#1 johnnygear (Just Joined!, joined Apr 2012, 7 posts)

    iptables question: default DROP policy and TCP Three Way Handshake


    Hi All,

    My default policy for an iptables config I am working on is as follows:

    Code:
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    I understand that in most cases, because the OUTPUT chain default policy is DROP, 2 rules are required so traffic can flow both ways (INPUT and OUTPUT) - basically, everything that requires thoroughfare must be whitelisted.

    My question is regarding the TCP Three Way Handshake - currently the only rule I have for it is:

    Code:
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    I believe I need an OUTPUT rule to allow the initial SYN packet out and also one to allow the final ACK packet. I was wondering if someone could help me to craft the most restrictive rules possible to allow this.

    Here is what I have so far:

    This is the conventional example I have seen:
    Code:
    iptables -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    Can I get away with just this? If not, why not?
    Code:
    iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    Is something like this possible in place of the above?
    (not sure if I have the right flags - advice is welcome)
    Code:
    iptables -A OUTPUT -p tcp -m tcp --tcp-flags SYN SYN -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    Thanks in advance.

    Regards,

    Johnny

#2 Lazydog (Linux Guru, The Keystone State, joined Jun 2004, 2,677 posts)
    Quote Originally Posted by johnnygear View Post
    This is the conventional example I have seen:
    Code:
    iptables -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    The above rule will only allow TCP connections. What happens if you want to start UDP or ICMP? They are not allowed according to your setup. The following rule is a catch-all to allow everything out:
    Code:
    iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    Then again you could simply change the policy to ACCEPT
    Code:
    iptables -P OUTPUT ACCEPT
    The difference here is with the rule you add a connection to the tracking DB to allow the INPUT rule to match against. With the Policy set to ALLOW no connections are tracked.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

#3 Lazydog (Linux Guru, The Keystone State, joined Jun 2004, 2,677 posts)
    Forgot to add the following link for you to read up on IPTABLES
    Iptables Tutorial 1.2.2

    Regards
    Robert


#4 johnnygear (Just Joined!, joined Apr 2012, 7 posts)
    Quote Originally Posted by Lazydog View Post
    The above rule will only allow TCP connections. What happens if you want to start UDP or ICMP? They are not allowed according to your setup. The following rule is a catch all to allow everything out;
    Code:
    iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    Then again you could simply change the policy to ACCEPT
    Code:
    iptables -P OUTPUT ACCEPT
    The difference here is with the rule you add a connection to the tracking DB to allow the INPUT rule to match against. With the Policy set to ALLOW no connections are tracked.
    Thanks for the response Lazydog. I also appreciate the link to the tutorial, it will be very useful to me.

    This is only a small portion of my intended iptables config - I have another section devoted to only letting the bare minimum requirements for ICMP through. Those would be type 0, type 3/4, 3/3, 3/1, type 8 with a rate limit, type 11 and type 12. From my understanding, I may need type 4 (source quench), but I am going to do some testing with that. Also, I have added rules for DNS as well. I think that would be the only common UDP service.

    You have clarified much of what I was uncertain about but I have another more pressing question now.

    My goal with this config is to have the most restrictive base config and work from there. That is why I went with the default DROP policy for OUTPUT. I understand that the TCP three way handshake is a requirement for all TCP protocols but can I only allow that handshake to occur for certain protocols? Say for example, if I wanted to allow only SSH out - would the following rule provide that, or do I need to do something differently?

    Code:
    iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    What I am basically asking here is whether I can use the default DROP policy for the OUTPUT chain, and only 'whitelist' the services I want to allow out?

    Regards,

    Johnny

#5 Lazydog (Linux Guru, The Keystone State, joined Jun 2004, 2,677 posts)
    Quote Originally Posted by johnnygear View Post
    What I am basically asking here is whether I can use the default DROP policy for the OUTPUT chain, and only 'whitelist' the services I want to allow out?
    Yes. This is SOP for most companies and any admin worth their salt. You start off with a completely locked down firewall, then open the ports that are needed; this way you do not overlook something.

    As for your rules, I would start INPUT, OUTPUT and FORWARD with the following rule:
    Code:
    iptables -A <Type Chain> -m state --state ESTABLISHED,RELATED -j ACCEPT
    That way the kernel doesn't have to read all the rules in the chain to match an already allowed connection.

    Regards
    Robert

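Putting the thread's advice together, here is an added example (not code from any of the posters): a script that emits an egress-whitelist ruleset for a host with DROP policies on all three chains, in iptables-restore(8) format so the whole set is loaded atomically. It starts each chain with the ESTABLISHED,RELATED rule from post #5, lets only the first SYN of a whitelisted TCP connection out (the SYN/ACK and the final ACK are already ESTABLISHED, which answers the flag question in post #1), uses --dport 22 for outbound SSH rather than the --sport 22 in post #4, and covers the DNS and ICMP types post #4 lists. The resolver address 192.0.2.53 and the "SSH to anywhere" destination are constructed placeholders, and -m conntrack --ctstate is used in place of the older -m state --state.

```shell
#!/bin/sh
# Added example (not from the thread): egress whitelist for a host whose
# INPUT, FORWARD and OUTPUT policies are all DROP, emitted in
# iptables-restore(8) format so the ruleset is loaded atomically.
# Nothing touches the kernel unless run with --apply (as root).
#
# Assumed placeholders: DNS_SERVER defaults to 192.0.2.53 (TEST-NET-1, a
# constructed address) and SSH_DST to "anywhere"; override via environment.

DNS_SERVER="${DNS_SERVER:-192.0.2.53}"
SSH_DST="${SSH_DST:-0.0.0.0/0}"

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Tracked traffic first, so packets of an accepted connection match on the
# first rule instead of walking the chain. -m conntrack --ctstate is the
# current spelling of the older -m state --state. The SYN/ACK coming back
# and the final ACK going out are both ESTABLISHED, so the handshake needs
# no extra flag rules beyond letting the first SYN out.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Loopback: local resolvers, databases and the like break without it.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# A NEW TCP connection must start with a bare SYN. --syn is shorthand for
# --tcp-flags SYN,RST,ACK,FIN SYN; "--tcp-flags SYN SYN" on its own would
# also match a SYN/ACK. Anything else claiming to be NEW is bogus.
-A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Whitelisted egress: SSH. Match the server's port with --dport 22; the
# client's source port is ephemeral, so --sport 22 would never match.
-A OUTPUT -p tcp -d $SSH_DST --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT
# DNS to one resolver, UDP and TCP (TCP is used for truncated answers).
-A OUTPUT -p udp -d $DNS_SERVER --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -d $DNS_SERVER --dport 53 --syn -m conntrack --ctstate NEW -j ACCEPT
# ICMP: rate-limited inbound echo-request (type 8) and outbound echo-request.
# Echo-reply (0), destination-unreachable (3, incl. code 4 for PMTU
# discovery), time-exceeded (11) and parameter-problem (12) that refer to a
# connection this host opened arrive as ESTABLISHED/RELATED and are already
# accepted above; unsolicited ones fall through to the DROP policy.
-A INPUT -p icmp --icmp-type 8 -m limit --limit 1/s --limit-burst 4 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the generated set (sanity check after edits).
count_rules() {
    gen_rules | grep -c '^-A '
}

# Lint: count OUTPUT rules that ACCEPT a NEW TCP connection without --syn.
# Should be 0, otherwise a non-SYN packet could open a "connection".
unchecked_new_tcp() {
    gen_rules | grep '^-A OUTPUT -p tcp' \
        | grep -- '--ctstate NEW -j ACCEPT' \
        | grep -vc -- '--syn'
}

case "${1:-}" in
    --check) gen_rules | iptables-restore --test ;;
    --apply) gen_rules | iptables-restore --test && gen_rules | iptables-restore ;;
    *)       gen_rules ;;
esac
```

Run it without arguments to review the ruleset, with --check to have iptables-restore parse it without committing, and with --apply (as root) to load it. Inbound SSH or any other service the host offers still needs its own INPUT rule; the set above only governs what the host may initiate.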
