Monday, June 8, 2009

iptables complete

So after a weekend primarily away from my computer (probably for the better :-) I had the chance to sit down and work out iptables. Although the Gentoo Wiki article was helpful in getting the kernel configured correctly, I did not want to write an iptables start script; after all, iptables is a service, so why not utilize it as such? Instead, I used Linux Home Networking's tutorial to create my own firewall script, complete with logging. I was also fortunate to be able to reference a pre-built firewall script, authored by a friend and coworker, that he uses as a standard template for all of his RHEL5 servers at UGA.

I created three chains, LOG_DROP, LOG_ACCEPT, and LOG_REJECT, to log packets when needed. I did not use LOG_DROP or LOG_REJECT (maybe in the future?), and instead am just using REJECT with --reject-with tcp-reset for TCP packets and icmp-port-unreachable for UDP packets to help mask the fact that I'm using a firewall. If the packets are simply dropped, it'd be pretty easy for an intruder to realize that I'm running a firewall, because his packets would not result in the standard TCP reset or ICMP port-unreachable that indicates a nonexistent service. In the future, I may consider logging some of the rejected packets.

Right now the only services I am logging when accepted are SSH & SFTP (both use port 22), as logging every http request is impractical.

Unlogged accepts include http (port 80) and SAMBA (netbios-ssn, microsoft-ds, UDP 137 & 138). One key problem I had was allowing SAMBA to continue to work with the firewall enabled. With iptables running, I could only access my SAMBA shares by using the machine's IP, and not its hostname. While this problem was frustrating, it forced me to better manage my system by ensuring that samba was configured correctly (/etc/samba/smb.conf), my hostnames were set properly (they were not; only localhost was set in /etc/hosts), as well as resolv.conf (/etc/resolv.conf). This forum post eventually led me to realize that I needed to accept traffic on ports 137 & 138 on top of netbios-ssn (UDP 139), and microsoft-ds (TCP 445).

Further securing SAMBA, I specified the allowed source IPs on my network, both within smb.conf and iptables. If there's anything I've learned, it's that redundancy in terms of security is never a bad idea.

Below is a (modified) iptables firewall script:

#!/bin/bash

# Stateful firewall for hostname

########################
# Ethernet Information #
########################

# Device: lo
# IP: 127.0.0.1
# Hostname: localhost

# Device: eth0
# IP: 192.168.2.3
# Hostname: hostname

# Flush all chains in the filter table (iptables -F acts on the filter table only;
# the nat table would need a separate "iptables -t nat -F")
iptables -F

# Remove all non-default chains
iptables -X

#+-------------------------------+
#| Setup Firewall Process chains |
#+-------------------------------+

# Create a LOG_DROP chain for dropped incoming requests to be logged
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-level info --log-prefix "Firewall-LOG_DROP: "
iptables -A LOG_DROP -j DROP

# Create a LOG_REJECT chain for rejected incoming requests to be logged
iptables -N LOG_REJECT
iptables -A LOG_REJECT -j LOG --log-level info --log-prefix "Firewall-LOG_REJECT: "
iptables -A LOG_REJECT -j REJECT

# Create a LOG_ACCEPT chain for accepted incoming requests to be logged
iptables -N LOG_ACCEPT
iptables -A LOG_ACCEPT -j LOG --log-level info --log-prefix "Firewall-LOG_ACCEPT: "
iptables -A LOG_ACCEPT -j ACCEPT


# Accept all connections from localhost
iptables -A INPUT -i lo -j ACCEPT

# Accept reply packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept PING requests
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#+-----------------------------------+
#| Accepted services that ARE Logged |
#+-----------------------------------+

#SSH & SFTP (TCP)
iptables -A INPUT -p tcp --dport ssh -j LOG_ACCEPT

#+---------------------------------------+
#| Accepted services that are NOT Logged |
#+---------------------------------------+
# HTTP (TCP)
iptables -A INPUT -p tcp --dport http -j ACCEPT

# HTTPS (TCP)
#iptables -A INPUT -p tcp --dport https -j ACCEPT

# TOMCAT (TCP)
#iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
# If we're only using TOMCAT (no apache), we can forward traffic to 8080
#iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 8080
#iptables -t nat -A OUTPUT -d hostname -p tcp --dport 80 -j REDIRECT --to-ports 8080
#iptables -t nat -A PREROUTING -d hostname -p tcp --dport 80 -j REDIRECT --to-ports 8080

# RAILS (TCP)
#iptables -A INPUT -p tcp --dport 3000 -j ACCEPT

# netbios-ssn (UDP)
#iptables -A INPUT -p udp --dport netbios-ssn -j ACCEPT
iptables -A INPUT -p udp --source 192.168.2.0/24 --dport netbios-ssn -j ACCEPT

# netbios-ssn (TCP)
#iptables -A INPUT -p tcp --dport netbios-ssn -j ACCEPT
iptables -A INPUT -p tcp --source 192.168.2.0/24 --dport netbios-ssn -j ACCEPT

# microsoft-ds (TCP)
#iptables -A INPUT -p tcp --dport microsoft-ds -j ACCEPT
iptables -A INPUT -p tcp --source 192.168.2.0/24 --dport microsoft-ds -j ACCEPT

# microsoft-ds (UDP)
#iptables -A INPUT -p udp --dport microsoft-ds -j ACCEPT
iptables -A INPUT -p udp --source 192.168.2.0/24 --dport microsoft-ds -j ACCEPT

# nmbd (UDP) required for SAMBA to send requests via broadcasting
iptables -A INPUT -p udp --source 192.168.2.0/24 --dport 137:138 -j ACCEPT
#iptables -A OUTPUT -p udp --dport 137:138 -j ACCEPT

# LOG & Drop malicious IPs
#iptables -A INPUT --source xxx.xxx.xxx.xxx -j LOG_DROP

# Reject remaining packets, do so with tcp-reset and icmp-port-unreachable
# so hackers don't know we're running a firewall
iptables -A INPUT -p tcp -i eth0 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i eth0 -j REJECT --reject-with icmp-port-unreachable
# Catch-all for any other IP protocol arriving on eth0; without it such packets
# would fall through to the INPUT chain's default policy, which is ACCEPT
# since this script never sets one
iptables -A INPUT -i eth0 -j REJECT
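Since the script logs accepted SSH connections through the LOG_ACCEPT chain with the "Firewall-LOG_ACCEPT: " prefix, the lines end up in the kernel log in the LOG target's KEY=VALUE format. The following is an added example (not part of the original post) that parses such lines, counts SSH connection attempts per source, and flags any source outside the LAN; the log lines are constructed samples, and the LAN range 192.168.2.0/24 and the SSH port are assumed from the script above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample kernel log lines in the format the iptables LOG target
# emits (all addresses, IDs and timestamps are made up for this example).
SAMPLE_LOG = """\
Jun  8 10:01:12 hostname kernel: Firewall-LOG_ACCEPT: IN=eth0 OUT= SRC=192.168.2.10 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  8 10:02:45 hostname kernel: Firewall-LOG_ACCEPT: IN=eth0 OUT= SRC=192.168.2.10 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  8 10:03:01 hostname kernel: Firewall-LOG_ACCEPT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9876 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  8 10:03:30 hostname sshd[2211]: Accepted publickey for user from 192.168.2.10 port 51240 ssh2
"""

# The chain name is embedded in the --log-prefix the script configures.
LOG_PREFIX_RE = re.compile(r"Firewall-(LOG_ACCEPT|LOG_DROP|LOG_REJECT): (.*)$")
# KEY=VALUE pairs; bare flags such as DF or SYN carry no "=" and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_firewall_line(line):
    """Return (chain, fields) for a LOG-target line, or None for any other line."""
    m = LOG_PREFIX_RE.search(line)
    if not m:
        return None
    chain, rest = m.groups()
    return chain, dict(FIELD_RE.findall(rest))


def summarize_ssh_accepts(log_text, lan="192.168.2.0/24", ssh_port="22"):
    """Count accepted SSH connections per source IP and list sources outside the LAN.

    Because the ESTABLISHED,RELATED rule precedes LOG_ACCEPT in the script,
    each logged line corresponds to a new connection attempt, not a follow-up packet.
    """
    lan_net = ipaddress.ip_network(lan)
    per_source = Counter()
    off_lan = set()
    for line in log_text.splitlines():
        parsed = parse_firewall_line(line)
        if parsed is None:
            continue
        chain, f = parsed
        if chain != "LOG_ACCEPT" or f.get("PROTO") != "TCP" or f.get("DPT") != ssh_port:
            continue
        src = f["SRC"]
        per_source[src] += 1
        if ipaddress.ip_address(src) not in lan_net:
            off_lan.add(src)
    return per_source, sorted(off_lan)
```

Feeding the real /var/log/messages (or wherever syslog writes kernel messages) through summarize_ssh_accepts gives a quick view of who is reaching the SSH rule, which is the point of logging only that service.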


I really enjoyed this project and learned a lot. After getting my basic firewall set up, I feel confident that I could do it again, now that I understand most of the iptables flags and commands. NAT translation and masquerading may be a project for a different day, but at least now I'm familiar with what they are and how they work.

Furthermore, I think this project will serve as a good segue into my next one, which is better learning SAMBA and how to configure it.
