LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 03-17-2011, 10:58 AM   #1
willowdream
LQ Newbie
 
Registered: Mar 2011
Posts: 3
newbie iptables rules (my first draft listed for assistance)


Hello. I am in the process of setting up a couple of virtual servers in a cloud environment. I am currently working on my application server (Server 1) and am stuck on the creation of my ruleset for this server.

I need to allow SSH, FTP, HTTP, HTTPS, and PING on this server. This server will also need to be able to talk with a couple of database servers as well as a memcache server (all internally within my cloud environment).

I have been reading on iptables, since I have never messed with them before, and have come up with the ruleset I will paste below. I have taken other steps to secure my server...changing ssh port, not allowing root to login via ssh without logging in as a user, turning off unnecessary daemons, editing my hosts allow/deny files, just to name a few.

I am a newbie to iptables, so I would love a bit of helpful advice, criticism, and even a good explanation why I should add or remove or edit something. I really want to know the how AND the why!

So, please take a look at the simple rules I have created, and let me know what you think!

Quote:
*filter

# Chain policies: a safety net in case the explicit REJECT rules at the end
# are ever removed. INPUT/FORWARD default-deny; OUTPUT is allowed below.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Allows all loopback (lo) traffic and rejects all traffic to 127/8 that doesn't arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections (and RELATED ones, e.g. ICMP errors
# for our own connections and FTP data connections tracked by the nf_conntrack_ftp helper)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
#
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 1235 -j ACCEPT

# Allow ping (ICMP echo request; replies to our own pings match ESTABLISHED above)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow ftp (control channel). Passive-mode data connections arrive on high
# ports and only pass the ESTABLISHED,RELATED rule if nf_conntrack_ftp is loaded
# (modprobe nf_conntrack_ftp). The --sport 20 OUTPUT rule below is never reached,
# because "-A OUTPUT -j ACCEPT" above already matches every outbound packet.
-A INPUT -p tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp --sport 20 -j ACCEPT

# log iptables denied calls (LOG does not stop rule processing; the REJECT below still runs)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
Thank you!
 
Old 03-17-2011, 12:30 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
Welcome to LQ!

It is quite apparent that you have put a lot of time and study into the design of your iptables script. Overall, I think it looks pretty good and my comments are minor.
1) -A OUTPUT -p tcp --sport 20 -j ACCEPT seems superfluous as you already have the OUTPUT set to accept. Iptables works like a waterfall and when a match is made, it stops processing.
2) You may want to consider using DROP instead of REJECT. In order to make an informed decision on this matter, consider searching for 'iptables drop vs reject' in your favorite search engine. There are no hard and fast rules here, and there are advantages and disadvantages either way. Personally, I think DROP is the better approach because it is slightly more stealthy in that it appears there is nothing there. Of course, if a port range scan is performed, you will be discovered.

Speaking of port scanning, your desire to secure SSH is a wise move. Again, it is a matter of personal preference and also of some debate, but I feel that moving the SSH port is futile at best. A quick scan with nmap will show where you have moved it to, and at most you won't see traffic from the dumbest of the script kiddies that only search port 22. I would recommend that you consider using key based login and turn off passwords, which will buy you a tremendous amount of security.

Also keep in mind that in Linux, firewalls aren't as critical to your operation as they are in Windows. By default, Linux only opens ports when there are server processes that will make use of them. The firewall is advantageous because it acts as a wrapper around your system, ensuring that only the ports you desire to be open are and that nothing gets opened inadvertently, say for example, by installing an unintended package.

Last edited by Noway2; 03-17-2011 at 12:31 PM.
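
The ruleset in post #1 can be checked without loading it into a kernel. The following is an added example, not code from either poster: a small Python simulator of iptables first-match evaluation. It parses the first-draft *filter rules exactly as posted, runs a handful of constructed packets through the INPUT and OUTPUT chains, and reports which rule decided each one. It illustrates both of Noway2's points: rule processing stops at the first terminating match, so the "--sport 20" OUTPUT rule is unreachable behind "-A OUTPUT -j ACCEPT", and LOG is non-terminating, so a denied packet hits the LOG rule and then the REJECT. The interface name, addresses and ports in the sample packets are assumptions, and the simulator models only the match options the posted ruleset actually uses.

```python
"""Simulate first-match evaluation of the iptables ruleset from post #1.

Added example, not code from the thread. Modelled semantics: rules in a chain
are tried top to bottom; the first matching rule whose target is terminating
(ACCEPT/DROP/REJECT) decides the packet; LOG matches but evaluation continues.
A chain with no declared policy falls back to the kernel default, ACCEPT.
"""
import ipaddress
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# The first-draft *filter ruleset from the original post, embedded (blank lines
# and comments removed) so the simulator runs offline.
RULESET = """
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 1235 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp --sport 20 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
"""

# Options (each taking one value) that the simulator models as match criteria.
VALUE_OPTS = {"-i": "in_iface", "-d": "dst", "-p": "proto", "--dport": "dport",
              "--sport": "sport", "--icmp-type": "icmp_type", "--state": "state",
              "-j": "target"}
# Options taking one value that do not affect which packets match.
IGNORED_OPTS = {"-m", "--limit", "--log-prefix", "--log-level"}


def parse_ruleset(text):
    """Return ({chain: [rule, ...]}, {chain: policy}) from iptables-restore text."""
    chains, policies = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # e.g. ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)                  # honours the quoted log prefix
            chain, rule = toks[1], {"raw": line, "neg": set()}
            i = 2
            while i < len(toks):
                tok, negate = toks[i], toks[i] == "!"
                if negate:
                    i += 1
                    tok = toks[i]
                if tok in VALUE_OPTS:
                    rule[VALUE_OPTS[tok]] = toks[i + 1]
                    if negate:
                        rule["neg"].add(VALUE_OPTS[tok])
                elif tok not in IGNORED_OPTS:
                    raise ValueError("unsupported option %r in: %s" % (tok, line))
                i += 2
            chains.setdefault(chain, []).append(rule)
    return chains, policies


def _matches(rule, pkt):
    """True if every match criterion in the rule (with '!' negation) holds."""
    checks = {k: str(pkt.get(k)) == rule[k]
              for k in ("in_iface", "proto", "dport", "sport", "icmp_type") if k in rule}
    if "dst" in rule:
        checks["dst"] = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule["dst"], strict=False)
    if "state" in rule:
        checks["state"] = pkt.get("state") in rule["state"].split(",")
    # A criterion fails when its result equals its negation flag.
    return all(hit != (key in rule["neg"]) for key, hit in checks.items())


def evaluate(chains, policies, chain, pkt):
    """Walk one chain. Returns (verdict, trace): trace holds the raw text of every
    rule that matched, including non-terminating LOG rules."""
    trace = []
    for rule in chains.get(chain, []):
        if _matches(rule, pkt):
            trace.append(rule["raw"])
            if rule["target"] in TERMINATING:
                return rule["target"], trace
    return policies.get(chain, "ACCEPT"), trace        # fell off the end: chain policy


def unreachable_rules(chains):
    """Rules that can never fire because an earlier rule in the same chain has no
    match criteria and a terminating target (the 'waterfall' Noway2 describes)."""
    dead = []
    for rules in chains.values():
        for idx, rule in enumerate(rules):
            catch_all = not any(k in rule for k in VALUE_OPTS.values() if k != "target")
            if catch_all and rule["target"] in TERMINATING:
                dead.extend(r["raw"] for r in rules[idx + 1:])
                break
    return dead


# Constructed sample packets (assumed interface eth0 and address 10.0.0.5; not captured traffic).
PACKETS = {
    "ssh_moved_port": dict(chain="INPUT", in_iface="eth0", dst="10.0.0.5", proto="tcp", dport=1235, state="NEW"),
    "ssh_default_port": dict(chain="INPUT", in_iface="eth0", dst="10.0.0.5", proto="tcp", dport=22, state="NEW"),
    "ping": dict(chain="INPUT", in_iface="eth0", dst="10.0.0.5", proto="icmp", icmp_type=8, state="NEW"),
    "spoofed_loopback": dict(chain="INPUT", in_iface="eth0", dst="127.0.0.1", proto="tcp", dport=80, state="NEW"),
    # Passive FTP data connection: conntrack marks it RELATED only with nf_conntrack_ftp loaded.
    "ftp_data_with_helper": dict(chain="INPUT", in_iface="eth0", dst="10.0.0.5", proto="tcp", dport=50123, state="RELATED"),
    "ftp_data_without_helper": dict(chain="INPUT", in_iface="eth0", dst="10.0.0.5", proto="tcp", dport=50123, state="NEW"),
    "active_ftp_data_out": dict(chain="OUTPUT", proto="tcp", sport=20, state="NEW"),
}


def run(ruleset=RULESET, packets=PACKETS):
    """Evaluate every sample packet; return ({name: (verdict, trace)}, unreachable)."""
    chains, policies = parse_ruleset(ruleset)
    results = {name: evaluate(chains, policies, p["chain"], p) for name, p in packets.items()}
    return results, unreachable_rules(chains)


if __name__ == "__main__":
    results, dead = run()
    for name, (verdict, trace) in results.items():
        print("%-24s -> %-6s after %d matching rule(s); decided by: %s"
              % (name, verdict, len(trace), trace[-1] if trace else "(chain policy)"))
    print("unreachable:", dead)
```

Two things the trace makes visible: a passive-mode FTP data connection is only accepted when conntrack classifies it as RELATED, which needs the FTP helper module, and if the trailing "-A INPUT -j REJECT" is removed the same SSH-on-22 packet falls through to the undeclared chain policy and is accepted, which is why declaring ":INPUT DROP" as a safety net is worthwhile.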
 
Old 03-17-2011, 01:39 PM   #3
willowdream
LQ Newbie
 
Registered: Mar 2011
Posts: 3

Original Poster
Thank you, Noway, for your input. It has been helpful! I will definitely read up on drop vs. reject. I had considered key based login and will definitely look into that further as well.
 
All times are GMT -5. The time now is 05:52 AM.