iptables Recommendations from NSA

Chapter 10 summary

Changes to Default Rules

Default

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]

The NSA Recommendation would change this to

:INPUT DROP [0:0]
:FORWARD DROP [0:0]

Regulate the Ping Command

From Linux, the ping command's -f (flood) switch can be used to flood another system; it may transmit thousands of packets per second.

One potentially troublesome rule in the default firewall is

-A INPUT -p icmp -j ACCEPT

However, ICMP messages go both ways. If you ping a remote system, that system responds with an ICMP packet. So if you want to limit ICMP messages, the following rules allow only the "acceptable" responses to a ping:

-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

Block Suspicious IP Addresses

-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP

-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP

-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP

-A INPUT -i eth0 -s 224.0.0.0/4 -j DROP

-A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
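
The three recommendations above (DROP policies, restricted inbound ICMP, and dropping private, multicast and reserved source ranges on the external interface) can be checked against an iptables-save dump. The following audit script is an added example, not part of these notes or of the NSA guidance; the two rulesets it contains are constructed samples of the "default" and hardened configurations described above.

```python
import re

# Constructed iptables-save excerpts: the distribution default the notes describe, and the NSA-style hardened version.
DEFAULT_RULESET = """\
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
"""
HARDENED_RULESET = """\
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
-A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
"""

# Source ranges the notes say to drop, and the only ICMP types the notes treat as acceptable inbound.
BLOCKED_SOURCES = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "224.0.0.0/4", "240.0.0.0/5"}
ALLOWED_ICMP = {"echo-reply", "destination-unreachable", "time-exceeded"}


def audit(ruleset):
    """Return a list of deviations from the recommendations (empty list = compliant)."""
    findings, policies, dropped = [], {}, set()
    for line in ruleset.splitlines():
        if m := re.match(r":(\w+) (\w+)", line):   # chain policy line, e.g. ":INPUT DROP [0:0]"
            policies[m.group(1)] = m.group(2)
            continue
        if not line.startswith("-A INPUT"):
            continue
        if "-p icmp" in line and line.endswith("-j ACCEPT"):
            t = re.search(r"--icmp-type (\S+)", line)
            kind = t.group(1) if t else "any"      # no --icmp-type means every type, echo-request included
            if kind not in ALLOWED_ICMP:
                findings.append(f"INPUT accepts ICMP type {kind}")
        if s := re.search(r"-s (\S+) -j DROP", line):
            dropped.add(s.group(1))
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'unset')}, not DROP")
    for net in sorted(BLOCKED_SOURCES - dropped):
        findings.append(f"no INPUT DROP rule for source {net}")
    return findings
```

Run it on the output of `iptables-save` to see which of the recommended changes are still missing on a host.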

Regulate Access to SSH