[TriLUG] iptables & FUD
Alan Porter
porter at trilug.org
Sun Apr 28 18:07:38 EDT 2013
>> Don't do that!
>>
>> How long were you on the net without protection? It's possible your
>> machine is now compromised.
This is an over-reaction.
It's important to know what iptables protects you from, and what it does
not.
If you have only two services listening, then those are the only two
services that will accept network connections. Whether you have
iptables or not, incoming connections to other ports will not be
answered. If you are in doubt, do "netstat -plnt" to list the TCP ports
and "netstat -plnu" to list the UDP ports that you're listening to.
If you have two services running (sshd on 22 and dhcpd on 67), then you
will NORMALLY have iptables configured to allow traffic in on those two
ports and to disallow everything else. In that case, it would not
matter whether you had iptables on or off... a 0-day vulnerability on
either of those two services would leave you exposed. Iptables would
not help you. (Keeping your server updated WILL help you there -- so
don't brag about your 365-day uptime, brag about keeping your system
updated).
SOMETIMES, a very paranoid admin will set up iptables so that it accepts
SSH or DHCP traffic from a specific IP address only. This is rare, but
this IS a case where iptables rules will protect you. If you like this
idea, check out a package called "knock", which uses iptables to support
"port knocking". It's very cool, and it goes well with your tinfoil hat.
Where iptables REALLY SHINES is by building a belt-and-suspenders
approach to guard against accidentally leaving a port open that you did
not mean to.
For example, I have a web server where I want to collect traffic graphs
using MRTG. MRTG uses SNMP to get network interface statistics so it
can count the bytes coming in and out, then it generates nice graphs of
the data that you can see from the web. So I want SNMP turned on, but I
don't want everyone on the internet to go poking around my SNMP
interface. I am not an SNMP expert, and so I am not 100% sure how to
configure it to answer only to localhost requests. So I do my best to
configure SNMP, and then I make sure that my iptables rules disallow any
SNMP (UDP 161) packets from the outside... only allow connections via
the loopback interface on 127.0.0.1. So the belt (SNMP config) and the
suspenders (iptables) work together to keep me safe.
I have seen similar uses where you might enable VNC on a machine, but
then disallow the VNC ports through iptables. Then the only way you can
connect to the VNC is by tunneling through SSH first ("vncviewer -via
me@server.com localhost:0"). It's slick.
Let's not spread fear about firewalls. They do one job, and they do it
well. They tell which traffic to allow and which to block. In MOST
cases, the rules are as simple as a list of ports to allow. Occasionally
the rules can be more complex. But iptables is not a panacea.
And... if you know that you only have a known set of services listening
on a server, there is nothing wrong with running without iptables at all.
Alan
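An added example, not part of Alan's post or any TriLUG material, of the two checks the post describes: read "netstat -plnt" / "netstat -plnu" output to see what is really listening (the belt), compare that against the services you meant to expose, and print the allow-list iptables rules that act as the suspenders. The sample netstat lines, the INTENDED port list and the function names are all constructed for this example; the rules it prints are the ordinary iptables allow-list pattern (accept loopback and established traffic, accept the intended ports, set the INPUT policy to DROP last).

```shell
#!/bin/sh
# Added example, not from the original post. Checks the "belt" (what is
# actually listening) against the services you intended to expose, then
# prints the "suspenders" (allow-list iptables rules). The INTENDED list
# and all sample netstat data below are constructed for this example.

# Services we mean to expose, as proto:port tokens (constructed).
INTENDED="tcp:22 udp:67"

# Constructed sample of "netstat -plnt" and "netstat -plnu" output.
SAMPLE_TCP='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1200/mysqld
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      1440/Xvnc'
SAMPLE_UDP='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:67              0.0.0.0:*                           901/dhcpd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           955/snmpd'

# listening_ports: read netstat output on stdin and print
# "proto ip port program" per listening socket; banner/header lines skipped.
listening_ports() {
    awk '$1 ~ /^(tcp|udp)/ {
        proto = $1; sub(/6$/, "", proto)         # tcp6/udp6 -> tcp/udp
        ip = $4;    sub(/:[0-9]+$/, "", ip)      # strip trailing :port
        port = $4;  sub(/.*:/, "", port)         # keep only the port
        prog = $NF; sub(/^[0-9-]*\//, "", prog)  # strip leading "PID/"
        print proto, ip, port, prog
    }'
}

# unexpected_listeners: read listening_ports output on stdin and report
# sockets that are neither in INTENDED nor bound to loopback only.
unexpected_listeners() {
    while read -r proto ip port prog; do
        case "$ip" in 127.*|::1) continue ;; esac   # loopback-only: fine
        case " $INTENDED " in
            *" $proto:$port "*) ;;                   # intended: fine
            *) echo "UNEXPECTED $proto/$port ($prog) bound to $ip" ;;
        esac
    done
}

# gen_rules: print allow-list iptables rules. Loopback and replies are
# accepted, INTENDED ports are accepted, and the DROP policy is set last
# so an SSH session used to apply the rules is not cut off half-way.
# Anything else (SNMP on udp/161, VNC on tcp/5900) stays reachable only
# via loopback, e.g. through an SSH tunnel.
gen_rules() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for svc in $INTENDED; do
        echo "iptables -A INPUT -p ${svc%%:*} --dport ${svc##*:} -j ACCEPT"
    done
    echo "iptables -P INPUT DROP"
}

# Stand-alone usage: audit the constructed sample, then show the rules.
printf '%s\n' "$SAMPLE_TCP" "$SAMPLE_UDP" | listening_ports | unexpected_listeners
gen_rules
```

On a real host you would feed `netstat -plnt` and `netstat -plnu` (or `ss -plnt` / `ss -plnu`, whose columns differ) into `listening_ports` instead of the constructed sample; the audit flags snmpd and Xvnc because they bind 0.0.0.0, while the loopback-bound mysqld is left alone, which is exactly the distinction the post draws between the belt (bind to localhost) and the suspenders (drop it at iptables).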