I have a working Iptables Firewall, which I setup a couple of months ago.
Now that I am happy everything is working, I would like to restrict open ports to prevent abuse of open ports such as DNS Server Port 53. In effect, I have two questions. One relating to firewall output DNS Resolution and second relating to Internal Lan Forward DNS Resolution.
My current rules are as follows:
Code:
# NAT Rules (Prerouting, Postrouting and Output Chains)
# Allows Internal Lan Traffic to be Routed to Internet
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "Internet IP Address"
# TCP and UDP Port 53 Dns Lan Resolution
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
# TCP and UDP Port 53 Firewall DNS query
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
My System consists of 3 Servers. Firewall and behind that Windows Host Server and Mail Server on Internal Lan. The firewall consists of eth0 (Internet IP Address) and eth1 (Lan Internal IP Address). Policy rules are to drop all connections by default and to allow all Established, Related traffic through.
To start with the firewall, I presume that the best practice would be to simply restrict where dst port 53 traffic goes - i.e just to the DNS Server.
So something like this would restrict new dst 53 traffic to only IP address 1.2.3.4 and Outgoing only. Incoming would be blocked, unless is return traffic. I presume defining which interface (-o eth0) to use as out would be pointless from a security point of view as destination IP address would clearly be external.
Code:
# TCP and UDP Port 53 Firewall DNS query
iptables -A OUTPUT -d 1.2.3.4 -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -d 1.2.3.4 -p tcp --dport 53 -m state --state NEW -j ACCEPT
I could do the same for Internal Lan traffic to only use IP Address 1.2.3.4 as the DNS Server.
Code:
# TCP and UDP Port 53 Dns Lan Resolution
iptables -A FORWARD -d 1.2.3.4 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -d 1.2.3.4 -p tcp --dport 53 -j ACCEPT
Where I am not sure is the best practice for hardening FORWARD as opposed to INPUT/OUTPUT rules. With the actual Firewall, I am blocking input by default (unless Established), only allowing new outgoing connections, by using New, Established and Related. With the above Forward rule, I am in theory allowing port 53 traffic to be forwarded from Lan or Internet!
However, I have no prerouting rule to "forward" traffic from Internet to Lan. I only have a postrouting rule to "forward" traffic from Lan to Internet. So I presume (and would like clarification on) that as Input traffic is blocked on Firewall and postrouting only forwards traffic from Internal Lan to Internet IP Address, it would be impossible for any dst 53 Syn traffic from the Internet to be forwarded through to the Internal LAN. Or should I be specifying that I want Forward NEW, dst 53 traffic to go into eth1 and out eth0 only to prevent New traffic from Internet being forwarded. Is New, Established, Related necessary for Forwarding rules or is the postrouting rule in effect doing the same thing - only allowing forward traffic out of the lan to Internet but not the reverse?
I considered using source IP Addresses but it seems redundant because of the postrouting rule and it would be much easier to simply forward NEW -i eth1 -o eth0.
1. Can I further secure port 53 traffic from firewall or is adding dst IP address all I need?
2. Do I need New, Established, Related and -i eth1, -0 eth0 for Forwarding rules or is postrouting already blocking New forwarded traffic from Internet?
