
Linux Firewall Best Practices


In this lesson, you'll learn about best practices for configuring Linux firewalls, with a special focus on the principle of "default deny" or "drop" policy. This approach is a cornerstone of robust network security, ensuring that only explicitly permitted traffic is allowed through your firewall.

Understanding Default Drop Policy

A default drop (or deny) policy in firewall configurations means that by default, all incoming and outgoing traffic is blocked unless a specific rule allows it. This is in contrast to a default accept policy, where all traffic is allowed unless explicitly blocked.

Benefits of Default Drop Policy

  1. Enhanced Security: Reduces the risk of unauthorized access and potential attacks.
  2. Minimized Attack Surface: Limits exposure by allowing only necessary traffic.
  3. Controlled Access: Forces administrators to explicitly define which traffic is allowed, leading to more deliberate and secure configurations.

Configuring Firewall with a Cautious Approach

If you break your connection with a firewall rule, remember that rebooting the host will revert your firewall changes unless you have saved them, as described in previous lessons.

Step 1: Allow Necessary Traffic First

Before implementing the default drop policy, set up rules to allow essential traffic. This prevents accidental lockouts, especially for remote connections like SSH.

Allow Loopback Traffic: The loopback interface is crucial for the system's internal communication.

sudo iptables -A INPUT -i lo -j ACCEPT

Maintain Established Connections: Allow traffic for already established connections, which is important for ongoing sessions and related traffic.

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Allow SSH Traffic: To ensure remote management is maintained, specifically allow SSH (usually on port 22).

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Step 2: Implement Default Drop Policy for INPUT and FORWARD

Now that essential services are allowed, set the default policy to DROP for INPUT and FORWARD chains.

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP

After making all of these changes, when I run sudo iptables -L --line-number I get the following output:

paulh@ubuntu-server:~$ sudo iptables -L --line-number
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
2    ACCEPT     all  --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Step 3: Log Traffic

This will be covered in more detail in future lessons, but you should also log traffic. These rules are appended after the ACCEPT rules, so on INPUT and FORWARD they record only packets that no earlier rule matched (the ones the DROP policy will discard), and the limit match caps logging at 10 entries per minute so a flood cannot fill the log:

sudo iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables INPUT dropped: "
sudo iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "iptables FORWARD dropped: "
sudo iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "iptables OUTPUT: "

Step 4: Save the Configuration

Remember to save your iptables configuration to ensure it persists after a reboot. To save the rules, we need to update the file we saved at /etc/iptables/rules.v4 in previous lectures.

I am going to do that by running these commands:

# Create the rules file
sudo iptables-save > rules.v4

# Move the file to the iptables directory
sudo mv rules.v4 /etc/iptables/rules.v4

Now when I reboot, my new, more secure iptables rules are still in place. Perfect!
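The four steps above collapsed into one script, as an added example that is not part of the lesson: it writes the complete ruleset in the iptables-save format that /etc/iptables/rules.v4 holds, lints the file for the SSH lockout risk the lesson warns about before anything is loaded, and loads it behind a timer that restores the default-accept INPUT policy if the SSH session is lost. The SSH port (22, override with SSH_PORT), the function names and the two-minute timer are this example's own choices; `iptables-restore --test` is the real parse-only option.

```shell
#!/bin/sh
# Added example, not from the lesson: build the ruleset from Steps 1-4 as an
# iptables-restore file, lint it for the SSH lockout risk, then load it behind
# a safety timer. Assumes SSH on tcp/22 (override with SSH_PORT) and the
# lesson's /etc/iptables/rules.v4 path. check_rules, apply_rules and the
# timer are this example's own names, not iptables features.

SSH_PORT="${SSH_PORT:-22}"

# The ruleset in iptables-save format, i.e. what /etc/iptables/rules.v4 holds.
# Policies sit on the chain lines; rules are listed in evaluation order, so the
# ACCEPT rules come first and the LOG rules last.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "iptables INPUT dropped: "
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "iptables FORWARD dropped: "
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "iptables OUTPUT: "
COMMIT
EOF
}

# Lockout lint: when the INPUT policy is DROP, the file must ACCEPT SSH and
# ESTABLISHED,RELATED traffic, and both must precede the first LOG rule.
# LOG is non-terminating, so a LOG placed before the ACCEPTs would not block
# anything, but it would label accepted SSH packets as "dropped", so it is
# treated as an ordering mistake. Returns 0 if safe, 1 with a reason on stderr.
check_rules() {
    grep -q '^:INPUT DROP' "$1" || return 0     # default-accept: nothing to check
    awk -v port="$SSH_PORT" '
        /^-A INPUT / { n++ }
        /^-A INPUT / && $0 ~ ("--dport " port " -j ACCEPT")                         { ssh = n }
        /^-A INPUT .*--ctstate (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT/ { est = n }
        /^-A INPUT .*-j LOG/ && !logidx                                             { logidx = n }
        END {
            if (!ssh) { print "no ACCEPT for tcp/" port " in INPUT" > "/dev/stderr"; exit 1 }
            if (!est) { print "no ESTABLISHED,RELATED ACCEPT in INPUT" > "/dev/stderr"; exit 1 }
            if (logidx && (ssh > logidx || est > logidx)) {
                print "LOG rule precedes the ACCEPT rules" > "/dev/stderr"; exit 1
            }
        }' "$1"
}

# Load a checked file behind a safety timer: if the new rules cut your SSH
# session, the timer resets the INPUT policy to ACCEPT after two minutes.
# Once SSH is confirmed to still work, cancel it with: kill $TIMER_PID
apply_rules() {
    check_rules "$1" || { echo "refusing to load $1" >&2; return 1; }
    sudo iptables-restore --test "$1" || return 1      # parse only, no changes
    ( sleep 120 && sudo iptables -P INPUT ACCEPT ) &
    TIMER_PID=$!
    sudo iptables-restore "$1"
    echo "loaded $1; confirm SSH still works, then run: kill $TIMER_PID"
}

# Stand-alone run: write the ruleset to a temp file and lint it. To go live:
#   build_rules > rules.v4 && apply_rules rules.v4 && sudo cp rules.v4 /etc/iptables/rules.v4
OUT=$(mktemp)
build_rules > "$OUT"
check_rules "$OUT" && echo "$OUT passes the lockout check"
```

The lint is deliberately run on the file rather than on the live rules: a file that fails it never reaches iptables-restore, and the same check can be pointed at an existing /etc/iptables/rules.v4 before a reboot.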

Best Practices and Tips

  1. Test After Each Change: After applying each rule, test to ensure you still have necessary access, especially when configuring remotely.
  2. Regular Audits: Periodically review your firewall rules to ensure they still align with your network needs and security policies.
  3. Backup Configurations: Regularly back up your firewall configuration so you can quickly recover from any misconfiguration.
  4. Stay Informed: Keep abreast of new security advisories that might affect your firewall policies.
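For the Regular Audits and Backup Configurations tips, an added example that is not the lesson's own code: `audit_drift` compares the running ruleset with the saved /etc/iptables/rules.v4 (the path used in the lesson) after stripping the timestamps and counters that make two dumps of the same policy differ, and `save_with_backup` keeps a timestamped copy before the saved file is overwritten. The backup directory /etc/iptables/backup and the two sample dumps are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the lesson: audit drift between the live rules and
# the saved file, and back the saved file up before replacing it. SAVED is the
# lesson's path; BACKUP_DIR and the sample dumps are this example's assumptions.

SAVED="${SAVED:-/etc/iptables/rules.v4}"
BACKUP_DIR="${BACKUP_DIR:-/etc/iptables/backup}"

# iptables-save wraps its dump in "# Generated by ..." / "# Completed on ..."
# comments and puts packet:byte counters in [..] on every chain line, so two
# dumps of the same policy never compare byte-for-byte. Strip both.
normalize() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# 0 when the two dump files describe the same policy, 1 (plus a diff) otherwise.
rules_equal() {
    a=$(mktemp); b=$(mktemp)
    normalize "$1" > "$a"
    normalize "$2" > "$b"
    diff -u "$a" "$b"
    rc=$?
    rm -f "$a" "$b"
    return $rc
}

# Audit: dump the live rules and compare them with the saved file.
audit_drift() {
    live=$(mktemp)
    sudo iptables-save > "$live"
    if rules_equal "$SAVED" "$live"; then
        echo "running rules match $SAVED"
    else
        echo "DRIFT: running rules differ from $SAVED (diff above)" >&2
        return 1
    fi
}

# Backup, then save: copy the current saved file aside with a timestamp and
# write the live rules in its place. Roll back with:
#   sudo iptables-restore < $BACKUP_DIR/rules.v4.<stamp>
save_with_backup() {
    stamp=$(date +%Y%m%d-%H%M%S)
    sudo mkdir -p "$BACKUP_DIR"
    if [ -f "$SAVED" ]; then
        sudo cp "$SAVED" "$BACKUP_DIR/rules.v4.$stamp"
    fi
    sudo iptables-save | sudo tee "$SAVED" > /dev/null
    echo "saved to $SAVED (previous copy: $BACKUP_DIR/rules.v4.$stamp)"
}

# Constructed sample dumps: same policy, different counters and timestamps.
# They let the comparison be exercised offline without touching iptables.
sample_dump_a() {
    cat <<'EOF'
# Generated by iptables-save v1.8.7 on Mon Jan  1 10:00:00 2024
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [300:41200]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 10:00:00 2024
EOF
}
sample_dump_b() {
    cat <<'EOF'
# Generated by iptables-save v1.8.7 on Tue Jan  2 09:30:00 2024
*filter
:INPUT DROP [4501:389002]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9000:1200000]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Tue Jan  2 09:30:00 2024
EOF
}

# Stand-alone run on the constructed dumps; on a server run audit_drift instead.
A=$(mktemp); sample_dump_a > "$A"
B=$(mktemp); sample_dump_b > "$B"
rules_equal "$A" "$B" && echo "sample dumps describe the same policy"
```

Run `audit_drift` from cron or before every change: a non-zero exit means someone added or removed a rule with `iptables -A`/`-D` and never saved, exactly the state a reboot would silently undo.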
