
[ubuntu] Any security issues with my firewall?



mick_dundee
February 5th, 2010, 06:11 PM
Sorry if this is the wrong forum, I wasn't sure if this should be networking or security!

I set up ubuntu 9.04 server (32bit) to use as a router/firewall. I have a windows desktop machine, a few laptops and iphones behind it. The main things I want are internet access from all devices, external ssh access into the router and to be able to RDP into the desktop machine. The configuration I have seems to be doing the trick but I wanted to know if anyone could see any flaws/offer any advice on making it more secure.

Internal network is 192.168.1.0/24 (on eth0). eth5 is external connection.

# Generated by iptables-save v1.4.1.1 on Fri Feb 5 17:06:11 2010
*nat
:PREROUTING ACCEPT [41533:5418249]
:POSTROUTING ACCEPT [5:365]
:OUTPUT ACCEPT [3145:231407]
-A POSTROUTING -o eth5 -j MASQUERADE
COMMIT
# Completed on Fri Feb 5 17:06:11 2010
# Generated by iptables-save v1.4.1.1 on Fri Feb 5 17:06:11 2010
*filter
:INPUT DROP [16828:3677099]
:FORWARD DROP [493:52671]
:OUTPUT DROP [274:65199]
-A INPUT -i eth5 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -i eth5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d ! 192.168.1.0/24 -o eth5 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -o eth0 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s 192.168.1.0/24 -j ACCEPT
-A OUTPUT -o eth5 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth5 -m state --state NEW,RELATED -j ACCEPT
COMMIT
# Completed on Fri Feb 5 17:06:11 2010

I know the rule for RDP isn't there - I add/remove that via ssh so that the port is only open when I need to use my desktop machine - which I can fire up with wol.

The rules for that are:

-A FORWARD -p tcp --dport 3389 -o eth0 -j ACCEPT
-A PREROUTING -p tcp -i eth5 --dport 3389 -j DNAT --to 192.168.1.x:3389

Thanks guys and gals :)
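
Added audit script (not part of the original post or of any firewall tool): it parses the poster's INPUT and FORWARD chains, copied below with counters zeroed, and flags the two points a reviewer would raise, the LAN-source accept that is not pinned to eth0 (a packet arriving on eth5 with a forged LAN source matches it unless reverse-path filtering catches it first) and the return rule that allows ESTABLISHED but not RELATED. The function names, finding texts and the eth5/192.168.1.0/24 defaults are my own choices.

```python
import shlex

# Constructed copy of the poster's INPUT and FORWARD chains (counters zeroed).
RULESET = """\
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth5 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -i eth5 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d ! 192.168.1.0/24 -o eth5 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -o eth0 -m state --state ESTABLISHED -j ACCEPT
"""

def parse(dump):
    # Returns (chain policies, rules); each rule maps option -> value.
    policies, rules = {}, []
    for line in dump.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            toks = shlex.split(line)
            rule, i = {"chain": toks[1]}, 2
            while i < len(toks):
                key = toks[i]
                val = toks[i + 1] if i + 1 < len(toks) else ""
                if val == "!":  # old-style negation: -d ! 192.168.1.0/24
                    val, i = "!" + toks[i + 2], i + 1
                rule[key] = val
                i += 2
            rules.append(rule)
    return policies, rules

def audit(dump, ext_if="eth5", lan="192.168.1.0/24"):
    # Returns a list of findings; an empty list means nothing was flagged.
    policies, rules = parse(dump)
    findings = [f"{c} policy is {policies.get(c)}, not DROP"
                for c in ("INPUT", "FORWARD", "OUTPUT") if policies.get(c) != "DROP"]
    for r in (r for r in rules if r.get("-j") == "ACCEPT"):
        # A LAN-source accept not pinned to an interface also matches a forged LAN source on ext_if.
        if r["chain"] == "INPUT" and r.get("-s") == lan and "-i" not in r:
            findings.append("INPUT accepts LAN source on any interface; add -i <lan-if>")
        # ESTABLISHED alone drops RELATED replies (ICMP errors, helper data channels).
        if r["chain"] == "FORWARD" and r.get("--state") == "ESTABLISHED":
            findings.append("FORWARD return rule lacks RELATED")
        # Accepts on the external interface should be stateful or port-specific.
        if (r["chain"] == "INPUT" and r.get("-i") == ext_if
                and "--state" not in r and "--dport" not in r):
            findings.append(f"INPUT accepts unrestricted traffic on {ext_if}")
    return findings
```

Run `audit(RULESET)` to see the two findings; feed it your own `iptables-save` output once the fixes are in and it should return an empty list.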

BkkBonanza
February 5th, 2010, 06:36 PM
You may want to add filtering for martians and bogon packets. My APF firewall has that stuff and it seems to add rules for the following, though I'm not sure this is complete:

http://en.wikipedia.org/wiki/Bogon_filtering
http://en.wikipedia.org/wiki/Martian_packet


DROP all -- 0.0.0.0/8 anywhere
DROP all -- 5.0.0.0/8 anywhere
DROP all -- 14.0.0.0/8 anywhere
DROP all -- 23.0.0.0/8 anywhere
DROP all -- 31.0.0.0/8 anywhere
DROP all -- 36.0.0.0/8 anywhere
DROP all -- 37.0.0.0/8 anywhere
DROP all -- 39.0.0.0/8 anywhere
DROP all -- 42.0.0.0/8 anywhere
DROP all -- 49.0.0.0/8 anywhere
DROP all -- 50.0.0.0/8 anywhere
DROP all -- 100.0.0.0/8 anywhere
DROP all -- 101.0.0.0/8 anywhere
DROP all -- 102.0.0.0/8 anywhere
DROP all -- 103.0.0.0/8 anywhere
DROP all -- 104.0.0.0/8 anywhere
DROP all -- 105.0.0.0/8 anywhere
DROP all -- 106.0.0.0/8 anywhere
DROP all -- 107.0.0.0/8 anywhere
DROP all -- 127.0.0.0/8 anywhere
DROP all -- 169.254.0.0/16 anywhere
DROP all -- 176.0.0.0/8 anywhere
DROP all -- 177.0.0.0/8 anywhere
DROP all -- 179.0.0.0/8 anywhere
DROP all -- 181.0.0.0/8 anywhere
DROP all -- 185.0.0.0/8 anywhere
DROP all -- 192.0.2.0/24 anywhere
DROP all -- 198.18.0.0/15 anywhere
DROP all -- 198.51.100.0/24 anywhere
DROP all -- 203.0.113.0/24 anywhere
DROP all -- 223.0.0.0/8 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/3 anywhere


It also adds sanity checks for flags that shouldn't be possible.

Chain FRAG_UDP (2 references)
target prot opt source destination
DROP udp -f anywhere anywhere

Chain IN_SANITY (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN

I use this on my web server so it also has a bunch of P2P filters present.
There's probably more too.

VcDeveloper
October 6th, 2010, 04:15 AM
You may want to add filtering for martians and bogon packets. My APF firewall has that stuff and it seems to add rules for the following, though I'm not sure this is complete,

http://en.wikipedia.org/wiki/Bogon_filtering


Do I keep Bogon blocked? Because it's just filling up my IPBlock log, or is there a way to drop the packet maybe using GuardDog or GuardGuide?

Agent ME
October 6th, 2010, 06:41 AM
http://en.wikipedia.org/wiki/Bogon_filtering
...
DROP all -- 49.0.0.0/8 anywhere


Just a tip, the wikipedia article mentions that 49.0.0.0/8 is no longer a bogon address range as of just a few months ago :P Seems like it could be a pain to keep that up-to-date.

BkkBonanza
October 6th, 2010, 08:11 AM
These iptables rules above just DROP the packets. This causes a timeout delay to the "attacker", which is generally good since it slows them down. If you have these rules in your firewall (iptables) then there isn't a need to have them also in an IP block tool and especially if they get logged it's probably not worth it.

VcDeveloper
October 6th, 2010, 04:47 PM
These iptables rules above just DROP the packets. This causes a timeout delay to the "attacker", which is generally good since it slows them down. If you have these rules in your firewall (iptables) then there isn't a need to have them also in an IP block tool and especially if they get logged it's probably not worth it.

I'm getting outbound Bogon blocks, is this normal for servers or do I have a problem?

Time - 192.168.1.74:5353 - 224.0.0.251:5353 - Blocked - Hits - Out

The list I have currently is:
Level1
ads-trackers-and-bad-pr0m
spyware
bogon
china

...any suggestions on others I should have?

VcDeveloper
October 7th, 2010, 04:26 PM
Any suggestions?