group and simplify iptables INPUT rules #3072
@@ -4,9 +4,12 @@ | |
:OUTPUT DROP [0:0] | ||
:LOGNDROP - [0:0] | ||
|
||
-A INPUT -m state --state ESTABLISHED -j ACCEPT -m comment --comment "Allow traffic back" | ||
|
||
# Prod ssh connections happen through an authenticated tor hidden service | ||
# The ssh connection is proxied on the server by the tor client to | ||
# the ssh dameon listening on the local loopback. | ||
-A INPUT -i lo -p tcp --dport 22 -m state --state NEW -j ACCEPT -m comment --comment "Allow tor connection from local loopback to connect to ssh" | ||
# Limit the number of new tcp connections allowed by the tor user to the ssh dameon | ||
# listening on the local loopback. Drop new connection attempts after the limit | ||
# by the tor user. | ||
|
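Review bot: the grouped rule `-A INPUT -m state --state ESTABLISHED -j ACCEPT` introduced at the top of the chain matches only ESTABLISHED, while the per-service INPUT return rules it replaces in the later hunks (the tor, DNS, NTP, apt and OSSEC rules) all matched `ESTABLISHED,RELATED`; after this change a conntrack RELATED packet such as an ICMP error for a permitted outbound flow no longer matches any accept rule and falls through to the chain's default, so either use `-m state --state ESTABLISHED,RELATED` here or note in the commit message that dropping RELATED is intended.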
@@ -21,7 +24,6 @@ | |
# TODO: use ansible facts to populate the in use interface to further restrict | ||
# the rules. | ||
-A OUTPUT -p tcp -m owner --uid-owner debian-tor -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "tor instance that provides ssh access" | ||
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow traffic back for tor" | ||
|
||
# Drop all other outbound traffic by the tor user. | ||
# Load before generic loopback rules | ||
|
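Review bot: the removed "Allow traffic back for tor" rule was scoped to `-p tcp`, whereas the grouped ESTABLISHED rule that now covers it carries no protocol match; this is acceptable for a stateful ruleset, since an inbound ESTABLISHED packet can only exist for a flow the OUTPUT chain already permitted, but it is a widening worth a sentence in the commit message. The `# TODO: use ansible facts to populate the in use interface` comment above the remaining debian-tor OUTPUT rule still applies and is unaffected by this hunk.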
@@ -31,62 +33,50 @@ | |
# Only allow inbound rules from loopback with a dport of 80 or 8080 respectively for apache user | ||
# Load before application users drop rules | ||
# Rate limiting does not make sense here because src ip is always loopback address | ||
-A INPUT -i lo -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow tor connection from local loopback to connect to source int" | ||
-A INPUT -i lo -p tcp --dport 80 -m state --state NEW -j ACCEPT -m comment --comment "Allow tor connection from local loopback to connect to source int" | ||
-A OUTPUT -o lo -p tcp --sport 80 -m owner --uid-owner www-data -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Restrict the apache user outbound connections" | ||
-A INPUT -i lo -p tcp --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow tor connection from local loopback to connect to journalist int" | ||
-A INPUT -i lo -p tcp --dport 8080 -m state --state NEW -j ACCEPT -m comment --comment "Allow tor connection from local loopback to connect to journalist int" | ||
-A OUTPUT -o lo -p tcp --sport 8080 -m owner --uid-owner www-data -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Restrict the apache user outbound connections" | ||
|
||
# For the redis worker allow the application user allow access for locahost to | ||
# localhost traffic. The redis worker user is the application user. | ||
-A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -p tcp -m owner --uid-owner www-data -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "for redis worker all application user local loopback user" | ||
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "for redis worker all application user local loopback user" | ||
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -p tcp -m state --state NEW -j ACCEPT -m comment --comment "for redis worker all application user local loopback user" | ||
|
||
# Block all other traffic by application users | ||
# Load before generic loopback rules | ||
-A OUTPUT -m owner --uid-owner www-data -j LOGNDROP -m comment --comment "Drop all other traffic by the securedrop user" | ||
|
||
{% endif %} | ||
|
||
# Block all other outbound access for users in the ssh group | ||
# Load before generic loopback rules | ||
-A OUTPUT -m owner --gid-owner ssh -j LOGNDROP -m comment --comment "Drop all other outbound traffic for ssh user" | ||
Why was this line removed?
there are no users in the ssh group
Ah, yes!
||
|
||
# DNS rules | ||
-A OUTPUT -d {{ dns_server }} -p tcp --dport 53 -m owner --uid-owner root -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "tcp/udp dns" | ||
-A INPUT -s {{ dns_server }} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "tcp/udp dns" | ||
-A OUTPUT -d {{ dns_server }} -p udp --dport 53 -m owner --uid-owner root -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "tcp/udp dns" | ||
-A INPUT -s {{ dns_server }} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "tcp/udp dns" | ||
|
||
# NTP rules | ||
-A OUTPUT -p udp --sport 123 --dport 123 -m owner --uid-owner root -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "ntp" | ||
-A INPUT -p udp --sport 123 --dport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "ntp" | ||
|
||
# apt rules can't be restricted by destination address because iptables will only resolve FQDNs once at startup | ||
-A OUTPUT -p tcp --match multiport --dports 80,8080,443 -m owner --uid-owner root -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "apt updates" | ||
-A INPUT -p tcp --match multiport --sports 80,8080,443 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "apt updates" | ||
|
||
{% if 'securedrop_application_server' in group_names %} | ||
# OSSEC server-agent rules | ||
# TODO add owner to OUTPUT rule | ||
-A OUTPUT -d {{ monitor_hostname }} -p udp --dport 1514 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "OSSEC server agent" | ||
-A INPUT -s {{ monitor_hostname }} -p udp --sport 1514 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "OSSEC server agent" | ||
|
||
{% elif 'securedrop_monitor_server' in group_names %} | ||
# OSSEC server-agent rules | ||
# TODO add owner to OUTPUT rule | ||
-A INPUT -s {{ app_hostname }} -p udp --dport 1514 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow OSSEC agent to monitor" | ||
-A INPUT -s {{ app_hostname }} -p udp --dport 1514 -m state --state NEW -j ACCEPT -m comment --comment "Allow OSSEC agent to monitor" | ||
-A OUTPUT -d {{ app_hostname }} -p udp --sport 1514 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow OSSEC agent to monitor" | ||
|
||
# OSSEC smtp out rules | ||
# dns rule for postfix to lookup smtp relay | ||
-A OUTPUT -d {{ dns_server }} -p tcp --dport 53 -m owner --uid-owner postfix -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "postfix dns rule" | ||
-A INPUT -s {{ dns_server }} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "tcp/udp dns" | ||
-A OUTPUT -d {{ dns_server }} -p udp --dport 53 -m owner --uid-owner postfix -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "postfix dns rule" | ||
-A INPUT -s {{ dns_server }} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "tcp/udp dns" | ||
|
||
# postfix rule for outbound smtp | ||
-A OUTPUT -p tcp --dport {{ smtp_relay_port }} -m owner --uid-owner postfix -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ossec email alerts out" | ||
-A INPUT -p tcp --sport {{ smtp_relay_port }} -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ossec email alerts out" | ||
{% endif %} | ||
|
||
|
||
|
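Review bot: with the per-service INPUT return rules gone, every INPUT rule that now reads `--state NEW` only (ports 80 and 8080 on lo, the redis loopback rule, and the OSSEC 1514 rule on the monitor server) depends on the grouped ESTABLISHED rule being loaded earlier in the chain; that ordering holds in this file, but a test asserting the grouped rule exists and precedes these would keep a later reorder from silently breaking return traffic. The removal of the `--gid-owner ssh` LOGNDROP rule is justified only in the review thread (no users are in the ssh group); please record that rationale in the commit message or in a comment where the rule used to be.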
@@ -97,22 +87,19 @@ | |
'staging' in group_names %} | ||
|
||
{% if 'securedrop_application_server' in group_names %} | ||
-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | ||
-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp --dport 22 -m state --state NEW -j ACCEPT | ||
-A OUTPUT -o {{ ansible_default_ipv4.interface }} -p tcp -m owner --uid-owner root --sport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | ||
-A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | ||
-A INPUT -p udp --sport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | ||
|
||
{% elif 'securedrop_monitor_server' in group_names %} | ||
-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | ||
-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp --dport 22 -m state --state NEW -j ACCEPT | ||
-A OUTPUT -o {{ ansible_default_ipv4.interface }} -p tcp --sport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | ||
-A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | ||
-A INPUT -p udp --sport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | ||
{% endif %} | ||
|
||
{% endif %} | ||
|
||
# Allow generic loopback connections | ||
-A INPUT -i lo -p all -j ACCEPT -m comment --comment "Allow lo to lo traffic all protocols" | ||
-A OUTPUT -o lo -p all -j ACCEPT -m comment --comment "Allow lo to lo traffic all protocols" | ||
|
||
# Don't log inbound invalid state packets related to issue #845 | ||
|
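Review bot: the ssh rules in the dev/staging block are reduced to `--state NEW`, consistent with the rest of the change, but if the `-A INPUT -p udp --sport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT` lines in this block survive they are worth a second look: they accept NEW inbound UDP from any source to any port as long as the source port is 53, and DNS replies are already covered by the grouped ESTABLISHED rule, so they could be dropped or narrowed to match the rest of the file. This only affects hosts with `'staging' in group_names`, as the surrounding condition shows.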
Could you please clarify your reasoning behind this rule? It is my understanding that ssh over tor should be handled here
this rule is for the INPUT chain
Makes sense as the rule on L115 was removed :)