In: Computer Science
Compare -j DROP vs -j REJECT. Which option would you use to create a firewall rule that blocks incoming packets and why?
Introduction
Drop vs Reject Response Table:
The table below shows how a server protected by a firewall will react to different requests depending on the policy being applied to the destination port.
The first column indicates the packet type sent by the client. In the second column, we’ve included the nmap commands that can be used to test each scenario. The third column indicates the port policy being applied to the port. The fourth column is the response the server will send back and the fifth column is what the client can infer about the port based on the response it has received.
ICMP Policies:
Similar to the question about whether to drop or reject denied traffic, there are differing opinions on whether to accept ICMP packets destined for your server.
ICMP is a protocol used for many things. It is often sent back, as we saw above, to give status information about requests using other protocols. Perhaps its most recognized function to send and respond to network pings to verify connectability to remote hosts. There are many other uses for ICMP however that are not as well known, but still useful.
ICMP packets are organized by “type” and then further by “code”. A type specifies the general meaning of the message. For instance, Type 3 means that the destination was unreachable. A code is often used to give further information about a type. For example, ICMP Type 3 Code 3 means that the destination port was unavailable, while ICMP Type 3 Code 0 means that the destination network could not be reached.
Iptables:
Setting up a good firewall is an essential step to take in securing any modern operating system. Most Linux distributions ship with a few different firewall tools that we can use to configure our firewalls. In this guide, we’ll be covering the iptables firewall.
Iptables is a standard firewall included in most Linux distributions by default (a modern variant called nftables will begin to replace it). It is actually a front end to the kernel-level netfilter hooks that can manipulate the Linux network stack. It works by matching each packet that crosses the networking interface against a set of rules to decide what to do.
In this guide we will discuss how iptables works. In the next article in the series, we’ll show you how to configure a basic set of rules to protect your Ubuntu 14.04 server.
Iptables Works
Before we get started discussing the actual commands needed to control iptables and build a firewall policy, let’s go over some terminology and discuss how iptables works.
The iptables firewall operates by comparing network traffic against a set of rules. The rules define the characteristics that a packet must have to match the rule, and the action that should be taken for matching packets.
There are many options to establish which packets match a specific rule. You can match the packet protocol type, the source or destination address or port, the interface that is being used, its relation to previous packets, etc.
When the defined pattern matches, the action that takes place is called a target. A target can be a final policy decision for the packet, such as accept, or drop. It can also be move the packet to a different chain for processing, or simply log the encounter. There are many options.
These rules are organized into groups called chains. A chain is a set of rules that a packet is checked against sequentially. When the packet matches one of the rules, it executes the associated action and is not checked against the remaining rules in the chain.
A user can create chains as needed. There are three chains defined by default. They are:
INPUT: This chain handles all packets that are addressed to your server.
OUTPUT: This chain contains rules for traffic created by your server.
FORWARD: This chain is used to deal with traffic destined for other servers that are not created on your server. This chain is basically a way to configure your server to route requests to other machines.
Each chain can contain zero or more rules, and has a default policy. The policy determines what happens when a packet drops through all of the rules in the chain and does not match any rule. You can either drop the packet or accept the packet if no rules match.
Through a module that can be loaded via rules, iptables can also track connections. This means you can create rules that define what happens to a packet based on its relationship to previous packets. We call this capability “state tracking”, “connection tracking”, or configuring the “state machine”.
For this guide, we are mainly going to be covering the configuration of the INPUT chain, since it contains the set of rules that will help us deny unwanted traffic directed at our server.
Specifications:
VPC firewall rules have the following characteristics:
Each firewall rule applies to incoming (ingress) or outgoing (egress) connection, not both. For more information, see direction of connection.
Firewall rules only support IPv4 connections. When specifying a source for an ingress rule or a destination for an egress rule by address, you can only use an IPv4 address or IPv4 block in CIDR notation.
Each firewall rule's action is either allow or deny. The rule applies to connections as long as it is enforced. For example, you can disable a rule for troubleshooting purposes.
When you create a firewall rule, you must select a VPC network. While the rule is enforced at the instance level, its configuration is associated with a VPC network. This means that you cannot share firewall rules among VPC networks, including networks connected by VPC Network Peering or by using Cloud VPN tunnels.