Linux Firewall Best Practices
In this lesson, you'll learn about best practices for configuring Linux firewalls, with a special focus on the principle of "default deny" or "drop" policy. This approach is a cornerstone of robust network security, ensuring that only explicitly permitted traffic is allowed through your firewall.
Understanding Default Drop Policy
A default drop (or deny) policy in firewall configurations means that by default, all incoming and outgoing traffic is blocked unless a specific rule allows it. This is in contrast to a default accept policy, where all traffic is allowed unless explicitly blocked.
Benefits of Default Drop Policy
- Enhanced Security: Reduces the risk of unauthorized access and potential attacks.
- Minimized Attack Surface: Limits exposure by allowing only necessary traffic.
- Controlled Access: Forces administrators to explicitly define which traffic is allowed, leading to more deliberate and secure configurations.
Configuring Firewall with a Cautious Approach
If you lock yourself out with a firewall rule, remember that rebooting the host reverts your firewall changes unless you have saved them as described in previous lessons.
Step 1: Allow Necessary Traffic First
Before implementing the default drop policy, set up rules to allow essential traffic. This prevents accidental lockouts, especially for remote connections like SSH.
Allow Loopback Traffic: The loopback interface is crucial for the system's internal communication.
sudo iptables -A INPUT -i lo -j ACCEPT
Maintain Established Connections: Allow traffic for already established connections, which is important for ongoing sessions and related traffic.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Allow SSH Traffic: To ensure remote management is maintained, specifically allow SSH (usually on port 22).
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Step 2: Implement Default Drop Policy for INPUT and FORWARD
Now that essential services are allowed, set the default policy to DROP for the INPUT and FORWARD chains.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
After making all of these changes, when I run sudo iptables -L --line-number I get the following output:
paulh@ubuntu-server:~$ sudo iptables -L --line-number
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
2 ACCEPT all -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Step 3: Log Traffic
This will be covered in more detail in future lessons, but you should also log traffic. Because these LOG rules are appended after the ACCEPT rules, and INPUT and FORWARD now have a DROP policy, they record only the packets that no earlier rule accepted (LOG does not terminate the chain, so those packets still fall through to the policy and are dropped), which is why the prefixes say "dropped". The limit match keeps a flood from filling the log:
sudo iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables INPUT dropped: "
sudo iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "iptables FORWARD dropped: "
sudo iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "iptables OUTPUT: "
Step 4: Save the Configuration
Remember to save your iptables configuration to ensure it persists after a reboot. To save the rules, we need to update the file we saved at /etc/iptables/rules.v4 in previous lectures.
I am going to do that by running these commands:
# Create the rules file in the current directory. Only iptables-save runs as root here;
# the shell redirect runs as your own user, so writing straight to /etc/iptables would fail.
sudo iptables-save > rules.v4
# Move the file into the iptables directory (this step runs as root, so it can write there)
sudo mv rules.v4 /etc/iptables/rules.v4
Now when I reboot, my new, more secure iptables rules are still in place. Perfect!
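As an added example, not taken from the Server Academy lesson, here is a small POSIX shell lint for the rules.v4 file saved above. It refuses a ruleset whose INPUT policy is DROP but which lacks the loopback, ESTABLISHED/RELATED or SSH ACCEPT rules from Step 1, or which lists a DROP/REJECT rule ahead of the SSH ACCEPT. The functions check_rules_v4 and write_rules_v4, the sample file content, and the port-22 assumption are mine.

```shell
#!/bin/sh
# Added example (not part of the lesson): lint a rules.v4 file in iptables-save
# format before loading it, so a default DROP policy never goes live without the
# lockout-prevention ACCEPT rules in front of it. Assumption: SSH listens on 22.
SSH_PORT="${SSH_PORT:-22}"

# check_rules_v4 FILE -> returns 0 if the INPUT chain is safe to load, 1 otherwise.
check_rules_v4() {
    f="$1"; rc=0
    # The policy line must be DROP: that is the whole point of the lesson.
    grep -q '^:INPUT DROP' "$f" || { echo "INPUT policy is not DROP"; rc=1; }
    # The three lockout-prevention rules from Step 1 must be present.
    grep -q '^-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "missing loopback ACCEPT"; rc=1; }
    grep -q '^-A INPUT .*--ctstate .*ESTABLISHED.* -j ACCEPT' "$f" \
        || { echo "missing ESTABLISHED,RELATED ACCEPT"; rc=1; }
    grep -q "^-A INPUT -p tcp .*--dport $SSH_PORT .*-j ACCEPT" "$f" \
        || { echo "missing SSH ACCEPT on port $SSH_PORT"; rc=1; }
    # Order matters: iptables walks the chain top-down, so a DROP or REJECT
    # rule listed before the SSH ACCEPT wins and the ACCEPT never fires.
    awk -v port="$SSH_PORT" '
        /^-A INPUT / && /-j (DROP|REJECT)/ && !seen_ssh {
            print "DROP/REJECT rule precedes the SSH ACCEPT"; bad = 1 }
        /^-A INPUT -p tcp / && $0 ~ ("--dport " port " ") && /-j ACCEPT/ { seen_ssh = 1 }
        END { exit bad }' "$f" || rc=1
    return $rc
}

# write_rules_v4 FILE: the lesson's ruleset as iptables-save would emit it
# (constructed sample content for the demo; no iptables needed to run this).
write_rules_v4() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables INPUT dropped: "
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "iptables FORWARD dropped: "
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "iptables OUTPUT: "
COMMIT
EOF
}

# Demo: lint the sample ruleset (point it at /etc/iptables/rules.v4 on a real host).
tmp="$(mktemp)"; write_rules_v4 "$tmp"
check_rules_v4 "$tmp" && echo "ruleset is safe to load"; rm -f "$tmp"
```

On a real host, pair this with a syntax dry run (iptables-restore --test /etc/iptables/rules.v4) before trusting the file to load at boot.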
Best Practices and Tips
- Test After Each Change: After applying each rule, test to ensure you still have necessary access, especially when configuring remotely.
- Regular Audits: Periodically review your firewall rules to ensure they still align with your network needs and security policies.
- Backup Configurations: Regularly back up your firewall configuration so you can quickly recover from any misconfiguration.
- Stay Informed: Keep abreast of new security advisories that might affect your firewall policies.