Iptables 101 for dummies. Need advice.

razirazo · January 6, 2017, 9:24am

So I have this rules as template before I add necessary accept rules. Some was taken from default rules in centOS’s iptables service.


razirazo:/ # cat /etc/rc.d/boot.local
#! /bin/sh
 iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
 iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
 iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -A INPUT -p icmp -j ACCEPT
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
 iptables -A FORWARD -j REJECT

Is this good enough as boilerplate for desktop and personal server?

also what is the difference between

-A INPUT -p tcp --dport 443 -j ACCEPT

and

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

What makes the latter any ‘better’ than the first? What are the downsides?

hcvv · January 6, 2017, 10:17am

I am not able to understand all the details of the iptable rules you post here. But IMHO you should consider to rethink your questions. You ask if they are “good enough” and later, which one is “better”. But you never explained your exact goal. This is about security, which is always a trade off between security and ease of use. Only you can decide where in your case lies the boundary between the two and thus what is “good enough”.

I e.g. have SuSEfirewall2 switched off and have no IP table rules defined elsewhere (as you seem to do). I trust the firewall functionality of my router to protect all of my LAN. That is “good enough” for me.

smpoole7 · January 6, 2017, 4:12pm

One good way to become familiar with iptables rules is to open a terminal, do an “iptables-save > filename,” then examine the text file “filename.” We use CentOS on one of our Webservers; here’s the rule that opens port 80:

-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

If you have Webmin on your Cent box, use the provided firewall GUI to set up a rule. Then use Webmin’s firewall/firewalld configurator to look at your rules. You’ll typically see something like, “NEW, ESTABLISHED” in the rule for each opened port. (Note: I don’t recommend Webmin on a Suse box. Yast is vastly superior.)

iptables is a stateful firewall, which means that it can keep track of connections. So, if the connection request is NEW, iptables permits it, then makes a note of it. The server may pick some random (typically high) port number to return stuff to the client, once the connection is ESTABLISHED. It allows the client connection to pass transparently until broken or closed. iptables can keep up with this.

The man page for iptables is more confusing than a recipe for a 10-course meal. If you Google it, you’ll find some decent tutorials online. But I’ll agree that it’s not easy. (Geeks. What can I say?)

The biggest mistake that beginners make (Stephen blushes and raises his hand) is forgetting that there’s a big difference between “iptables -A” (add) and “iptables -I” (insert). iptables evaluates rules strictly in list order. Simply put, if you have rules that say,

ETHO - allow all
ETHO - drop all

… you’ve got a wide open firewall. The first rule overrides the second. To ensure that a rule goes at the top of the chain, use (I)insert.

If at all possible, use Yast’s firewall configuration tool. It does the heavy lifting for you. If you like, you can then do an iptables-save > textfile, then search for your port number in the text file. SuSE adds a lot of extra rules for rate limiting and logging, but you can still get an idea of what it’s up to that way. Look at the ACCEPT rules for your port numbers.

tsu2 · January 6, 2017, 7:16pm

Before any of the above,

To the @OP,
If you are very new to openSUSE, the very first thing you should do is open YaST (typically from a Desktop menu selection).

openSUSE is unique among all Linux distros in that it has an extensive and extremely capable collection of graphical modules you can use to manage your openSUSE, which includes software installation, updating, configurations and many more. This means that unless you really want to, you often don’t have to edit configuration files directly with uncertain results.

And configuring IP Tables is one of these things that can be configured in YAST, and is called SuseFW2 (but in YAST it’s just called the firewall).
If you installed it during your openSUSE install (by default it’s installed) it’ll be configured with a good starting point… Deny everything coming in on every interface but allow everything you initiate on your machine.

The SuseFW2 tool is also useful for customizing for your use.
If you install a Server application… for example a Web Server then you can use this same tool to open the standard ports for your Web Server service without manually configuring the TP Tables files.

Here is the online community documentation that describes all this
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.firewall.html

HTH,
TSU

razirazo · January 11, 2017, 4:44pm

I dont have exact goal. as I said it is a basic template. So it do simple thing: block every connection, but do it in educated manner in such way that you will still allow loopback, ping etc.
Any goals will be amended from that template.
I don’t like the idea of setting firewall rule on my router, for the same reason I don’t want my ISP enforcing firewall rule on their router.

smpoole7:

One good way to become familiar with iptables rules is to open a terminal, do an “iptables-save > filename,” then examine the text file “filename.” We use CentOS on one of our Webservers; here’s the rule that opens port 80:
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
If you have Webmin on your Cent box, use the provided firewall GUI to set up a rule. Then use Webmin’s firewall/firewalld configurator to look at your rules. You’ll typically see something like, “NEW, ESTABLISHED” in the rule for each opened port. (Note: I don’t recommend Webmin on a Suse box. Yast is vastly superior.)

iptables is a stateful firewall, which means that it can keep track of connections. So, if the connection request is NEW, iptables permits it, then makes a note of it. The server may pick some random (typically high) port number to return stuff to the client, once the connection is ESTABLISHED. It allows the client connection to pass transparently until broken or closed. iptables can keep up with this.

