iptables to allow only ssh and vpn from outside world

atux_null · 07-27-2016, 01:31 AM

hello everyone.i do have my a VPS (debian 7) with a public IP address and I would like to protect it. I would like to have access only to SSH (public/private keys), openVPN, services that are requested from the VPS itself, such as sending emails, DNS, access to Internet. All users that connect to the system through OpenVPN then have full access to it and to the Internet.
My current setup is:

Code:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 1194 -j ACCEPT
iptables -P OUTPUT DROP

I would like to blacklist all IPs that attack me or try to scan me. Whoever has 3 failed ssh attempts then get blacklisted for 24 hours. Is it possible to help me please?

andre@home · 07-27-2016, 05:27 PM

For blocking people that attempt it 3x je could use failban
http://www.fail2ban.org/wiki/index.php/Main_Page

Ipset is another option.
https://www.google.nl/search?client=...UTF-8&oe=UTF-8

Ipset seems better than just iptables with a (big) list... that could increase your CPU loading stronlgy.
https://mattwilcox.net/web-developme...t-and-iptables

How to set up a firewall you like: look around there are so many examples with a configuration very likely you would like...

Like this one... which I use and quite easy to change...
https://goodworkaround.com/2011/7/26...your-iptables/

lazydog · 07-30-2016, 11:40 AM

I would suggest the following:

Code:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -A INPUT -conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 1194 -conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P OUTPUT DROP

Please keep in mind that only those two ports will be allowed and nothing more.

I agree that you might want to log this down even further to stop the brute force attacks. Look hard at Fail2ban and IPSET they are both very good programs.

AwesomeMachine · 07-30-2016, 08:27 PM

Your script is accepting everything at first. Much better is to first DROP everything (drop policy), and then accept 22,1194 with conntrack ctstate.

lazydog · 07-31-2016, 10:54 AM

Quote:

Originally Posted by AwesomeMachine

Your script is accepting everything at first. Much better is to first DROP everything (drop policy), and then accept 22,1194 with conntrack ctstate.

Yes and No. While the policy allows everything the last rule in the chain is set to DROP. So the only time the policy comes into play is when packet has reached the end of the chain without an action being taken on it. Since the last rule is DROP the policy never comes into play.

I will agree it is best practice, it doesn't mean it has to be done this way.