How to configure optimal IPtables security settings
CentOS has an extremely powerful firewall built in, commonly referred to as iptables, but more accurately is iptables/netfilter. Iptables is the userspace module, the bit that you, the user, interact with at the command line to enter firewall rules into predefined tables. Netfilter is a kernel module, built into the kernel, that actually does the filtering. There are many GUI front ends for iptables that allow users to add or define rules based on a point and click user interface, but these often lack the flexibility of using the command line interface and limit the users understanding of what's really happening. We're going to learn the command line interface of iptables.
Iptables places rules into predefined chains (INPUT, OUTPUT and FORWARD) that are checked against any network traffic (IP packets) relevant to those chains and a decision is made about what to do with each packet based upon the outcome of those rules, i.e. accepting or dropping the packet. These actions are referred to as targets, of which the two most common predefined targets are DROP to drop a packet or ACCEPT to accept a packet.
Chains
These are 3 predefined chains in the filter table to which we can add rules for processing IP packets passing through those chains. These chains are:
INPUT - All packets destined for the host computer.
OUTPUT - All packets originating from the host computer.
FORWARD - All packets neither destined for nor originating from the host computer, but passing through (routed by) the host computer. This chain is used if you are using your computer as a router.
For the most part, we are going to be dealing with the INPUT chain to filter packets entering our machine - that is, keeping the bad guys out.
So let us see the initial CLI commands. All of the freshly installed Centos machines have not IPTables rules defined. But just to be sure we will flush all of the settings.
Another rule we can add is to prevent SYN flood attacks, and to block the TCP packets that have the NULL value in the header. These packets are usually destined to DDOS the remote server.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
In information technology, a Christmas tree packet is a packet with every single option set for whatever protocol is in use. We should also apply a packet filter to deny the XMAS packets.
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Now we can start adding selected services to our firewall filter. The first such thing is a localhost interface. We tell iptables to add (-A) a rule to the incoming (INPUT) filter table any trafic that comes to localhost interface (-i lo) and to accept (-j ACCEPT) it. Localhost is often used for, ie. your website or email server communicating with a database locally installed.
iptables -A INPUT -i lo -j ACCEPT
Now we should add some basic input chain filter for WEB and SMTP traffic.
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
The next thing is to allow SSH traffic for remote managament of the Centos server.
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
To wrap up the CHAIN settings we should allow ESTABLISHED connections out of the Centos Server.
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The last setting before saving the iptables rules is to allow all OUTGOING connections and to block every other traffic towards our Centos Server.
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
Finally , when we have done the basic setup we must save all of the settings to a file.
iptables-save /etc/sysconfig/iptables
This is all that is needed for an optimal Firewall settings. More to come.
Feel free to comment.
No comments:
Post a Comment