Does iptables Policy "DROP" provide an absolute back-stop?

Discussion in 'other firewalls' started by boombaby, Sep 11, 2018.

  1. boombaby

    boombaby Registered Member

    Joined:
    Apr 16, 2016
    Posts:
    11

    Hello, Any...


    Recently I posted a question in the Security section of a different forum, a Linux forum. The question was about using an "iptables-based" firewall under Linux. You can read the question and my follow-up here...

    https://www.linuxquestions.org/ques...cy-settings-the-perfect-back-stop-4175638113/

    ...in Posts #1 and #3.


    At this time I have not had any further response. (That is not meant in ANY negative way about the Forum, because - as you know - the right person has to read a question and then respond, and then the OP has to understand. Right? So, "NOT meant to be negative".)

    Nevertheless, I thought perhaps this "Security-dedicated" Forum (ie WILDERS) would be another good approach - albeit broadscale, and not necessarily concerned solely with Linux.

So can you read the posts and give a response here (or there, if you are a Member)?

    (If the Forum Moderator here believes some kind of explanatory post herein would be better then let me know, and I will do that.)


    Regards,
    boombaby
    _
     
  2. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    508
    There are also chains that you have to set up rules for.
    Allow what you need and then drop all the others. You could make rules for dropping non-destined packets explicitly.
    You can also use Tarpit instead of drop.
    If you take the time and read the internet resources you will find ways to get what you need.
    Basically you have Input, Forward and Output chains that depending on the OS implementation may apply rules in specific ways.
    Then it depends if you use the nix OS as a router/gateway, server or as a simple client.
    If no Drop all exists at the end of the table you may be open to the outside world on some ports.
    Depending on the OS vulnerabilities those open ports may take inbound connections for granted so be aware.
     
  3. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,839
    Location:
    Serbia
    I have never used iptables so I'll just say how a packet filter in general should behave, hopefully it'll be of some help. Pasting from the other forum - -

    With a DROP policy at the end of the ruleset, any uninitiated connection should be dropped (as in not replied to with a RST flag), including the inbound SSH. If you initiate a SSH connection with an outbound request, then by the 3-way handshake the inbound packets are allowed. To simplify, you do not need an explicit rule to block (or allow, unless you're running a SSH server) inbound SSH.
    That would depend on what's unwanted to you. The DROP ALL policy is enough to stop uninitiated inbound connections.

    A drop all rule should be at the end of every ruleset ever made.
    Unfortunately no. These attacks use legitimate packets (the ones allowed in most rulesets), that's what makes them so bad. You would need a specific rule for each.
    Assuming iptables are stateful, this is how they should behave. OTOH if not, that's a different story.
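As an added example (not posted by anyone in this thread), here is what the two posts above describe put into one concrete ruleset: a default DROP policy on INPUT and FORWARD as the back-stop, with the "allow what you need" rules on top and the stateful rule that lets replies to connections this host initiated back in. The script only prints the ruleset in iptables-restore format unless run with `--apply`, so it can be reviewed first; the port argument and the `--apply` flag are conventions of this example, not of iptables itself.

```shell
#!/bin/sh
# Added example for a simple client host: default-DROP back-stop plus explicit
# allows. Prints the ruleset; applies it only when run as: sh rules.sh --apply

# build_ruleset PORT
#   PORT is the one inbound service to accept NEW connections on (e.g. 22 for
#   an SSH server). Pass an empty string to run no inbound service at all.
build_ruleset() {
    port="$1"
    cat <<EOF
*filter
# The policies are the back-stop: a packet that matches no ACCEPT rule is
# dropped silently (no RST, no ICMP unreachable). OUTPUT stays ACCEPT here
# because this is a plain client, not a router.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic never leaves the host; always allow it.
-A INPUT -i lo -j ACCEPT
# Stateful core: packets belonging to a connection this host started (the
# 3-way handshake mentioned above) or related to one (e.g. ICMP errors) pass.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets the connection tracker cannot classify are discarded explicitly.
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Only open a port if an inbound service actually runs on it.
    if [ -n "$port" ]; then
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    fi
    cat <<EOF
# Rate-limited log of what is about to hit the DROP policy, for later review.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# count_new_allows PORT: number of rules accepting NEW inbound connections.
# This is the attack surface the DROP policy does not cover; keep it small.
count_new_allows() {
    build_ruleset "$1" | grep -c -- '--ctstate NEW -j ACCEPT' || true
}

# Default: an SSH server on port 22; override with SSH_PORT= for none.
SSH_PORT="${SSH_PORT-22}"

if [ "$1" = "--apply" ]; then
    # Needs root. iptables-restore loads the whole table atomically.
    build_ruleset "$SSH_PORT" | iptables-restore
else
    build_ruleset "$SSH_PORT"
fi
```

Note what the stateful rule does and does not do: an unsolicited inbound SYN to port 22 with no service rule hits the DROP policy, while the return traffic of an outbound SSH session matches ESTABLISHED, so no per-service "block" rules are needed. Anything arriving on a port you did open with a NEW rule is legitimate as far as the filter is concerned, which is the point made above that such traffic needs its own specific rules.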
     
  4. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,839
    Location:
    Serbia
    Really? That's interesting, and fun to play with though I wonder how the implementation of a virtual LAN would be practical (or useful for that matter) in a home environment.
     
  5. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    508
    Mikrotik allows tarpit in a cheap home device :)
     
  6. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,839
    Location:
    Serbia
    Yes, I did play with this at home (long ago), for the sake of it.
    But it is really an... overkill at least.
     