Host Based Firewall Packet Filter

Most organizations have at least one firewall at their network border; however, they often do not secure the systems behind it well enough to withstand a direct attack. This allows attacks originating on the internal network to exploit vulnerable services that are not exposed to the Internet, and it lets an attacker who has breached the border firewall move easily through the internal network.

A popular firewall, or packet filter, that comes with most Linux distributions is IPTables. This firewall allows an administrator to filter out all nonproduction protocols and ports, whether open or closed, stopping port scanners from enumerating every service running on the server. Some port scanners, such as Nmap, can also attempt to identify the operating system, possibly allowing an attacker to exploit vulnerabilities in the OS. However, by restricting the protocols and ports the server responds to, these operating system guesses become much less accurate, reducing attack precision significantly.

IPTables can also be used to restrict access to more sensitive services, such as SSH or web management interfaces, so that only authorized IP addresses can connect to those ports. This isn't foolproof, since an attacker may be able to spoof an IP address; however, it definitely makes the server a less inviting target.

As an example, to configure IPTables to allow connectivity only to ports 80/TCP and 443/TCP from the Internet and to restrict access to port 22/TCP for management IP addresses, you can run all of the following commands in order.

First, flush all of the IPTable rules currently in place on the web server:

iptables -F
iptables -X

Then set up IPTables so it has a default deny filtering policy:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Accept incoming HTTP requests from anywhere to the web server (WEB_IP_ADDR) on port 80/TCP:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d WEB_IP_ADDR \
    --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

Allow outgoing HTTP responses from the web server on port 80/TCP to anywhere:

iptables -A OUTPUT -p tcp -s WEB_IP_ADDR --sport 80 -d 0/0 \
    --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Accept incoming HTTPS requests from anywhere to the web server on port 443/TCP:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d WEB_IP_ADDR \
    --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

Allow outgoing HTTPS responses from the web server on port 443/TCP to anywhere:

iptables -A OUTPUT -p tcp -s WEB_IP_ADDR --sport 443 -d 0/0 \
    --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Accept incoming SSH connections only from the management IP address (MGT_IP_ADDR) to the web server on port 22/TCP:

iptables -A INPUT -p tcp -s MGT_IP_ADDR --sport 1024:65535 -d WEB_IP_ADDR \
    --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Allow outgoing SSH traffic only from the web server on port 22/TCP to the management IP address:

iptables -A OUTPUT -p tcp -s WEB_IP_ADDR --sport 22 -d MGT_IP_ADDR \
    --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Finally, explicitly state that all other traffic not matching the above criteria gets dropped:

iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
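As an added example (not part of the original text), the same rule set written as a shell script that validates the two placeholder addresses and emits the rules in iptables-restore format, so the whole policy is loaded in one atomic step instead of command by command (running the default-deny policy before the SSH accept rule over a remote session would otherwise cut off the session). WEB_IP_ADDR and MGT_IP_ADDR are passed in as arguments; the 192.0.2.x and 198.51.100.x values used in the usage line are constructed documentation addresses.

```shell
#!/bin/sh
# Added example: build the page's IPTables policy as an iptables-restore
# ruleset. Usage (as root on the web server):
#   build_ruleset WEB_IP_ADDR MGT_IP_ADDR | iptables-restore
# Add --test to iptables-restore to parse the ruleset without committing it.

# is_ipv4 ADDR: returns 0 for a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ruleset WEB_IP MGT_IP: print the ruleset on stdout; returns 1 if
# either address is not a valid IPv4 address (nothing is printed then).
build_ruleset() {
    web=$1; mgt=$2
    is_ipv4 "$web" && is_ipv4 "$mgt" || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $web --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -s $web --sport 80 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $web --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -s $web --sport 443 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s $mgt --sport 1024:65535 -d $web --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -s $web --sport 22 -d $mgt --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
EOF
}

# apply_ruleset WEB_IP MGT_IP: load the policy atomically (requires root).
apply_ruleset() {
    build_ruleset "$1" "$2" | iptables-restore
}
```

Because iptables-restore replaces the filter table in a single transaction, the flush and policy steps from the page are covered by the `*filter` header and the `:CHAIN DROP` lines.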
