Friday, October 26, 2012

iptables on lubuntu 12.10

I recently had the requirement to really lock down a Lubuntu 12.10 VM (actually running a reverse proxy and a small httpd daemon), and one of the tools I used to do this with was iptables. Instead of posting my entire table/chain structure (which is obviously no one else's business except my own! ;-)), I thought I'd give an example of what I did and why.

From a security perspective, the problem with a lot of modern Linux distributions is that the default table/chain setup essentially allows all traffic on all ports. The default filter table has INPUT, FORWARD and OUTPUT chains, and each of these has its policy set to ACCEPT. From an end user's point of view (especially on user-friendly distros such as Ubuntu) this makes quite a bit of sense: you don't really want non-techie users of apps like Skype to have to modify iptables chains, they will simply move on to other distros. However, from a system admin's point of view, it's absolutely required that servers are locked down so that users can only access what you intend them to access, at least at the TCP level anyway.

So, let's assume we have an HTTP server running solely on port 80. The absolute minimum is to configure iptables to prevent access to all other ports except for port 80.

So, firstly, let's change the policy of all chains to be DROP rather than ACCEPT, which means that all traffic will be blocked unless explicitly allowed:
# flush all rules first
$ sudo iptables -F

# Now, change INPUT, FORWARD and OUTPUT chains to be a default of DROP
$ sudo iptables -P INPUT DROP
$ sudo iptables -P FORWARD DROP
$ sudo iptables -P OUTPUT DROP

# Now, allow all port 80 traffic on both INPUT and OUTPUT.
# Requests to our HTTP server arrive with destination port 80 (INPUT --dport),
# and its replies leave with source port 80 (OUTPUT --sport).
$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
Note that this will block EVERYTHING except port 80 traffic. iptables can be used to set up really complex (or simple) rule chains which allow you to lock down any machine. For example, the machine I'm typing on now has a similar rule chain to the above, but allowing port 80 (HTTP), port 443 (HTTPS), port 53 (DNS) and port 6697 (for SSL/TLS IRC connections).
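As an added example (my own code, not part of the original post), here is the same DROP-by-default approach written as a small POSIX shell generator for an iptables-restore file. It goes a bit beyond the post's rules: it keeps the three chains at DROP, but also allows loopback traffic and replies to already-accepted connections via conntrack, and it separates the two directions the post mixes, ports this host serves (inbound --dport) from remote ports this host may connect to as a client (outbound --dport). The function names gen_ruleset and count_rules and the port lists "80" and "53 443" are assumptions chosen for the example, not anything from the post.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a host that serves a few TCP ports
# and is allowed to reach a few remote TCP ports as a client.
# Usage: gen_ruleset "80 443" "53 443" > rules.v4
#        then review it and load it with: sudo iptables-restore < rules.v4
# (example code; gen_ruleset and count_rules are names assumed for this example)

gen_ruleset() {
    serve_ports=$1    # TCP ports this host listens on (inbound --dport)
    client_ports=$2   # remote TCP ports this host may connect to (outbound --dport)

    printf '%s\n' '*filter'
    # Default policy DROP on all three chains, exactly as the post sets with -P.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Loopback: local services (and a reverse proxy talking to a backend on
    # 127.0.0.1) break if lo is caught by the DROP policy.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # Stateful shortcut: packets belonging to a connection we already accepted
    # are allowed in both directions, so only the opening SYN needs a port rule.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Server side: a listener on port N sees new inbound connections with --dport N.
    for p in $serve_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Client side: a new outbound connection to remote port N leaves with --dport N.
    for p in $client_ports; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of -A rules in a generated ruleset: a quick sanity check before loading,
# so a typo in a port list does not silently produce an empty policy.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# Stand-alone use: a web server on port 80 that may also do DNS and HTTPS outbound.
gen_ruleset "${1:-80}" "${2:-53 443}"
```

The generated file is plain text, so it can be diffed and reviewed before it is loaded, which is much easier than auditing a chain built up by a series of ad hoc iptables -A commands. Note that the example only covers TCP, in line with the post; DNS over UDP would need a matching -p udp --dport 53 rule in OUTPUT.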

The only downside with this is that rule chains can become complex unless you keep them as simple as you can. Once you get used to writing iptables chains you find they are easy to set up, and you can be sure that you've added yet another powerful security barrier to your system.
