group and simplify iptables INPUT rules
singuliere committed Feb 27, 2018
1 parent d49e865 commit 1ab4200
Showing 1 changed file with 7 additions and 22 deletions.
Expand Up @@ -4,6 +4,13 @@
:OUTPUT DROP [0:0]
:LOGNDROP - [0:0]

# Allow
-A INPUT -m state --state ESTABLISHED -j ACCEPT -m comment --comment "Allow traffic back"
-A INPUT -p icmp -m state --state RELATED -j ACCEPT -m comment --comment "Allow icmp errors"
# Don't log inbound invalid state packets related to issue #845
-A INPUT -p tcp -m state --state INVALID -j DROP -m comment --comment "Drop but do not log inbound invalid state packets"
-A INPUT -j LOGNDROP -m comment --comment "Drop and log all other incoming traffic"

# Prod ssh connections happen through an authenticated tor hidden service
# The ssh connection is proxied on the server by the tor client to
# the ssh dameon listening on the local loopback.
Expand All @@ -21,7 +28,6 @@
# TODO: use ansible facts to populate the in use interface to further restrict
# the rules.
-A OUTPUT -p tcp -m owner --uid-owner debian-tor -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "tor instance that provides ssh access"
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow traffic back for tor"

# Drop all other outbound traffic by the tor user.
# Load before generic loopback rules
Expand All @@ -31,15 +37,12 @@
# Only allow inbound rules from loopback with a dport of 80 or 8080 respectively for apache user
# Load before application users drop rules
# Rate limiting does not make sense here because src ip is always loopback address
-A INPUT -i lo -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow tor connection from local loopback to connect to source int"
-A OUTPUT -o lo -p tcp --sport 80 -m owner --uid-owner www-data -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Restrict the apache user outbound connections"
-A INPUT -i lo -p tcp --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow tor connection from local loopback to connect to journalist int"
-A OUTPUT -o lo -p tcp --sport 8080 -m owner --uid-owner www-data -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Restrict the apache user outbound connections"

# For the redis worker allow the application user allow access for locahost to
# localhost traffic. The redis worker user is the application user.
-A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -p tcp -m owner --uid-owner www-data -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "for redis worker all application user local loopback user"
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "for redis worker all application user local loopback user"

# Block all other traffic by application users
# Load before generic loopback rules
Expand All @@ -53,40 +56,31 @@

# DNS rules
-A OUTPUT -d {{ dns_server }} -p tcp --dport 53 -m owner --uid-owner root -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "tcp/udp dns"
-A INPUT -s {{ dns_server }} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "tcp/udp dns"
-A OUTPUT -d {{ dns_server }} -p udp --dport 53 -m owner --uid-owner root -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "tcp/udp dns"
-A INPUT -s {{ dns_server }} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "tcp/udp dns"

# NTP rules
-A OUTPUT -p udp --sport 123 --dport 123 -m owner --uid-owner root -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "ntp"
-A INPUT -p udp --sport 123 --dport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "ntp"

# apt rules can't be restricted by destination address because iptables will only resolve FQDNs once at startup
-A OUTPUT -p tcp --match multiport --dports 80,8080,443 -m owner --uid-owner root -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "apt updates"
-A INPUT -p tcp --match multiport --sports 80,8080,443 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "apt updates"

{% if 'securedrop_application_server' in group_names %}
# OSSEC server-agent rules
# TODO add owner to OUTPUT rule
-A OUTPUT -d {{ monitor_hostname }} -p udp --dport 1514 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "OSSEC server agent"
-A INPUT -s {{ monitor_hostname }} -p udp --sport 1514 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "OSSEC server agent"

{% elif 'securedrop_monitor_server' in group_names %}
# OSSEC server-agent rules
# TODO add owner to OUTPUT rule
-A INPUT -s {{ app_hostname }} -p udp --dport 1514 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow OSSEC agent to monitor"
-A OUTPUT -d {{ app_hostname }} -p udp --sport 1514 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow OSSEC agent to monitor"

# OSSEC smtp out rules
# dns rule for postfix to lookup smtp relay
-A OUTPUT -d {{ dns_server }} -p tcp --dport 53 -m owner --uid-owner postfix -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "postfix dns rule"
-A INPUT -s {{ dns_server }} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "tcp/udp dns"
-A OUTPUT -d {{ dns_server }} -p udp --dport 53 -m owner --uid-owner postfix -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "postfix dns rule"
-A INPUT -s {{ dns_server }} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "tcp/udp dns"

# postfix rule for outbound smtp
-A OUTPUT -p tcp --dport {{ smtp_relay_port }} -m owner --uid-owner postfix -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ossec email alerts out"
-A INPUT -p tcp --sport {{ smtp_relay_port }} -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ossec email alerts out"
{% endif %}


Expand All @@ -97,29 +91,20 @@
'staging' in group_names %}

{% if 'securedrop_application_server' in group_names %}
-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o {{ ansible_default_ipv4.interface }} -p tcp -m owner --uid-owner root --sport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --sport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

{% elif 'securedrop_monitor_server' in group_names %}
-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o {{ ansible_default_ipv4.interface }} -p tcp --sport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --sport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
{% endif %}

{% endif %}

# Allow generic loopback connections
-A INPUT -i lo -p all -j ACCEPT -m comment --comment "Allow lo to lo traffic all protocols"
-A OUTPUT -o lo -p all -j ACCEPT -m comment --comment "Allow lo to lo traffic all protocols"

# Don't log inbound invalid state packets related to issue #845
-A INPUT -p tcp -m state --state INVALID -j DROP -m comment --comment "drop but do not log inbound invalid state packets"

# Catch all drop rule
-A INPUT -j LOGNDROP -m comment --comment "Drop and log all other incoming traffic"
-A OUTPUT -j DROP -m comment --comment "Drop all other outgoing traffic"

# LOGNDROP everything else
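Review bot: The catch-all `-A INPUT -j LOGNDROP` added in the first hunk is now appended to INPUT ahead of every INPUT rule that still appears further down the template (the staging `--dport 22` rules, the OSSEC `--dport 1514` rule on the monitor server, and whatever follows the Tor/ssh comment whose rules sit outside the visible hunk), and since iptables evaluates a chain in append order those later rules can never match if LOGNDROP ends in DROP as its name implies (the chain body is below the visible page). The grouped accept on its own only admits ESTABLISHED traffic, so a NEW connection arriving on `lo` — the Tor-to-apache and Tor-to-sshd proxy path the comments describe — would be logged and dropped unless an `-i lo` accept precedes the catch-all, and the per-port `-i lo --dport 80/8080` accepts appear to be removed by this commit rather than moved up. Either move the two trailing rules (`-A INPUT -p tcp -m state --state INVALID -j DROP` and `-A INPUT -j LOGNDROP`) back to the end of the template after the last INPUT rule, or move every NEW-accepting INPUT rule (loopback, OSSEC 1514, staging ssh) up above them; in the first case add `# Must stay last: terminal catch-all, any INPUT rule appended after this is unreachable` so the ordering survives the next refactor. A testinfra check that a staging ssh SYN and a loopback SYN to port 80 are accepted would catch this class of ordering bug, which a restore-time syntax check cannot.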
