Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort

Now that you've seen what a firewall chain listing looks like and what formatting options are available, we'll go through brief lists of INPUT, OUTPUT, and FORWARD rules. The sample rules are representative of some of the rules you'll most likely use yourself.

Checking the Input Rules

Your input rules are mostly ACCEPT rules when the default policy is DROP. Everything is denied, by default, and you explicitly define what will be accepted. Remember that packets arriving on the INPUT chain are targeted to the local host. The following example contains a representative sample of input acceptance rules:

> iptables -v -L INPUT --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num  pkts bytes target  prot opt in   out  source              destination
1       4   390 ACCEPT  all  --  lo   any  anywhere            anywhere
2      59  2599 ACCEPT  all  --  any  any  anywhere            anywhere            state RELATED,ESTABLISHED
3       0     0 DROP    all  --  !lo  any  choke.dmz.lan       anywhere
4       0     0 DROP    all  --  !lo  any  router.private.lan  anywhere
5       0     0 DROP    all  --  eth0 any  !.private.lan       anywhere
6       0     0 ACCEPT  udp  --  eth0 any  .private.lan        router.private.lan  udp spt:1024:65535 dpt:domain state NEW
7       0     0 REJECT  tcp  --  eth1 any  anywhere            choke.dmz.lan       tcp spts:1024:65535 dpt:auth state NEW reject-with icmp-port-unreachable
8       0     0 ACCEPT  udp  --  eth0 any  jet.private.lan     255.255.255.255     udp spt:ntp dpt:ntp state NEW
9       0     0 ACCEPT  tcp  --  any  any  anywhere            anywhere            tcp flags:FIN,ACK/FIN,ACK
10      0     0 LOG     all  --  any  any  anywhere            anywhere            LOG level warning

The default policy for incoming packets is DROP. Denied packets are simply dropped without any notification being returned to the source address. There are 10 rules on the chain:

  • Line 1 All packets arriving on the loopback interface are accepted.

  • Line 2 All incoming packets identified as part of a previously accepted connection or exchange, or a packet related to one, are accepted.

  • Line 3 Any packet arriving on any interface except the loopback interface that claims to be from this machine's external DMZ network interface is dropped.

  • Line 4 Any packet arriving on any interface except the loopback interface that claims to be from this machine's internal private LAN network interface is dropped.

  • Line 5 Any packet arriving on the internal private LAN interface that claims to be from a source address other than an address within the internal private LAN network is dropped.

  • Line 6 UDP DNS client requests from hosts in the private LAN are accepted.

  • Line 7 All incoming TCP connection requests destined for the local identd server at AUTH service port 113 are rejected. An ICMP error notification, Type 3 Code 3, Port Unreachable (the REJECT target's default), is returned to the source address, so a remote mail or FTP server doing an identd lookup fails immediately instead of waiting for a timeout.

  • Line 8 Limited broadcasts from the local printer to the UDP ntp time server port 123 are accepted.

  • Line 9 FIN/ACK packets from anywhere are accepted. Packets belonging to a tracked connection already match the RELATED,ESTABLISHED rule on line 2, so this rule only catches the tail of connections the state table has forgotten; it also lets unsolicited FIN/ACK segments reach the local TCP stack, which is what a FIN-based port scan relies on.

  • Line 10 All other incoming packets are logged before being dropped by the default policy.

Checking the Output Rules

Your output rules are mostly ACCEPT rules when the default policy is DROP. Everything is blocked, by default. You explicitly define what will be accepted. The following example contains a representative sample of output acceptance rules:

> iptables -v -L OUTPUT --line-numbers
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num  pkts bytes target  prot opt in   out  source              destination
1      34  3558 ACCEPT  all  --  any  lo   anywhere            anywhere
2      92 12721 ACCEPT  all  --  any  any  anywhere            anywhere            state RELATED,ESTABLISHED
3       1    82 ACCEPT  udp  --  any  eth1 choke.dmz.lan       nameserver.dmz.lan  udp spt:domain dpt:domain state NEW
4       0     0 ACCEPT  udp  --  any  eth1 choke.dmz.lan       nameserver.dmz.lan  udp spts:1024:65535 dpt:domain state NEW
5       0     0 ACCEPT  tcp  --  any  eth1 choke.dmz.lan       nameserver.dmz.lan  tcp spts:1024:65535 dpt:domain state NEW
6       2   120 ACCEPT  tcp  --  any  eth0 router.private.lan  .private.lan        multiport dports ssh,http,https,auth,ftp tcp spts:1024:65535 flags:SYN,RST,ACK/SYN state NEW
7       0     0 ACCEPT  tcp  --  any  eth1 choke.dmz.lan       .dmz.lan            tcp spts:1024:65535 dpt:ssh state NEW
8       0     0 ACCEPT  tcp  --  any  eth1 choke.dmz.lan       anywhere            multiport dports http,https,auth,ftp,nicname tcp spts:1024:65535 flags:SYN,RST,ACK/SYN state NEW
9       0     0 ACCEPT  tcp  --  any  eth1 choke.dmz.lan       mail.dmz.lan        tcp spts:1024:65535 dpt:smtp state NEW
10      0     0 ACCEPT  udp  --  any  eth1 choke.dmz.lan       timeserver.edu      udp spts:1024:65535 dpt:ntp state NEW
11      0     0 ACCEPT  icmp --  any  eth1 choke.dmz.lan       anywhere            icmp fragmentation-needed
12      0     0 ACCEPT  icmp --  any  eth0 router.private.lan  .private.lan        icmp echo-request
13      0     0 ACCEPT  icmp --  any  eth0 router.private.lan  .private.lan        icmp echo-reply
14      0     0 ACCEPT  icmp --  any  eth1 choke.dmz.lan       .dmz.lan            icmp echo-request
15      0     0 ACCEPT  icmp --  any  eth1 choke.dmz.lan       firewall.dmz.lan    icmp echo-reply
16      0     0 ACCEPT  tcp  --  any  eth0 router.private.lan  jet.private.lan     tcp dpt:printer state NEW
17      0     0 ACCEPT  tcp  --  any  any  anywhere            anywhere            tcp flags:RST/RST
18      0     0 LOG     all  --  any  any  anywhere            anywhere            LOG level warning

The default policy for the OUTPUT chain is DROP. Denied packets are simply dropped without any notification being returned to the local program. There are 18 rules on the chain:

  • Line 1 Any packet going out the loopback interface is allowed.

  • Line 2 Any packet that is recognized as being part of a previously ESTABLISHED connection or exchange, or a packet that is RELATED to one, is allowed.

  • Line 3 Local DNS requests that are forwarded to the local name server in the DMZ, server to server, are allowed.

  • Line 4 Local DNS client requests over UDP to the local name server in the DMZ are allowed.

  • Line 5 Local DNS client requests over TCP to the local name server in the DMZ are allowed.

  • Line 6 The local host, as the LAN router, is allowed to open new client connections (SYN only, state NEW) to SSH, HTTP, HTTPS, auth, and FTP servers in the private LAN. Replies come back under the RELATED,ESTABLISHED rule on line 2.

  • Line 7 The local host, as the choke firewall, is allowed to open new client connections to SSH servers in the DMZ.

  • Line 8 The local host, as the choke firewall, is allowed to open new client connections to HTTP, HTTPS, auth, FTP, and whois (nicname) servers anywhere.

  • Line 9 The local host, the choke firewall, is allowed to send mail to the mail gateway in the DMZ.

  • Line 10 The local host, the choke firewall, is allowed to send client ntp time requests to a specific remote server.

  • Line 11 The local host, the choke firewall, is allowed to send ICMP Type 3 Code 4, fragmentation-needed, messages anywhere as part of path MTU discovery.

  • Line 12 The local host, the LAN router, is allowed to send ICMP ping requests to hosts in the private LAN.

  • Line 13 The local host, the LAN router, is allowed to send ICMP ping responses to hosts in the private LAN.

  • Line 14 The local host, the choke firewall, is allowed to send ICMP ping requests to hosts in the DMZ.

  • Line 15 The local host, the choke firewall, is allowed to send ICMP ping responses to the public firewall between the DMZ and the Internet.

  • Line 16 The local host, the LAN router, is allowed to access the networked printer in the private LAN.

  • Line 17 The local host is allowed to send TCP RST messages anywhere.

  • Line 18 All other outgoing packets are logged before being dropped by the default policy.

Checking the Forwarding Rules

The forwarding rules apply to packets routed through the machine rather than addressed to it. After the routing decision, a packet whose destination is not one of the local host's own addresses (on any interface, not just the one it arrived on) is handed to the FORWARD chain. Such packets are inspected only by the rules on the FORWARD chain; they never traverse INPUT or OUTPUT, so rules on those chains do nothing to protect hosts behind the firewall. If the packet matches a FORWARD acceptance rule, it is sent out the interface the routing table selects, after being inspected by any rules defined for the POSTROUTING chains of the nat and mangle tables.

For the purposes of illustration, the firewall rule pair shown next forwards all TCP connections initiated from the internal network. UDP traffic is not routed. ICMP errors related to a forwarded TCP connection (fragmentation-needed, for instance) are routed, which is why the first rule carries no -p restriction: with -p tcp on the state rule, RELATED ICMP packets would never match it and would fall through to the default DROP policy:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -p tcp \
    -s $INTERNAL_LAN_ADDRESSES -m state --state NEW -j ACCEPT

This section is based on a representative sample of forwarding rules. Like the INPUT and OUTPUT rules, the FORWARD rules are mostly ACCEPT rules when the default policy is DROP. Everything is denied, by default, and you explicitly define what will be accepted:

> iptables -v -L FORWARD --line-numbers
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num  pkts bytes target  prot opt in   out  source                destination
1      67  6050 ACCEPT  all  --  any  any  anywhere              anywhere            state RELATED,ESTABLISHED
2       0     0 ACCEPT  tcp  --  eth1 eth0 selected.remote.host  host1.private.lan   tcp spts:1024:65535 dpt:ssh flags:SYN,RST,ACK/SYN state NEW
3       0     0 ACCEPT  tcp  --  eth0 eth1 .private.lan          mailserver.dmz.lan  multiport dports smtp,pop3 tcp spts:1024:65535 flags:SYN,RST,ACK/SYN state NEW
4       1    60 ACCEPT  tcp  --  eth0 eth1 .private.lan          web-proxy.dmz.lan   multiport dports http,https tcp spts:1024:65535 flags:SYN,RST,ACK/SYN state NEW
5       1    60 ACCEPT  tcp  --  eth0 eth1 .private.lan          anywhere            tcp spts:1024:65535 dpt:ssh flags:SYN,RST,ACK/SYN state NEW
6       0     0 ACCEPT  tcp  --  eth0 eth1 .private.lan          news-server.net     tcp spts:1024:65535 dpt:nntp flags:SYN,RST,ACK/SYN state NEW
7       0     0 REJECT  tcp  --  eth1 any  anywhere              .private.lan        tcp spts:1024:65535 dpt:auth reject-with icmp-port-unreachable
8       0     0 ACCEPT  icmp --  any  any  anywhere              anywhere            icmp fragmentation-needed
9       2   168 ACCEPT  icmp --  eth0 eth1 .private.lan          anywhere            icmp echo-request
10      0     0 ACCEPT  tcp  --  any  any  anywhere              anywhere            tcp flags:FIN,ACK/FIN,ACK
11      0     0 ACCEPT  tcp  --  any  any  anywhere              anywhere            tcp flags:RST/RST
12      0     0 LOG     all  --  any  any  anywhere              anywhere            LOG level warning

The default policy for the FORWARD chain is DROP. Denied packets are simply dropped without any notification being returned to either the local or the remote program. There are 12 rules on the chain:

  • Line 1 Any packet recognized as being part of a previously ESTABLISHED connection or exchange, or a packet that is RELATED to one, is allowed in either direction.

  • Line 2 Incoming SSH connections from a particular remote host to host1 in the private LAN are allowed.

  • Line 3 Outgoing client connections to the mail gateway and pop server in the DMZ are allowed.

  • Line 4 Outgoing client connections, both HTTP and HTTPS, are allowed to the web proxy in the DMZ.

  • Line 5 Outgoing client connections to remote SSH servers anywhere are allowed.

  • Line 6 Outgoing client connections to a specific remote news server are allowed.

  • Line 7 Incoming auth (identd, port 113) requests destined for hosts in the private LAN are rejected with an ICMP port-unreachable rather than silently dropped, so the remote server's identd lookup fails at once instead of stalling the connection until it times out.

  • Line 8 ICMP Type 3 Code 4, fragmentation-needed, messages are allowed in both directions as part of path MTU discovery.

  • Line 9 Outgoing ping ICMP echo-requests are allowed to anywhere.

  • Line 10 FIN/ACK packets are accepted in either direction.

  • Line 11 TCP RST packets are accepted in either direction.

  • Line 12 All other packets in either direction are logged before being dropped by the default policy.

In this case, the -v option is essential to see the incoming and outgoing network interface names; without it the in and out columns are not printed at all. eth0 is the internal interface to the .private.lan network. eth1 is the external interface to the .dmz.lan network and the Internet beyond. Remember that FORWARD rules are necessary with or without NAT. Also remember that any NAT rules are defined in the nat table; the rules shown here are defined in the default filter table.
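Reading three chains by eye for the properties this chapter keeps coming back to (a DROP policy, the RELATED,ESTABLISHED rule near the top, anti-spoofing DROPs ahead of any ACCEPT for new traffic, a LOG rule last) is error-prone, and the packet counters are easy to overlook. The following Python script is an added example, not code from the book or from the iptables project: it parses the `iptables -v -L --line-numbers` listing format shown above, applies those checks to every chain it finds, and reports rules whose counters are still zero. Both listings embedded in it are constructed samples, a trimmed copy of the INPUT chain in the style shown above and a deliberately weakened version of it; the exact thresholds (for instance that the state rule must be first or second) are my assumptions, not something the text prescribes.

```python
"""Offline audit of an `iptables -v -L --line-numbers` chain listing.

Added example, not code from the book or the iptables project.  It parses the
listing format shown in this chapter and checks what the text implies: policy
DROP, a RELATED,ESTABLISHED accept right after the loopback rule, anti-spoofing
DROPs ahead of any ACCEPT for new traffic, no blanket ACCEPT, a LOG rule last.
Both listings are constructed samples: GOOD_LISTING trims the INPUT chain shown
in the text, WEAK_LISTING is the same chain with typical mistakes introduced.
"""
import re
from dataclasses import dataclass

GOOD_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target prot opt in   out  source          destination
1        4   390 ACCEPT all  --  lo   any  anywhere        anywhere
2       59  2599 ACCEPT all  --  any  any  anywhere        anywhere  state RELATED,ESTABLISHED
3        0     0 DROP   all  --  !lo  any  choke.dmz.lan   anywhere
4        0     0 DROP   all  --  eth0 any  !.private.lan   anywhere
5        0     0 ACCEPT udp  --  eth0 any  .private.lan    router.private.lan  udp spt:1024:65535 dpt:domain state NEW
6        0     0 REJECT tcp  --  eth1 any  anywhere        choke.dmz.lan  tcp spts:1024:65535 dpt:auth state NEW reject-with icmp-port-unreachable
7        0     0 ACCEPT tcp  --  any  any  anywhere        anywhere  tcp flags:FIN,ACK/FIN,ACK
8        0     0 LOG    all  --  any  any  anywhere        anywhere  LOG level warning
"""

WEAK_LISTING = """\
Chain INPUT (policy ACCEPT 12 packets, 960 bytes)
num   pkts bytes target prot opt in   out  source          destination
1        4   390 ACCEPT all  --  lo   any  anywhere        anywhere
2       10  1200 ACCEPT tcp  --  eth0 any  anywhere        anywhere  tcp dpt:ssh state NEW
3        0     0 DROP   all  --  !lo  any  choke.dmz.lan   anywhere
4       59  2599 ACCEPT all  --  any  any  anywhere        anywhere  state RELATED,ESTABLISHED
5        3   180 ACCEPT all  --  any  any  anywhere        anywhere
"""


@dataclass
class Rule:
    num: int
    pkts: int
    target: str
    prot: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str      # everything after the destination column (state, ports, flags)


@dataclass
class Chain:
    name: str
    policy: str     # None for user-defined chains, which have no policy
    rules: list


def parse_count(token):
    """Turn a counter such as '59', '12K' or '3M' (iptables -v abbreviations) into an int."""
    mult = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    return int(token[:-1]) * mult[token[-1]] if token[-1] in mult else int(token)


def parse_listing(text):
    """Parse one or more chains from `iptables -v -L --line-numbers` output."""
    chains, chain = [], None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            chain = Chain(m.group(1), m.group(2), [])
            chains.append(chain)
            continue
        if chain is None or not line.strip() or line.lstrip().startswith("num"):
            continue                      # blank line or column header
        f = line.split(None, 10)          # num pkts bytes target prot opt in out src dst [extra]
        extra = f[10].strip() if len(f) > 10 else ""
        chain.rules.append(Rule(int(f[0]), parse_count(f[1]), f[3], f[4], f[6], f[7], f[8], f[9], extra))
    return chains


def audit_chain(chain):
    """Return a list of findings; an empty list means the chain passes every check."""
    name, rules, out = chain.name, chain.rules, []
    if chain.policy is not None and chain.policy != "DROP":
        out.append(f"{name}: policy is {chain.policy}, expected DROP")
    est = [i for i, r in enumerate(rules) if r.target == "ACCEPT" and "RELATED,ESTABLISHED" in r.extra]
    if not est:
        out.append(f"{name}: no ACCEPT for state RELATED,ESTABLISHED")
    elif est[0] > 1:
        out.append(f"{name}: RELATED,ESTABLISHED accept is rule {rules[est[0]].num}; it belongs right after loopback")
    if not rules or rules[-1].target != "LOG":
        out.append(f"{name}: last rule is not LOG, so packets hitting the policy leave no trace")
    # Anti-spoofing DROPs (prot all) must precede the first ACCEPT of new, non-loopback traffic.
    drops = [i for i, r in enumerate(rules) if r.target == "DROP" and r.prot == "all"]
    news = [i for i, r in enumerate(rules) if r.target == "ACCEPT" and "lo" not in (r.in_if, r.out_if)
            and "RELATED,ESTABLISHED" not in r.extra]
    if drops and news and max(drops) > min(news):
        out.append(f"{name}: anti-spoofing DROP rule {rules[max(drops)].num} comes after ACCEPT rule {rules[min(news)].num}")
    for r in rules:
        if (r.target == "ACCEPT" and r.prot == "all" and not r.extra
                and r.source == r.destination == "anywhere" and "lo" not in (r.in_if, r.out_if)):
            out.append(f"{name} rule {r.num}: unconditional ACCEPT of all traffic")
    return out


def idle_rules(chain):
    """Rule numbers whose packet counter is zero: untested, or dead and worth reviewing."""
    return [r.num for r in chain.rules if r.pkts == 0]


if __name__ == "__main__":
    for chain in parse_listing(GOOD_LISTING) + parse_listing(WEAK_LISTING):
        print(f"== {chain.name} (policy {chain.policy}), {len(chain.rules)} rules")
        for finding in audit_chain(chain) or ["no findings"]:
            print("  ", finding)
        print("   zero-hit rules:", idle_rules(chain))
```

On a live system, feed it the real listing (`iptables -v -L --line-numbers | python3 audit.py` with a small stdin wrapper, or paste the output into GOOD_LISTING). Zero the counters with `iptables -Z` first, exercise the services you care about, and the zero-hit list then tells you which rules nothing has touched.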

TESTING AN INDIVIDUAL PACKET AGAINST THE FIREWALL RULES

The rule-checking command, -C in ipchains, which simulated a packet's path through the rules, had no equivalent in iptables when this was written. Later iptables releases did add a -C (--check) option, but it only tests whether a rule matching the given specification already exists in a chain; it does not test a packet. To see which rule a given packet hits, zero the counters with iptables -Z, generate the packet, and compare the per-rule pkts column from iptables -v -L, or log it with a LOG rule placed where you want to observe it.
