- 04-22-2012 #1
iptables question: default DROP policy and TCP Three Way Handshake
Hi All,
My default policy for an iptables config I am working on is as follows:
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
I understand that in most cases, because the OUTPUT chain default policy is DROP, 2 rules are required so traffic can flow both ways (INPUT and OUTPUT) - basically, everything that requires thoroughfare must be whitelisted.
My question is regarding the TCP Three Way Handshake - currently the only rule I have for it is:
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I believe I need an OUTPUT rule to allow the initial SYN packet out and also one to allow the final ACK packet. I was wondering if someone could help me to craft the most restrictive rules possible to allow this.
Here is what I have so far:
This is the conventional example I have seen:
Code:
iptables -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Can I get away with just this? If not, why not?
Code:
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
Is something like this possible in place of the above?
Code:
iptables -A OUTPUT -p tcp -m tcp --tcp-flags SYN SYN -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
(not sure if I have the right flags - advice is welcome)
Thanks in advance.
Regards,
Johnny
- 04-23-2012 #2
The above rule will only allow TCP connections. What happens if you want to start UDP or ICMP? They are not allowed according to your setup. The following rule is a catch all to allow everything out;
Code:
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Then again you could simply change the policy to ACCEPT
Code:
iptables -P OUTPUT ACCEPT
The difference here is with the rule you add a connection to the tracking DB to allow the INPUT rule to match against. With the Policy set to ALLOW no connections are tracked.
- 04-23-2012 #3
Forgot to add the following link for you to read up on IPTABLES
Iptables Tutorial 1.2.2
- 04-24-2012 #4
Thanks for the response Lazydog. I also appreciate the link to the tutorial, it will be very useful to me.
This is only a small portion of my intended iptables config - I have another section devoted to only letting the bare minimum requirements for ICMP through. Those would be type 0, type 3/4, 3/3, 3/1, type 8 with a rate limit, type 11 and type 12. From my understanding, I may need type 4 (source quench), but I am going to do some testing with that. Also, I have added rules for DNS as well. I think that would be the only common UDP service.
You have clarified much of what I was uncertain about but I have another more pressing question now.
My goal with this config is to have the most restrictive base config and work from there. That is why I went with the default DROP policy for OUTPUT. I understand that the TCP three way handshake is a requirement for all TCP protocols but can I only allow that handshake to occur for certain protocols? Say for example, if I wanted to allow only SSH out - would the following rule provide that, or do I need to do something differently?
Code:
iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
What I am basically asking here is whether I can use the default DROP policy for the OUTPUT chain, and only 'whitelist' the services I want to allow out?
Regards,
Johnny
- 04-24-2012 #5
Yes. This is SOP for most companies and any admin worth their salt. You start off with a completely locked down firewall, then open the ports that are needed; this way you do not overlook something.
As for your rules I would start INPUT, OUTPUT and FORWARD with the following rule;
Code:
iptables -A <Type Chain> -m state --state ESTABLISHED,RELATED -j ACCEPT
That way the kernel doesn't have to read all the rules in the chain to match an already allowed connection.
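The whitelist-only layout the thread converges on (default DROP everywhere, the ESTABLISHED,RELATED short-circuit first in each chain from post #5, then one rule per permitted outbound service from post #4) written out as a complete script. This is an added example and not code posted by anyone in the thread; the service lists and the hypothetical IPT variable are constructed for illustration. It uses -m conntrack --ctstate, the current spelling of the -m state --state match used above. Two points from post #1 are handled in the comments: only the initial SYN of a handshake needs an explicit rule because conntrack carries the SYN/ACK and ACK, and --tcp-flags SYN SYN also matches SYN/ACK (its mask inspects only the SYN bit), which is why --syn is used instead. For outbound SSH the port to match is --dport 22, the remote service port; --sport 22 would match packets leaving from a local port 22, i.e. a local sshd's replies, not the client's own SYN.

```shell
#!/bin/sh
# Added example, not code from the thread: a whitelist-only ruleset in the
# style the thread converges on. IPT defaults to "echo iptables" so the
# generated rules can be reviewed without root; set IPT=iptables (as root)
# to apply them. Service lists are constructed for illustration.
IPT="${IPT:-echo iptables}"
OUT_TCP="ssh:22 https:443"   # outbound TCP services to whitelist (name:port)
OUT_UDP="dns:53"             # outbound UDP services to whitelist (name:port)

build_ruleset() {
    # Restrictive defaults: every chain drops unless a rule accepts.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback is needed by local resolvers and many daemons.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # First rule in every chain (post #5): conntrack accepts packets of
    # flows already allowed, so only NEW packets walk the rest of the chain.
    # The reply half of every handshake (SYN/ACK in, ACK out) matches here.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done

    # A NEW TCP packet that is not a bare SYN is a stray or a scan, not a
    # handshake. --syn means "SYN set, ACK/RST/FIN clear"; the thread's
    # "--tcp-flags SYN SYN" also matches SYN/ACK because its mask only
    # examines the SYN bit.
    $IPT -A INPUT  -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    $IPT -A OUTPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # Per-service outbound whitelist. Only the initial SYN needs a rule;
    # conntrack carries the rest. --dport is the remote service port;
    # --sport 22 would match a local sshd's replies, not our client's SYN.
    for svc in $OUT_TCP; do
        $IPT -A OUTPUT -p tcp --dport "${svc#*:}" --syn -m conntrack --ctstate NEW -j ACCEPT
    done
    for svc in $OUT_UDP; do
        $IPT -A OUTPUT -p udp --dport "${svc#*:}" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Rate-limited log of what the OUTPUT policy is about to drop, so a
    # forgotten service shows up in the logs rather than silently failing.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
}

# Render the ruleset as text (one iptables command per line) without applying it.
render_ruleset() {
    ( IPT="echo iptables"; build_ruleset )
}

# First rule appended to a chain, ignoring loopback; used to check that the
# conntrack short-circuit really sits at the top.
first_rule() {
    render_ruleset | grep -- "-A $1 " | grep -v -- ' -[io] lo ' | head -n 1
}

# Number of outbound whitelist rules, i.e. rules accepting NEW traffic out.
count_whitelist_rules() {
    render_ruleset | grep -- '-A OUTPUT ' | grep -- '--dport' | grep -c -- '-j ACCEPT'
}

# `sh firewall.sh` prints the rules for review; `IPT=iptables sh firewall.sh` applies them.
build_ruleset
```

Rule order matters for the drop-non-SYN lines: they must come after the ESTABLISHED,RELATED rule (otherwise legitimate mid-connection packets would be evaluated as NEW only if conntrack had lost the flow, e.g. after a reboot) and before the service whitelist. Running the script with the default IPT prints every command so the order can be checked before anything touches the live tables.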