[TUTORIAL] Expert Linux Firewalling

Discussion in 'all things UNIX' started by amarildojr, Jun 8, 2015.

  1. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    503
    Location:
    Member state of European Union
    Frankly, for me this is overkill and a little messy.
    Especially, I don't like blocking ICMP traffic. It is an important way of communicating, e.g. that the MTU on some part of the source/destination route is smaller than the sent packet size.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,732
    Yes, that's a great set of rules, with good commenting.

    I prefer iptables-persistent, because it's easier to load a test ruleset, and know that the default will be back after reboot.

    Also, it'd be cool to have options for using Tor and VPNs securely. For Tor, only allowing output on eth0 from the tor user. And for VPNs, only allowing output on eth0 to the VPN server(s).
     
  3. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    573
    Location:
    Lugdunum
    I also use iptables-persistent for loading this set of rules.

    rules.
     
  4. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    573
    Location:
    Lugdunum
    Yes sure, but I still prefer blocking ICMP traffic; opinions are very confused about that.
    More info here:
    http://shouldiblockicmp.com/
    rules.
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    503
    Location:
    Member state of European Union
    So why don't you read it?
     
  6. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    573
    Location:
    Lugdunum
    Of course I already read it :)
    I've had no problem on my network for years.
     
  7. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    503
    Location:
    Member state of European Union
    It's kind of a miracle that the Internet still works with all those misconfigured devices connected to the network.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,732
    There's no reason why his LAN router or local machines should be acknowledging or responding to ping requests. Nothing should be pinging them. And if something is, he's right to ignore it. If it's needed to fix some problem, he can enable it temporarily.

    Edit: OK, I didn't think about VPN services. It's the norm for VPN clients to periodically ping servers, to keep connections alive while idle. However, with proper firewall rules, ping (and everything else via LAN adapter) can only go to/from VPN servers. Also, custom VPN clients may ping all VPN servers, and sometimes other stuff, as part of connection optimization. But then, I don't use custom VPN clients.
     
    Last edited: Jul 5, 2018
  9. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    573
    Location:
    Lugdunum
    Couldn't agree more :thumb:
     
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    503
    Location:
    Member state of European Union
    I agree, but he is not blocking only ping requests... He is blocking all ICMP traffic, both ingress and egress. Every single ICMP packet is dropped. ICMP is much more than ping...
     
  11. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    573
    Location:
    Lugdunum
    After further investigation, you're almost right @reasonablePrivacy. ICMP for IPv4 works differently compared to IPv6 (where, if I'm not mistaken, it is needed for IPv6 to work properly).
    But like @mirimir said, you can block all ICMP packets if you want.
    So for now I have removed ICMP blocking and traceroute blocking.

    rules.
     
  12. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    503
    Location:
    Member state of European Union
    I think a default deny policy in the INPUT table and ACCEPT for every ESTABLISHED,RELATED packet is just enough, at least for an IPv4-only network.
    If you want to disable some ICMP-related system behaviour, like answering ping requests, you can do this via sysctl:
    Code:
    sysctl net.ipv4.icmp_echo_ignore_all="1"
    sysctl net.ipv4.conf.all.accept_redirects="0"
    There should be a file for sysctl that is read during boot, but the path is distribution specific, so just search the manual/FAQ/handbook of your distribution for where that file is.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,732
    OK, what I said applies to all ICMP traffic. Why do you want to allow any of that? It's all snooping, in one way or another. And if something that you want breaks, such as the VPN example, you fix it.

    And about IPv6, I don't use it at all. Because I still worry about information leakage.
     
  14. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    503
    Location:
    Member state of European Union
    For example, it helps determine the MTU. Is it snooping? I don't think so.
    BTW, determining the MTU is harder when somebody tunnels connections via e.g. VPN, SSH or Tor.
    Note that I advocated above accepting only incoming ICMP packets in the "ESTABLISHED,RELATED" state (at least for an IPv4-only network), not all incoming ICMP packets. You are already connected by TCP or exchanging packets by UDP with the IP address that is sending you that ICMP packet. If you have all incoming ports closed, you can actually be sure you initiated that. So why do you try to prevent determining optimal connection parameters?
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,732
    Because that helps adversaries learn more about your connection path.
     
  16. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    503
    Location:
    Member state of European Union
    They must already be in your connection path to intercept ICMP packets in the "ESTABLISHED,RELATED" state. That means they are already doing MitM-kind of interception. If that is not the case, the firewall will drop packets from them.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,732
    It's not MitM that concerns me. It's precisely "determining optimal connection parameters". Because that can reveal stuff like the number of VPN layers.
     
  18. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    573
    Location:
    Lugdunum
    So to sum up, blocking ICMP can prevent some bad stuff (ping sweeps, ping floods, ICMP tunneling, forged ICMP redirects and other network reconnaissance), but in the meantime PMTUD, TTL and ICMP redirects are not handled properly.
    And for IPv6, yes @mirimir, leaking information is real, but all recent distros (Linux, Windows...) check for IPv6 (less latency) before IPv4.
    Nowadays IPv4 is still the most used, so if you have the option in both router and computer, it's better to disable IPv6.

    rules
     
  19. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    503
    Location:
    Member state of European Union
    I don't know whether this is a technically valid objection, but more importantly...
    come on. This guide is for a general audience. A minority of users use VPNs. A minority of VPN users use chained VPNs. You are in a minority of a minority. You can't expect every guide on the Internet to fit your use cases. You have chosen how you interact with the Internet and you are on your own.

    Blocking all ICMP or accepting all ICMP is a false dichotomy.
    The best solution for the vast majority of IPv4 users is something in between: block some ICMP while leaving other ICMP packets accepted. Keep accepting ESTABLISHED,RELATED ICMP packets and harden your OS using the aforementioned sysctl parameters.
     
    Last edited: Jul 11, 2018
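    The "middle ground" from the post above, written out as an added example (not a ruleset from this thread or from the original tutorial): a default-deny INPUT chain that only accepts conntrack ESTABLISHED,RELATED traffic, so ICMP errors tied to your own flows (such as "fragmentation needed", which PMTUD relies on) still get through while unsolicited ICMP is dropped, plus the sysctl hardening mentioned earlier. It assumes an IPv4-only host without forwarding; the script prints the rules for review unless APPLY=1 is set and it runs as root.

    ```shell
    #!/bin/sh
    # Added example: ESTABLISHED,RELATED-only ICMP policy plus sysctl hardening.
    # Assumption: single IPv4 host, no forwarding, no listening services to open.

    # Ruleset in iptables-restore format. Printing rather than applying lets it be
    # reviewed or diffed against 'iptables-save' output before it is loaded.
    icmp_middle_ground_rules() {
        cat <<'EOF'
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    # Loopback is trusted.
    -A INPUT -i lo -j ACCEPT
    # Replies to flows this host started, including ICMP errors that conntrack
    # links to an existing flow (e.g. type 3 code 4 "fragmentation needed").
    -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Everything else (echo-request, redirects, timestamp queries, scans) hits
    # the DROP policy, so no explicit per-type ICMP rules are needed.
    COMMIT
    EOF
    }

    # Kernel-side settings from the thread, in key=value form so the same text
    # works both for 'sysctl -w' and for a sysctl.conf-style file.
    icmp_sysctl_settings() {
        cat <<'EOF'
    net.ipv4.icmp_echo_ignore_all=1
    net.ipv4.conf.all.accept_redirects=0
    net.ipv4.conf.default.accept_redirects=0
    EOF
    }

    # Apply only when explicitly asked and privileged; otherwise print for review.
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        icmp_middle_ground_rules | iptables-restore
        icmp_sysctl_settings | while IFS= read -r kv; do
            [ -n "$kv" ] && sysctl -w "$kv"
        done
    else
        icmp_middle_ground_rules
        icmp_sysctl_settings
    fi
    ```

    To make the sysctl part survive a reboot, save the printed key=value lines into your distribution's sysctl configuration file, as the earlier post suggests.
    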
  20. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    573
    Location:
    Lugdunum
    Yes thanks, already done, IPv6 disabled too via sysctl and Network Manager.
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1

    sysctl -p to check.

    rules.
     
    Last edited: Jul 12, 2018