Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway: Frequently Asked Questions : How do I configure IPTables to harden the Content Gateway host system?
How do I configure IPTables to harden the Content Gateway host system?
Content Gateway FAQs | Forcepoint Web Security | v8.5.x | 29-Apr-2022
When Content Gateway is deployed on a stand-alone Linux server (not an appliance), it is strongly recommended that an IPTables firewall be configured to provide maximum security and efficiency with Content Gateway.
 
* 
Warning 
Only qualified system administrators should modify the IPTables firewall.
Content Gateway now utilizes iptables, configured during product installation or upgrade, to facilitate interception and redirection of traffic.
*
IPTables rules configured outside of Content Gateway Manager must
*
Be inserted after Forcepoint rules.
*
Never be added to Forcepoint chains.
*
Forcepoint chains and rules should never be edited.
*
If customized chains or rules impact the Forcepoint configuration, navigate to /opt/wcg/bin and execute the following to re-establish the Forcepoint IPTables chains and rules:
netcontrol.sh -r
While hardening the system is allowed, caution should be taken to avoid interfering with general Content Gateway functionality.
Configuration
The following list of rules is organized into groups that address different deployments. Be sure the /etc/sysconfig/iptables file contains all the rules from each section that apply to your network.
If the proxy is configured to use multiple NICs, use the -i option (which means "match only if the incoming packet is on the specified interface") to specify the appropriate NIC for each rule that applies to an interface. Typically, multiple interfaces are divided into these roles:
*
Management interface (MGMT_NIC) – The physical interface used by the system administrator to manage the computer.
*
Internet-facing interface (WAN_NIC) – The physical interface used to request pages from the Internet (usually the most secure interface).
*
Client-facing interface (CLIENT_NIC) – The physical interface used by the clients to request data from the proxy.
*
Cluster interface (CLUSTER_NIC) – The physical interface used by the proxy to communicate with members of the cluster.
 
* 
Note 
If you customized any ports that Forcepoint Web Security uses for communication, replace the default port shown in the following rules with the custom port you implemented.
All deployments
The following rules are optional and can be used to enhance the security of your Content Gateway deployment.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
In addition to the above rules, it is a best practice to increase the size of nf_conntrack_max to 100000 to improve performance. Set the size after iptables is started.
*
To check the setting, use: /sbin/sysctl -p
*
To set the value, use:
/sbin/sysctl net.nf_conntrack_max=100000
*
If you get the error "net.nf_conntrack_max" is an unknown key, you need to add the ip_conntrack module to the kernel. Use the command:
modprobe ip_conntrack
The nf_conntrack_max value is not be preserved after reboot unless you configure your system to set the value at startup. To do so, add the following line to /etc/sysctl.conf:
net.nf_conntrack_max=100000
The next group of rules are important for general system security and should be entered immediately after the above rules:
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -i internal -j ACCEPT
iptables -i <MGMT_NIC> -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -i <MGMT_NIC> -I INPUT -p ICMP -j ACCEPT
Policy Server
All ports needed for communication with a Policy Server are handled internally by the software.
Filtering Service
All ports needed for communication with a Filtering Server machine are handled internally by the software.
Forcepoint Web Security
All ports needed for communication with Forcepoint Web Security are handled internally by the software.
Cluster
Include the following rules if you have multiple instances of Content Gateway in a cluster.
iptables -i <CLUSTER_NIC> -I INPUT -p udp --dport 8086 -j ACCEPT
iptables -i <CLUSTER_NIC> -I INPUT -p udp -d <Multicast_IP_Address> -j ACCEPT
All other ports needed for communication between instanced of Content Gateway are handled internally by the software.
Cache hierarchy
Include the following rule if you have multiple instances of Content Gateway in a cache hierarchy.
iptables -i <MGMT_NIC> -I INPUT -p udp --dport 3130 -j ACCEPT
Transparent proxy
All ports needed for transparent proxying are handled internally by the software.
If you proxy DNS, configure port 53 to redirect to port 5353 using Content Gateway Manager.
FTP
All ports needed for FTP proxying are handled internally by the software when FTP is enabled in Content Gateway Manager.
Other features
Communication ports for gathering of statistics over the overseer port, to allow PAC file distribution from the proxy, and for collation of logs for multiple proxies are handled internally by the software.
For information on SIEM integration, see Security Information Event Management (SIEM) Solutions.
Configuring IP6tables
Content Gateway can be configured to support IPv6.
To configure IP6tables firewall, Content Gateway requires that an IPv6 port be open for each protocol that is used for IPv4.
All IPv4 ports that are handed internally by the software are also handled when IPv6 is enabled. Any configurable IPv4 port should be added to IP6tables when IPv6 is enabled in Content Gateway Manager.
For example, include the following rule if you have multiple instances of Content Gateway in a cache hierarchy:
ip6tables -i <MGMT_NIC> -I INPUT -p udp --dport 3130 -j ACCEPT
Also, the following rules are optional and can be used to enhance the security of your Content Gateway deployment when IPv6 is enabled.
ip6tables --policy INPUT DROP
ip6tables --policy OUTPUT ACCEPT
ip6tables --policy FORWARD DROP
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway: Frequently Asked Questions : How do I configure IPTables to harden the Content Gateway host system?
Copyright 2022 Forcepoint. All rights reserved.