Linux Dropped Security Strategy: Core Concepts and Implementation
Dropped security is a fundamental principle in Linux firewall configurations where the default action for unrecognized or unauthorized network traffic is to silently discard it (using the DROP target). This approach minimizes the attack surface by ensuring that only explicitly allowed traffic can reach the system, contrasting with the more permissive ACCEPT default policy. Below is a structured guide to implementing and managing dropped security strategies using iptables and nftables.
The primary advantage of DROP over REJECT is stealth: when a packet is dropped, the sender receives no response (no TCP RST or ICMP unreachable), forcing attackers to wait for a timeout. This makes it slower for them to identify live hosts or scan for open ports. For example, a port scan against a server with DROP will show all blocked ports as “filtered,” while REJECT reveals which ports are closed. The stealth is relative, though: the ports you do accept still answer, and a scanner treats a host with a mix of filtered and open ports as alive, so DROP raises the cost of scanning rather than making the host invisible.
The first step is to configure the default policies for the INPUT, FORWARD, and OUTPUT chains. Be aware that setting INPUT to DROP over a remote session before the allow rules in the next section exist will cut that session off, so add the allow rules first or set the policy last. A common secure setup is:
INPUT: DROP (block all incoming traffic unless explicitly allowed).
FORWARD: DROP (block all forwarded traffic unless explicitly allowed).
OUTPUT: ACCEPT (allow all outgoing traffic from the system, assuming it is trusted).
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
Even with a DROP default, you must permit critical traffic to maintain system functionality:
Loopback traffic on lo (127.0.0.1) for local processes:
sudo iptables -A INPUT -i lo -j ACCEPT
Replies to connections the host itself initiated (established and related traffic), without which outgoing requests would never receive their answers:
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The services you actually expose, for example SSH, HTTP, and HTTPS:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT # HTTP
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT # HTTPS
Logging helps troubleshoot connectivity issues and monitor potential attacks. Use the LOG target to record dropped packets, with rate limiting (the limit match) so a flood of packets cannot fill the log. Add these two rules last, because nothing appended after the DROP rule is ever reached:
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4 # Rate-limited log entry
sudo iptables -A INPUT -j DROP
The LOG target writes to the kernel log, so the entries appear in /var/log/syslog (Debian/Ubuntu) or /var/log/messages (RHEL/CentOS) and can be viewed with:
sudo tail -f /var/log/syslog | grep "IPTables-Dropped"
On systems that keep logs only in the systemd journal, read the kernel messages with journalctl -k instead of tailing a file.
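Reading the raw log lines by hand does not scale once a host is exposed; the usual next step is to summarise them by source address and probed port so repeated probes stand out. The script below is an added example (not part of the original guide) that does this for the "IPTables-Dropped:" lines the LOG rule above produces. The field names SRC=, DST=, PROTO= and DPT= are the ones the kernel LOG target really emits; the log lines embedded in SAMPLE_LOG are constructed for the demonstration, using documentation addresses, and are not real captures.

```shell
#!/bin/sh
# Added example (not part of the original guide): summarise "IPTables-Dropped:"
# log lines by source address and destination port. All functions read the log
# text on standard input, so they work on the sample below or on a real file
# (e.g. grep IPTables-Dropped /var/log/syslog | dropped_by_src).

# Constructed sample log (documentation addresses, not real traffic). The third
# line is an unrelated sshd message, to show that non-firewall lines are ignored.
SAMPLE_LOG='May 10 12:00:01 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 SYN URGP=0
May 10 12:00:02 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=64240 SYN URGP=0
May 10 12:00:03 gw sshd[812]: Accepted publickey for admin from 192.0.2.20 port 51022 ssh2
May 10 12:00:04 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=60 ID=3 DF PROTO=TCP SPT=51023 DPT=22 WINDOW=64240 SYN URGP=0
May 10 12:00:05 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 ID=4 DF PROTO=TCP SPT=40003 DPT=3389 WINDOW=64240 SYN URGP=0'

# Print "count source" pairs, most frequent source first.
dropped_by_src() {
    grep 'IPTables-Dropped:' | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src[substr($i, 5)]++ }
        END { for (s in src) print src[s], s }' | sort -rn
}

# The single source with the most dropped packets.
top_dropped_src() {
    dropped_by_src | head -n 1 | awk '{ print $2 }'
}

# Number of distinct sources that had packets dropped.
count_dropped_sources() {
    dropped_by_src | awk 'END { print NR }'
}

# Distinct destination ports probed by one source, ascending, space separated.
dropped_ports_for() {
    grep 'IPTables-Dropped:' | awk -v want="$1" '
        { src = ""; dpt = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^SRC=/) src = substr($i, 5)
              if ($i ~ /^DPT=/) dpt = substr($i, 5)
          }
          if (src == want && dpt != "") print dpt
        }' | sort -un | tr '\n' ' ' | sed 's/ *$//'
}

# Run with the argument "demo" to summarise the constructed sample.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | dropped_by_src
    top=$(printf '%s\n' "$SAMPLE_LOG" | top_dropped_src)
    echo "top source: $top, ports: $(printf '%s\n' "$SAMPLE_LOG" | dropped_ports_for "$top")"
fi
```

A source that touches several unrelated ports in a short window (22, 23 and 3389 in the sample) is the pattern worth alerting on; a single dropped packet from an address that also has legitimate sessions is usually noise.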
Prevent brute-force attacks (e.g., against SSH) or denial-of-service (DoS) by limiting the number of new connections from a single IP address. For example, allow a maximum of 10 new SSH connections per minute from any one IP. These two rules must come before the rule that accepts port 22 (insert them with -I, or add them first), because iptables stops at the first matching rule and an earlier ACCEPT would let every SSH packet through before the limit is checked:
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
Hide open ports from scanners by requiring a specific sequence of connection attempts (e.g., ports 1000, 2000, 3000) before opening a service (e.g., SSH). Tools like knockd automate this process.
Organize complex rules by creating custom chains (e.g., LOGGING) to handle dropped traffic separately. This improves readability and maintainability:
sudo iptables -N LOGGING
sudo iptables -A INPUT -j LOGGING
sudo iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "Input-Dropped: "
sudo iptables -A LOGGING -j DROP
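The sections above add rules one at a time, which is where the two classic mistakes come from: setting the DROP policy before the allow rules exist, and appending the SSH rate limit after the SSH ACCEPT rule, where it can never match. The script below is an added example, not code from the original article, that renders the whole ruleset from this guide as a single iptables-restore file so that it is loaded atomically and in a fixed order. The port numbers, the 10-per-minute SSH limit and the 2/min log rate are taken from the guide; the file layout, the --name SSH list and the check_order helper are this example's own choices, and -m conntrack --ctstate is the modern spelling of the guide's -m state --state.

```shell
#!/bin/sh
# Added example, not from the original article: render the DROP-default ruleset
# described above as one iptables-restore file. Port numbers and limits are
# assumptions taken from the guide's own examples.

SSH_PORT=22
WEB_PORTS="80 443"
SSH_HITCOUNT=10      # the 10th new SSH connection within SSH_SECONDS is dropped
SSH_SECONDS=60
LOG_RATE="2/min"

# Emit the ruleset in iptables-restore format. Lines starting with # are
# comments and are ignored by iptables-restore.
render_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
# Loopback, and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Per-source SSH rate limit; must precede the SSH ACCEPT rule to have any effect
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --update --seconds $SSH_SECONDS --hitcount $SSH_HITCOUNT --name SSH -j DROP
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
EOF
    for port in $WEB_PORTS; do
        echo "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    cat <<EOF
# Everything else: rate-limited log entry, then an explicit drop
-A INPUT -j LOGGING
-A LOGGING -m limit --limit $LOG_RATE -j LOG --log-prefix "Input-Dropped: " --log-level 4
-A LOGGING -j DROP
COMMIT
EOF
}

# 1-based line number of the first rule containing the given fixed string;
# empty if there is none.
rule_line_number() {
    render_rules | grep -nF -e "$1" | head -n 1 | cut -d: -f1
}

# Succeeds only if the SSH rate limit sits before the SSH ACCEPT rule.
check_order() {
    limit=$(rule_line_number "--hitcount $SSH_HITCOUNT")
    accept=$(rule_line_number "--dport $SSH_PORT -j ACCEPT")
    [ -n "$limit" ] && [ -n "$accept" ] && [ "$limit" -lt "$accept" ]
}

# Write the ruleset to a file (for example /etc/iptables/rules.v4) after the
# ordering check; returns non-zero and writes nothing if the check fails.
write_rules() {
    check_order || { echo "rule order check failed" >&2; return 1; }
    render_rules > "$1"
}
```

Typical use is write_rules rules.v4, then sudo iptables-restore -t rules.v4 to parse the file without committing it, and finally sudo iptables-restore < rules.v4 to load it; because iptables-restore replaces the filter table in one step, the policy and the allow rules take effect together and a remote session is not cut off halfway through.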
nftables is the successor to iptables, offering a unified syntax and better performance. Here’s how to implement a dropped security strategy with nftables:
Create a configuration file (e.g., /etc/nftables.conf) with the following content. The log statement writes to the kernel log like the iptables LOG target; adding group N to it would instead send the packets to an nflog group, which only a userspace collector such as ulogd reads, so it is left out here. The limit in front of it keeps a flood of dropped packets from filling the log:
#!/usr/sbin/nft -f
flush ruleset # Start from an empty ruleset so reloading this file does not duplicate rules
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop; # Default DROP
        iif "lo" accept; # Allow loopback
        ct state established,related accept; # Allow established/related
        tcp dport {22, 80, 443} accept; # Allow specific ports
        limit rate 5/minute log prefix "nftables-Dropped: "; # Log dropped packets (rate-limited); the policy then drops them
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy accept; }
}
Load the rules and enable the service so they are reapplied at boot (nft -c -f checks the file for syntax errors without applying it, which is worth doing first on a remote host). Do not run hand-written iptables rules alongside this ruleset: if both are loaded, a packet is evaluated by both, which makes the result hard to reason about.
sudo nft -f /etc/nftables.conf # Load rules
sudo systemctl enable --now nftables # Enable on boot
Save the iptables rules to a file (e.g., /etc/iptables/rules.v4) so they can be restored after a reboot; the iptables-persistent package on Debian/Ubuntu loads this file at boot, and iptables-restore reloads it by hand. Note that a plain sudo iptables-save > file fails when the directory is root-owned, because the redirection is performed by your own shell, not by sudo, so run the whole command as root:
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
Complementary tools include fail2ban (which automatically bans IPs after repeated authentication failures) and ufw (a user-friendly firewall frontend); note that ufw maintains its own rule set, so do not mix it with hand-written iptables rules unless you understand how the two interact.
By implementing these strategies, you can create a robust dropped security policy that protects your Linux system from unauthorized access while minimizing exposure to attacks.