On Sunday, 04-08-2024 at 18:48 Christofer C. Bell wrote:
> On Sun, Aug 4, 2024 at 3:12 AM George at Clug <c...@goproject.info> wrote:
>
> >
> >
> > On Sunday, 04-08-2024 at 16:15 john doe wrote:
> > > On 8/4/24 06:48, jeremy ardley wrote:
> > > >
> > > > On 4/08/2024 12:26 pm, George at Clug wrote:
> > > >>
> > > >> If I go to the local coffee shop and connect my laptop to their WiFi,
> > > >> which incoming and now outgoing ports should I have blocked to ensure
> > > >> that no nefarious people are able to communicate with my laptop
> > > >
> > > > The rules for public networks are very simple.
> > > >
> > > > - Allow all outgoing traffic
> > > >
> > >
> > > On a laptop, inbound connections should be restricted unless you want
> > > services to be accessible on your laptop by way of FWing and
> > > securing the services.
> > >
> > > Outbound connections are up to you.
> >
> > Thanks, John,
> >
> > I do like the idea of blocking all outbound connections, and only opening
> > ports that are required for whatever services I want to use.
> >
> > For servers I often do, but for workstations, sadly I am often lazy and
> > default to allowing all outgoing traffic.
> >
> > When asked to explain why I want to block outgoing connections, I do find
> > it difficult to justify but here are a few thoughts:
> >
> > 1) I like the principle of making this as hard as possible for the 'bad'
> > guys. If they break in, they might as well not have it easy. As analogy, I
> > can have a gate at the front of my house, then I have a dead locked door
> > (not just a lock from the outside). then if I had valuables, they would be
> > in a steel safe, and the safe would be bolted to the concrete floor. All of
> > this will not stop the determined, but why let it be easy.
> >
> > 2) Staying with analogies, I like having double locked doors. If someone
> > breaks in through the window, they have to exit the same way, and not just
> > walk out through the front/back door, making it a bit more difficult to carry
> > everything out. In IT terms, if someone has gained access to my server via
> > a service level exploit, they (hopefully) only have that service's level of
> > access. If the local network is blocked, port scanning is going to be more
> > challenging, as would a number of other network based attacks.
> >
> > 3) I believe a number of exploits, once they gain a small footprint, then
> > create a listening service to allow remote access to the system. If this
> > cannot be achieved, then again, I have made their lives harder.
> >
> > The main challenge as I see it is to ensure no 'bad' guys gain root
> > access, but as above, until then, make their lives as hard as possible to do
> > anything by limiting and locking down anything you can while still allowing
> > the system to achieve its intended purpose.
> >
> > Any comments on the above thoughts?
> >
> > George.
> >
>
> Outbound ports are selected randomly. If you block outbound ports, you'll
> block your ability to communicate with anything over the network. If you
> want to "block outbound stuff" block all outbound connections to any
> destination, then allow outbound connections to address ranges you want to
> connect to, from any local port.
I should clarify: I am speaking about blocking incoming and outgoing ports for
NEW connections, not RELATED,ESTABLISHED connections, so randomly selected
outbound ports should only be for RELATED,ESTABLISHED connections.
I have been experimenting this afternoon based on previous efforts.
I think I finally have success (had to fix way too many typos).
Please review, and please comment if it can be improved.
I used Minecraft and DynMap as a test scenario.
I can ping or disable ping, I can run updates. I wonder what I will find
sometime in the future that does not work?
========================================================
# Reset the default policies to ACCEPT before flushing, so a DROP policy left
# over from a previous run cannot cut an SSH session in the gap between the
# flush and the new rules being added
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
# Delete all existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
ip6tables -F
ip6tables -X
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
# Allow traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow all inbound established connections (this is what lets replies to the
# randomly chosen outbound source ports back in)
iptables -A INPUT -i enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow all outbound established connections
iptables -A OUTPUT -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# IPv6 needs Neighbour Discovery and Router Advertisements to get through;
# conntrack does not treat them as ESTABLISHED, so with a DROP policy they
# must be allowed explicitly or IPv6 on the link silently stops working
ip6tables -A INPUT -i enp1s0 -p ipv6-icmp -m ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -i enp1s0 -p ipv6-icmp -m ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
ip6tables -A INPUT -i enp1s0 -p ipv6-icmp -m ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A OUTPUT -o enp1s0 -p ipv6-icmp -m ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A OUTPUT -o enp1s0 -p ipv6-icmp -m ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
ip6tables -A OUTPUT -o enp1s0 -p ipv6-icmp -m ipv6-icmp --icmpv6-type router-solicitation -j ACCEPT
# Enable incoming ssh, for remote access
iptables -A INPUT -i enp1s0 -p tcp -m state --state NEW --dport 22 -j ACCEPT
ip6tables -A INPUT -i enp1s0 -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Enable specific incoming ports for Minecraft and DynMap
iptables -A INPUT -i enp1s0 -p tcp -m state --state NEW --dport 25565 -j ACCEPT
iptables -A INPUT -i enp1s0 -p tcp -m state --state NEW --dport 8123 -j ACCEPT
ip6tables -A INPUT -i enp1s0 -p tcp -m state --state NEW --dport 25565 -j ACCEPT
ip6tables -A INPUT -i enp1s0 -p tcp -m state --state NEW --dport 8123 -j ACCEPT
# Enable specific outgoing ports for infrastructure support (ssh, dns, apt, ntp)
# NTP is UDP 123, not TCP, so it belongs in the udp rule
iptables -A OUTPUT -o enp1s0 -p udp -m state --state NEW -m multiport --dports 53,123 -j ACCEPT
iptables -A OUTPUT -o enp1s0 -p tcp -m state --state NEW -m multiport --dports 22,53,80,443 -j ACCEPT
ip6tables -A OUTPUT -o enp1s0 -p udp -m state --state NEW -m multiport --dports 53,123 -j ACCEPT
ip6tables -A OUTPUT -o enp1s0 -p tcp -m state --state NEW -m multiport --dports 22,53,80,443 -j ACCEPT
# Enable specific outgoing port for Minecraft player authentication via Mojang
# Authentication API (already covered by the tcp 443 rule above for apt update).
# iptables -A OUTPUT -o enp1s0 -p tcp -m state --state NEW --dport 443 -j ACCEPT
# ip6tables -A OUTPUT -o enp1s0 -p tcp -m state --state NEW --dport 443 -j ACCEPT
# If required for testing, allow ping
iptables -A INPUT -i enp1s0 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
ip6tables -A INPUT -i enp1s0 -p ipv6-icmp -m ipv6-icmp --icmpv6-type echo-request -j ACCEPT
iptables -A OUTPUT -o enp1s0 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
ip6tables -A OUTPUT -o enp1s0 -p ipv6-icmp -m ipv6-icmp --icmpv6-type echo-request -j ACCEPT
# Set default chain policies after opening ports
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
==================================================================
>
> You'll find this is an exercise in frustration, however, in today's cloud
> powered Internet.
Fortunately I do not use the CLOUD. Frustration is another word for 'fun'.
>
> It's best to follow Jeremy Ardley's advice.
It was likely good advice, but what is that old saying? ... "hold my beer".
>
> --
> Chris
>
> "If you wish to make an apple pie from scratch, you must first invent the
> Universe." -- Carl Sagan
>
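An added example, not from George's post or anyone else in the thread: the same "port-filter NEW in both directions, let conntrack handle the rest" policy written as an iptables-restore table, so the whole ruleset (policies included) is loaded in one transaction instead of a flush followed by a sequence of -A commands. It also carries the two things a practitioner would check before leaving a DROP OUTPUT policy on a machine: IPv6 Neighbour Discovery and DHCP renewals, neither of which conntrack counts as ESTABLISHED. The interface name and port lists are assumptions that mirror the posted script and can be overridden from the environment; the assumption that the interface gets its address by DHCP is marked in a comment.

```shell
#!/bin/sh
# Added example (not the original post's script): generate the ruleset as an
# iptables-restore table and load it atomically, so there is never a moment
# in which the chains are flushed while a DROP policy is still in force.
# Assumed values, mirroring the posted script; override from the environment.
IFACE="${IFACE:-enp1s0}"
IN_TCP="${IN_TCP:-22 25565 8123}"   # sshd, Minecraft, DynMap
OUT_TCP="${OUT_TCP:-22 53 80 443}"  # ssh, DNS over TCP, apt, Mojang auth (443)
OUT_UDP="${OUT_UDP:-53 123}"        # DNS, NTP (NTP is UDP, not TCP)

# gen_rules 4|6 : print an iptables-restore / ip6tables-restore file on stdout
gen_rules() {
  fam="$1"
  echo '*filter'
  # Policies are loaded in the same transaction as the rules, so there is no
  # ordering problem and no lockout window
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT DROP [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A OUTPUT -o lo -j ACCEPT'
  # Replies to our outbound connections arrive on whatever source port the
  # kernel picked; conntrack classifies them as ESTABLISHED, so no port list
  # is needed for them. INVALID packets (out-of-window, no matching flow)
  # are dropped early.
  echo "-A INPUT -i $IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  echo "-A OUTPUT -o $IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  echo "-A INPUT -i $IFACE -m conntrack --ctstate INVALID -j DROP"
  if [ "$fam" = 6 ]; then
    # Neighbour Discovery and Router Advertisements are not ESTABLISHED
    # traffic; without these exceptions IPv6 on the link silently stops working
    for t in neighbour-solicitation neighbour-advertisement router-advertisement packet-too-big; do
      echo "-A INPUT -i $IFACE -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    for t in neighbour-solicitation neighbour-advertisement router-solicitation; do
      echo "-A OUTPUT -o $IFACE -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    echo "-A INPUT -i $IFACE -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT"
    echo "-A OUTPUT -o $IFACE -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT"
  else
    # Assumption: the interface gets its address by DHCP. The initial lease is
    # usually fetched over a raw socket that netfilter does not see, but unicast
    # renewals are ordinary UDP 68 -> 67 and would be dropped by OUTPUT DROP.
    echo "-A OUTPUT -o $IFACE -p udp --sport 68 --dport 67 -j ACCEPT"
    echo "-A INPUT -i $IFACE -p udp --sport 67 --dport 68 -j ACCEPT"
    echo "-A INPUT -i $IFACE -p icmp --icmp-type echo-request -j ACCEPT"
    echo "-A OUTPUT -o $IFACE -p icmp --icmp-type echo-request -j ACCEPT"
  fi
  # Only NEW connections are port-filtered, in both directions
  for p in $IN_TCP; do
    echo "-A INPUT -i $IFACE -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  for p in $OUT_TCP; do
    echo "-A OUTPUT -o $IFACE -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  for p in $OUT_UDP; do
    echo "-A OUTPUT -o $IFACE -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo 'COMMIT'
}

# apply_rules: iptables-restore replaces the filter table in one transaction;
# a syntax error in the generated file leaves the running rules untouched
apply_rules() {
  gen_rules 4 | iptables-restore && gen_rules 6 | ip6tables-restore
}

case "${1:-show}" in
  apply) apply_rules ;;          # needs root
  show)  gen_rules 4; echo; gen_rules 6 ;;   # dry run: print both tables
esac
```

Run it with no arguments to print the two tables for review, and as root with `apply` to load them. Because the load is a single transaction, an SSH session on the box survives re-applying the policy, and a typo in a port list fails the whole load rather than leaving the machine half-configured. When the interface name differs (a laptop on Wi-Fi rather than enp1s0), set IFACE in the environment instead of editing the script.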