To recap. Until now we create:
- Some rules in our chains INPUT and OUTPUT to allow some traffic to specific ports
- A backup of our rules and configure iptables to load these rules on the boot process
- A group to manage rules
- Some of these rules to log the network activity
With all this basic information, we are able to create a host package filter and troubleshoot related to traffic from and to our host.
Before we continue with more technical knowledge about iptables is important to understand there are administrative actions to take in count when we manage this tool.
Why open a port? The answer to this question could be obvious, but we really need to open that port? Who authorizes open this port? What implication comes with this decision? is there another option we can take?
Let's take this example. This server host a public website, all the Internet can see it, and for the business its important because there is the e-commerce platform, without it, there is not a business.
In this case, our package filter has to keep open port 443 (we are talking about security, for this reason, we avoid use port 80 for an e-commerce platform). It is important for the business and the general board allow to keep open this port.
A web developer works from home, and she needs to update some images stored in the same server (yes, it is a bad practice, but is just an example). She asks the server administration to allow her to connect using SSH from her home to the server. Open port 22 to allow connections from the Internet, couldn't be the best option. There are many possible threats and vulnerabilities that could put in risk the server like brute force attacks, bad service configurations, unparched services, etc. Also, this service is not strategic for the business and is safer to allow connections to this port from the LAN. In this case, the developer could use a VPN to connect to the internal network and use SSH to access the server.
How to manage the rules? We can create and delete rules, but if some one deletes the ssh rules and father that nobody can access the server again? If its new rule is temporal Who is going to delete it? Is there a reminder to delete that rule?
If there are more than 1 administrator, she or he have to create an user account for each user, and the users should use commands like sudo to have root privileges. Whit this action its possible have accountability about the changes in the package filter rules. Of course the users couldn't have to the log files.
A last basic recommendation is create registry of all the actions taken in the rules management , system updates and backup crations. Take note of the date and time when the changes were made and use comments or autodocument the rules. It is importan have a periodic revition of these registries. If for example there is a note about to erase a rule, it's ease identify if that rule was erased or not and take an action.All this rules have to be documented in a policy. The policy have to have a role and responsibility section, and have to be accepted for the managers and the sysadmins.
Do yo thing there is a basic recommendation to include? Leave it in the comments.