Wednesday, December 22, 2004

Basic IPTables/Netfilter Configuration on Fedora Core 3

Having recently installed Fedora Core 3 on one of my machines, I have had an opportunity to look at the firewall settings produced by Red Hat's security configuration GUI. When installing the operating system, I chose to enable the firewall and allow SSH connections from the internet. With these settings in mind, the following output results from 'iptables -L -v':

[root@primary ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
377K 461M RH-Firewall-1-INPUT all -- any any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 298K packets, 50M bytes)
pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
37548 26M ACCEPT all -- lo any anywhere anywhere
4 280 ACCEPT icmp -- any any anywhere anywhere icmp any
0 0 ACCEPT ipv6-crypt-- any any anywhere anywhere
0 0 ACCEPT ipv6-auth-- any any anywhere anywhere
75 5864 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ipp
310K 434M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
974 58420 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
28095 1845K REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited


To interpret what Red Hat has done here: they have allowed SSH access into my machine as requested, but the RH-Firewall-1-INPUT chain also accepts ICMP, IPsec ESP and AH, multicast DNS (udp 5353 to 224.0.0.251) and IPP printing (udp 631) from anywhere. I meant to allow only SSH into my machine, but it seems Red Hat has other ideas.

Several issues come to mind when viewing this configuration. If I were a cyber-criminal, I would now know what the signature for a Red Hat system was so that I could exploit it based on the ports that are open by default. I could do a mass portscan with nmap, hping2, or another port scanner, and identify systems to match with known vulnerabilities. This is why it is very important to know your system, or pay someone to know your system, and to use third-party tools to verify the security of your system.
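As an added example (not part of the original post), here is a small shell/awk audit that does by script what the paragraph above does by eye: it reads an 'iptables -L -v -n' listing and prints every ACCEPT rule that admits new inbound traffic, skipping loopback-only rules and rules limited to RELATED,ESTABLISHED replies. The embedded SAMPLE is the listing shown further down in this post; the script does not model rule order, so a rule shadowed by an earlier DROP is still reported.

```shell
#!/bin/sh
# Added example, not from the original post: list the ACCEPT rules in an
# 'iptables -L -v -n' listing that admit NEW inbound traffic, i.e. the
# rules a port scanner would see.  Rule ordering is not modelled, so a
# rule shadowed by an earlier DROP is still reported.
# SAMPLE is the post's second listing, trimmed to the two chains of interest.
SAMPLE='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target prot opt in out source destination
37548 26M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
12 672 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
75 5864 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
311K 434M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
988 59180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
63650 3290K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain block (2 references)
 pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- !eth+ * 0.0.0.0/0 0.0.0.0/0 state NEW
52 3120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 697 DROP all -- * * 0.0.0.0/0 0.0.0.0/0'

# Reads a listing on stdin; prints "chain proto destination extra" for each
# ACCEPT rule that is neither loopback-only nor limited to reply traffic.
open_accepts() {
    awk '
        /^Chain / { chain = $2; next }        # remember which chain we are in
        $1 == "pkts" || NF == 0 { next }      # header and blank lines
        $3 != "ACCEPT" { next }               # only ACCEPT targets matter here
        $6 == "lo" || $6 ~ /^!/ { next }      # loopback (or "not external") only
        /RELATED,ESTABLISHED/ { next }        # replies to inside-initiated traffic
        {
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra " " $i
            print chain, $4, $9 extra
        }'
}

printf '%s\n' "$SAMPLE" | open_accepts
```

Run against a live box with 'iptables -L -v -n | sh -c ". ./audit.sh; open_accepts"' or simply pipe the listing into the function; six rules are reported for the sample, of which only the tcp dpt:22 one was intended.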

The important thing to do at this point is to close the holes in the firewall that do not belong there. I have adopted a method taken from an IPTables/Netfilter tutorial: create a block table (in iptables terms, a user-defined chain) that INPUT and FORWARD jump to, and then go back and add further tables for each service you want reachable. I will demonstrate how to do this here:

Create the block table:
iptables -N block

Then, add rules to the block table to allow loopback traffic and related or established traffic in. The first rule accepts new connections only on interfaces that do not match eth+ (in practice, loopback); the second accepts replies to connections that were initiated from the inside:
iptables -A block -i ! eth+ -m state --state NEW -j ACCEPT
iptables -A block -m state --state RELATED,ESTABLISHED -j ACCEPT

Next, add a rule to drop all other traffic:
iptables -A block -j DROP

Finally, reference the block table from the INPUT and FORWARD tables, inserting it at position 1 so it is evaluated before the Red Hat chain:
iptables -I INPUT 1 -j block
iptables -I FORWARD 1 -j block

View the results with 'iptables -L -v -n':

[root@primary ~]# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
59 3817 block all -- * * 0.0.0.0/0 0.0.0.0/0
413K 463M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 block all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 301K packets, 50M bytes)
pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
37548 26M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
12 672 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
75 5864 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
311K 434M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
988 59180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
63650 3290K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain block (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- !eth+ * 0.0.0.0/0 0.0.0.0/0 state NEW
52 3120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 697 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

You will note that the block table is referenced above the Red Hat default table, so all traffic goes through the block table and never reaches the Red Hat table. The firewall is now at a good starting point and will block all traffic not requested from the inside first. Now the Red Hat firewall table can be de-referenced and deleted, as shown: the two -D commands remove the jumps (now rule 2 in INPUT and FORWARD), -F empties the chain, and -X deletes it, which only works once the chain is empty and unreferenced:

iptables -D INPUT 2
iptables -D FORWARD 2
iptables -F RH-Firewall-1-INPUT
iptables -X RH-Firewall-1-INPUT

Now, with another 'iptables -L -v -n', you will see that the configuration is ready to be saved and tweaked for specific uses. Save the configuration with '/etc/init.d/iptables save active'.

The next step for this specific setup is to allow SSH access into the machine. This is done using the same concept as before, by creating a table for this service and adding it to the INPUT and FORWARD tables when it is ready. The commands used are as follows:

iptables -N ssh_table
iptables -A ssh_table -p tcp --dport 22 -j ACCEPT

Now we reference this table from the INPUT and FORWARD tables. It goes at position 1, ahead of the block table, because block ends with an unconditional DROP that would otherwise discard a new SSH connection before this rule is consulted:

iptables -I INPUT 1 -j ssh_table
iptables -I FORWARD 1 -j ssh_table

Finally, save the changes:
/etc/init.d/iptables save active
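The whole procedure above as one script, added here and not from the original post. It assumes the post's starting state (the Red Hat chain referenced at rule 1 of INPUT and FORWARD), external interfaces matching EXT_IF, and it creates one table per TCP port in TCP_PORTS (the post opens only 22); set IPT="echo iptables" to print the commands instead of running them, which is how to review it before applying it as root.

```shell
#!/bin/sh
# Added example, not from the original post: the post's procedure as a
# single script.  Assumptions: external interfaces match EXT_IF, the
# distribution's chain is named RH_CHAIN, TCP_PORTS lists the services to
# expose.  IPT="echo iptables" prints the commands instead of running them.
IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth+}
RH_CHAIN=${RH_CHAIN:-RH-Firewall-1-INPUT}
TCP_PORTS=${TCP_PORTS:-22}

apply_rules() {
    # 1. block table: new connections only from non-external interfaces,
    #    replies to inside-initiated traffic, drop everything else.
    #    ("-i ! eth+" is the negation syntax of the iptables of that era.)
    $IPT -N block
    $IPT -A block -i ! "$EXT_IF" -m state --state NEW -j ACCEPT
    $IPT -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A block -j DROP
    $IPT -I INPUT 1 -j block
    $IPT -I FORWARD 1 -j block

    # 2. Remove the distribution's table: delete the jumps by match rather
    #    than by position, flush, then delete (-X needs an empty, unreferenced chain).
    $IPT -D INPUT -j "$RH_CHAIN"
    $IPT -D FORWARD -j "$RH_CHAIN"
    $IPT -F "$RH_CHAIN"
    $IPT -X "$RH_CHAIN"

    # 3. One table per exposed service, inserted ahead of block so the new
    #    connection is accepted before block's DROP sees it.
    for port in $TCP_PORTS; do
        $IPT -N "tcp_${port}_table"
        $IPT -A "tcp_${port}_table" -p tcp --dport "$port" -j ACCEPT
        $IPT -I INPUT 1 -j "tcp_${port}_table"
        $IPT -I FORWARD 1 -j "tcp_${port}_table"
    done
}
```

After a real run, persist the result with '/etc/init.d/iptables save active' as in the post, and re-check the listing.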

Take another look at your configuration and make sure it looks right. This small tutorial does not even touch on the many, many capabilities of IPTables/Netfilter, but it does provide a starting point to secure your system from many overt and brute-force attacks.
