How to prevent lateral movement using a host firewall?
Since nothing is secure in the online world, security is now the top priority for every system or network administrator. Most system administrators set up host firewalls for inbound protection only, although outbound traffic is just as crucial once a system has been compromised. In a compromised situation, controlling the outbound traffic prevents lateral movement from harming the rest of the environment. Now I will show how to configure a host firewall properly.
Scenario:
Pre-Requisite:
- RHEL/CentOS — 7 ~ 9
- firewall-cmd
Step 01: Control inbound traffic
In the above scenario, only tcp/443 is accessible from anywhere, and tcp/22 is accessible only from one specific host.
# Allow inbound traffic only for listening ports
# Remove the zone's default ssh service first, otherwise ssh stays reachable from anywhere
firewall-cmd --permanent --remove-service=ssh
# ssh from a single host only (no /24 mask, which would admit the whole subnet), limited to 3 new connections per minute
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.11.10' service name='ssh' accept limit value='3/m'"
firewall-cmd --permanent --add-port=443/tcp
Step 02: Control outbound traffic
# First, allow replies belonging to connections that were already accepted inbound (ESTABLISHED,RELATED)
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o ens192 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outbound traffic to the Active Directory or IPA server
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o ens192 -p tcp -m tcp -d 10.0.10.10 --dport 389 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o ens192 -p tcp -m tcp -d 10.0.10.10 --dport 636 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o ens192 -p tcp -m tcp -d 10.0.10.10 --dport 53 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o ens192 -p udp -d 10.0.10.10 --dport 53 -j ACCEPT
# Allow outbound traffic to NTP Server
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o ens192 -p udp -d 10.0.10.11 --dport 123 -j ACCEPT
# Allow outbound traffic to MySQL DB Server
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o ens192 -p tcp -d 10.0.12.20 --dport 3306 -j ACCEPT
# Allow outbound traffic to DNS Server
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o ens192 -p tcp -m tcp -d 10.0.14.52 --dport 53 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o ens192 -p udp -d 10.0.14.52 --dport 53 -j ACCEPT
# Allow all outbound traffic from localhost to localhost
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o lo -j ACCEPT
Step 03: Block all outbound traffic except the permitted destinations
# Block all other outbound traffic
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 -o ens192 -j DROP
firewall-cmd --reload
Note: After completing the steps above, this system communicates only with the specified hosts. If the system is compromised, an attacker will not be able to send packets to any other servers or to command-and-control (C&C) servers.
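As an added example that is not part of the original article: a script that generates the Step 02 and Step 03 commands from a compact allowlist table and audits a `firewall-cmd --direct --get-all-rules` dump for a missing or misordered catch-all DROP (the single most common way this policy silently fails). The hosts and interface are the article's; the table format, function names and sample dumps are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not the article's code): generate the direct OUTPUT rules from an
# allowlist table and audit a rule dump. Hosts/interface from the article; table
# format, function names and sample dumps are constructed here.
set -eu
IFACE="ens192"

# Allowlist table (constructed): "destination proto port label", one per line.
ALLOWLIST='10.0.10.10 tcp 389 ldap
10.0.10.10 tcp 636 ldaps
10.0.10.11 udp 123 ntp
10.0.12.20 tcp 3306 mysql
10.0.14.52 udp 53 dns'

# Emit the commands: priority 0 for the state rule, 1 for every allowlist
# entry and loopback, 2 for the final DROP, so evaluation order is explicit.
gen_rules() {
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$1" | while read -r dst proto port _label; do
        echo "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o $IFACE -p $proto -d $dst --dport $port -j ACCEPT"
    done
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o lo -j ACCEPT"
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 -o $IFACE -j DROP"
}

# Audit a dump ("ipv4 filter OUTPUT <prio> <args> -j <target>" per line, as
# printed by 'firewall-cmd --direct --get-all-rules'). The DROP must exist and
# its priority must be strictly greater than every ACCEPT; otherwise the
# allowlist is never reached. Returns 1 on failure.
audit_rules() {
    printf '%s\n' "$1" | awk '
        BEGIN { max_accept = -1; have_drop = 0; n = 0 }
        $1 == "ipv4" && $3 == "OUTPUT" {
            n++
            if (/-j ACCEPT/ && $4 + 0 > max_accept) max_accept = $4 + 0
            if (/-j DROP/) { have_drop = 1; drop = $4 + 0 }
        }
        END {
            if (!have_drop) { print "FAIL: no catch-all DROP in OUTPUT"; exit 1 }
            if (drop <= max_accept) { print "FAIL: DROP priority " drop " is not above ACCEPT priority " max_accept; exit 1 }
            print "OK: " n " OUTPUT rules, catch-all DROP at priority " drop
        }'
}

# Stand-alone demo: print the generated commands, then audit a constructed dump
# in which the DROP was added at the same priority as the allowlist entries.
gen_rules "$ALLOWLIST"
audit_rules 'ipv4 filter OUTPUT 1 -o ens192 -p tcp -d 10.0.12.20 --dport 3306 -j ACCEPT
ipv4 filter OUTPUT 1 -o ens192 -j DROP' || echo "audit flagged the misordered dump"
```

Run the audit against the live host with `audit_rules "$(firewall-cmd --direct --get-all-rules)"` after `--reload`.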