Best IPTABLES Rulesets.

modem

I'm working on configuring my server to the best possible and secure configuration using IPtables. Here is a list of blocked/allowed ports that I've configured and I'm just wondering if anyone has thoughts on them. Did I miss something, have I added too much, etc etc.


**********************************************
- Accept If input interface is lo
- Accept If input interface is eth0
- Do nothing If input interface is eth1
- Do nothing If protocol is ICMP and ICMP type is any
- Accept If state of connection is ESTABLISHED,RELATED
- Reject If protocol is TCP and destination port is 0:20
- Accept If protocol is TCP and destination port is 21
- Accept If protocol is TCP and destination port is 22
- Reject If protocol is TCP and destination port is 23:24
- Accept If protocol is TCP and destination port is 25
- Reject If protocol is TCP and destination port is 26:52
- Accept If protocol is TCP and destination port is 53
- Accept If protocol is UDP and destination port is 53
- Reject If protocol is TCP and destination port is 54:79
- Accept If protocol is TCP and destination port is 80
- Reject If protocol is TCP and destination port is 81:109
- Accept If protocol is TCP and destination port is 110
- Reject If protocol is TCP and destination port is 111:142
- Accept If protocol is TCP and destination port is 143
- Reject If protocol is TCP and destination port is 144:442
- Accept If protocol is TCP and destination port is 443
- Do nothing If protocol is TCP and source is localhost and destination port is 783 (SpamAssassin Spam Filtering)
- Accept If protocol is TCP and destination port is 2222
- Accept If protocol is TCP and destination port is 3306
- Accept If protocol is TCP and destination port is 5000
- Accept If protocol is TCP and destination port is 6661:6669
- Do nothing If protocol is TCP and destination port is 7028
- Accept If protocol is TCP and destination port is 8090
- Accept If protocol is TCP and destination port is 10000
- Reject Always
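The rule list above rendered as iptables commands in a dry-run shell script. This is an added example, not the poster's own configuration: it assumes the interface names and ports exactly as listed, collapses the per-range TCP rejects into the final catch-all REJECT (which rejects those ports anyway), and gives the "Do nothing" entries no rule.

```shell
#!/bin/sh
# Added example (not from the thread): render the INPUT-chain policy listed in the
# post as iptables commands. DRY_RUN=1 (default) only prints them for review;
# DRY_RUN=0 applies them and needs root. Interface names and ports are the post's.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_input_rules() {
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    # iptables is first-match: this rule accepts all eth0 traffic, so none of the
    # port rules below are ever consulted for packets arriving on eth0.
    ipt -A INPUT -i eth0 -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # TCP services accepted in the post; the per-range REJECT lines between them
    # are covered by the catch-all REJECT at the end, so they are not repeated.
    for port in 21 22 25 53 80 110 143 443 2222 3306 5000 6661:6669 8090 10000; do
        ipt -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    ipt -A INPUT -p udp --dport 53 -j ACCEPT
    # "Do nothing" entries (ICMP, eth1, 783 from localhost, 7028) get no rule
    # and therefore fall through to this final reject.
    ipt -A INPUT -j REJECT
}

build_input_rules
```

Review the printed commands first; only run with DRY_RUN=0 once the ordering matches what you intend.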
 
Any reason why you don't use either KISS or APF (Advanced Policy Firewall)?

Jeff
 
Actually I've never used them before... I've always gone with IPtables after the default install. Not that I don't like them... I've just never used them before. Advantages/Disadvantages?
 
modem said:
Advantages/Disadvantages?
Advantages as far as I can see. Especially if you use APF, which will add drops in real time when the logs show attacks in progress.

Both use iptables.

Look for more information on them in the post-install thread for DA on Linux.

Jeff
 
Do APF and Kiss work in conjunction or, can only one be installed at a time?
 
One or the other.

I've never tried both, but since each starts by clearing the rules table, my gut feeling is that if you installed both, only the one run last would be in effect.

Why would you want to run both?

Jeff
 
I was using APF on a unix box here and noticed it didn't take my IPTables configuration into account and didn't use the ports I already specified to be blocked/opened. How does IPTables overall hold up in comparison to APF? Does APF work on top of IPTables or am I missing something here?
 
APF flushes the iptables chains when it is started, then builds its own ruleset.

Look at how APF is started/stopped in the /etc/apf/apf script. Also, look at the script "firewall". You'll see it calls "flush 1" (putting the firewall offline) just after the call to modinit (which loads the required iptables modules).

Almost all subroutines are located in /etc/apf/internals/functions.apf

You can do many things with APF setting the proper rules in its config files.

I believe you could also extend it with your own rulesets (if not directly supported by APF) by creating your own script with iptables commands, included just after the following line in the /etc/apf/apf script:

$FWPATH/firewall
 
From a performance standpoint, how does APF stand up against IPTables or other firewalls?
 
APF is just a kind of front-end to easily set up iptables.

It's started/stopped as a service, but there's no daemon.

On "service apf start" it builds the iptables rulesets and quits. On "service apf stop" it flushes the iptables chains and quits.

So, in terms of performance... it's just iptables.

On the other hand, BFD (Brute Force Detection) runs as a cron job (every 10 minutes by default). It reads the logs from the last checked point and, if necessary, calls APF to create the iptables rules to ban IPs and inserts the deny rules in the proper conf files.

BFD is optimized in the sense that it keeps track of the last checked point in the logs (no need to re-read); however, it's just a shell script.
 