firewall - iptables - questions
basilis
bts at the.forthnet.gr
Sun Jan 7 20:52:51 EET 2007
I'm starting a new thread, because in the MTU topic we drifted into unrelated
subjects, which nevertheless interest me.
These days I'm tidying up my firewall script a bit. My main point of
reference is Oskar Andreasson's tutorial, which can be found at
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
I have questions on 2-3 points.
1. The above tutorial recommends that all incoming packets go through the
following check:
# Reject, with a TCP RST, SYN/ACK packets that conntrack considers NEW
iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW \
    -j REJECT --reject-with tcp-reset
# Log, then drop, packets considered NEW that do not carry the SYN bit
iptables -A INPUT -p tcp ! --syn -m state --state NEW \
    -j LOG --log-prefix "New not syn:"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Explaining why, the tutorial's author says:
" The bad_tcp_packets chain is devoted to containing rules that inspect
incoming packets for malformed headers or other problems. As it is, we
have only chosen to include a packet filter which blocks all incoming
TCP packets that are considered as NEW but do not have the SYN bit set,
as well as a rule that blocks SYN/ACK packets that are considered NEW.
This chain could be used to check for all possible inconsistencies, such
as above or XMAS port-scans etc. We could also add rules that look for
state INVALID.
If you want to fully understand the NEW not SYN, you need to look at the
State NEW packets but no SYN bit set section in the Common problems and
questions appendix regarding state NEW and non-SYN packets getting
through other rules. These packets could be allowed under certain
circumstances but in 99% of the cases we wouldn't want these packets to
get through. Hence, we log them to our logs and then we DROP them.
The reason that we REJECT SYN/ACK packets that are considered NEW is
also very simple. It is described in more depth in the SYN/ACK and NEW
packets section in the Common problems and questions appendix.
Basically, we do this out of courtesy to other hosts, since we will
prevent them from being attacked in a sequence number prediction attack. "
Do you agree with the above?
2. Regarding ICMP packets:
The author of the above tutorial suggests:
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT    # echo-request
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT   # time-exceeded
That is, he only lets in ICMP types 8 and 11. Of course, at the start of
the script all ESTABLISHED and RELATED connections are allowed through.
He explains his choice as follows:
"This is where we decide what ICMP types to allow. If a packet of ICMP
type comes in on eth0 on the INPUT chain, we then redirect it to the
icmp_packets chain as explained before. Here we check what kind of ICMP
types to allow. For now, I only allow incoming ICMP Echo requests, TTL
equals 0 during transit and TTL equals 0 during reassembly. The reason
that we do not allow any other ICMP types per default here, is that
almost all other ICMP types should be covered by the RELATED state rules.
Note
If an ICMP packet is sent as a reply to an already existing packet or
packet stream it is considered RELATED to the original stream. For more
information on the states, read the The state machine chapter.
The reason that I allow these ICMP packets is as follows: Echo Requests
are used to request an echo reply, which in turn is used to mainly ping
other hosts to see if they are available on any of the networks. Without
this rule, other hosts will not be able to ping us to see if we are
available on any network connection. Do note that some people would tend
to erase this rule, since they simply do not want to be seen on the
Internet. Deleting this rule will effectively render any pings to our
firewall totally useless from the Internet since the firewall will
simply not respond to them.
Time Exceeded (i.e., TTL equals 0 during transit and TTL equals 0 during
reassembly), is allowed in the case we want to trace-route some host or
if a packet gets its Time To Live set to 0, we will get a reply about
this. For example, when you trace-route someone, you start out with TTL
= 1, and it gets down to 0 at the first hop on the way out, and a Time
Exceeded is sent back from the first gateway en route to the host we are
trying to trace-route, then TTL = 2 and the second gateway sends Time
Exceeded, and so on until we get an actual reply from the host we
finally want to get to. This way, we will get a reply from each host on
our way to the actual host we want to reach, and we can see every host
in between and find out what host is broken.
For a complete listing of all ICMP types, see the ICMP types appendix .
For more information on ICMP types and their usage, I suggest reading
the following documents and reports:
* RFC 792 - Internet Control Message Protocol by J. Postel.
Note
As a side-note, I might be wrong in blocking some of these ICMP types
for you, but in my case, everything works perfectly while blocking all
the ICMP types that I do not allow. "
What is your opinion?
Thank you very much.
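As an added example that is not part of the original post or of the frozentux tutorial, here is a small POSIX shell script that generates the two chains under discussion (the bad_tcp_packets sanity checks and the icmp_packets whitelist) together with the INPUT rules that feed them, so the complete ruleset can be reviewed as plain text before anything is loaded. The chain names, the NEW-not-SYN, SYN/ACK and ICMP type 8/11 rules follow the post; the variable INET_IFACE, the file name fw.sh, the XMAS/NULL flag checks and the rule ordering in INPUT are my assumptions, not something the post or the tutorial author specifies.

```shell
#!/bin/sh
# Added example (not from the post or the frozentux tutorial): emit the
# bad_tcp_packets and icmp_packets chains discussed above as a reviewable
# list of iptables commands. "sh fw.sh" prints them; "sh fw.sh | sudo sh"
# loads them. INET_IFACE is an assumed variable name (default eth0).
INET_IFACE="${INET_IFACE:-eth0}"

# Print one iptables command, single-quoting any argument that contains
# characters the shell would otherwise interpret (e.g. the LOG prefix).
rule() {
    cmd="iptables"
    for arg in "$@"; do
        case $arg in
            *[!A-Za-z0-9,.:/_=+!-]*) cmd="$cmd '$arg'" ;;
            *) cmd="$cmd $arg" ;;
        esac
    done
    printf '%s\n' "$cmd"
}

emit_rules() {
    # bad_tcp_packets: sanity checks that every incoming TCP packet passes.
    rule -N bad_tcp_packets
    # A SYN/ACK that conntrack classes as NEW answers a SYN we never sent
    # (e.g. one spoofed from our address). A RST tells the other host to
    # drop the half-open connection instead of keeping it around.
    rule -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
        -m state --state NEW -j REJECT --reject-with tcp-reset
    # NEW without SYN: either a connection that predates the ruleset or a
    # scan (ACK/FIN probes). Log so the source is visible, then drop.
    rule -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
        -j LOG --log-prefix "New not syn:"
    rule -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
    # Flag combinations no real TCP stack emits: all set (XMAS) or none (NULL).
    rule -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
    rule -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP

    # icmp_packets: the only ICMP types allowed to start a new exchange.
    rule -N icmp_packets
    rule -A icmp_packets -p icmp --icmp-type 8 -j ACCEPT    # echo-request
    rule -A icmp_packets -p icmp --icmp-type 11 -j ACCEPT   # time-exceeded
    # Other types (destination-unreachable, fragmentation-needed, ...) only
    # arrive as RELATED to an existing flow and are accepted in INPUT below.

    # INPUT: default deny, TCP sanity checks first, then the state rule.
    rule -P INPUT DROP
    rule -A INPUT -p tcp -j bad_tcp_packets
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
}

emit_rules
```

Generating the commands instead of running them directly means the LOG prefix and the flag masks can be checked by eye (or diffed against a previous version) before the ruleset touches a remote box; a typo in a DROP rule on a machine you reach only over SSH is hard to undo.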