In this lesson, you’ll learn about best practices for configuring Linux firewalls, with a special focus on the principle of “default deny” or “drop” policy. This approach is a cornerstone of robust network security, ensuring that only explicitly permitted traffic is allowed through your firewall.
Understanding Default Drop Policy
A default drop (or deny) policy means that any packet that matches no rule in a chain is dropped. This is the opposite of a default accept policy, where everything is allowed unless a rule explicitly blocks it. In this lesson we set the INPUT and FORWARD chains to DROP and leave OUTPUT at ACCEPT, so only explicitly allowed inbound traffic (and no forwarded traffic) gets through, while the host can still initiate its own outbound connections.
Benefits of Default Drop Policy
- Enhanced Security: Reduces the risk of unauthorized access and potential attacks.
- Minimized Attack Surface: Limits exposure by allowing only necessary traffic.
- Controlled Access: Forces administrators to explicitly define which traffic is allowed, leading to more deliberate and secure configurations.
Configuring Firewall with a Cautious Approach
A rule that locks you out of your own SSH session is recoverable: iptables rules live only in kernel memory, so rebooting the host (for example from your cloud provider's console) reverts to whatever was last saved to disk, as covered in previous lessons. For the same reason, apply new rules first and save them only after you have confirmed that you can still log in.
Step 1: Allow Necessary Traffic First
Before implementing the default drop policy, set up rules to allow essential traffic. This prevents accidental lockouts, especially for remote connections like SSH.
Allow Loopback Traffic: The loopback interface is crucial for the system’s internal communication, since many local services talk to each other over 127.0.0.1.

```bash
sudo iptables -A INPUT -i lo -j ACCEPT
```

Maintain Established Connections: Allow traffic that belongs to connections which are already established, or is related to them (such as ICMP errors or FTP data channels). This rule keeps your current SSH session, and the replies to any connection the host itself initiates, working once the default policy changes.

```bash
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

Allow SSH Traffic: To keep remote management working, explicitly allow new SSH connections (port 22 unless you have moved sshd to another port, in which case use that port here).

```bash
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```

Note that -A appends, so these rules are evaluated in the order you add them and ahead of anything you append later.
Step 2: Implement Default Drop Policy for INPUT and FORWARD
Now that essential traffic is allowed, set the default policy to DROP for the INPUT and FORWARD chains. The policy only decides packets that reach the end of the chain without matching any rule, so the ACCEPT rules from Step 1 keep working:

```bash
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
```
After making all of these changes, when I run sudo iptables -L --line-number I get the following output:

```
sonnyb@ubuntu-server:~$ sudo iptables -L --line-number
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
2    ACCEPT     all  --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
```

Rule 2 is the loopback rule: plain -L does not print interface matches, so add -v (sudo iptables -L -v --line-number) if you want to see the lo interface in the listing. Rules are evaluated in numbered order; here the SSH rule happens to come first, which makes no difference to the result.
Step 3: Log What the Default Policy Drops
This will be covered in more detail in future lessons, but you should also log traffic that reaches the end of each chain. Because these LOG rules are appended after the ACCEPT rules, the INPUT and FORWARD entries record exactly the packets that are about to be dropped by the policy, while the OUTPUT entry records outgoing traffic (all of it, since OUTPUT has no other rules). LOG does not terminate the chain, so a logged packet still falls through to the DROP policy. The limit match caps each chain at 10 log entries per minute so that a port scan or flood cannot fill your disk; the messages go to the kernel log (sudo journalctl -k or dmesg):

```bash
sudo iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables INPUT dropped: "
sudo iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "iptables FORWARD dropped: "
sudo iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "iptables OUTPUT: "
```
Step 4: Save the Configuration
Remember to save your iptables configuration so that it persists after a reboot. Do this only once you have confirmed, from a fresh SSH login, that the new rules do not lock you out; otherwise a reboot will bring the broken rules back instead of clearing them. To save the rules, we need to update the file at /etc/iptables/rules.v4 that we created in previous lectures (this is the file iptables-persistent loads at boot).
I am going to do that by running these commands:

```bash
# Create the rules file
sudo iptables-save > rules.v4
# Move the file to the iptables directory
sudo mv rules.v4 /etc/iptables/rules.v4
```
Now when I reboot, my new more secure iptables rules are still in place. Perfect!
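Here is the whole lesson as one script, added as an example and not the lesson's own command sequence. It emits the same rules in iptables-restore format (the format iptables-save writes to /etc/iptables/rules.v4), refuses to load anything with a DROP policy on INPUT unless the three anti-lockout rules from Step 1 are present, and applies the file behind a rollback timer that puts the previous rules back unless you confirm access from a fresh SSH session. Assumptions: SSH on TCP port 22 unless you pass another port, a loopback interface named lo, and root with iptables-save and iptables-restore available for apply_ruleset; the function names and the /tmp backup path are mine, not from the lesson.

```shell
#!/bin/sh
# Added example for this lesson (not the lesson's own commands): build the
# default-drop ruleset in iptables-restore format, check it for lockout
# mistakes, and apply it with an automatic rollback.
# Assumptions: SSH on TCP port 22 unless overridden, loopback interface "lo",
# root privileges plus iptables-save/iptables-restore for apply_ruleset.
set -eu

# Print the filter table. Rules are evaluated top to bottom; the chain
# policies (":INPUT DROP") only decide packets that matched no rule.
build_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Step 1: loopback, existing sessions and remote management come first
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -j ACCEPT
# Step 3: log (rate limited) whatever falls through to the chain policy
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables INPUT dropped: "
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "iptables FORWARD dropped: "
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "iptables OUTPUT: "
COMMIT
EOF
}

# Refuse a ruleset that sets INPUT to DROP without the three rules that keep
# a remote session alive. Reads the ruleset on stdin; returns 1 on any problem.
check_ruleset() {
    want_port="${1:-22}"
    rules="$(cat)"
    if ! printf '%s\n' "$rules" | grep -q '^:INPUT DROP'; then
        return 0   # INPUT still accepts by default: nothing to be locked out of
    fi
    problems=0
    printf '%s\n' "$rules" | grep -q -- '-A INPUT -i lo -j ACCEPT' \
        || { echo "missing loopback ACCEPT" >&2; problems=1; }
    printf '%s\n' "$rules" | grep -qE -- '-A INPUT .*--ctstate [A-Z,]*ESTABLISHED' \
        || { echo "missing ESTABLISHED,RELATED ACCEPT" >&2; problems=1; }
    printf '%s\n' "$rules" | grep -qE -- "-A INPUT -p tcp .*--dport ${want_port} -j ACCEPT" \
        || { echo "missing ACCEPT for SSH port ${want_port}" >&2; problems=1; }
    return "$problems"
}

# Load a ruleset file (arg 1) with a lockout guard: validate it, back up the
# live rules, restore the new ones atomically, and start a detached timer that
# restores the backup after arg 2 seconds unless the backup file is removed.
# nohup keeps the timer alive even when this SSH session is the one that dies.
apply_ruleset() {
    rules_file="$1"
    grace="${2:-120}"
    port="${3:-22}"
    backup="/tmp/iptables.rollback.$$"
    check_ruleset "$port" < "$rules_file"
    iptables-restore --test "$rules_file"      # parse only, nothing committed
    iptables-save > "$backup"
    iptables-restore "$rules_file"
    nohup sh -c "sleep $grace; [ -e '$backup' ] && iptables-restore '$backup'" \
        >/dev/null 2>&1 &
    echo "loaded $rules_file; open a NEW ssh session to prove access, then" \
         "run: sudo rm -f $backup   (otherwise the old rules return in ${grace}s)"
}

# No-root demonstration: generate the ruleset and run the lockout check on it.
# Deployment (as root): build_ruleset 22 > /tmp/rules.v4; apply_ruleset /tmp/rules.v4 120
# After confirming access, copy /tmp/rules.v4 to /etc/iptables/rules.v4 (Step 4).
build_ruleset 22 | check_ruleset 22 && echo "ruleset passes the lockout check"
```

build_ruleset and check_ruleset need no privileges, so you can review the generated file before touching the live firewall; apply_ruleset performs the equivalent of Steps 1 to 3 in one atomic iptables-restore, and once you have confirmed access from a new login the same file is what Step 4 saves.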
Best Practices and Tips
- Test After Each Change: After applying each rule, test to ensure you still have necessary access, especially when configuring remotely.
- Regular Audits: Periodically review your firewall rules to ensure they still align with your network needs and security policies.
- Backup Configurations: Regularly backup your firewall configuration to quickly recover from any misconfigurations.
- Stay Informed: Keep abreast of new security advisories that might affect your firewall policies.