Question about iptables 127.0.0.1 & 0.0.0.0/0

Support for security such as Firewalls and securing linux
dLans
Posts: 1
Joined: 2015/03/24 08:50:46

Question about iptables 127.0.0.1 & 0.0.0.0/0

Post by dLans » 2015/03/24 13:13:29

Good afternoon all,

I'm hoping that there is someone here with a lot more iptables knowledge than me, but that shouldn't be hard at all =D. We've got several locations in The Netherlands, Germany and Belgium that are currently being monitored with Nagios (picked just a handful for the examples below). We're implementing very strict security policies for desktops, servers and mobile devices. We want to only allow two ports with outbound traffic and a select few inbound. Question. So now the real question that I wanted to ask you is this: Do I have to configure a source IP for outbound traffic? Default = 0.0.0.0/0, but would it be better to just use 127.0.0.1? Would it be any safer to do so? Do I need to add a destination IP (localhost) to the inbound traffic as well? Basically I don't know the risks of leaving it at 0.0.0.0/0 while the packets are already being filtered. See examples below.

FYI: there are strong vpn tunnels between the locations to allow the kind of traffic described below.
Location A - Datacenter with the servers that we're configuring the firewall for
Location B - Netherlands #2
Location C - Germany
Location D - Belgium

Servers from Location A need to access servers at all other locations over port 5666 and port 12489
Servers from Location A need to access storage on location A at port 3260
People from Location A, filtered by subnet, may access the Linux servers on port 22,80,443
People from Location B, filtered by subnet, may access the Linux servers at Location A on port 80,443
People from Location C and Location D may not access the servers.

Current rule set


# iptables-restore format: the *filter header and the closing COMMIT are
# required for "iptables-restore < file" to load this.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10251:694238]
# Chain names may not contain spaces, so "Location A" is written Location_A.
:Location_A - [0:0]
:Location_B - [0:0]
:Location_C - [0:0]
:Location_D - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Location_A
-A INPUT -j Location_B
-A INPUT -j Location_C
-A INPUT -j Location_D
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Note: these four rules live in a chain reached only from INPUT, so they
# only ever see inbound packets; <IPRANGE> placeholders kept as posted.
-A Location_B -s 127.0.0.1 -d <IPRANGE> -p tcp -m tcp -m multiport --dports 5666,12489 -j ACCEPT
-A Location_B -s <IPRANGE_1> -p tcp -m tcp -m multiport --dports 80,443,5666 -j ACCEPT
-A Location_B -s 127.0.0.1 -d <IPRANGE> -p tcp -m tcp -m multiport --dports 5666,12489 -j ACCEPT
-A Location_B -s <IPRANGE_2> -p tcp -m tcp -m multiport --dports 80,443,5666 -j ACCEPT
-A Location_A -s <IPRANGE> -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A Location_A -s <IPADDRESS> -p tcp -m tcp --dport 3260 -j ACCEPT
-A Location_A -s <IPADDRESS> -p tcp -m tcp --sport 3260 -j ACCEPT
COMMIT

And so on and so on.
Any help is greatly appreciated!

Kind regards,
Dennis Lans
a Windows system admin & a very junior Linux person

gulikoza
Posts: 188
Joined: 2007/05/06 20:15:23

Re: Question about iptables 127.0.0.1 & 0.0.0.0/0

Post by gulikoza » 2015/03/25 16:48:59

When configuring source and destination addresses, you can put in interface addresses if you'd like. 127.0.0.1 won't do you any good since it's valid only on the lo (localhost) interface.

A firewall has to be as restrictive as possible, so it would be a good policy to exactly define the source IP (and its interface) on an outbound rule as well as the dest IP on an inbound rule. From a security standpoint, this might be somewhat more secure as it prevents spoofing IPs from the machine, but a more real-world advantage is that clearer rules are more readable and prevent servers from communicating on the wrong interface, etc.
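The script below is an added example, not code from dLans's rule set or from gulikoza's reply. It takes the scenario from the question (a server at Location A that must reach Nagios agents on 5666/12489 and iSCSI on 3260, and be reached by staff subnets on 22/80/443) and generates an iptables-restore file the way the answer recommends: every OUTPUT rule names its egress interface and the host's own address as source, every INPUT rule names the host's own address as destination, and 127.0.0.1 is only ever matched by interface (`lo`). It then lints the result so a rule that opens a port without pinning the host address is reported. All addresses, subnets and interface names (eth0, tun0, 10.x ranges) are constructed placeholders, and the assumption that the site-to-site VPN is exposed as a `tun0` interface is mine.

```shell
#!/bin/sh
# Added example: build and lint an iptables-restore ruleset in which outbound
# rules are pinned to "-o <iface> -s <this host>" and inbound rules to
# "-i <iface> -d <this host>". Values below are constructed placeholders.

LOCAL_IF="eth0"             # LAN interface of the server at Location A (assumed)
LOCAL_IP="10.1.0.10"        # this server's own address, never 127.0.0.1
VPN_IF="tun0"               # assumed interface carrying the site-to-site VPN
STORAGE_IP="10.1.0.50"      # iSCSI target at Location A (constructed)
ADMIN_NET_A="10.1.5.0/24"   # staff subnet at Location A (constructed)
ADMIN_NET_B="10.2.5.0/24"   # staff subnet at Location B (constructed)
NAGIOS_NETS="10.2.0.0/24 10.3.0.0/24 10.4.0.0/24"   # Locations B, C, D (constructed)

# Emit a complete *filter table for iptables-restore on stdout.
gen_ruleset() {
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
  # 127.0.0.0/8 is only valid on lo, so loopback is matched by interface, not address.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
  # Reply traffic of already-accepted connections; no address pinning needed here.
  printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
  printf '%s\n' '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
  # Inbound admin access: interface, source subnet and explicit destination = this host.
  printf '%s\n' "-A INPUT -i $LOCAL_IF -s $ADMIN_NET_A -d $LOCAL_IP -p tcp -m multiport --dports 22,80,443 -j ACCEPT"
  printf '%s\n' "-A INPUT -i $VPN_IF -s $ADMIN_NET_B -d $LOCAL_IP -p tcp -m multiport --dports 80,443 -j ACCEPT"
  # Outbound monitoring: egress interface and explicit source = this host, one rule per site.
  for net in $NAGIOS_NETS; do
    printf '%s\n' "-A OUTPUT -o $VPN_IF -s $LOCAL_IP -d $net -p tcp -m multiport --dports 5666,12489 -j ACCEPT"
  done
  # Outbound iSCSI stays on the LAN interface.
  printf '%s\n' "-A OUTPUT -o $LOCAL_IF -s $LOCAL_IP -d $STORAGE_IP -p tcp --dport 3260 -j ACCEPT"
  printf '%s\n' 'COMMIT'
}

# Print every port-opening rule that is not pinned to this host:
# OUTPUT rules lacking "-s <LOCAL_IP>" and INPUT rules lacking "-d <LOCAL_IP>".
# Empty output means the ruleset follows the policy.
lint_ruleset() {
  gen_ruleset | awk -v ip="$LOCAL_IP" '
    /^-A OUTPUT/ && /--dport/ && $0 !~ ("-s " ip " ") { print }
    /^-A INPUT/  && /--dport/ && $0 !~ ("-d " ip " ") { print }'
}

# Number of -A rules in the generated table (useful as a sanity check).
count_rules() { gen_ruleset | grep -c '^-A'; }

# Run as "sh script.sh --print" to write the ruleset to stdout.
if [ "${1:-}" = "--print" ]; then
  gen_ruleset
fi
```

The generated file can be parse-checked without touching the live firewall with `iptables-restore --test < rules.txt`, and `lint_ruleset` should print nothing. Pinning `-s` on OUTPUT matches the address a local process actually bound to; it stops a misconfigured or rogue process on the box from sending from an unexpected address or out the wrong interface, which is the "spoofing from the machine" point in the reply, but it is not a substitute for anti-spoofing checks on the network side.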
