iptables on Ubuntu 6.06 Server

PetruM · 07-18-2006, 02:50 AM

Hello.

I am running Ubuntu 6.06 Server on a small webserver. I am trying to secure the box and allow only two IPs to connect via SSH. My iptables rules are as following:

Code:

iptables -F
iptables -F -t nat
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 1.2.3.5 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A FORWARD -p tcp --dport 445 -j DROP
iptables -A FORWARD -p tcp --sport 445 -j DROP
iptables -A FORWARD -p udp --dport 445 -j DROP
iptables -A FORWARD -p udp --sport 445 -j DROP
iptables -A FORWARD -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -p tcp --sport 135:139 -j DROP
iptables -A FORWARD -p udp --dport 135:139 -j DROP
iptables -A FORWARD -p udp --sport 135:139 -j DROP

Of course, I have replaced 1.2.3.4 and 1.2.3.5 with the real IP addresses. So my question is: is this enough to prevent everyone else from getting into the server? I made a shell script with these rules and added it in /etc/init.d, is this right to add something at startup?

Any help is greatly appreciated.

seneschal · 07-18-2006, 10:46 AM

As a general rule, it's best to set a firewall to default deny, then add rules allowing traffic through. I would do something more like this:

Code:

iptables -F
iptables -F -t nat
iptables -A INPUT -p tcp --dport 22 -s 1.2.3.4 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 1.2.3.5 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP

The ESTABLISHED,RELATED line is critical. If you leave it out, then traffic related to existing connections will be blocked. Assuming that you don't want to forward any traffic, add this line:

Code:

iptables -P FORWARD DROP

Adding a startup script to Ubuntu is accomplished by adding the script to /etc/init.d/ then running update-rc.d.

PetruM · 07-18-2006, 11:57 AM

Thanks for the help.
What's the syntax for update-rc.d? If I type just 'update-rc.d' it displays help.

seneschal · 07-19-2006, 12:18 AM

Say you have /etc/init.d/firewall - you would run:

Code:

update-rc.d firewall defaults

I recommend checking out man pages and such to make sure that you won't be putting this into any runlevels you might not want. Also, one other things that occurs to me is allowing traffic from loopback. You should probably add this line (or something like it) to your firewall script:

Code:

iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT