[Cialug] IPTables Concept
Dave Weis
djweis at internetsolver.com
Tue Oct 31 18:27:21 CST 2006
You are open to traffic from your DNS server and SSH server that you
don't expect:
> # Access to internal DNS server and allow responses
> /sbin/iptables -A OUTPUT -o $OURIF -p udp -s $OURIP --dport 53 -d $OURDNS1 -j ACCEPT
> /sbin/iptables -A INPUT -i $OURIF -p udp -d $OURIP --sport 53 -s $OURDNS1 -j ACCEPT
> /sbin/iptables -A OUTPUT -o $OURIF -p udp -s $OURIP --dport 53 -d $OURDNS2 -j ACCEPT
> /sbin/iptables -A INPUT -i $OURIF -p udp -d $OURIP --sport 53 -s $OURDNS2 -j ACCEPT
This one would be tricky to take advantage of, but either DNS server can
send UDP packets with a source port of 53 and it can't be verified to be
DNS traffic, especially since it's UDP and can be spoofed. Set up a
local caching DNS server and change these lines to only allow 53/udp for
source and destination.
> # Access to internal SMTP server and allow responses
> /sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 25 -d $OURSMTP -j ACCEPT
> /sbin/iptables -A INPUT -i $OURIF -p tcp -d $OURIP --sport 25 -s $OURSMTP -j ACCEPT
Second line should be unnecessary with the state matching done. As
written, the SMTP server could send you unwanted traffic if it's taken
over by setting the source port outbound to be 25.
> # Allow ssh out to perform backups to our backup server
> /sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 22 -d $OURBACK -j ACCEPT
> /sbin/iptables -A INPUT -i $OURIF -p tcp -d $OURIP --sport 22 -s $OURBACK -j ACCEPT
Same as above, state matching should catch the second line.
> # Access to external WWW servers and allow responses for deb packages
> /sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 80 -d mirrors.kernel.org -j ACCEPT
> /sbin/iptables -A INPUT -i $OURIF -p tcp -d $OURIP --sport 80 -s mirrors.kernel.org -j ACCEPT
> /sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 80 -d security.debian.org -j ACCEPT
> /sbin/iptables -A INPUT -i $OURIF -p tcp -d $OURIP --sport 80 -s security.debian.org -j ACCEPT
Same.
> # Drop all inbound packets that claim to be from us..
> /sbin/iptables -A INPUT -i $OURIF -s $OURIP -j DROP
Looks fine.
> # Drop all outbound packets that claim not to be from us.
> /sbin/iptables -A OUTPUT -o $OURIF -s ! $OURIP -j DROP
Should be okay.
dave
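Putting the suggestions in this reply together, here is an added example rule set (not the original poster's script and not from the thread): one stateful rule on INPUT replaces every hand-written "allow responses" line, and the DNS rules are 53/udp on both ends for a local caching resolver. The interface, the addresses and the IPT path are assumed placeholders.

```shell
#!/bin/sh
# Hardened rewrite of the reviewed rule set (added example, not the
# original poster's script). All addresses are constructed placeholders.
IPT=${IPT:-/sbin/iptables}
OURIF=${OURIF:-eth0}
OURIP=${OURIP:-192.0.2.10}
OURDNS1=${OURDNS1:-192.0.2.53}
OURDNS2=${OURDNS2:-192.0.2.54}
OURSMTP=${OURSMTP:-192.0.2.25}
OURBACK=${OURBACK:-192.0.2.22}

build_rules() {
    # Default deny on both chains; everything below is an exception.
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP

    # Anti-spoofing first, so no later ACCEPT can match a forged packet.
    "$IPT" -A INPUT  -i "$OURIF" -s "$OURIP"   -j DROP
    "$IPT" -A OUTPUT -o "$OURIF" ! -s "$OURIP" -j DROP

    # One stateful rule covers replies to every connection this host opened.
    # A taken-over peer gains nothing by picking source port 25/22/80:
    # without a matching conntrack entry the packet never reaches an ACCEPT.
    "$IPT" -A INPUT -i "$OURIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i "$OURIF" -m state --state INVALID -j DROP

    # DNS: local caching resolver sending from port 53, so both ends are 53/udp.
    for dns in "$OURDNS1" "$OURDNS2"; do
        "$IPT" -A OUTPUT -o "$OURIF" -p udp -s "$OURIP" --sport 53 \
               -d "$dns" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    done

    # Outbound TCP services; the INPUT side is handled by ESTABLISHED above,
    # so the old "--sport 25/22/80" INPUT lines are gone.
    "$IPT" -A OUTPUT -o "$OURIF" -p tcp -s "$OURIP" -d "$OURSMTP" --dport 25 \
           -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPT" -A OUTPUT -o "$OURIF" -p tcp -s "$OURIP" -d "$OURBACK" --dport 22 \
           -m state --state NEW,ESTABLISHED -j ACCEPT
    for mirror in mirrors.kernel.org security.debian.org; do
        "$IPT" -A OUTPUT -o "$OURIF" -p tcp -s "$OURIP" -d "$mirror" --dport 80 \
               -m state --state NEW,ESTABLISHED -j ACCEPT
    done
}

# Dry run (print the rules) unless invoked with "apply"; applying needs root.
if [ "${1:-}" = apply ]; then build_rules; else IPT=echo; build_rules; fi
```

Modern resolvers randomize their query source port, so the `--sport 53` match only holds if the local caching server is explicitly configured to send from port 53; otherwise drop the `--sport` and keep the `--dport 53` and destination restriction.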