From 095c629f5dacec6401cb99bd1bfd6079b28d8c71 Mon Sep 17 00:00:00 2001 From: Kevin Day Date: Mon, 16 Sep 2024 21:11:23 -0500 Subject: [PATCH] Update: Refresh firewall iptables rules and relax some of the defaults. Relax some of the defaults so that there will be less immediate failure. Provide a lot of the previous `DROP` statements for easy re-assignment by just uncommenting. Add some specific wrapping tools around IPv6 related rules. --- .../firewall/data/settings/network/firewall-first | 94 +++++++++++++++++++--- 1 file changed, 81 insertions(+), 13 deletions(-) diff --git a/level_3/firewall/data/settings/network/firewall-first b/level_3/firewall/data/settings/network/firewall-first index 0ae4fa8..9fa25f1 100644 --- a/level_3/firewall/data/settings/network/firewall-first +++ b/level_3/firewall/data/settings/network/firewall-first @@ -56,13 +56,16 @@ INPUT: rule -m state --state NEW -j input-icmp # send all icmpv6 packets to the icmpv6 queue + tool ip6tables protocol icmpv6 rule -m state --state NEW -j input-icmpv6 + tool ip46tables # load custom device-specific rules rule -j input-devices # remaining packets + #rule -j LOG --log-prefix "INPUT:" rule -j DROP @@ -82,6 +85,7 @@ input-invalid: # remaining packets protocol none + #rule -j LOG --log-prefix "INV_IN:" rule -j DROP @@ -110,13 +114,17 @@ input-loop: # this is the localhost address, valid localhost are allowed to return to the previous chain. protocol none rule -s 127.0.0.0/8 -d 127.0.0.0/8 -j RETURN + tool ip6tables + rule -s ::1 -d ::1 -j RETURN + tool iptables # it may be necessay to add a return for individual ips because there are some cases that result in non-localhost addresses going through loopback. #rule -s 192.168.0.1 -d 192.168.0.1 -j RETURN tool ip46tables # remaining packets - rule -j DROP + #rule -j DROP + rule -j RETURN input-blacklist: @@ -158,6 +166,9 @@ input-tcp: rule --tcp-flags SYN,RST SYN,RST -j input-invalid rule --tcp-flags SYN,FIN SYN,FIN -j input-invalid + # XMPP ports. + #rule -m multiport --dports 5222,5223,5269 -j ACCEPT + # Postgresql standard port #rule --dport 5432 -j ACCEPT @@ -168,7 +179,7 @@ input-tcp: #rule --dport 1521 -j ACCEPT # Web standard ports - #rule -m multiport --dports 80,443,8080,8181,8443,8099,9000 -j ACCEPT + #rule -m multiport --dports 80,443,8080,8181,8443,8099,9000,9001,9002 -j ACCEPT # ldap standard ports #rule -m multiport --dports 389,636,1636 -j ACCEPT @@ -179,6 +190,10 @@ input-tcp: # ssh standard port #rule --dport 22 -j ACCEPT + # require 3 knocks before opening the door for SSH. + #rule --dport 22 -m state --state NEW -m recent --set + #rule --dport 22 -m state --state NEW -m recent --update --seconds 15 --hitcount 3 -j ACCEPT + # common chef ssh ports #rule --dport 2200:2210 -j ACCEPT @@ -230,6 +245,9 @@ input-udp: # teeworlds game server and client #rule --dport 8300:8310 -j ACCEPT + # XMPP ports. + #rule -m multiport --dports 5222,5223,5269 -j ACCEPT + # allow high ports #rule -m multiport --dports 49152:65535 -j ACCEPT @@ -267,7 +285,9 @@ input-icmp: tool ip46tables # remaining packets - rule -j DROP + #rule -j LOG --log-prefix "ICMP_IN:" + #rule -j DROP + rule -j ACCEPT input-icmpv6: @@ -275,6 +295,12 @@ input-icmpv6: protocol icmp tool ip6tables + #rule -j LOG --log-prefix "ICMP6_IN:" + #rule -j DROP + rule -j ACCEPT + + tool ip46tables + input-casting: direction input @@ -287,10 +313,17 @@ input-casting: tool iptables rule --sport 67 -d 255.255.255.255 --dport 68 -j RETURN protocol none + + # Move ICMPv6 along. + tool ip6tables + protocol icmpv6 + rule -m state --state NEW -j input-icmpv6 tool ip46tables # drop all remaining broadcasts and multicasts - rule -j DROP + #rule -j LOG --log-prefix "CAST_IN:" + #rule -j DROP + rule -j RETURN OUTPUT: @@ -333,14 +366,18 @@ OUTPUT: rule -m state --state NEW -j output-icmp # send all icmpv6 packets to the icmpv6 queue + tool ip6tables protocol icmpv6 rule -m state --state NEW -j output-icmpv6 + tool ip46tables # load custom device-specific rules rule -j input-devices # remaining packets - rule -j DROP + #rule -j LOG --log-prefix "OUTPUT:" + #rule -j DROP + rule -j ACCEPT output-invalid: @@ -348,6 +385,7 @@ output-invalid: protocol none # remaining packets + #rule -j LOG --log-prefix "INV_OUT:" rule -j DROP @@ -370,8 +408,8 @@ output-loop: rule --dport 631 -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT # allow local dns server - #protocol udp - #rule --sport 53 -s 127.0.1.1 -d 127.0.0.0/8 -j ACCEPT + protocol udp + rule --sport 53 -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT # this is the localhost address, valid localhost are allowed to return to the previous chain. protocol none @@ -382,7 +420,8 @@ output-loop: tool ip46tables # remaining packets - rule -j DROP + #rule -j DROP + rule -j RETURN output-blacklist: @@ -444,8 +483,8 @@ output-tcp: #rule --sport 1521 -j ACCEPT # Web standard ports - rule -m multiport --dports 80,443,8080,8181,8443,8099,9000 -j ACCEPT - #rule -m multiport --sports 80,443,8080,8181,8443,8099,9000 -j ACCEPT + rule -m multiport --dports 80,443,8080,8181,8443,8099,9000,9001,9002 -j ACCEPT + #rule -m multiport --sports 80,443,8080,8181,8443,8099,9000,9001,9002 -j ACCEPT # ldap standard ports rule -m multiport --dports 389,636,1636 -j ACCEPT @@ -455,6 +494,9 @@ output-tcp: rule -m multiport --dports 25,465,993 -j ACCEPT #rule -m multiport --sports 25,465,993 -j ACCEPT + # XMPP ports + rule -m multiport --dports 5222,5223,5269 -j ACCEPT + # ssh standard port rule --dport 22 -j ACCEPT #rule --sport 22 -j ACCEPT @@ -525,8 +567,14 @@ output-udp: rule --dport 123 -j ACCEPT #rule --sport 123 -j ACCEPT + # ntpsec standard port + rule --dport 4460 -j ACCEPT + # teeworlds game server and client - #rule --dport 8300:8310 -j ACCEPT + rule --dport 8300:8310 -j ACCEPT + + # XMPP ports + rule -m multiport --dports 5222,5223,5269 -j ACCEPT # accept all loopback tool iptables @@ -562,7 +610,9 @@ output-icmp: tool ip46tables # remaining packets - rule -j DROP + #rule -j LOG --log-prefix "ICMP_OUT:" + #rule -j DROP + rule -j ACCEPT output-icmpv6: @@ -570,6 +620,12 @@ output-icmpv6: protocol icmp tool ip6tables + #rule -j LOG --log-prefix "ICMP6_OUT:" + #rule -j DROP + rule -j ACCEPT + + tool ip46tables + output-casting: direction output @@ -584,8 +640,16 @@ output-casting: protocol none tool ip46tables + # Move ICMPv6 along. + tool ip6tables + protocol icmpv6 + rule -m state --state NEW -j output-icmpv6 + tool ip46tables + # drop all remaining broadcasts and multicasts - rule -j DROP + #rule -j LOG --log-prefix "CAST:" + #rule -j DROP + rule -j ACCEPT FORWARD: @@ -593,6 +657,10 @@ FORWARD: # load custom device-specific rules rule -j forward-devices + #rule -j LOG --log-prefix "FORWARDs:" + #rule -j DROP + rule -j ACCEPT + forward-devices: -- 1.8.3.1