
Short version: I have a CentOS 6.5 with two NICs, one connected to the internet and one connected to the internal network. The services that shouldn't be accessible to the internet don't listen on that interface. Do I still need iptables?

Longer version:

I have a machine running CentOS 6.5. eth0 is connected to our internal network (actually a DMZ that is protected, but it is RFC1918 space). eth1 is connected to our external network (directly accessible from the internet).

For the purpose of discussion, let's pretend eth0 is 10.1.1.1 and eth1 is 198.252.206.140.

The machine is running 2 services: ssh and http.

We only want HTTP to be accessible from the internet, so we have iptables with rules that block traffic on eth1 if it isn't port 80. We also permit ICMP.

However we just reconfigured SSH to only listen on 10.1.1.1 and 127.0.0.1. SSH'ing to 198.252.206.140 gets a "connection refused".

What do we lose if we turn off iptables?

I assert we lose nothing by turning off iptables. In fact, we gain a small performance win.

Yes, there are non-technical issues, for example if someone accidentally enables a new service and it is listening on all interfaces, we're vulnerable.

However this question is specifically about how the Linux kernel processes packets once they are received.

TomOnTime

  • I don't think it's a valid assumption that a service will never get enabled, or enabled on an unexpected interface. Most people do make mistakes on occasion. – Michael Hampton Mar 20 '14 at 15:41
  • I grant that it is a big assumption. I'm all in favor of "belt && suspenders" security. However I want to know if this is that, or if there is something actually being protected. – TomOnTime Mar 20 '14 at 15:48
  • Do you mean: "Can someone exploit a kernel bug if the firewall is off?" – Michael Hampton Mar 20 '14 at 15:55
  • Hrm, the linked duplicate is not Linux specific, but this question is specific to iptables. One rule in a typical iptables firewall will block INVALID packets, which may include lots of weird things that could potentially be destined for the port with a listening service. Sure this will often also be blocked on the perimeter firewall, but if you don't have one, you might get invalid packets getting to your service. – Zoredache Mar 20 '14 at 16:54
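The comments above hinge on the "someone enables a service on all interfaces" failure mode: once a daemon binds to the wildcard address, only the packet filter stands between it and eth1. The following shell script is an added example, not code from the question or its commenters. It audits listening TCP sockets for anything reachable through the external interface and prints the eth1 ruleset the question describes (with the INVALID drop Zoredache mentions) as the fallback that catches such mistakes. The `ss -lnt` output is a constructed sample in the CentOS 6 column layout; the addresses 10.1.1.1 and 198.252.206.140 are the question's own placeholders, and `awk` is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the original question): find listeners on a
# dual-homed host that the internet-facing interface (eth1) would expose.
# Assumed addresses follow the question: eth0 = 10.1.1.1, eth1 = 198.252.206.140.
EXTERNAL_IP="198.252.206.140"

# Constructed sample of `ss -lnt` output (State Recv-Q Send-Q Local:Port Peer:Port).
# sshd is bound correctly; httpd is on the wildcard on purpose; the 3306 and 8080
# entries stand in for an accidentally enabled service.
SAMPLE_SS_OUTPUT='State      Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN     0      128    10.1.1.1:22        *:*
LISTEN     0      128    127.0.0.1:22       *:*
LISTEN     0      128    *:80               *:*
LISTEN     0      128    *:3306             *:*
LISTEN     0      128    198.252.206.140:8080 *:*'

# Print "ADDR PORT" for every listener reachable via eth1: wildcard binds
# (*, 0.0.0.0, ::) and binds to the external address itself. Loopback and
# internal-only binds are ignored, because the kernel refuses those from eth1
# regardless of iptables (the "connection refused" the question observed).
exposed_listeners() {
    printf '%s\n' "$1" | awk -v ext="$EXTERNAL_IP" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            port = parts[n]
            # strip ":port" so IPv6 wildcards like ":::80" yield "::"
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == ext)
                print addr, port
        }'
}

# Filter the exposed listeners down to ports NOT in the allow list ($2, space
# separated). Anything printed here is exactly what a default-deny iptables
# policy on eth1 would still have blocked after a misconfiguration.
unexpected_exposure() {
    exposed_listeners "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print }'
}

# The eth1 policy the question describes, as the fallback for the case above:
# keep established flows, drop INVALID (malformed/out-of-state packets that
# would otherwise reach a listening socket), allow ICMP and port 80, deny the rest.
external_iptables_rules() {
    cat <<'EOF'
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state INVALID -j DROP
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth1 -j DROP
EOF
}

# Usage on a live host: unexpected_exposure "$(ss -lnt)" "80"
echo "Listeners reachable from eth1 that are not on the allow list (80):"
unexpected_exposure "$SAMPLE_SS_OUTPUT" "80"
```

Run against the real `ss -lnt` output, an empty result from `unexpected_exposure` confirms the "nothing else is listening" assumption at that moment; the ruleset printed by `external_iptables_rules` is what keeps that true after the next accidental `service foo start`.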

0 Answers