[olug] help with iptables firewall

Chris St. Pierre stpierre at NebrWesleyan.edu
Wed Jul 25 19:54:12 UTC 2007


On Wed, 25 Jul 2007, Dave Hull wrote:

> I don't know for sure and don't have time to test, but I think
> IPTables may recognize ICMP packets if they are RELATED to an
> ESTABLISHED connection, thus explicitly allowing icmp-type any may
> not be needed. I frequently see Nessus scan results that complain
> about hosts accepting and replying to certain ICMP requests, so I
> think allowing any is a bad idea.
>
> There's a great tutorial on IPTables at
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html which
> also seems to indicate that ICMP fragmentation needed or source quench
> messages will be allowed through if they are RELATED to an ESTABLISHED
> connection.
>
> Then again, I could be wrong. It happens frequently. If I had time,
> I'd set this up on my bench and try it out.
>
> You may want to consult the firewall checklist at sans.org:
>
> http://www.sans.org/score/checklists/FirewallChecklist.pdf?portal=6fc3aaf0f10153f4f5e563c02a4865b9
> http://tinyurl.com/2l6aa9
>
> The recommended best practice is to block ICMP echo requests and
> replies and to block outgoing time exceeded and host unreachable
> messages. Doing this may prevent attackers from firewalking your
> firewall.

Thanks for the info!  All of my stuff is behind an institutional
firewall, so I only need to worry about internal attackers -- in a
non-firewalled DMZ, you'd certainly want to be more cautious and it
sounds like you're right about ICMP traffic.

Really, the only ICMP traffic you want to be absolutely certain to
allow to and from the outside world is pMTU communications; there
might be a way to just allow that (although allowing ICMP for RELATED,
ESTABLISHED might accomplish that more
easily/effectively/efficiently).

> I would favor allowing in as little as possible and adjust accordingly
> if you have problems.

This is the only part I disagree with; I would favor allowing more
than absolutely necessary to ensure that the service functions, and
then, when time permits further testing, disallow other stuff
bit-by-bit.  If you're lucky, time will permit _before_ you go into
production. :)

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
----------------------------
LOPSA Sysadmin Days: Professional Training for Professional SysAdmins
August 6-7, Cherry Hill, NJ
http://lopsa.org/SysadminDays
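As an added illustration (not from either poster), the two approaches discussed above written out as iptables commands: the broad `--icmp-type any` rule next to the narrower RELATED,ESTABLISHED rule with an explicit allow for fragmentation-needed (the pMTU message) and the echo/time-exceeded/host-unreachable blocks from the quoted SANS advice. `IPT` defaults to `echo iptables`, so running the script only prints the rules; set `IPT=iptables` as root to apply them.

```shell
#!/bin/sh
# Added example, not part of the original thread. Prints (or, with
# IPT=iptables, applies) two ICMP policies for a host firewall.
IPT="${IPT:-echo iptables}"

# Permissive form from the thread: accept every ICMP type inbound.
icmp_allow_any() {
    $IPT -A INPUT -p icmp --icmp-type any -j ACCEPT
}

# Narrower form: accept only ICMP that conntrack ties to an existing
# flow (this covers fragmentation-needed / source-quench for our own
# connections), and explicitly allow fragmentation-needed so Path MTU
# Discovery keeps working even for flows conntrack has not seen.
icmp_allow_minimal() {
    $IPT -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    # Per the SANS checklist quoted in the thread: drop inbound echo
    # requests and do not emit time-exceeded or host-unreachable.
    $IPT -A INPUT  -p icmp --icmp-type echo-request      -j DROP
    $IPT -A OUTPUT -p icmp --icmp-type time-exceeded     -j DROP
    $IPT -A OUTPUT -p icmp --icmp-type host-unreachable  -j DROP
}

# Dry run: show both rule sets side by side.
echo "# broad policy:";   icmp_allow_any
echo "# narrow policy:";  icmp_allow_minimal
```

Blocking outgoing time-exceeded also stops the host from answering traceroute probes, which is the intended side effect of the checklist recommendation.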