This topic was published by DevynCJohnson.
"iptables" is the command-line tool for managing the Linux firewall rules (packet filtering, NAT and packet mangling) implemented by the kernel's netfilter framework. iptables has several tables (filter, nat, mangle and raw), each table contains chains (built-in chains such as INPUT, OUTPUT and FORWARD, plus any user-defined ones), and each chain holds an ordered list of rules that decide what happens to a packet. A packet is compared with the rules of a chain from top to bottom and the first rule that matches and has a target decides its fate, so the order in which rules are added matters. To summarize the structure of iptables, there are Tables > Chains > Rules.
This article provides various tips and tricks for "iptables" rules that can be added to a desktop system to make a stronger firewall. The commands must be executed with root privileges.
NOTE: Rules added with "iptables" live only in the running kernel and are lost on reboot. Install "iptables-persistent" (Debian/Ubuntu) to have the rules saved and reloaded at boot.
Actions
- ACCEPT - Let the packet through; no further rules in the chain are examined
- DROP - Discard the packet silently; neither the source nor the destination is told
- QUEUE - Hand the packet to a user-space program through the nfnetlink_queue interface, which then decides its fate; the modern form is the NFQUEUE target, which takes a queue number
- REJECT - Discard the packet like DROP, but send an error back to the source (an ICMP port-unreachable message by default; "--reject-with tcp-reset" sends a TCP RST instead)
- RETURN - Stop traversing the current chain and continue with the next rule in the chain that called it; in a built-in chain, RETURN means the chain's default policy applies
Secure Rules
The rules below are grouped by the attack they address and are appended to the INPUT chain in the order shown. Because the first matching rule wins, position matters: accept traffic on the loopback interface and on established connections before the drop rules, put the port-scan "trap" rules last, and set the INPUT chain's default policy to DROP so that the rate-limit rules (which only ACCEPT up to a limit) have something to fall through to. "-m state --state" is the older spelling of "-m conntrack --ctstate"; both work on current kernels. In "--tcp-flags MASK COMP", MASK is the list of flags to examine and COMP the flags that must be set among them; "FIN,SYN,RST,PSH,ACK,URG" is the same as "ALL".

# Drop TCP packets with illegal or suspicious flag combinations
iptables -A INPUT -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Drop packets that claim the loopback address as source but arrive on a real interface (address spoofing)
# Traffic on the "lo" interface itself must be accepted by an earlier rule, or local services will break.
iptables -A INPUT -p all -s localhost -i wlan0 -j DROP
iptables -A INPUT -p all -s localhost -i eth0 -j DROP

# Drop Fragments
# "-f" matches the second and later fragments of a datagram. When connection tracking is loaded, IPv4 packets are reassembled before the filter table sees them, so this rule rarely matches; where it does match, it breaks legitimate fragmented traffic.
iptables -A INPUT -f -j DROP

# Drop ICMP echo-request (ping) packets
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
# Do not respond to pings
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

# Drop Invalid Packets (packets that belong to no tracked connection and do not start a new one)
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Drop LAND (Local Area Network Denial) Packets
# In this attack, the source address of the packet is spoofed to be the target's own IP address, so source and destination are the same. The rule below does not compare source and destination; it drops packets with a loopback source that arrive on any interface other than "lo", which covers the loopback variant of the attack and loopback spoofing in general. Without "! -i lo" the rule would also drop genuine loopback traffic. To cover the machine's real address, add a similar rule with that address as the source on the external interface.
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# Drop Null Packets (TCP packets with no flags set)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Rate-limit RST Packets (RST floods; this is unrelated to Smurf attacks, which use ICMP)
# This rule only ACCEPTs up to two RST packets per second. RSTs above the limit are not dropped by it; they fall through to the rules that follow and, ultimately, to the chain's default policy, which must therefore be DROP for the limit to have any effect.
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

## Drop Smurf-Attacks
# A Smurf attack sends a large number of ICMP echo-request packets to a network's broadcast address with the source IP address spoofed to be the target's. Every machine on that network receives the broadcast and replies to the target with echo-reply packets. One way to block this attack is to block all ICMP packets. However, if that cannot be done, then a limit may be applied to the ICMP packets allowed. Note that the final DROP also discards ICMP destination-unreachable messages, including "fragmentation needed" (type 3, code 4), which breaks path MTU discovery; accept that type before the DROP if large transfers start to hang.
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A INPUT -p icmp -j DROP

# Drop Spank DoS Attacks
# Computers answer TCP packets that come from a multicast address. This can be used for the Spank DoS attack or for stealth scans. 240.0.0.0/4 is the whole reserved ("class E") range, and 239.255.255.0/24 is already inside 224.0.0.0/4. On a desktop, dropping packets destined to 224.0.0.0/4 and 255.255.255.255 also discards LAN service discovery (mDNS, SSDP) and may interfere with broadcast DHCP replies; check that DHCP still works after loading these rules.
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/4 -j DROP
iptables -A INPUT -d 240.0.0.0/4 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

# Limit SYN Floods
# This is a type of DoS (Denial of Service) attack. Caution: the ACCEPT rule admits up to two new TCP connections per second to ANY port, and the DROP rule discards every other new TCP connection, so no rule appended after this pair can ever accept a new TCP connection. Put the ACCEPT and DROP rules for the services you offer before this pair, or restrict both rules to a port with "--dport".
iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -j DROP

# Drop XMAS Packets
# A "Christmas tree" packet is a TCP packet with the FIN, PSH and URG flags set (the combination sent by nmap's -sX scan) or with every flag set; the header is said to be "lit up like a Christmas tree". Neither combination occurs in a legitimate connection.
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Prevent Port-scans
# The "recent" match keeps a kernel list named "portscan" of source addresses. The --rcheck rules drop every packet from a listed address while its entry is younger than --seconds; the --remove rules then clear entries that have expired. Use only one of the two lock-out durations.
# Lock-out systems that attempted a port-scan (lock lasts a day)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove
# Lock-out systems that attempted a port-scan (lock lasts a week)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 604800 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 604800 -j DROP
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove
# Log Port-Scan Attempts and add the sender to the "portscan" list
# These "--set" rules treat every packet that reaches them as a scan and lock the sender out. They must be the last rules in the chain, after the ACCEPT rules for the services you offer; otherwise legitimate clients are logged and locked out. On a busy host, add "-m limit" to the LOG rule so that a scan cannot flood the system log.
iptables -A INPUT -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -m recent --name portscan --set -j DROP
iptables -A FORWARD -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -m recent --name portscan --set -j DROP

# Block Packets used by Port-Scans
# Rules from this group that repeat a rule already added above (ALL NONE, ALL ALL, ALL FIN, ALL FIN,PSH,URG, SYN,FIN SYN,FIN and SYN,RST SYN,RST; "ALL URG,PSH,FIN" is the same rule as "ALL FIN,PSH,URG" and "ALL SYN,FIN" is covered by "FIN,SYN FIN,SYN") are omitted.
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# Like the RST limit above, this rule only accepts RSTs up to the limit; the excess falls through to later rules or to the chain policy.
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Drop a SYN/ACK that does not answer a connection this host started
iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
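The ordering constraints above (loopback and established traffic before the drop rules, service rules before the SYN limit, the port-scan trap last) are easiest to get right when the whole set is written as one file in iptables-restore format and loaded atomically, rather than appended rule by rule. The script below is an added example and not code from the original post: it emits such a ruleset for a desktop, moves the bogus-flag checks into a user-defined chain that ends with RETURN (the action described in the list above), scopes the SYN rate limit to a service port instead of every NEW packet, keeps ICMP destination-unreachable open so path MTU discovery works, and checks its own rule order. The SSH_PORT variable, the chain names TCP_BOGUS and PORTSCAN, the DHCP rule and all limit values are this example's assumptions.

```shell
#!/bin/sh
# Added example: emit a desktop ruleset in iptables-restore format so that it can be
# loaded atomically with "iptables-restore" (or saved as /etc/iptables/rules.v4 for
# iptables-persistent). Assumptions of this example, not the original page: SSH_PORT,
# the user chains TCP_BOGUS and PORTSCAN, the DHCP rule and the limit values.

SSH_PORT="${SSH_PORT:-22}"

emit_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP_BOGUS - [0:0]
:PORTSCAN - [0:0]
# 1. Loopback first: every later anti-spoofing rule would otherwise kill local services.
-A INPUT -i lo -j ACCEPT
# 2. Anti-spoofing: loopback, multicast, class E and "this network" sources on real interfaces.
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/4 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
# 3. Hosts that hit the port-scan trap stay locked out for a day, established flows included.
-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
-A INPUT -m recent --name portscan --remove
# 4. Connection tracking.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 5. Bogus TCP flag combinations go through a user chain that RETURNs clean packets.
-A INPUT -p tcp -j TCP_BOGUS
-A TCP_BOGUS -p tcp --tcp-flags ALL NONE -j DROP
-A TCP_BOGUS -p tcp --tcp-flags ALL ALL -j DROP
-A TCP_BOGUS -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A TCP_BOGUS -p tcp --tcp-flags ALL FIN -j DROP
-A TCP_BOGUS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A TCP_BOGUS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A TCP_BOGUS -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A TCP_BOGUS -j RETURN
# 6. ICMP: echo-request is dropped as on the page, but destination-unreachable and
#    time-exceeded stay open so that path MTU discovery and traceroute keep working.
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
-A INPUT -p icmp -j DROP
# 7. DHCP replies to this client, accepted explicitly because they may be broadcast.
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
# 8. Offered services. The SYN rate limit is scoped to the port, not to every NEW packet,
#    and a client above the limit is dropped here instead of being sent to the trap.
-A INPUT -p tcp --dport ${SSH_PORT} --syn -m limit --limit 10/minute --limit-burst 20 -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} --syn -j DROP
# 9. Whatever is still unmatched is a probe: remember the source, log it (rate-limited), drop it.
-A INPUT -j PORTSCAN
-A PORTSCAN -m recent --name portscan --set
-A PORTSCAN -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "Portscan: "
-A PORTSCAN -j DROP
COMMIT
EOF
}

# Line number (in the emitted set) of the first line containing the fixed string; 0 if absent.
rule_line() {
    n=$(emit_ruleset | grep -n -F -- "$1" | head -n 1 | cut -d: -f1)
    printf '%s\n' "${n:-0}"
}

# Number of rules appended to the named chain.
count_rules() {
    emit_ruleset | grep -c -- "^-A $1 "
}

# Ordering invariants that a flat list of "iptables -A" commands does not enforce:
# loopback ACCEPT precedes the 127.0.0.0/8 DROP, the conntrack ACCEPT precedes the
# service rules, and the jump to the PORTSCAN trap is the last rule in INPUT.
check_order() {
    lo=$(rule_line '-A INPUT -i lo -j ACCEPT')
    spoof=$(rule_line '-s 127.0.0.0/8')
    est=$(rule_line '--ctstate ESTABLISHED,RELATED')
    svc=$(rule_line "--dport ${SSH_PORT}")
    trap_line=$(rule_line '-A INPUT -j PORTSCAN')
    last_input=$(emit_ruleset | grep -n -- '^-A INPUT ' | tail -n 1 | cut -d: -f1)
    [ "$lo" -gt 0 ] && [ "$lo" -lt "$spoof" ] && [ "$est" -lt "$svc" ] && [ "$trap_line" -eq "$last_input" ]
}

# Parse-only dry run through the real tooling; needs root and iptables-restore on PATH.
validate_ruleset() {
    emit_ruleset | iptables-restore --test
}

check_order || { echo "rule order is wrong" >&2; exit 1; }
emit_ruleset
```

Run it as root with `./rules.sh > /etc/iptables/rules.v4` and load with `iptables-restore < /etc/iptables/rules.v4` (run `validate_ruleset` first to catch syntax errors without touching the live firewall). Because the file is applied in one transaction, there is no window during loading in which only half of the rules are active, which is the failure mode of a long series of `iptables -A` commands.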
Miscellaneous Commands
Here are some miscellaneous "iptables" commands.
# Save Rules to a File (iptables-save writes every table, including the per-chain packet counters and a timestamp)
iptables-save > ~/firewall.txt
# Restore/Load Rules from File (the whole set is loaded in one transaction)
iptables-restore < $HOME/firewall.txt
# Reload/Restart UFW (only where UFW manages the firewall; it rewrites the iptables rules)
ufw reload
# List Rules (-n: do not resolve addresses and ports to names; -v: show counters and interfaces)
iptables -L
iptables -L -n
iptables -L -n -v
iptables -L -n -v --line-numbers
# List Rules by Table
iptables -L -t filter
iptables -L -t mangle
iptables -L -t nat
iptables -L -t raw
# List ICMP Types
iptables -p icmp -h
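Two things the save and restore commands above leave to the administrator: telling whether the running rules still match the saved file (the dumps differ in counters and timestamps even when the rules are identical), and loading a new file over SSH without locking yourself out. The script below is an added example and not code from the original post. It normalizes iptables-save dumps so they can be compared, reports added rules, and wraps iptables-restore in a timed roll-back. The three dumps are constructed for the example; the apply_with_rollback function, its confirm-file path and timeout are assumptions of the example and it is defined but not run, because it needs root and a live netfilter.

```shell
#!/bin/sh
# Added example (not from the original page): compare a saved rule file with the live
# rule set, and apply a new rule file with an automatic roll-back. iptables-save output
# carries per-chain [packets:bytes] counters and "# Generated by" / "# Completed on"
# time stamps, so a plain diff of two dumps is always noisy; normalize_dump strips them.
# The three dumps below are constructed for this example.

SAVED_DUMP='# Generated by iptables-save v1.8.7 on Mon Jan  1 10:00:00 2024
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [40:3200]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
COMMIT
# Completed on Mon Jan  1 10:00:00 2024'

# Same rules, later counters and time stamp: what iptables-save prints an hour later.
LIVE_DUMP='# Generated by iptables-save v1.8.7 on Mon Jan  1 11:00:00 2024
*filter
:INPUT DROP [318:25440]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [902:77300]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
COMMIT
# Completed on Mon Jan  1 11:00:00 2024'

# Someone inserted a rule by hand: this must be reported as drift.
DRIFTED_DUMP='# Generated by iptables-save v1.8.7 on Mon Jan  1 12:00:00 2024
*filter
:INPUT DROP [400:32000]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1000:80000]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
COMMIT
# Completed on Mon Jan  1 12:00:00 2024'

# Strip the time-stamp comments and the "[packets:bytes]" counters on chain headers (stdin -> stdout).
normalize_dump() {
    sed -e '/^# Generated by /d' -e '/^# Completed on /d' \
        -e 's/ \[[0-9][0-9]*:[0-9][0-9]*\]$//'
}

# Exit status 0 when the two dumps differ in rules or policies, 1 when they are the same.
rules_differ() {
    a=$(printf '%s\n' "$1" | normalize_dump)
    b=$(printf '%s\n' "$2" | normalize_dump)
    [ "$a" != "$b" ]
}

# Rules present in the second dump but not in the first, one per line (empty when none).
added_rules() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$1" | normalize_dump | grep '^-A ' | sort > "$tmp/a"
    printf '%s\n' "$2" | normalize_dump | grep '^-A ' | sort > "$tmp/b"
    comm -13 "$tmp/a" "$tmp/b"
    rm -rf "$tmp"
}

# Load NEW_RULES over a remote session without locking yourself out: the current rules are
# saved first; unless CONFIRM_FILE is created within TIMEOUT seconds (touch it from a NEW
# SSH session, which proves the new rules still let you in) they are put back.
# Needs root and a working iptables; defined here, not run. Paths and timeout are assumptions.
apply_with_rollback() {
    new_rules="$1"; timeout="${2:-60}"; confirm="${3:-/run/iptables.confirmed}"
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore --test < "$new_rules" || { echo "ruleset rejected" >&2; return 1; }
    rm -f "$confirm"
    iptables-restore < "$new_rules" || { iptables-restore < "$backup"; return 1; }
    # The watchdog ignores SIGHUP so that it survives the SSH session dying.
    ( trap '' HUP; sleep "$timeout"; [ -e "$confirm" ] || iptables-restore < "$backup" ) &
    echo "new rules loaded; touch $confirm within ${timeout}s to keep them (backup: $backup)"
}

# Demonstration on the constructed dumps.
if rules_differ "$SAVED_DUMP" "$LIVE_DUMP"; then
    echo "saved vs live: drift"
else
    echo "saved vs live: same rules (only counters and time stamps changed)"
fi
if rules_differ "$SAVED_DUMP" "$DRIFTED_DUMP"; then
    echo "saved vs drifted: drift, rules added:"
    added_rules "$SAVED_DUMP" "$DRIFTED_DUMP"
fi
```

In practice the comparison is `iptables-save | normalize_dump` against the saved file passed through the same filter, for example from a cron job that alerts on drift. The roll-back wrapper is called as `apply_with_rollback /etc/iptables/rules.v4 60` from a root shell; if the new rules cut the session, the backup is reinstated a minute later without any intervention.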
Further Reading
- Intro to IPTables - http://dcjtech.info/topic/intro-to-iptables/
- Uncomplicated Firewall (ufw) - http://dcjtech.info/topic/uncomplicated-firewall-ufw/
- DCJTech Security Article Index - http://dcjtech.info/topic/security/