The man page for iptables is more confusing than a recipe for a 10-course meal. If you Google it, you’ll find some decent tutorials online. But I’ll agree that it’s not easy. (Geeks. What can I say?)

The biggest mistake that beginners make (Stephen blushes and raises his hand) is forgetting that there’s a big difference between “iptables -A” (add) and “iptables -I” (insert). iptables evaluates rules strictly in list order. Simply put, if you have rules that say,

ETHO - allow all
ETHO - drop all

… you’ve got a wide open firewall. The first rule overrides the second. To ensure that a rule goes at the top of the chain, use (I)insert.

If at all possible, use Yast’s firewall configuration tool. It does the heavy lifting for you. If you like, you can then do an iptables-save > textfile, then search for your port number in the text file. SuSE adds a lot of extra rules for rate limiting and logging, but you can still get an idea of what it’s up to that way. Look at the ACCEPT rules for your port numbers.

So is that means there will be performance improvement if I added the connection tracking part?
If I understand it right, “-m state --state RELATED,ESTABLISHED -j ACCEPT” and its accompanying “-m state --state NEW … -j ACCEPT” essentially ‘cache’ the connection so it don’t have to look it up for every subsequent packet or related new connection. is that correct?

tsu2:

Before any of the above,

To the @OP,
If you are very new to openSUSE, the very first thing you should do is open YaST (typically from a Desktop menu selection).

openSUSE is unique among all Linux distros in that it has an extensive and extremely capable collection of graphical modules you can use to manage your openSUSE, which includes software installation, updating, configurations and many more. This means that unless you really want to, you often don’t have to edit configuration files directly with uncertain results.

And configuring IP Tables is one of these things that can be configured in YAST, and is called SuseFW2 (but in YAST it’s just called the firewall).
If you installed it during your openSUSE install (by default it’s installed) it’ll be configured with a good starting point… Deny everything coming in on every interface but allow everything you initiate on your machine.

The SuseFW2 tool is also useful for customizing for your use.
If you install a Server application… for example a Web Server then you can use this same tool to open the standard ports for your Web Server service without manually configuring the TP Tables files.

Here is the online community documentation that describes all this
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.firewall.html

HTH,
TSU

I have been using SUSE for like 10 years. Not a professional admin, but I love to know the exact working of whatever I use.
I love Yast. But Firewall GUI is another story. I find setting up a simple rule on GUI is unnecessarily confusing.

Just want to totally block or open the ports, nothing in between; And additionally some simple forwarding and SNATting in servers.

Im having headache trying to understand the whatever it says in that overworked gui -
what is internal zone? external zone? wut? wait, I wait to register arbitrary port range for basic filtering. where is it? where is it? oh that freaking “advanced button”; I want to masquerade, but hey you cant do that because one of your adapter is not online or for whatever reason not appeared on the list. But… but I know its name and IP, im going to configure it later on. Nah kid Im a mighty gui, I can’t see it so its totally not exist and not going to exist.

…At the end its just easier to just slap my rules in rc and back to work.

tsu2 · January 11, 2017, 6:32pm

razirazo:

<snip>

I have been using SUSE for like 10 years. Not a professional admin, but I love to know the exact working of whatever I use.
I love Yast. But Firewall GUI is another story. I find setting up a simple rule on GUI is unnecessarily confusing.

Just want to totally block or open the ports, nothing in between; And additionally some simple forwarding and SNATting in servers.

Im having headache trying to understand the whatever it says in that overworked gui -
what is internal zone? external zone? wut? wait, I wait to register arbitrary port range for basic filtering. where is it? where is it? oh that freaking “advanced button”; I want to masquerade, but hey you cant do that because one of your adapter is not online or for whatever reason not appeared on the list. But… but I know its name and IP, im going to configure it later on. Nah kid Im a mighty gui, I can’t see it so its totally not exist and not going to exist.

…At the end its just easier to just slap my rules in rc and back to work.

Like many other graphical tools,
The SUSEfirewall2 (typically managed through the YAST firewall module) tries to remove the intricate details from the User and allows the User to focus on concepts. Your current approach to want to configure details without understanding the result of those details is not recommended, it’s like building a house… You might want to rush in and start pounding nails but if you have no blueprints or plans your house is going to look funny and not likely work very well. Regardless whether you use a GUI or not, understanding the basics of a firewall is inescapable and required.

It’s worth learning what the standard firewall zones are, for starters.
That’s fundamental to all firewalls because each zone collectively defines the use and required security levels of every attached network, and introduces the critical concept that each must be isolated from the others. Violate the principles of zones due to lack of understanding or willful action will mean your firewall becomes useless.

SUSEfirewall2 should be a good start for anyone who know very little about firewalls because it doesn’t require the User to know anything complex, only essential basics. The time you put in to understanding only what is in SUSEfirewall2 will be completely applicable to every other version of firewall, including other types of firewalls, more complex configurations and deployments.

You should also understand that “Services” are typically names for common applications that use standard IANA listed ports, so you don’t have to look up or configure ports directly… Just reference the name and the details are implemented for you.

If you want more info on both editing IP Tables directly or using SUSEFW2, you might start with the community docs on the subject…

https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.firewall.html

TSU