How do I configure IPTables to harden the Content Gateway host system?

Topic 60067 | Content Gateway FAQs | Updated: 22-October-2013


Applies To:	Websense Content Gateway 7.7.x, v7.8.x Websense Web Security Gateway Anywhere 7.7.x, v7.8.x

When Content Gateway is deployed on a stand-alone server, it is strongly recommended that an IPTables firewall be configured to provide maximum security and efficiency with Content Gateway.


	Warning Only qualified system administrators should modify the IPTables firewall.

As an aid to understanding the IPTables configuration required for Content Gateway, a sample IPTables configuration script is installed in the Content Gateway bin directory (/opt/WCG/bin, by default). The sample script is named example_iptables.sh.

Review the script carefully.

Do not use the script directly.

Create your own script that meets your specific needs.

To view a text file version of the v7.6.x sample script, click here

To view a text file version of the v7.7.x sample script, click here.

To view a text file version of the v7.8.x sample script, click here.

Configuration

The following list of rules is organized into groups that address different deployments. Be sure the /etc/sysconfig/iptables file contains all the rules that apply to your network from each section.

If the proxy is configured to use multiple NICs, for each rule that applies to an interface specify the appropriate NIC with the "-i" option ("-i" means match only if the incoming packet is on the specified interface). Typically, multiple interfaces are divided into these roles:

Management interface (MGMT_NIC) - The physical interface used by the system administrator to manage the computer.

Internet-facing interface (WAN_NIC) - The physical interface used to request pages from the Internet (usually the most secure interface).

Client-facing interface (CLIENT_NIC) - The physical interface used by the clients to request data from the proxy.

Cluster interface (CLUSTER_NIC) - The physical interface used by the proxy to communicate with members of the cluster.


	Note If you customized any ports that Websense software uses for communication, replace the default port shown in the following rules with the custom port you implemented.

All deployments

These rules are required to enable Content Gateway communications, regardless of the deployment.

The following rules should be first.

iptables --policy INPUT DROP

iptables --policy OUTPUT ACCEPT

iptables --policy FORWARD DROP

iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables --I OUTPUT -o lo -t raw -j NOTRACK

In addition to the above rules, it is a best practice to increase the size of ip_conntrack_max to 100000 to improve performance. Typically, this can be done using the following command: /sbin/sysctl net.ipv4.ip_conntrack_max=100000. Note that this should be done after iptables is invoked. Also, this change in value will not be preserved after reboot unless you configure your system to set this value at startup. To do so, add the following line to /etc/sysctl.conf:

net.ipv4.ip_conntrack_max=100000

The next group of rules are important for general system security and should be entered immediately after the above rules:

iptables -I INPUT -i lo -j ACCEPT

iptables -i <MGMT_NIC> -I INPUT -p tcp --dport 22 -j ACCEPT

iptables -i <MGMT_NIC> -I INPUT -p ICMP -j ACCEPT

Include these rules in v7.7.x deployments to support proxying of HTTPS traffic and access to the SSL Manager:

iptables -i $CLIENT_NIC -I INPUT -p tcp --dport 8070 -j ACCEPT

iptables -i <MGMT_NIC> -I INPUT -p tcp --dport 8071 -j ACCEPT

Include these rules to support proxying of HTTP traffic and access to the Content Gateway manager:

iptables -i <CLIENT_NIC> -I INPUT -p tcp --dport 8080 -j ACCEPT

iptables -i <MGMT_NIC> -I INPUT -p tcp --dport 8081 -j ACCEPT

Local Policy Server