Harden your Iptables Firewall CentOS/Red Hat

If you are using a host-based firewall under CentOS/RHEL/Fedora, follow the script below to harden it. These are the basics of securing your Linux box from potential intruders. This quick how-to is based on the great article written by Vivek Gite here.

Before you begin, take note:
  • I assume that you already know about Netfilter/Iptables and have a good understanding of Linux servers.
  • I have used CentOS in testing and configuring this script.
  • You must be root to modify these settings.
  • Please don't configure this remotely: the default policies below are DROP, so a mistake in the rules can cut off your own access to the server.


The script:

  1. Access your server and open the iptables configuration file to modify it. I suggest you back up the original configuration first before continuing. I am more accustomed to using nano for editing configuration files, but you can use any other editor such as vi or pico.
    To copy the config file: cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bkp
    To edit: nano /etc/sysconfig/iptables
  2. Edit and replace the script as shown below:
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]

    # Block Spoofed IP Addresses on the public interface (eth0).
    # These INPUT rules must come before the jump into RH-Firewall-1-INPUT:
    # that chain ends with an unconditional DROP and never returns to INPUT,
    # so anything appended to INPUT after the jump would never be evaluated.
    -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
    -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
    -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "
    -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
    -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF "
    -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
    -A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST "
    -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
    -A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "
    -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
    # 169.254.0.0/16 is the link-local range, never a valid remote source
    -A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "IP DROP LINKLOCAL "
    -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
    -A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "IP DROP "
    -A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
    # 240.0.0.0/4 (reserved) already covers 240.0.0.0/5, 248.0.0.0/5 and 255.255.255.255
    -A INPUT -i eth0 -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP "
    -A INPUT -i eth0 -s 240.0.0.0/4 -j DROP

    # Syn-Flood and malformed packet protection (also before the jump, for the same reason)
    -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    -A INPUT -f -j DROP
    -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

    # Everything that survived the checks above goes through the shared chain
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    # IPsec: ESP (protocol 50) and AH (protocol 51)
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Restrict or limit SSH access (In this case, I'm using the .14 subnet)
    -A RH-Firewall-1-INPUT -s 192.168.14.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

    # Allow printing access (CUPS) from the same subnet
    -A RH-Firewall-1-INPUT -s 192.168.14.0/24 -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.14.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

    # Allow SMTP, POP3, IMAP ports
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 993 -j ACCEPT
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 995 -j ACCEPT
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 587 -j ACCEPT
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 465 -j ACCEPT
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 110 -j ACCEPT

    # Allow HTTP and HTTPS ports
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
    # Allow Webmin HTTP port
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 8787 -j ACCEPT

    # Blocked Websites (Record IP first by using host -t a hostname.com).
    # In this example, I am blocking Facebook
    -A OUTPUT -d 69.171.229.11 -j DROP
    -A OUTPUT -d 69.171.242.11 -j DROP
    -A OUTPUT -d 66.220.158.11 -j DROP
    -A OUTPUT -d 69.171.224.37 -j DROP
    -A OUTPUT -d 66.220.149.11 -j DROP

    # Log and drop all remaining traffic
    -A RH-Firewall-1-INPUT -j LOG
    -A RH-Firewall-1-INPUT -j DROP
    # COMMIT is required: without it iptables-restore never activates the table
    COMMIT

  3. Save the file and restart iptables with the command: service iptables restart
  4. Test your firewall. To see which ports have services listening on them, enter: netstat -tulpn
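Before restarting iptables in step 3, it is worth linting the file for the mistakes this layout invites. The script below is an added example, not part of the original post or of the article it is based on; it assumes the file uses the RH-Firewall-1-INPUT chain name shown above, and it embeds two constructed sample rulesets so it runs without touching the live firewall.

```shell
#!/bin/sh
# Added example (not from the original post): lint an /etc/sysconfig/iptables
# style file before "service iptables restart". It reports three mistakes that
# are easy to make with the layout above:
#   1. no COMMIT line, so iptables-restore never activates the table;
#   2. "-A INPUT ..." rules placed after "-A INPUT -j RH-Firewall-1-INPUT",
#      which never match because that chain ends in an unconditional DROP;
#   3. an ACCEPT for tcp/22 with no "-s" source, i.e. SSH open to everyone.
# Prints one finding per line; returns 0 only when the file is clean.
lint_ruleset() {
    file="$1"; rc=0
    grep -q '^COMMIT$' "$file" || { echo "ERROR: no COMMIT line"; rc=1; }
    # Count INPUT rules appended after the jump into the shared chain.
    dead=$(awk '/^-A INPUT -j RH-Firewall-1-INPUT/ { jumped = 1; next }
                jumped && /^-A INPUT / { n++ }
                END { print n + 0 }' "$file")
    [ "$dead" -eq 0 ] || { echo "ERROR: $dead unreachable INPUT rule(s) after the jump"; rc=1; }
    # Any SSH ACCEPT line that lacks a " -s " source restriction.
    if grep -E -- '--dport 22( |$)' "$file" | grep -- '-j ACCEPT' | grep -vq -- ' -s '; then
        echo "WARNING: SSH ACCEPT rule without -s source restriction"; rc=1
    fi
    return $rc
}

# Two constructed sample rulesets (not real configs); prints their directory.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/bad" <<'EOF'
*filter
:INPUT DROP [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP
EOF
    cat > "$dir/good" <<'EOF'
*filter
:INPUT DROP [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -s 192.168.14.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP
COMMIT
EOF
    echo "$dir"
}
d=$(write_samples); lint_ruleset "$d/bad"; lint_ruleset "$d/good" && echo "good: clean"
```

Run it against your real file with `lint_ruleset /etc/sysconfig/iptables` before step 3; the "bad" sample reproduces the ordering problem where INPUT rules are placed after the jump.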
That covers the basics of hardening your Linux box. Because forwarded traffic goes through the same chain and is dropped unless it matches one of the allowed ports, this configuration is already good enough to block torrent downloads (that is, if you're using this box as your router). To dig deeper, I suggest more reading here: