -d ::1/128 -j RETURN
+
+ # this is a link-local address.
+ rule -s fe80::/10 -d fe80::/10 -j RETURN
+ tool ip46tables
+
+
+ # all packets to a known ethernet devices ip address are (incorrectly) sent to loopback by applications like apache.
+ # these specific rules may need to be allowed despite the ip address being incorrect.
+ # specifically, only 127.0.0.0/8 ip address should ever been sent to the loopback.
+ # this is an example rule using an example ip address.
+ #tool iptables
+ #rule -s 192.168.0.1 -d 192.168.0.1 -j RETURN
+ #tool ip46tables
+
+ # the remaining loopback packets are therefore invalid, log them and then drop them. (these options might be handy: --log-uid --log-tcp-options --log-ip-options)
+ rule -j LOG --log-prefix "INVALID:OUTPUT:LOOP "
+ rule -j DROP
+
+
+input-invalid:
+ direction input
+ protocol tcp
+
+ # silently drop invalid RST tcp packets instead of sending a RST back.
+ rule --tcp-flags RST RST -j DROP
+
+ # Reject all remaining invalid tcp packets.
+ rule -j REJECT --reject-with tcp-reset
+
+ # Drop all remaining protocols with invalid data.
+ protocol none
+ rule -j DROP
+
+
+output-invalid:
+ direction output
+ protocol tcp
+
+ # Allow sending TCP RST even when there is no valid local connection.
+ rule --tcp-flags RST RST -j ACCEPT
+
+ # Reject all remaining invalid tcp packets.
+ rule -j REJECT --reject-with tcp-reset
+
+ # Drop all remaining protocols with invalid data.
+ protocol none
+ rule -j DROP
+
+
+input-tcp-security:
+ direction input
+ protocol tcp
+
+ # Resist TCP sequence number spoof attacks (see: http://www.linuxtopia.org/Linux_Firewall_iptables/x6231.html).
+ rule --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j input-invalid
+
+ # TCP streams must always start with SYN, all others are invalid and may be an attack (see: http://www.linuxtopia.org/Linux_Firewall_iptables/x6193.html).
+ rule ! --syn -m conntrack --ctstate NEW -j input-invalid
+
+ # Prevent an XMAS-type attacks (drop packets).
+ rule --tcp-flags ALL FIN,URG,PSH -j DROP
+ rule --tcp-flags ALL ALL -j DROP
+ rule --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+ # Prevent NULL attack (drop packets).
+ rule --tcp-flags ALL NONE -j DROP
+
+ # Prevent Sync Reset Attacks (drop packets).
+ rule --tcp-flags SYN,RST SYN,RST -j DROP
+ rule --tcp-flags SYN,FIN SYN,FIN -j DROP
+
+
+output-tcp-security:
+ direction output
+ protocol tcp
+
+ # Resist TCP sequence number spoof attacks (see: http://www.linuxtopia.org/Linux_Firewall_iptables/x6231.html).
+ rule --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j output-invalid
+
+ # TCP streams must always start with SYN, all others are invalid and may be an attack (see: http://www.linuxtopia.org/Linux_Firewall_iptables/x6193.html).
+ rule ! --syn -m conntrack --ctstate NEW -j output-invalid
+
+ # Prevent an XMAS-type attacks (drop packets).
+ rule --tcp-flags ALL FIN,URG,PSH -j DROP
+ rule --tcp-flags ALL ALL -j DROP
+ rule --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+ # Prevent NULL attack (drop packets).
+ rule --tcp-flags ALL NONE -j DROP
+
+ # Prevent Sync Reset Attacks (drop packets).
+ rule --tcp-flags SYN,RST SYN,RST -j DROP
+ rule --tcp-flags SYN,FIN SYN,FIN -j DROP
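Review bot: The "send all remaining packets to the unknown queue" rules in `main:` jump to `output-unknown` and `input-unknown`, but the chains are defined as `output-unkown:` and `input-unkown:`, so the generated jumps name a chain that does not exist and iptables rejects a `-j` to an undefined target; rename the labels to `output-unknown:` and `input-unknown:`. That same section still has `tool ip6tables` in effect from the preceding icmpv6 block (it is never reset, unlike the `tool iptables` runs elsewhere that are followed by `tool ip46tables`), and it carries `protocol udp` over from the udp block even though the comment says all remaining packets, so `tool ip46tables` and `protocol none` before `chain OUTPUT` there appear to be what was intended. The two `rule -j LOG --log-prefix "INVALID:…:LOOP "` lines in the loopback chains are not rate-limited, so a burst of invalid loopback traffic can flood the kernel log; adding `-m limit` to those LOG rules would bound that. As a point of style, the INVALID and ESTABLISHED,RELATED rules were switched to `-m conntrack --ctstate` (with the `-m state` versions left commented out) while every NEW rule still uses `-m state --state NEW`; using one match module throughout would be consistent.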