From 114deecb9be02a80136cf2ec966225b944fbcfd9 Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Tue, 13 Jan 2015 22:21:34 -0600
Subject: [PATCH] Update: improve the contents firewall settings files

- Add more information to the example firewall settings.
- Improve/fix dhcp client/server rules
- Block/Blackhole unicasts, multicasts, and broadcasts.
- Add some examples rules on conntrack and some security rules.
---
 .../firewall/data/settings/example-device-firewall | 67 ++++++++++++++++++++--
 level_3/firewall/data/settings/firewall-first | 55 ++++++++++++++++--
 level_3/firewall/data/settings/firewall-other | 1 -
 3 files changed, 113 insertions(+), 10 deletions(-)

diff --git a/level_3/firewall/data/settings/example-device-firewall b/level_3/firewall/data/settings/example-device-firewall
index 1e58e13..f58e5eb 100644
--- a/level_3/firewall/data/settings/example-device-firewall
+++ b/level_3/firewall/data/settings/example-device-firewall
@@ -1,20 +1,63 @@ # fss-0002 -# valid tool: iptables, ip6tables, ip46tables (ip46tables = both ip4 and ip6 tables, which is the default) -# valid direction: input, output, forward, postrouting, postrouting-output, postrouting-input, prerouting, prerouting-output, prerouting-input, none -# valid device: all, this, (any device name goes here without parenthesis) -# valid action: append, insert, policy, none -# valid procotol: none, (any valid iptables protocol type, such as tcp, udp, and icmp) +# valid tool: iptables, ip6tables, ip46tables (ip46tables = both ip4 and ip6 tables, which is the default). +# valid direction: input, output, forward, postrouting, postrouting-output, postrouting-input, prerouting, prerouting-output, prerouting-input, none. +# valid device: all, this, (any device name goes here without parenthesis). +# valid action: append, insert, policy, none. +# valid procotol: none, (any valid iptables protocol type, such as tcp, udp, and icmp). +# some options for -j: ACCEPT, REJECT, DROP, RETURN, LOG, AUDIT, CHECKSUM, CLASSIFY, CLUSTERIP, CONNMARK, CONNSECMARK, CT, DNAT, DNPT, DSCP, ECN, HL, HMARK, IDLETIMER, LED, MARK, MASQUERADE, MIRROR, NETMAP, NFLOG, NFQUEUE, NOTRACK, RATETEST, REDIRECT, SAME, SECMARK, SET, SNAT, SNPT, TCPMSS,TCPOPTSTRIP, TEE, TOS, TPROXY, TRACE, TTL, ULOG. +# some options for -t: nat, mangle, filter, raw, security (filter is the default). +# some options for --state: NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED, SNAT, DNAT. +# some options for --ctstatus: NONE, EXPECTED, SEEN_REPLY, ASSURED, CONFIRMED. main: device this direction input # Define a blacklist and a whitelist, put ip addresses in the file named 'example-device-whitelist' separated by whitespace to whitelist an ip address + # (ip_list might be removed in the future once I figure out how ipset works and confirm if ipset can replace my ip_list.) 
#ip_list source example-device-whitelist -j ACCEPT #ip_list source example-device-blacklist -j REJECT #ip_list destination example-device-whitelist -j ACCEPT #ip_list destination example-device-blacklist -j REJECT + # Connection marking for vlans or QoS (via: tc). + #direction prerouting + #rule -t mangle -j CONNMARK --restore-mark + #direction input + + # save markings that have been restored (prerouting). + #direction prerouting + #rule -t mangle -m mark --mark 2 -j CONNMARK --save-mark + #rule -t mangle -m mark --mark 3 -j CONNMARK --save-mark + #direction input + + # example rate limit using marking for port 22 + #protocol tcp + #direction output + #rule -t mangle --sport 22 -j MARK --set-mark 2 + #direction input + #rule -t mangle --dport 22 -j MARK --set-mark 2 + + # rate limit when there are 8 or more connections from a single host. + #protocol tcp + #direction output + #rule -t mangle -m connlimit --connlimit-above 7 -j MARK --set-mark 3 + #direction input + #rule -t mangle -m connlimit --connlimit-above 7 -j MARK --set-mark 3 + + # save markings that have been assigned (postrouting). + #protocol none + #direction postrouting + #rule -t mangle -m mark --mark 2 -j CONNMARK --save-mark + #rule -t mangle -m mark --mark 3 -j CONNMARK --save-mark + #direction input + + + # randomly trigger the rule (51% of the time) and then the reset of the time go to the second rule. + # this can be very useful in distributing connections between different devices or servers. + #rule -m random --average 51 -j example_rule_1 + #rule -j example_rule_2 + input-tcp: device this 
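Review bot: The added example `#rule -m random --average 51 -j example_rule_1` relies on the old patch-o-matic `random` match, which mainline iptables does not ship; the equivalent with the in-tree match is `#rule -m statistic --mode random --probability 0.51 -j example_rule_1`. In the new `-j` option list `RATETEST` looks like a typo for the `RATEEST` target, and in the `--state` list `SNAT` and `DNAT` are understood by `-m conntrack --ctstate` but not by `-m state --state`, so that line would be less misleading if it distinguished the two matches. Two wording fixes while here: `procotol` → `protocol` in the rewritten header line, and `the reset of the time` → `the rest of the time` in the comment above the random rule.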
@@ -36,6 +79,12 @@ input-tcp: #rule --dport 443 -m state --state NEW -j LOG --log-prefix "TRAFFIC:WEB " #rule --dport 443 -m state --state NEW -j ACCEPT + ## Http / Https / Web throttle connections that occur too often. + #rule --dport 80 --sync -m recent --name http_throttle --set + #rule --dport 80 --sync -m recent --name http_throttle --update --seconds 3 --hitcount 10 -j DROP + #rule --dport 443 --sync -m recent --name http_throttle --set + #rule --dport 443 --sync -m recent --name http_throttle --update --seconds 3 --hitcount 10 -j DROP + ## MySQL #rule --dport 3306 -m state --state NEW -j ACCEPT @@ -73,6 +122,14 @@ input-tcp: ## Git Daemon #rule --dport 9418 -m state --state NEW -j ACCEPT + ## Ldap Server + #rule --dport 389 -j ACCEPT + #rule --dport 636 -j ACCEPT + #rule --dport 1636 -j ACCEPT + + ## Mail Server (25 = SMTP, 465 = SMTPS, 993 = IMAP, 995 = POP) + #rule --dport 25 -j ACCEPT + input-udp: device this diff --git a/level_3/firewall/data/settings/firewall-first b/level_3/firewall/data/settings/firewall-first index f564da2..5db789b 100644 --- a/level_3/firewall/data/settings/firewall-first +++ b/level_3/firewall/data/settings/firewall-first @@ -1,6 +1,5 @@ # fss-0002 - main: # initialize the firewall direction none @@ -18,7 +17,6 @@ main: direction input action append - # Enable ALL local connections (loopback) device lo direction output 
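Review bot: The four `http_throttle` examples use `--sync`, which is not a tcp match option; the SYN-only flag is `--syn`, so each line should read like `#rule --dport 80 --syn -m recent --name http_throttle --set`. They are also placed after the `--dport 443 -m state --state NEW -j ACCEPT` example above them, so if both sets are uncommented the ACCEPT matches every SYN first and the `recent` counters never fire; the `--set`/`--update` pair must precede the ACCEPT for that port. A one-line comment on the `## Http / Https / Web throttle` heading saying these must come before the ACCEPT rules would keep a later user from enabling them in the wrong order.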
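Review bot: The new `## Ldap Server` and `## Mail Server` rules accept without `-m state --state NEW`, unlike every neighbouring example in `input-tcp` (e.g. `#rule --dport 9418 -m state --state NEW -j ACCEPT`); writing them as `#rule --dport 389 -m state --state NEW -j ACCEPT` keeps the examples consistent and leaves non-NEW traffic to the ESTABLISHED,RELATED rule. The mail comment lists 465, 993 and 995 but only port 25 gets a rule, and 993/995 are the TLS variants (IMAPS/POP3S) rather than plain IMAP/POP, so either add the missing `#rule --dport ...` lines or trim the comment to what is actually opened. Port 1636 is not a standard LDAP port as far as I can tell; a comment naming the service it is meant for would help readers.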
@@ -45,12 +43,25 @@ main: rule -m state --state INVALID -j DROP - # Allow ALL input&output connections that have already been established by this host + # Drop multicasts and broadcasts, they should not exist for a router and in most cases should be avoided. + direction output + rule -m pkttype --pkt-type broadcast -j output-casting + rule -m pkttype --pkt-type multicast -j output-casting + rule -m pkttype --pkt-type unicast -j output-casting + direction input + rule -m pkttype --pkt-type broadcast -j input-casting + rule -m pkttype --pkt-type multicast -j input-casting + rule -m pkttype --pkt-type unicast -j input-casting + + + # Allow ALL input&output connections that have already been established by this host (using conntrack might be more efficient) direction output rule -m state --state ESTABLISHED,RELATED -j ACCEPT + #rule -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT direction input rule -m state --state ESTABLISHED,RELATED -j ACCEPT + #rule -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # send all tcp packets to the tcp queue @@ -105,7 +116,7 @@ input-udp: direction input protocol udp - # Allow dhcp client renewals. If these are blocked, you will not be able to renew easily + # Allow dhcp client renewals (from server to client). If these are blocked, you will not be able to renew easily tool iptables rule -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT tool ip46tables 
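Review bot: The two `--pkt-type unicast` jumps send ordinary traffic into `output-casting`/`input-casting`, whose last rule is `rule -j DROP` (they RETURN only for IPv4 DHCP), and they are placed before the `ESTABLISHED,RELATED -j ACCEPT` rules, so as written every normal packet to or from this host is dropped before it can be accepted. The pkttype match classifies by link-layer packet type: `unicast` is the type of packets addressed to this host (and, in practice, of locally generated packets on OUTPUT), not of stray traffic. Unless the tool reorders chains in a way not visible here, the fix is to remove `rule -m pkttype --pkt-type unicast -j output-casting` and `rule -m pkttype --pkt-type unicast -j input-casting` and let only broadcast and multicast go through the casting chains. The comment above the block should then say `# Drop multicasts and broadcasts ...` without mentioning unicast, and the commit message's "unicasts" would no longer apply.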
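Review bot: The comment now says this rule handles DHCP server-to-client traffic, but the rule itself, `rule -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT`, still matches only a source of exactly 0.0.0.0, and a DHCP server sends OFFER/ACK from its own address; the new `input-casting` chain in this same patch encodes that with `! -s 0.0.0.0`, so a packet that passes `input-casting` can never match here. Dropping the `-s 0.0.0.0` (or using `! -s 0.0.0.0` as `input-casting` does) makes the two chains agree. The rest of `input-udp` is outside the hunk, so I cannot tell whether a later rule already covers this case.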
@@ -129,3 +140,39 @@ output-udp: output-icmp: direction output protocol icmp + + +input-casting: + # pre-process broadcasts and multicasts. + direction input + protocol none + tool ip46tables + + # do not auto-drop dhcp messages sent from a dhcp server. + # dhcp offer/acknowledge (the source address must be the routers address, so do not allow 0.0.0.0/0) + protocol udp + tool iptables + rule ! -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j RETURN + protocol none + tool ip46tables + + # drop all remaining broadcasts and multicasts + rule -j DROP + + +output-casting: + # pre-process broadcasts and multicasts. + direction output + protocol none + tool ip46tables + + # do not auto-drop dhcp messages sent to a dhcp server. + # dhcp discover/request (for the request, the dhcp server ip address is known but for some reason the dhcp standard states tat the src is 0.0.0.0. + protocol udp + tool iptables + rule -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j RETURN + protocol none + tool ip46tables + + # drop all remaining broadcasts and multicasts + rule -j DROP diff --git a/level_3/firewall/data/settings/firewall-other b/level_3/firewall/data/settings/firewall-other index 40d9ae6..5009f2a 100644 --- a/level_3/firewall/data/settings/firewall-other +++ b/level_3/firewall/data/settings/firewall-other @@ -1,6 +1,5 @@ # fss-0002 - stop: action policy -- 1.8.3.1
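Review bot: Both casting chains run under `tool ip46tables` and end in `rule -j DROP` with a RETURN only for IPv4 DHCP, so on the ip6tables side they discard all IPv6 multicast — including ICMPv6 neighbour discovery and router solicitation, which are sent to ff02:: addresses — and they are reached before the icmp chains, which breaks IPv6 on the host. A RETURN for icmpv6 under ip6tables (and, if DHCPv6 is in use, for UDP 546/547 to ff02::1:2) is needed before the final DROP in `input-casting`, and the same shape applies to `output-casting`. Minor wording in `output-casting`: `tat` → `that`, and the parenthesis in that comment is never closed; in `input-casting` the rule negates only the single address 0.0.0.0, so the comment's `0.0.0.0/0` should read `0.0.0.0`.
```conf
input-casting:
  # … unchanged: direction/protocol/tool header and the dhcp offer/acknowledge RETURN …

  # let IPv6 neighbour discovery and router solicitation through; they are always sent to multicast addresses.
  tool ip6tables
  protocol icmpv6
  rule -j RETURN
  protocol none
  tool ip46tables

  # drop all remaining broadcasts and multicasts
  rule -j DROP
```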