3

On my machine there are web services which can be accessed from any PC connected to the same network segment (WiFi for example). I want to use IPtables on the machine to prevent any web services from being accessed by hosts on the Internet at large.

  • What rules should I configure IPtables with?

  • How can I protect a port which is always open?

Jeff Ferland
sophist

2 Answers

3
  1. Set the default policy to deny everything. (iptables -P INPUT DROP)
  2. Allow ICMP
  3. Add the minimum rulesets required for the services you need.

If you've got ports that are used only by local machines, set allow rules for that combination of port and IP range only.

iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT

Outbound traffic needs rules as well (permit DNS queries, permit services to respond to connections, etc). Using related / established rules can help with this. Even among otherwise locked-down firewalls, allowing all outbound traffic for simplicity is common.

If you've got the time, an ideal albeit laborious case would be using SELinux to restrict things even further such as by only allowing the DNS resolver libraries to query DNS, etc.

As for "protecting an open port" that comes down to configuring the software listening to it correctly and ensuring any security issues within it are addressed.

Jeff Ferland
  • It is worth mentioning here that iptables is vulnerable to spoofing as well. – Saladin Mar 04 '13 at 19:34
  • @asadz Can you explain how it's vulnerable to spoofing? Especially on TCP, the packets must be able to get back via the router in order to make a connection. If you're allowing the local network anyway, no big deal. – Jeff Ferland Mar 04 '13 at 20:57
  • Spoofing IP address 192.168.1.2 would let me access the homepage? Right considering I'm in the same vlan – Saladin Mar 04 '13 at 21:23
  • @asadz Detecting that is a job for the local router, not for the server. The server has no way to know about spoofing; it's up to the router to block IP packets with a source address of 192.168.1.0/24 coming from its external interface. – Gilles 'SO- stop being evil' Mar 04 '13 at 21:30
  • They are just basic packet filtering routers which use ACLs to identify access control. These ACLs are in fact vulnerable to spoofing. – Saladin Mar 05 '13 at 06:29
  • @asadz If you're crossing a directly-connected router, the router should filter anything from an attached subnet that comes in the wrong interface. Even if the router didn't filter by interface, the lack of back-routing to the spoofed packets' source is a strong mitigator for TCP. Unless you're on the same segment (of which all hosts are allowed anyway), I believe you're practically wrong. – Jeff Ferland Mar 05 '13 at 13:23
  • @Jeff Wrong interface makes sense if you don't have inter-VLAN routing in your environment. – Saladin Mar 05 '13 at 15:03
  • In a large organization setup, what would your layer 3 router do with one uplink provided to it? In that case, if the target is internal and your ACL filters all inbound traffic from the server to specific addresses, using spoofing you actively defeat the purpose of ACLs. It is only in the case of firewalls that spoofing is detected, when it receives traffic from a network other than what's bound to the source interface. – Saladin Mar 05 '13 at 15:16
  • There's no need to allow ICMP so widely, moreover, that's a threat. Proper ICMPs would be handled with just `-m state --state RELATED` – poige Mar 05 '13 at 20:47
  • @poige Can you articulate which ICMP message are threatening? – Jeff Ferland Mar 05 '13 at 20:53
  • @JeffFerland, there are lots of papers mentioning different aspects of ICMP malicious use, actually. See http://security.stackexchange.com/questions/4440/security-risk-of-ping – poige Mar 05 '13 at 21:04
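The ruleset the answer above sketches (default-deny policy, ICMP, established/related for return traffic, and a port-plus-source-range allow for the LAN-only service), written out as one script. This is an added example, not code from the answer or its author. It assumes the LAN is 192.168.1.0/24 on interface eth0 and the web service listens on TCP 80; those are placeholders to adjust via LAN_NET, LAN_IF and WEB_PORT. It also reflects two points from the comment thread: the LAN allow rule is tied to the LAN interface with `-i`, so a packet claiming a LAN source address that arrives on any other interface does not match, and ICMP is limited to echo-request from the LAN plus whatever the RELATED state lets through, rather than allowed wholesale.

```shell
#!/bin/sh
# Added example: emit (and optionally apply) an iptables ruleset for a
# LAN-only web service. Not from the answer; LAN_NET, LAN_IF and WEB_PORT
# are assumed placeholder values.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"
WEB_PORT="${WEB_PORT:-80}"

# Print the ruleset, one iptables invocation per line, in the order it
# must be appended: conntrack rules first so return traffic is cheap to
# match, then the narrow LAN allows; everything else falls to the policy.
build_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $LAN_IF -p icmp --icmp-type echo-request -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport $WEB_PORT -s $LAN_NET -j ACCEPT
EOF
}

# Count of rules that open something; useful as a sanity check before
# applying (a typo that silently drops the LAN allow is the usual failure).
count_accepts() {
    build_rules | grep -c -- '-j ACCEPT'
}

# Run each line as a command. Requires root; review build_rules first.
# Setting the INPUT policy to DROP over SSH locks you out if the
# ESTABLISHED,RELATED rule is missing, hence the flush and ordering above.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        $cmd
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Running the script with no arguments only prints the commands; `./lanweb.sh apply` executes them. OUTPUT stays ACCEPT, matching the answer's remark that permitting all outbound traffic is common even on otherwise locked-down hosts.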
1

iptables is suited to this, but there are a couple of approaches I would take first:

  1. Listening interface: tell your web services to listen only on your local IP. Typically they are set to listen on all interfaces (0.0.0.0, or simply *). Instead you would set this to 192.168.0.88 or similar.
  2. Web service configuration: you can tell the web service itself to only allow certain source IPs. This is somewhat less secure than the other methods, as the connection is still established, then dropped by the webserver. However it is an easy and quick method and perfectly fine for most scenarios. In Apache, this would be with the Allow From directive. Other web daemons have other configuration mechanisms.

Finally, if you want to use iptables you are looking for a pair of rules that look like:

iptables -A INPUT -p tcp --dport 80 --source 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
lynks