Basic secure Firewall setup with iptables
#1


Hi!

This brief tutorial will teach you how to perform a basic secure Firewall setup on any Linux-based server (any type of server: dedicated server, VPS, etc.) with the iptables Firewall software.

At the end of this guide you will be able to establish basic guidelines in terms of Firewall security and you will be able to control access in and out of your server. This will help to minimize attack vectors and reduce the risk level of getting your server hacked.

I will be covering the IPv4 setup only! IPv6 is a little different and the same rules for IPv4 will absolutely not work with IPv6. In fact the IPv4 iptables rule set for IPv6 will break IPv6 inside your server entirely. This is kind of a personal experience from the past.


Step One

Flush (delete) all current iptables rules with the two commands below:
iptables -F
iptables -X



Step Two

Set up the main iptables policies to block everything incoming/forwarded by default and allow outgoing traffic to the Internet by default with the commands below:
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

Incoming traffic is blocked by default unless allowed through additional rules.
Forward traffic is blocked by default unless allowed through additional rules.
Outgoing traffic is allowed by default unless blocked through additional rules.



Step Three

Allow incoming responses to outgoing Internet traffic on already established connections with the command below:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This is very important. It will allow you to receive replies for connections that you initiated. For example, you initiate a download via wget. If you don't set this rule up you won't be able to download anything because your server blocks the download of the file. Or initiating a PING will lead to not receiving replies from the host you pinged.

Don't miss this rule or any kind of communication with the Internet will totally break.



Step Four

Allow local traffic on the loopback network with the command below:
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

With this rule you enable local traffic within the server (remember the default incoming policy is set to block unless allowed through additional rules). This rule is also important to have a working internal network on the VPS. It allows access to locally hosted services like MySQL on 127.0.0.1/localhost, etc.

Don't miss this rule either as it also is very important.



Step Five

Allow incoming traffic to services hosted on your server like SSH, web server, etc. (the following commands are an example for a server with SSH and a web server only):
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT


Other services can be allowed through these same rules. Just adjust the port and protocol if needed.

Another example for FTP (TCP Port 21):
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

An example for DNS (UDP Port 53):
iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT


You can also allow incoming traffic for certain IP addresses only with the command below (remember to adjust the IP, protocol and port for the corresponding service):
iptables -A INPUT -s 187.123.100.231 -p tcp --dport 3128 -m state --state NEW -j ACCEPT

This will allow connections to port 3128 TCP (SQUID PROXY) only for the IP address 187.123.100.231. Such restrictive rules are great to secure SSH for your own IP address (if you have a static IP address). So no one else other than you can connect to the service/server on that port.


You can also allow IP address ranges:
iptables -A INPUT -s 123.231.67.0/24 -p tcp --dport 22 -m state --state NEW -j ACCEPT

This rule would allow connections to SSH from the IP address range 123.231.67.1 to 123.231.67.254. This can be useful if you want to allow specific IP ranges to access your server (if you have a dynamic IP address that is always in the same range). It is important to use the right netmask when working with subnets and ranges!



As iptables rules are not persistent across reboots, you can simply paste all the rules into a shell script and let this script run at boot to apply the rules when you start or reboot the server.

Simply open a new empty file called "firewall.sh" with nano or another text editor. Paste all the commands into that file and save it. Apply the right permissions so it can be executed with chmod +x firewall.sh. Use crontab or /etc/rc.local to add the script to startup. If you don't know how to do it exactly feel free to ask and I will explain it in an additional post.

Alternatively you can install the package iptables-persistent. This will allow you to change iptables rules and they will survive across reboots. Always remember to save rules when changing them! The same applies for the method with the shell script. When you change rules or add new rules make sure you add them to the firewall.sh file and save it.


That's about it. You have set up the basic policies to block everything other than outgoing traffic. Then you have created rules to allow specific services to be accessed. You created rules to allow local traffic inside the server and also created a rule to allow automatic unblocking of replies to connections you have initiated.

You can use the same rules to extend your setup for future services and projects. Feel free to ask any questions.
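As an added example (this is not HR's own firewall.sh, nor anything from the thread), here is the whole procedure above as one script. It is dry-run by default and only prints the iptables commands; set APPLY=1 and run it as root to apply them. The service list and the 203.0.113.0/24 "admin network" allowed to reach SSH are constructed placeholders. It departs from the step order in one deliberate way: the INPUT DROP policy is set last, after the ESTABLISHED and service rules, so the SSH session running the script is never sitting behind a DROP policy before the ESTABLISHED rule exists.

```shell
#!/bin/sh
# Added example, not HR's own script: firewall.sh built from the five steps
# in the post above. Dry-run by default (prints the iptables commands it would
# run); set APPLY=1 and run as root to apply them for real.
# Assumptions (placeholders for this example): the exposed services listed in
# SERVICES and the admin network 203.0.113.0/24 that is allowed to reach SSH.

# Constructed service list, one "proto:port" or "proto:port:source" per entry.
SERVICES="tcp:22:203.0.113.0/24 tcp:80 tcp:443"

# ipt: run iptables with the given arguments, or just print the command.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# service_rule: emit the Step Five rule for one SERVICES entry.
service_rule() {
    proto=${1%%:*}
    rest=${1#*:}
    port=${rest%%:*}
    case "$rest" in
        *:*) src=${rest#*:} ;;   # optional source restriction (IP-limited form)
        *)   src="" ;;
    esac
    if [ -n "$src" ]; then
        ipt -A INPUT -s "$src" -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    else
        ipt -A INPUT -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    fi
}

# build_firewall: the whole rule set, in an order that cannot lock out the
# session running it.
build_firewall() {
    # Step One: start from an empty rule set.
    ipt -F
    ipt -X
    # Step Two, first half: policies. INPUT stays on ACCEPT for now so the
    # current SSH session is never behind DROP without the ESTABLISHED rule.
    ipt -P INPUT ACCEPT
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Step Three: replies to connections the server itself initiated.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Step Four: loopback traffic (matching on the interface is enough).
    ipt -A INPUT -i lo -j ACCEPT
    # Step Five: the services this server exposes.
    for svc in $SERVICES; do
        service_rule "$svc"
    done
    # Step Two, second half: only now switch INPUT to DROP.
    ipt -P INPUT DROP
}

build_firewall
```

Run it once without APPLY to read the generated rule list, then with APPLY=1 from the emergency console or a session you can afford to lose; the same file can be pointed at from /etc/rc.local as the post suggests.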
#2
Thank you HR for this nice basic tutorial.

Do you know of any clear and concise guide that will explain all the iptables rules that one commonly sees in an Android mobile phone? It is like a lot of tables and rules. I know and make use of some basic rules and commands, but I would like an in-depth knowledge.

Or maybe a tutorial on how to exhaustively analyze the iptables rules in a system step by step...

Thanks again for taking time to post it for us.
#3
Aaahh, thank you HR!
I actually hate iptables and love UFW instead.

Iptables for newbies like me is pretty hard, and it really has long commands. UFW on the other hand has short and readable commands.

But, AFAIK, only non-OpenVZ can have UFW? I forgot. But, I'll give it a try again for iptables.
#4
@rudra

The best way to find out what the Android iptables rules do is to analyze them. To do that you of course have to know what all the iptables chains, commands and options do. This is a learning curve for sure and you have to read the iptables handbook/manual, advanced guides and such I guess. I unfortunately don't have any personal experience or resources for that. Sorry.

I'd probably guess that the Android iptables handles all kinds of traffic from WiFi, mobile Internet, tethering hotspot, tethering over USB/BT and such. Especially mobile Internet might need special rules due to NAT, etc. And when you enable tethering you have to add forward rules to allow things like BT or USB to use the mobile connection and forward it to connected devices.

One thing I thought about is: maybe the Android developer guides and documentation pages have explanations? Another recommendation I would suggest is to ask at XDA. It is quite complex actually if you take afwall, which uses the Android internal firewall tools: https://github.com/ukanth/afwall/wiki/IPtables




@tiwil

UFW is an iptables front-end that has been made to make the usage of iptables easier. It takes the easy input and converts it into iptables rules in the background. So you never have to touch more complex iptables configurations as ufw will do it for you.

UFW does not depend on virtualization as it is just a software package. That said though, iptables on OpenVZ is limited. So of course not all UFW functions may work due to the limited iptables on OpenVZ VPSs.
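Picking up the "analyze the rules" advice from this reply and the step-by-step analysis asked for in #2, here is an added example (not from the thread) of a small audit you can run over any `iptables-save` dump to answer the two questions that matter first: what is the INPUT default verdict, and which ports does the chain actually accept, from where. The dump inside the script is constructed for the example and contains one deliberately sloppy catch-all rule so the flagging logic has something to find; on a real host, pipe `iptables-save` into the same functions.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump.
# The dump below is constructed for this example (not from a real host) and
# includes one deliberately sloppy rule, "-A INPUT -p tcp -j ACCEPT".

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -j ACCEPT
COMMIT'

# input_policy: the default verdict for packets no INPUT rule matched.
input_policy() {
    awk '/^:INPUT / { print $2 }'
}

# exposed_ports: one line per INPUT ACCEPT rule that names a destination
# port, with the source it is limited to ("anywhere" when there is none).
exposed_ports() {
    awk '
        /^-A INPUT / && /-j ACCEPT/ && /--dport/ {
            proto = "?"; port = "?"; src = "anywhere"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") port  = $(i + 1)
                if ($i == "-s")      src   = $(i + 1)
            }
            print proto "/" port " from " src
        }'
}

# catch_all_accepts: INPUT ACCEPT rules with no port, no loopback interface
# and no connection-state match. These accept far more than intended and are
# the first thing to look at in an unfamiliar rule set.
catch_all_accepts() {
    awk '/^-A INPUT / && /-j ACCEPT/ && !/--dport/ && !/--sport/ && !/-i lo/ && !/--state/'
}

# Stand-alone run over the constructed dump. On a live host use, for example:
#   iptables-save | exposed_ports
echo "INPUT policy: $(printf '%s\n' "$SAMPLE_RULES" | input_policy)"
echo "Exposed ports:"
printf '%s\n' "$SAMPLE_RULES" | exposed_ports
echo "Catch-all ACCEPT rules:"
printf '%s\n' "$SAMPLE_RULES" | catch_all_accepts
```

The three functions read standard input so they compose with the real dump of any box, including an Android device once you have `iptables-save` output from it; the catch-all check is deliberately conservative and only reports rules that match on nothing but a protocol or an interface other than lo.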
#5
@HR please also guide us how to make a secure iptables backup in case of newbies, because mostly newbies just like me follow command lines from Internet tutorials and get stuck somewhere, and the iptables and VPS settings are disturbed. So how to make a safe, secure backup of files before any change or experiment? Also explain any SSH commands which set settings back to default.
#6
@sagher

Not really sure what a secure iptables backup is. I suppose you want a fail safe setup? Hard to help with this without exactly knowing which services and on which ports and protocols you are hosting your applications.

"stuck" - Ah. This happens when you apply wrong rules and lock yourself out. With that. Ehm. You need to learn how to use iptables. Only real solution. A way to avoid getting stuck is applying iptables rules through the VPS emergency console or VNC in the control panel. This way you still have access to iptables and can revert changes that might have locked you out when being logged in via SSH. You can also test rules on a secondary VPS or a local VM on your computer before applying them to your VPS.

To delete all iptables rules you use the first two commands in step one of the guide.
#7
Ah, thank you for the instructions!
But I already applied it to my Minecraft server.
#8
(01-14-2019, 07:06 PM)Hidden Refuge Wrote: @sagher

Not really sure what a secure iptables backup is. I suppose you want a fail safe setup? Hard to help with this without exactly knowing which services and on which ports and protocols you are hosting your applications.

"stuck" - Ah. This happens when you apply wrong rules and lock yourself out. With that. Ehm. You need to learn how to use iptables. Only real solution. A way to avoid getting stuck is applying iptables rules through the VPS emergency console or VNC in the control panel. This way you still have access to iptables and can revert changes that might have locked you out when being logged in via SSH. You can also test rules on a secondary VPS or a local VM on your computer before applying them to your VPS.

To delete all iptables rules you use the first two commands in step one of the guide.

Yes, VNC is the solution if we don't get access via the SSH port. But it's only available with a console facility, and most VPSs haven't provided a CP.
#9
@sagher

With no means of any kind of emergency access to your VPS you will have a hard time accessing the VPS and reverting any kind of changes. There is absolutely nothing you can do in that case in terms of getting the iptables settings reset. Here contacting staff would be necessary and they would do it for you.

So in order to avoid that you have to learn how to use iptables beyond this basic guide. This is just the basics. Keep that in mind. And testing of rules should be done if possible in another similar environment to see how it plays out. Even a small local VM would be enough to test these basic rules in your local LAN. There you have direct console access and can undo changes or flush the whole iptables configuration to delete everything.
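For the case the last few replies circle around (no console, no VNC, and a rule change that might lock you out), here is an added example of the safety net a practitioner would put in place before the change; it is not from the thread. It snapshots the live rules with `iptables-save`, arms a background watchdog that restores that snapshot after a timeout, and then loads the new rule set with `iptables-restore`. If you can still log in afterwards you cancel the rollback by creating a confirmation file; if you cannot, the old rules come back on their own. It is dry-run by default and prints the commands; APPLY=1 as root makes it act. The three file paths are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: backup, apply, and time-boxed automatic
# rollback of the IPv4 rule set. Dry-run by default (prints commands); set
# APPLY=1 and run as root to act on the real firewall.
# Assumed paths are placeholders for this example and can be overridden:
BACKUP=${BACKUP:-/root/iptables.backup}
NEW_RULES=${NEW_RULES:-/root/new-rules.v4}
CONFIRM_FILE=${CONFIRM_FILE:-/tmp/fw-confirmed}
ROLLBACK_SECS=${ROLLBACK_SECS:-120}

# run: execute the command when APPLY=1, otherwise print it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Step 1: snapshot the current rules. iptables-save output is exactly what
# iptables-restore reads back, so this file is the complete restore point.
backup_rules() {
    run sh -c "iptables-save > $BACKUP"
}

# rollback_needed: succeeds when the change has NOT been confirmed, i.e.
# when the watchdog should put the backup back.
rollback_needed() {
    [ ! -e "$CONFIRM_FILE" ]
}

# Step 2: background watchdog. After ROLLBACK_SECS it restores the backup
# unless the confirmation file has appeared. nohup keeps it alive even if
# the SSH session that started it is the one that gets cut off.
schedule_rollback() {
    run sh -c "nohup sh -c 'sleep $ROLLBACK_SECS; [ -e $CONFIRM_FILE ] || iptables-restore < $BACKUP' >/dev/null 2>&1 &"
}

# Step 3: load the new rule set in one atomic iptables-restore call, instead
# of a sequence of individual iptables commands that can half-apply.
apply_rules() {
    run sh -c "iptables-restore < $NEW_RULES"
}

# Step 4: run this from a NEW SSH session once you are sure you still get in.
confirm_change() {
    run touch "$CONFIRM_FILE"
}

# Full sequence: clear any stale confirmation, backup, arm the watchdog, apply.
change_firewall() {
    run rm -f "$CONFIRM_FILE"
    backup_rules
    schedule_rollback
    apply_rules
    echo "# new rules loaded; run confirm_change within ${ROLLBACK_SECS}s or the backup comes back"
}

change_firewall
```

The confirmation must come from a fresh login, not the session that applied the change: an already open SSH connection survives on the ESTABLISHED rule even when the new rules would refuse a new one, so it proves nothing about whether you can get back in.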
#10
@Hidden Refuge,
Oh! So that's why when I install UFW, I also noticed that iptables is installed too.
So there it is. UFW will install iptables.

@sagher,
I've been there when I was on FVPS lol.
I asked for help from HR, and he helped me so nicely. So I think HR's suggestion is right, ask admin for help. They will help you as soon as they can for this problem.