I am a newbie to Linux firewalls and am trying to set up my system's firewall for a public-facing computer. Here are my requirements:

  1. Ports 80 and 22 should be open for HTTP requests and SSH logins
  2. Since my app server is going to run under a non-root user on port 8080, I want to redirect all the packets to port 8080. In certain cases my application itself makes a request to the server from within the server.

Question: Are there any holes in my firewall, or ways I can make this more secure?

Here are my firewall settings:

*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow Secure SSH transfer
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
# Allow all HTTP requests
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Routes all HTTP requests from port 80 to port 8080.
# Allows you to run JETTY as a non-root user.
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
# Same redirect for connections the server makes to itself: locally generated
# packets pass through nat OUTPUT, not PREROUTING. As written this also catches
# every other outbound connection from this host to port 80.
-A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed
user766453

2 Answers

You have the following line in your configuration:

-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT

However, there are two types of ICMP request that can be considered a small security concern:

Type  Name                  Reference
...
13    Timestamp             [RFC792]
...
17    Address Mask Request  [RFC950]

Type 13 is a request for the exact time according to the destination computer. The exact time can be used to exploit some very weak encryption algorithms in some network protocols, allowing an attacker to gain access to privileged information. Type 17 is a request for the netmask of the interface on which the request was received. A valid response can assist an attacker in learning about the topology of your network. In place of the above rule, I recommend the following three rules:

-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 13 -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 17 -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT

These rules will prevent the two forbidden ICMP types and allow all others.

jamesbtate

I am fairly new to Linux routing as well; the only other thing I've seen recommended is to change the default policy of INPUT to DROP/REJECT as well (iptables -P INPUT DROP). For some reason this is recommended even when your last rule is to DROP or REJECT, like yours.

Nicholi
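As an added example (not code from the question or from either answer), the following shell script lints the filter table of an iptables-save dump for the three points visible in this thread: a default INPUT policy of ACCEPT (Nicholi's answer), ICMP types 13 and 17 still accepted by the blanket --icmp-type any rule (jamesbtate's answer), and, as posted in the question, the FORWARD chain jumping into RH-Firewall-1-INPUT while the INPUT chain never does. The function name lint_filter and the embedded copy of the question's filter table are my own constructions.

```shell
# Constructed copy of the question's filter table (mangle and nat omitted).
RULESET=$(mktemp)
cat > "$RULESET" <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# lint_filter FILE: print one finding per line; prints nothing when clean.
lint_filter() {
    awk '
    /^\*/ { table = substr($0, 2); next }               # *filter, *nat, ...
    table != "filter" { next }
    /^:/ { sub(/^:/, "", $1); policy[$1] = $2; next }   # chain -> policy
    /^-A / {
        chain = $2; target = ""; type = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "--icmp-type") type = $(i + 1)
        }
        if (target != "") jumps[chain "->" target] = 1
        # an explicit REJECT/DROP of an ICMP type ahead of the blanket ACCEPT
        if (type != "" && (target == "REJECT" || target == "DROP")) blocked[type] = 1
        if (type == "any" && target == "ACCEPT" && !("13" in blocked && "17" in blocked))
            icmp_any = 1
        next
    }
    END {
        if (policy["INPUT"] == "ACCEPT")
            print "INPUT policy is ACCEPT: anything no rule matches is let in"
        for (c in policy)      # user-defined chains are listed with policy "-"
            if (policy[c] == "-" && !(("INPUT->" c) in jumps))
                print "INPUT never jumps to " c ": its rules do not apply to inbound traffic"
        if (icmp_any)
            print "ICMP: every type is accepted (types 13 and 17 are not filtered)"
    }' "$1"
}
lint_filter "$RULESET"
```

With the INPUT policy set to DROP, an -A INPUT -j RH-Firewall-1-INPUT jump added, and the two REJECT rules for types 13 and 17 placed ahead of the any-accept, the script prints nothing.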