Sunday, April 1, 2012

Iptables

Use the following to harden any CentOS install by configuring iptables.

http://wiki.centos.org/HowTos/OS_Protection#head-b3126b7267f04dc869a18f3547468727e82308d1


Beefing up IPTables

The default iptables ruleset in CentOS is a little too lenient. The default policies accept traffic, several ports are open, and there is no real accountability for the traffic. We can do a better job.

Open up /etc/sysconfig/iptables in a text editor, and let's have a look. In the first 3 lines, there are already two problems. The INPUT and FORWARD chains are set to accept everything. Further down we see that ports 50, 51, 5353, 631 and 22 are open. Now port 22 I don't have a problem with. The rest of them need to go, unless you want mDNS, cups, and ipsec talking to the outside world. I generally don't like strangers using my printer.

There's also no real logging of any malicious scanning or other unsavory behavior. A stronger ruleset might look like this:

#Drop anything we aren't explicitly allowing. All outbound traffic is okay
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# Log anything on eth0 claiming it's from a local or non-routable network
# If you're using one of these local networks, remove it from the list below
# These must come before the jump into RH-Firewall-1-INPUT: that chain ends in an
# unconditional DROP, so anything appended to INPUT after the jump would never run.
# They only log; the packet then continues into RH-Firewall-1-INPUT, where
# anything not explicitly accepted is dropped.
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "
# Hand INPUT and FORWARD over to the shared chain
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Accept Pings
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept any established connections
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept ssh traffic. Restrict this to known ips if possible.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#Log and drop everything else
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT

Now, arguably, since we're responding to pings, dropping the traffic instead of rejecting it isn't fooling anyone. It's really personal preference. If you would rather reject the traffic, you could change the last line before COMMIT to read this way instead:

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
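As an added example (not part of the original post or the CentOS wiki page it quotes), here is a small Python checker for an iptables-restore file like /etc/sysconfig/iptables. It reports each built-in chain's default policy, the TCP/UDP ports that ACCEPT rules open, and rules that can never match because an earlier unconditional rule in the same chain always ends the packet, either directly or through a jump into a chain such as RH-Firewall-1-INPUT that finishes with DROP or REJECT. The LENIENT ruleset is a constructed sample; the chain and rule names mirror the ones above.

```python
# Added example, not from the original post or the CentOS wiki: audit an
# iptables-restore file (e.g. /etc/sysconfig/iptables) for lenient default
# policies, open ports, and rules shadowed by an earlier unconditional rule.
import re

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse(ruleset):
    policies, chains = {}, {}  # chain -> default policy, chain -> -A rules
    for line in (l.strip() for l in ruleset.splitlines()):
        m = re.match(r"^:(\S+)\s+(\S+)", line)
        if m and m.group(2) != "-":   # "-" marks a user-defined chain
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            chains.setdefault(line.split()[1], []).append(line)
    return policies, chains

def terminates(rule, chains, seen=()):
    """True if RULE matches every packet and no packet continues past it."""
    toks = rule.split()
    if len(toks) < 4 or toks[2] != "-j":  # has match options: conditional
        return False
    t = toks[3]
    return t in TERMINATING or (t in chains and t not in seen and any(
        terminates(r, chains, seen + (t,)) for r in chains[t]))

def audit(ruleset):
    policies, chains = parse(ruleset)
    open_ports, dead = [], []
    for rules in chains.values():
        blocked = False
        for rule in rules:
            if blocked:  # an earlier rule in this chain always ends the packet
                dead.append(rule)
                continue
            m = re.search(r"-p (tcp|udp)\b.*--dport (\d+)\b.*-j ACCEPT", rule)
            if m:
                open_ports.append((m.group(1), int(m.group(2))))
            blocked = terminates(rule, chains)
    return policies, sorted(open_ports), dead

LENIENT = """*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
COMMIT"""  # constructed sample in the lenient shape the post describes
```

On the sample, audit(LENIENT) reports INPUT defaulting to ACCEPT, udp/5353 and tcp/22 open, and the spoof LOG rule as unreachable, since it sits after the jump into a chain that always rejects; run audit(open("/etc/sysconfig/iptables").read()) to check a real file.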
