www.howardism.org
Babblings of an aging geek in love with the Absurd, his family, and his own hubris.... oh, and Lisp.

Setting Firewalls with IPTables

According to this tutorial from DigitalOcean (and this perfect tutorial), I need to do the following to set up a “default” firewall configuration. In this case, I am only allowing SSH and Web.

Initial Analysis

View the current rules:

sudo iptables --list

Or we can get a more succinct view of our rules:

sudo iptables -S

If the output of the above command looks like the following, then we are in trouble, as everything is wide open (every chain's default policy is ACCEPT):

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Close All the Ports

Flushing the firewall rules erases them all:

iptables -F

We can’t really count on iptables alone to protect us from a full-scale DDoS or similar, but we can at least fend off the usual network scanning bots that will eventually find our VPS and start looking for security holes to exploit. First, we start by blocking null packets.

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

We told the firewall to take all incoming TCP packets with no flags set (NONE) and just DROP them. Null packets are, simply said, recon packets. Attackers use these to try to see how we configured the VPS and find out its weaknesses. The next pattern to reject is a SYN-flood attack.

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

A SYN-flood attack means that the attackers open a new connection, but do not state what they want (i.e. SYN, ACK, whatever). They just want to take up our server’s resources. We won’t accept such packets. Now we move on to one more common pattern: XMAS packets, also a recon packet.

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

We have ruled out at least some of the usual patterns that find vulnerabilities in our VPS.

Open Some Ports

Now we can start adding selected services to our firewall filter. The first such thing is a localhost interface:

iptables -A INPUT -i lo -j ACCEPT

We tell iptables to add (-A) a rule to the incoming (INPUT) filter table for any traffic that comes in on the localhost interface (-i lo) and to accept (-j ACCEPT) it. Localhost is often used for, e.g., your website or email server communicating with a locally installed database. That way our VPS can use the database, but the database is closed to exploits from the internet.

HTTP

Now we can allow web server traffic:

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

SSH

We should also allow SSH traffic, so we can connect to the VPS remotely. The simple way to do it would be with this command:

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Tomcat

If Tomcat is running, we can also allow traffic to its default port, 8080:

iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT

Other Projects

Other services will need exceptions to the above.

Minecraft

The following should expose the Minecraft port on 25565:

iptables -A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT

Final Results

View the results of executing the previous commands, but only display the network addresses, not the hostnames:

sudo iptables --list -n --line-numbers
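To check that listing automatically, here is an added example (not from the original post) that audits the text `sudo iptables -S` prints after running the commands above: it reports the chain policies, the TCP ports accepted on INPUT, how many of the three scan-blocking DROP rules are present, and flags the “wide open” INPUT policy described earlier. The sample dump is constructed by hand to resemble iptables output (it expands ALL into the individual flag names).

```python
"""Audit `iptables -S` output for the ruleset set up on this page."""
import re

# Constructed sample: roughly what `sudo iptables -S` prints after the
# commands above, with the default policies left untouched.
SAMPLE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""


def audit(dump):
    """Parse `iptables -S` text and summarise what it allows and blocks."""
    policies = {}        # chain -> default policy
    open_ports = []      # TCP --dport values accepted on INPUT
    scan_drops = 0       # DROP rules that match on TCP flags
    for line in dump.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "-P" and len(parts) == 3:
            policies[parts[1]] = parts[2]
        elif parts[0] == "-A" and parts[1] == "INPUT":
            port = re.search(r"--dport (\d+)", line)
            if port and line.endswith("-j ACCEPT"):
                open_ports.append(int(port.group(1)))
            if "--tcp-flags" in line and line.endswith("-j DROP"):
                scan_drops += 1
    findings = []
    if policies.get("INPUT", "ACCEPT") == "ACCEPT":
        findings.append("INPUT policy is ACCEPT: traffic not matched by a "
                        "DROP rule is still let in (the wide-open state)")
    if scan_drops < 3:
        findings.append("expected 3 TCP-flag DROP rules, found %d" % scan_drops)
    return {"policies": policies, "open_ports": open_ports,
            "scan_drop_rules": scan_drops, "findings": findings}


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

On a live host, pipe the real listing in with `sudo iptables -S | python3 audit.py` after replacing SAMPLE with `sys.stdin.read()`.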

If all looks good, then we need to make it permanent. On a CentOS or other Red Hat system, we’d write the rules out to the file the startup scripts load (iptables-save itself needs root, so both halves of the pipe run under sudo):

sudo iptables-save | sudo tee /etc/sysconfig/iptables

Ubuntu, however, has a dedicated package for persisting the rules across reboots:

sudo apt-get update
sudo apt-get install iptables-persistent