LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 08-11-2014, 09:26 PM   #1
Ghillie-Up
LQ Newbie
 
Registered: Aug 2014
Posts: 2

IPtables formatting - Best practice


So I have a set of firewall rules ready for a plesk instance on a CentOS6 box.

Can someone explain to me where the various syntax should be placed within an IPtables config? For example, like Cisco, are rules read top to bottom with a deny all usually at the end?

Here is my current list -

Code:
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP


-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A FORWARD -i lo -o lo -j ACCEPT


#Syn for all new TCP connections
-A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP

#Slowloris prevention attempt
-A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j DROP


#SSH (Changed port via sshd_config)
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT

#Plesk-http
-A INPUT -p tcp -m tcp --dport 8880 -j ACCEPT

#Plesk-Secure
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT

#Web server
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

#Web server secure
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

#Plesk Auto-installer
-A INPUT -p tcp -m tcp --dport 8447 -j ACCEPT

#FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

#FTP (data)
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT

#SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

#SMTP-Secure
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

#POP
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT

#POP-Secure
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

#IMAP
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT

#IMAP-Secure
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

#DNS
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

#106 poppassd (Localhost only)
-A INPUT -p tcp -m tcp --dport 106 -j ACCEPT

#MySQL
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

#Mail message Submission
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT

#PING
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
Is there a better way to order such rules? I'm more concerned about the first part before the specific ports really.

Thanks.
 
Old 08-12-2014, 05:07 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,353
Blog Entries: 55

Quote (Originally Posted by Ghillie-Up):
So I have a set of firewall rules ready for a plesk instance on a CentOS6 box.
If you can, please avoid using web-based management panels. If you do use one then please realize being able to click yes/no buttons does not an admin make. Know the weaknesses of your system, its software and how to avoid or mitigate those.


Quote (Originally Posted by Ghillie-Up):
Can someone explain to me where the various syntax should be placed within an IPtables config? For example, like Cisco, are rules read top to bottom with a deny all usually at the end?
It may require a bit of reading but there is no iptables tutorial more comprehensive than https://www.frozentux.net/documents/iptables-tutorial/, period. Indeed, iptables rules when loaded are parsed first-to-last. (For example 'iptables -t filter -nL --line-numbers' will show the order.)


Quote (Originally Posted by Ghillie-Up):
Here is my current list
Couple of things in random order:
- If this is a regular web server then you should not forward traffic, so a "-P FORWARD DROP" policy should be enough.
- You already use "--state ESTABLISHED", so also use "-m state --state NEW" to denote new connections.
- Avoid exposing certain ports like MySQL until you need to. When you do, try to limit them to IP addresses or subnets.
- Don't expose Plesk to the world; limit it to your management IP (range), period. (Even better would be to use SSH with pubkey auth and tunnel for access.)
- Avoid exposing non-SSL ports like FTP, POP3, IMAP, etc, etc.
- I usually have loopback as the first device (and it's always allowed) to get it out of the way. That way you know all other rules apply to all other Ethernet devices unless specified differently.
- While having "--state INVALID" in the OUTPUT chain is laudable, I'd rather you filter out bogon networks and ports you don't want to see traffic to, like IRC, Bittorrent, etc, etc.
- Setting "-m connlimit" on TCP/80 is nice but you forgot TCP/443 and any other services users can access. Note the lower in the stack you can limit potential abuse, the less chance it has of "hurting" application layer services.
- Note you can specify multiple ports in one line using "-m multiport --dports 20,21,22" etc, etc. (Yes, you also can combine multiple modules like "-m connlimit something -m multiport something".)

If you've read the frozentux tutorial and dig what I've said re-post your modified rule set.
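As an added illustration of the first-to-last point above (example code written for this page, not anything from the thread or from iptables itself): a small Python model of how a chain is walked. It understands only the chain, target, -p, -i, --dport and --state matches, so the "! --syn", connlimit and ICMP rules from post #1 are outside its scope; the two rule lists are a constructed subset of post #1's INPUT rules, once in the posted order and once reordered along the lines of post #2.

```python
import shlex

OP_ORDER = [  # constructed subset of post #1's INPUT rules, in the order they were posted
    "-A INPUT -j DROP",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT",
]
FIXED_ORDER = [  # same rules reordered: loopback first, conntrack next, explicit NEW accepts, DROP last
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT",
    "-A INPUT -j DROP",
]
MATCH_KEYS = ("proto", "dport", "states", "in_if")   # the only matches this toy model understands
ONE_ARG = {"-A": "chain", "-j": "target", "-p": "proto", "-i": "in_if"}

def parse_rule(line):
    """Pull chain, target and the modelled matches out of one iptables-save style rule."""
    tok, i, rule = shlex.split(line), 0, dict.fromkeys(("chain", "target") + MATCH_KEYS)
    while i < len(tok):
        if tok[i] in ONE_ARG: rule[ONE_ARG[tok[i]]] = tok[i + 1]; i += 2
        elif tok[i] == "--dport": rule["dport"] = int(tok[i + 1]); i += 2
        elif tok[i] == "--state": rule["states"] = set(tok[i + 1].split(",")); i += 2
        else: i += 1  # -m tcp, -s 0.0.0.0/0, --connlimit-above etc. are skipped by this model
    return rule

def matches(rule, pkt):
    """Every match the rule carries must agree with the packet; an absent match is a wildcard."""
    return (rule["chain"] == pkt["chain"] and rule["proto"] in (None, pkt["proto"])
            and rule["dport"] in (None, pkt.get("dport")) and rule["in_if"] in (None, pkt["in_if"])
            and (rule["states"] is None or pkt["state"] in rule["states"]))

def verdict(lines, pkt, policy="DROP"):
    """Walk the chain top to bottom: the first matching rule decides, else the chain policy applies."""
    for n, rule in enumerate(map(parse_rule, lines), 1):
        if matches(rule, pkt):
            return rule["target"], n
    return policy, None

def shadowed(lines):
    """Rule numbers that can never fire because an unconditional rule precedes them in the same chain."""
    dead, closed = [], set()
    for n, rule in enumerate(map(parse_rule, lines), 1):
        if rule["chain"] in closed:
            dead.append(n)
        elif all(rule[k] is None for k in MATCH_KEYS):
            closed.add(rule["chain"])
    return dead
```

shadowed(OP_ORDER) reports rules 2 to 4 as dead because the unconditional DROP in rule 1 closes the chain, and verdict() shows the same new SSH packet dropped under the posted order and accepted by rule 3 under the reordered list.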
 
Old 08-12-2014, 06:06 PM   #3
Ghillie-Up
LQ Newbie
 
Registered: Aug 2014
Posts: 2

Original Poster
Thank you for the comprehensive reply.

I appreciate the control panel advice, however it's handy to have everything under one (web accessible) roof, especially as this is only running about 5 personal domains. I definitely need to read up on IPtables without question so will read through the link you supplied when I can.

Can you please elaborate on the first point you mentioned? I understand and have amended my rules to the rest of your advice but am having problems getting the following -

"- If this is a regular web server then you should not forward traffic so a "-P FORWARD DROP" policy should be enough."

Should I remove the following completely -
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i lo -o lo -j ACCEPT

Can you give me an example with my config what you mean?

Thanks again!
 
Old 08-14-2014, 01:03 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,353
Blog Entries: 55

Quote (Originally Posted by Ghillie-Up):
Should I remove the following completely -
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
Yes.


Quote (Originally Posted by Ghillie-Up):
Can you give me an example with my config what you mean?
I could but that wouldn't allow you to learn anything. So let's do this the other way around: you post your revised rule set based on what I suggested and then I'll correct it. Deal?
 
Old 08-14-2014, 01:37 PM   #5
Stvrosky
LQ Newbie
 
Registered: Aug 2014
Location: Chile
Distribution: RHEL 6.5 x86_64
Posts: 15

Edit /etc/sysconfig/iptables and put your rules there according to "man iptables", then restart the service with "service iptables restart", or install a wizard with "yum install system-config-firewall-tui", then execute "system-config-firewall-tui" and put your rules in.

NOTE:

If you use "system-config-firewall-tui", the rules in "/etc/sysconfig/iptables" will be rewritten, so make a backup first.