* [gentoo-user] IPTables - Going Stateless
From: Nick Khamis @ 2013-05-21 15:07 UTC
To: gentoo-user
Hello Everyone,
We recently moved our stateful firewall inside, and would like to
strip down the firewall at our router connected to the outside world.
The problem I am experiencing is getting things to work properly
without connection tracking. I hope I am not in breach of mailing list
rules; however, a stripped-down configuration is as follows:
#!/bin/bash
IPTABLES='/sbin/iptables'

#Set interface values
INTIF1='eth0'

#flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

#echo -e " - Accepting input lo traffic"
$IPTABLES -A INPUT -i lo -j ACCEPT

#echo -e " - Accepting output lo traffic"
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#echo -e " - Defined Chains"
$IPTABLES -N TCP
$IPTABLES -N UDP

#echo -e " - Accepting SSH Traffic"
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

#echo -e " - Accepting input TCP and UDP traffic to open ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP

#echo -e " - Accepting output TCP and UDP traffic to open ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP

#echo -e " - Dropping input TCP and UDP traffic to closed ports"
# $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e " - Dropping output TCP and UDP traffic to closed ports"
# $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e " - Dropping input traffic to remaining protocols sent to closed ports"
# $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e " - Dropping output traffic to remaining protocols sent to closed ports"
# $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
Everything works fine with the REJECT rules commented out, but when
they are included, SSH access is blocked. Not sure why; isn't the sequence
correct (i.e., the ACCEPT entries before the DROP and REJECT)?
Also, any pointers or heads up when going stateless would be greatly
appreciated.
Kind Regards,
Nick
* Re: [gentoo-user] IPTables - Going Stateless
From: Alan McKinnon @ 2013-05-21 16:13 UTC
To: gentoo-user
On 21/05/2013 17:07, Nick Khamis wrote:
> Hello Everyone,
>
> We recently moved our stateful firewall inside, and would like to
> strip down the firewall at our router connected to the outside world.
> The problem I am experiencing is getting things to work properly
> without connection tracking.
Now why, oh why, do you want to do that? A world of pain awaits you.
Stateless firewalls are a colossal mindfuck that will drive you crazy.
So unless you have a very very good reason for doing this I recommend
you seriously revisit your choice. iptables really does not consume that
many resources (and if you truly are low on resources then you need to
get a bigger router, because after all it is a router and I assume in
production)
> I hope I am not in breach of mailing list
> rules however, a stripped down configuration is as follows:
>
> #!/bin/bash
> IPTABLES='/sbin/iptables'
>
> #Set interface values
> INTIF1='eth0'
>
> #flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
>
> #echo -e " - Accepting input lo traffic"
> $IPTABLES -A INPUT -i lo -j ACCEPT
>
> #echo -e " - Accepting output lo traffic"
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
> #echo -e " - Defined Chains"
> $IPTABLES -N TCP
> $IPTABLES -N UDP
>
> #echo -e " - Accepting SSH Traffic"
> $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
> $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
>
> #echo -e " - Accepting input TCP and UDP traffic to open ports"
> $IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
>
> #echo -e " - Accepting output TCP and UDP traffic to open ports"
> $IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
>
> #echo -e " - Dropping input TCP and UDP traffic to closed ports"
> # $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
>
> #echo -e " - Dropping output TCP and UDP traffic to closed ports"
> # $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
>
> #echo -e " - Dropping input traffic to remaining protocols sent to closed ports"
> # $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
>
> #echo -e " - Dropping output traffic to remaining protocols sent to closed ports"
> # $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
>
>
> Everything works fine with the REJECT rules commented out, but when
> they are included, SSH access is blocked. Not sure why; isn't the sequence
> correct (i.e., the ACCEPT entries before the DROP and REJECT)?
>
> Also, any pointers or heads up when going stateless would be greatly
> appreciated.
>
> Kind Regards,
>
> Nick
>
--
Alan McKinnon
alan.mckinnon@gmail.com
* Re: [gentoo-user] IPTables - Going Stateless
From: Jarry @ 2013-05-21 16:23 UTC
To: gentoo-user
On 21-May-13 17:07, Nick Khamis wrote:
> We recently moved our stateful firewall inside, and would like to
> strip down the firewall at our router connected to the outside world.
> The problem I am experiencing is getting things to work properly
> without connection tracking. I hope I am not in breach of mailing list
> rules however, a stripped down configuration is as follows:
>
<STRIP OBVIOUS THINGS I.E. IPTABLES, INTERFACES, LOOPBACK>
>
> #echo -e " - Defined Chains"
> $IPTABLES -N TCP
> $IPTABLES -N UDP
>
> #echo -e " - Accepting SSH Traffic"
> $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
> $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
>
> #echo -e " - Accepting input TCP and UDP traffic to open ports"
> $IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
>
> #echo -e " - Accepting output TCP and UDP traffic to open ports"
> $IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
>
<STRIP THE REST AND CONSIDER ALL REMAINING DROPPED/REJECTED>
>
> Everything works fine with the REJECT rules commented out, but when
> they are included, SSH access is blocked. Not sure why; isn't the sequence
> correct (i.e., the ACCEPT entries before the DROP and REJECT)?
>
> Also, any pointers or heads up when going stateless would be greatly
> appreciated.
I do not understand why you *want* to omit statefulness,
but if you do, you have to take care of the corresponding part
of the IP traffic yourself.
First, you'd better learn something about "3-way handshaking".
That's the way a TCP/IP connection is opened. Briefly:
1. client sends to server a TCP/IP packet with the "syn" flag
2. server responds with "syn/ack" flags
3. client sends "ack"
Now look at your rules: you covered only the first part with:
$IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
Where is the OUTPUT rule for "syn/ack", and the INPUT rule for "ack"?
Nowhere, and because of that you cannot open a TCP connection
if the drop/reject rules are in effect.
But instead of playing with TCP flags I strongly recommend
using a stateful firewall, which takes care of this with
one simple rule.
Jarry
--
_______________________________________________________________
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.
* Re: [gentoo-user] IPTables - Going Stateless
From: Nick Khamis @ 2013-05-21 16:40 UTC
To: gentoo-user
Hello Everyone,
Thank you so much for your responses. I agree Alan, total pain in the
neck!!! But it's a ticket that was passed down to me. We moved the
stateful firewalls inside the network, broken down to each department.
But as a first on-site defense on our BGP router running Quagga, we
only require stateless for performance reasons. Jarry, thank you so
much! I might need some additional help with the three-way handshakes.
What I did to stay scalable was:
Define a chain:
-N TCP
Handle two way for a specific service:
-A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp -s 192.168.2.5 --sport 22 -d 192.168.2.0/24 -j ACCEPT
-A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
Accepting Input and output requests to services included in the chain:
#echo -e " - Accepting input TCP traffic to open ports"
-A INPUT -i $INTIF1 -p tcp -j TCP
#echo -e " - Accepting output TCP traffic to open ports"
-A OUTPUT -o $INTIF1 -p tcp -j TCP
Dropping Everything Else:
#echo -e " - Dropping input TCP to closed ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
#echo -e " - Dropping output TCP traffic to closed ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
#echo -e " - Dropping input traffic to remaining protocols sent to closed ports"
$IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
#echo -e " - Dropping output traffic to remaining protocols sent to closed ports"
$IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
Hope this keeps me scalable enough to keep the world of pain at bay as
much as possible...
N.
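The following script is an added example and not part of the thread (neither Nick's nor Jarry's rules). It puts Jarry's point about the three-way handshake and Nick's per-service chain idea into one stateless ruleset: for SSH to 192.168.2.5 from 192.168.2.0/24 on eth0 (addresses and interface taken from the thread), it matches each direction of the conversation explicitly with --tcp-flags, since there is no conntrack to recognise replies, and only then appends the REJECT rules. By default it runs dry and prints the rules instead of installing them; setting IPTABLES=/sbin/iptables installs them. The function names and the dry-run default are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the gentoo-user thread: a stateless iptables
# ruleset that covers every step of the TCP handshake for one service.
# Dry-run by default (prints the rules); set IPTABLES=/sbin/iptables to
# install them for real. Interface and addresses come from the thread.
IPTABLES="${IPTABLES:-echo}"
INTIF1="${INTIF1:-eth0}"

# Without connection tracking each direction has to be matched explicitly:
#   1. client -> server  SYN              INPUT,  --dport
#   2. server -> client  SYN/ACK          OUTPUT, --sport
#   3. client -> server  ACK, data, FIN   INPUT,  --dport, SYN clear
#      server -> client  ACK, data, FIN   OUTPUT, --sport, SYN clear
# Arguments: allowed client prefix, server address, TCP port.
stateless_tcp_service() {
    clients=$1 server=$2 port=$3
    # Step 1: only the allowed clients may open a connection. The flag test
    # (SYN set, ACK/FIN/RST clear) is what iptables' --syn expands to.
    $IPTABLES -A INPUT -i "$INTIF1" -p tcp -s "$clients" -d "$server" \
        --dport "$port" --tcp-flags SYN,ACK,FIN,RST SYN -j ACCEPT
    # Step 2: the server's SYN/ACK back to those clients. Nick's original
    # script had no OUTPUT rule for this, which is why SSH stalled once the
    # REJECT rules were enabled.
    $IPTABLES -A OUTPUT -o "$INTIF1" -p tcp -s "$server" --sport "$port" \
        -d "$clients" --tcp-flags SYN,ACK,FIN,RST SYN,ACK -j ACCEPT
    # Step 3 onwards: everything without SYN, in both directions. Requiring
    # "! --syn" on the reply direction means a packet that merely carries
    # source port 22 cannot open a new connection from the server side.
    $IPTABLES -A INPUT -i "$INTIF1" -p tcp -s "$clients" -d "$server" \
        --dport "$port" ! --syn -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INTIF1" -p tcp -s "$server" --sport "$port" \
        -d "$clients" ! --syn -j ACCEPT
}

# Close everything no service rule accepted. Appended after the service
# rules, so ordering stays ACCEPT first, REJECT last.
stateless_default_reject() {
    $IPTABLES -A INPUT -i "$INTIF1" -p tcp -j REJECT --reject-with tcp-rst
    $IPTABLES -A OUTPUT -o "$INTIF1" -p tcp -j REJECT --reject-with tcp-rst
    $IPTABLES -A INPUT -i "$INTIF1" -j REJECT --reject-with icmp-proto-unreachable
    $IPTABLES -A OUTPUT -o "$INTIF1" -j REJECT --reject-with icmp-proto-unreachable
}

# Full ruleset: flush, loopback, one service, then the catch-all rejects.
build_ruleset() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    stateless_tcp_service 192.168.2.0/24 192.168.2.5 22
    stateless_default_reject
}

build_ruleset
```

Running the script as-is prints twelve rules in installation order, which is a convenient way to review a stateless ruleset before loading it; each additional service is one more stateless_tcp_service call placed before stateless_default_reject.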