[arch-general] Iptables
Hi, I am writing to a script to generate iptables rules. I did this with the documentation in the Arch Linux wiki and would be happy if a few professionals would take a look over the script. Suggestions for improvement, comments would be very helpful. https://github.com/sisihagen/iptables Thank you & Regards Silvio
Hi Silvio A more detailed description of what you're trying to do would be helpful. E.g. "The firewall needs to filter interface xyz and allow service such and such for these users etc etc" On Tue, 11 Feb 2020 at 07:52, siefke_listen@web.de <siefke_listen@web.de> wrote:
Hi,
I am writing to a script to generate iptables rules. I did this with the documentation in the Arch Linux wiki and would be happy if a few professionals would take a look over the script. Suggestions for improvement, comments would be very helpful.
https://github.com/sisihagen/iptables
Thank you & Regards Silvio
Hi Andy, On Tue, 11 Feb 2020 09:10:03 +0000 Andy Pieters <arch-general@andypieters.me.uk> wrote:
A more detailed description of what you're trying to do would be helpful.
I have different servers, most with Arch but also with Debian. So I try to generate a firewall script for both systems that is customized depending on what the server is run. So the script try to find the ethernet adapter, the IP, the all open ports which are listen on 0.0.0.0 and the SERVER IP and set this in the multiport rules for tcp or udp. If on the server is used wireguard, then also rules should be activated and when running monitoring tools should be also open the ports but only from my home server. This is my goal and the script should be checked from peoples which know iptables more as me. Is this so okay, will it work or give trouble. When understand the wiki right must be the rules be in the right position. So special spoofing and bruteforce rules will be correct? There are improvements to query the Ethernet adapters, the server IP, the open ports. # port scanning $IPT -I TCP -p tcp -m recent --update --rsource --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset $IPT -D INPUT -p tcp -j REJECT --reject-with tcp-reset $IPT -A INPUT -p tcp -m recent --set --rsource --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset $IPT -I UDP -p udp -m recent --update --rsource --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable $IPT -D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable $IPT -A INPUT -p udp -m recent --set --rsource --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable $IPT -D INPUT -j REJECT --reject-with icmp-proto-unreachable $IPT -A INPUT -j REJECT --reject-with icmp-proto-unreachable This for example my english not perfect and hope understand the wiki right. But is there a reason why is insert, delete and append active? Is it enough only use $IPT -A and rest not used? Thank you & Nice day Silvio
Hi Silvio One general comment - your script uses the iptables command for each rule - this is extremely inefficient. This is probably not a big deal in your case but I'll mention it anyway. Far better way is to output the firewall in the same format as iptables-save uses, then simply use iptaples-restore to load the firewall rules - this reads the entire set of rules and ask the kernel to install them all in one shot. This is essentially just dropping the '$IPT' part for each rule plus a slightly different way to define chains and set the default policies. One way to see the format is simply to use iptables-save on existing firewall. This is the format used by iptables to save / restore rules. best gene
Hello Silvio, First of all, great idea and nice script! Two small things: - The ssh port is fixed as TCP port 12500. Since 12500 >1024 this is a non-priviledged port which is a security risk. Ports < 1024 can only be opened (here: state LISTEN) by root, others by everyone. If a user manages to crash your sshd then they can start their own service at that port. Even though ssh has protection against MitM by means of key fingerprints the attacker can at least keep you from starting sshd by blocking that port (not ideal on a remote server). - You test a Debian release version to see whether to use /usr/sbin/iptables-nft or /usr/sbin/iptables . More portable and more simple would be to test for -x /usr/sbin/iptables-nft . Best wishes, NTS On Tue, 11 Feb 2020 at 14:26, Genes Lists via arch-general <arch-general@archlinux.org> wrote:
Hi Silvio
One general comment - your script uses the iptables command for each rule - this is extremely inefficient. This is probably not a big deal in your case but I'll mention it anyway.
Far better way is to output the firewall in the same format as iptables-save uses, then simply use iptaples-restore to load the firewall rules - this reads the entire set of rules and ask the kernel to install them all in one shot. This is essentially just dropping the '$IPT' part for each rule plus a slightly different way to define chains and set the default policies.
One way to see the format is simply to use iptables-save on existing firewall. This is the format used by iptables to save / restore rules.
best
gene
Hi, Am 11.02.20 um 16:15 schrieb NTS:
- The ssh port is fixed as TCP port 12500. Since 12500 >1024 this is a non-priviledged port which is a security risk. Ports < 1024 can only be opened (here: state LISTEN) by root, others by everyone.
While technically this is true, I'm not convinced that this matters in practice in most environments.
If a user manages to crash your sshd then they can start their own service at that port.
This requires local users/attackers with shell access. Not necessarily a concern in every environment. Best regards, Karol Babioch
participants (5)
-
Andy Pieters
-
Genes Lists
-
Karol Babioch
-
NTS
-
siefke_listen@web.de