ubuntu1604:3:6

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		 Previous revision
ubuntu1604:3:6 [2017/05/02 13:55] – utworzono Piotr Kłoczewskiubuntu1604:3:6 [2017/05/06 15:43] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== 3.6 Firewall Configuration ====== ====== 3.6 Firewall Configuration ======
 +==== List of content ====
 +{{indexmenu>.:6#3 |context}}
 +==== Description ====
 IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. While several methods of configuration exist this section is intended only to ensure the resulting IPtables rules are in place, not how they are configured. If IPv6 is in use in your environment, similar settings should be applied to the IP6tables as well. \\ \\ IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. While several methods of configuration exist this section is intended only to ensure the resulting IPtables rules are in place, not how they are configured. If IPv6 is in use in your environment, similar settings should be applied to the IP6tables as well. \\ \\
 **Note:** This section broadly assumes starting with an empty IPtables firewall ruleset (established by flushing the rules with iptables -F). Remediation steps included only affect the live system, you will also need to configure your default firewall configuration to apply on boot. Configuration of a live systems firewall directly over a remote connection will often result in being locked out. It is advised to have a known good firewall configuration set to run on boot and to configure an entire firewall structure in a script that is then run and tested before saving to boot. The following script will implement the firewall rules of this section and open port 22(ssh) from anywhere: **Note:** This section broadly assumes starting with an empty IPtables firewall ruleset (established by flushing the rules with iptables -F). Remediation steps included only affect the live system, you will also need to configure your default firewall configuration to apply on boot. Configuration of a live systems firewall directly over a remote connection will often result in being locked out. It is advised to have a known good firewall configuration set to run on boot and to configure an entire firewall structure in a script that is then run and tested before saving to boot. The following script will implement the firewall rules of this section and open port 22(ssh) from anywhere:
 <Code:bash> <Code:bash>
-#!/bin/bash # Flush IPtables rules iptables -F # Ensure default deny firewall policy iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP # Ensure loopback traffic is configured iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -s 127.0.0.0/8 -j DROP # Ensure outbound and established connections are configured iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT # Open inbound ssh(tcp port 22) connections iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT+#!/bin/bash  
 + 
 +# Flush IPtables rules  
 +iptables -F  
 + 
 +# Ensure default deny firewall policy  
 +iptables -P INPUT DROP  
 +iptables -P OUTPUT DROP  
 +iptables -P FORWARD DROP  
 + 
 +# Ensure loopback traffic is configured  
 +iptables -A INPUT -i lo -j ACCEPT  
 +iptables -A OUTPUT -o lo -j ACCEPT  
 +iptables -A INPUT -s 127.0.0.0/8 -j DROP  
 + 
 +# Ensure outbound and established connections are configured  
 +iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT  
 +iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT  
 +iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT  
 +iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT  
 +iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT  
 +iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT  
 + 
 +# Open inbound ssh(tcp port 22) connections  
 +iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
 </Code> </Code>
-Ubuntu is distributed with the UFW service which acts as a front end to iptables. The default configuration of UFW implements a configuration very similar to that recommended here. IPTables configuration allows for far more complex implementations than those listed here which may satisfy the intent of these recommendations without strictly matching the examples provided. Note: UFW may interfere with sysctl settings.+Ubuntu is distributed with the UFW service which acts as a front end to iptables. The default configuration of UFW implements a configuration very similar to that recommended here. IPTables configuration allows for far more complex implementations than those listed here which may satisfy the intent of these recommendations without strictly matching the examples provided. \\ 
 +**Note:** UFW may interfere with sysctl settings.
  • ubuntu1604/3/6.1493726109.txt.gz
  • Last modified: 2017/05/02 13:55
  • (external edit)