[TUTORIAL] Expert Linux Firewalling

Discussion in 'all things UNIX' started by Amanda, Jun 8, 2015.

  1. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,001
    Location:
    Member state of European Union
    Frankly for me this is overkill and a little messy.
    Especially, I don't like blocking ICMP traffic. It is an important way of communicating, e.g. that the MTU on some part of the source/destination route is smaller than the sent packet size.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, that's a great set of rules, with good commenting.

    I prefer iptables-persistent, because it's easier to load a test ruleset, and know that the default will be back after reboot.

    Also, it'd be cool to have options for using Tor and VPNs securely. For Tor, only allowing output on eth0 from the tor user. And for VPNs, only allowing output on eth0 to the VPN server(s).
     
  3. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
    I also use iptables-persistent for loading this set of rules.

    rules.
     
  4. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
    Yes, sure, but I still prefer blocking ICMP traffic; opinions are very confused about that.
    More info here:
    http://shouldiblockicmp.com/
    rules.
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,001
    Location:
    Member state of European Union
    So why don't you read it?
     
  6. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
    Of course I already read it :)
    I've had no problem on my network for years.
     
  7. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,001
    Location:
    Member state of European Union
    It's kind of a miracle that the Internet still works with all those misconfigured devices connected to the network.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    There's no reason why his LAN router or local machines should be acknowledging or responding to ping requests. Nothing should be pinging them. And if something is, he's right to ignore it. If it's needed to fix some problem, he can enable it temporarily.

    Edit: OK, I didn't think about VPN services. It's the norm for VPN clients to periodically ping servers, to keep connections alive while idle. However, with proper firewall rules, ping (and everything else via LAN adapter) can only go to/from VPN servers. Also, custom VPN clients may ping all VPN servers, and sometimes other stuff, as part of connection optimization. But then, I don't use custom VPN clients.
     
    Last edited: Jul 5, 2018
  9. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
    Couldn't agree more :thumb:
     
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,001
    Location:
    Member state of European Union
    I agree, but he is not blocking only ping requests... He is blocking all ICMP traffic. Both ingress and egress. Every single ICMP packet is dropped. ICMP is much more than ping...
     
  11. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
    After further investigation, you're almost right @reasonablePrivacy. ICMP for IPv4 works differently compared to IPv6 (where, if I'm not mistaken, it is needed for IPv6 to work properly).
    But like @mirimir said, you can block all ICMP packets if you want.
    So for now I'll remove ICMP blocking and traceroute blocking.

    rules.
     
  12. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,001
    Location:
    Member state of European Union
    I think a default deny policy in the INPUT table and ACCEPT for every ESTABLISHED,RELATED packet is just enough, at least for an IPv4-only network.
    If you want to disable some ICMP-related system behavior, like answering ping requests, you can do this by sysctl:
    Code:
    # do not answer ICMP echo requests (ping) at all
    sysctl net.ipv4.icmp_echo_ignore_all="1"
    # ignore ICMP redirects so a peer cannot rewrite our routes
    sysctl net.ipv4.conf.all.accept_redirects="0"
    There should be a file for sysctl that is read during boot, but the path is distribution specific, so just search the manual/FAQ/handbook of your distribution for where that file is.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, what I said applies to all ICMP traffic. Why do you want to allow any of that? It's all snooping, in one way or another. And if something that you want breaks, such as the VPN example, you fix it.

    And about IPv6, I don't use it at all. Because I still worry about information leakage.
     
  14. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,001
    Location:
    Member state of European Union
    For example, it helps determine the MTU. Is it snooping? I don't think so.
    BTW, determining the MTU is harder when somebody tunnels connections by e.g. VPN, SSH or Tor.
    Note that I advocated above accepting only incoming ICMP packets in the "ESTABLISHED,RELATED" state (at least for an IPv4-only network), not all incoming ICMP packets. You are already connected by TCP or exchanging packets by UDP with the IP address that is sending you that ICMP packet. If you have all the incoming ports closed, you can actually be sure you initiated that. So why do you try to prevent determining optimal connection parameters?
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Because that helps adversaries learn more about your connection path.
     
  16. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,001
    Location:
    Member state of European Union
    They must be already in your connection path to intercept icmp packets in "ESTABLISHED,RELATED" state. That means they are already doing MitM-kind of interception. If that is false, firewall will drop packets from them.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It's not MitM that concerns me. It's precisely "determining optimal connection parameters". Because that can reveal stuff like the number of VPN layers.
     
  18. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
    So to sum up, blocking ICMP can prevent some bad stuff (ping sweeps, ping floods, ICMP tunneling, forged ICMP redirects and other network reconnaissance), but at the same time PMTUD, TTL and ICMP redirects are not handled properly.
    And for IPv6, yes @mirimir, the information leaks are real, but all recent distros (Linux, Windows, ...) check for IPv6 (less latency) before IPv4.
    Nowadays IPv4 is still the most used, so if you have the option in both router and computer, it's better to disable IPv6.

    rules
     
  19. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,001
    Location:
    Member state of European Union
    I don't know whether this is a technically valid objection, but more importantly...
    come on. This guide is for a general audience. A minority of users use VPNs. A minority of VPN users use chained VPNs. You are in a minority of a minority. You can't expect every guide on the Internet to fit your use cases. You have chosen how you interact with the Internet and you are on your own.

    Blocking all ICMP or accepting all ICMP is a false dichotomy.
    The best solution for the vast majority of IPv4 users is something in between: block some ICMP while leaving other ICMP packets accepted. Keep accepting ESTABLISHED,RELATED ICMP packets and harden your OS using the aforementioned sysctl parameters.
     
    Last edited: Jul 11, 2018
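    To make the two proposals in this thread concrete (the "middle ground" ICMP policy above, and mirimir's earlier idea of only letting eth0 traffic out for the tor user or to the VPN server), here is an added example that is not from any post in the thread: a small sh function that prints a rules.v4 in iptables-restore format. WAN_IF, VPN_SERVER, VPN_PORT and TOR_USER are placeholders I chose, not values from the thread; the address is a constructed TEST-NET one.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders (assumptions): edit
# these for your host. 203.0.113.10 is a constructed TEST-NET-3 address.
WAN_IF="${WAN_IF:-eth0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
TOR_USER="${TOR_USER:-debian-tor}"

# gen_rules MODE -> prints a rules.v4; MODE is "plain", "vpn" or "tor"
gen_rules() {
    mode="${1:-plain}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, then drop packets conntrack cannot classify
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP only when it belongs to a flow this host started (PMTUD
# frag-needed, port/host unreachable, replies to our own pings);
# unsolicited echo-request and everything else ICMP is dropped
-A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
    case "$mode" in
        vpn)
            cat <<EOF
# egress on the WAN interface only to the VPN server; all other
# traffic must leave through the tunnel interface instead
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
-A OUTPUT -o $WAN_IF -j DROP
EOF
            ;;
        tor)
            cat <<EOF
# egress on the WAN interface only for the tor daemon's uid
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $WAN_IF -m owner --uid-owner $TOR_USER -j ACCEPT
-A OUTPUT -o $WAN_IF -j DROP
EOF
            ;;
    esac
    echo COMMIT
}

# usage (as root): gen_rules vpn > /etc/iptables/vpn-rules.v4
#                  iptables-restore < /etc/iptables/vpn-rules.v4
```

    Generating one file per mode fits the multiple-ruleset workflow described later in the thread, and iptables-restore applies the whole file atomically, so a typo leaves the previous rules in place rather than a half-loaded set.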
  20. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
    Yes, thanks, already done; IPv6 disabled too via sysctl and Network Manager.
    Code:
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1

    sysctl -p for checking.


    rules.
     
    Last edited: Jul 12, 2018
  21. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Guys, these rules are just examples and are personal to what I'd do, and if you know enough about iptables or networking in general you'll obviously decide for yourself whether you want to block ICMP or not, or even whether to block anything on the output or not.
    As a general rule of thumb, though, I always block any form of "hey, are you there" attempts into whatever firewalls I'm managing, as long as they're not commercial.

    Thanks. I forgot to put this on the thread :p I'll ask the admins for permission to edit this thread, so I can edit the first post.
     
  22. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
    TIP: this script works prior to applying some iptables rules on almost all distros (I guess), but if you want to flush the rules (using the script) which are already set, I recommend deleting iptables-persistent (Mint, Debian, ...) and re-installing it after the new set of rules. But for Arch, if you don't stop/disable the service ("sudo systemctl stop iptables.service") and delete /etc/iptables/iptables.rules, at next boot the rules are duplicated.

    rules.
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Rather than running scripts, I prefer to use iptables-persistent, and directly edit /etc/iptables/rules.v4 and /etc/iptables/rules.v6. That way, it's easy to have multiple sets of rules. To load:
    Code:
    # iptables-restore < /etc/iptables/rules.v4
    # ip6tables-restore < /etc/iptables/rules.v6
    So you can have open-rules.v4, test-rules.v4, tor-rules.v4 and so on.

    If something screws up, just reboot, and rules.v4 and rules.v6 are loaded.
     
  24. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,001
    Location:
    Member state of European Union
    Real-life example of what problems blocking ICMP (or ICMPv6, provided you have IPv6 connectivity) packets can bring.
    https://www.jethrocarr.com/2013/02/09/ip6tables-ipv6-icmp-vs-icmp/

     
  25. seco

    seco Registered Member

    Joined:
    Aug 28, 2018
    Posts:
    1
    Location:
    Egypt
    Iptables firewall, old way of saving rules:
    Code:
    # iptables-save > /etc/sysconfig/iptables
    Or in CentOS 7, you can use the following command:
    Code:
    # service iptables save
    And to restore the saved rules, you can use the following command:
    Code:
    # iptables-restore < /etc/sysconfig/iptables
    This article shows many things about iptables rules: https://likegeeks.com/linux-iptables-firewall-examples/
    For me, I didn't like ufw at all. I like everything without encapsulation :)
     