  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 984

IPtables rules needed

Hi Everybody!

Ok, lotsa points cause with everything else I have on my plate I have no time to learn IPtables at all right now and need pretty detailed responses.


Got a server:

incoming:

SSH
FTP
Web server on 80

I would like FTP to be active (? - as in I can do multiple downloads at the same time by connecting on higher ports)

I need to be able to ftp out from the server, and my web scripts need to connect to a pop3 server.

The box does not need to NAT anything or process any traffic outside of itself.

I have command line and webmin to implement your solutions.
Asked by: Squeebee

2 Solutions
 
jlevie commented:
Here you go...

#!/bin/sh
#
# This is a simple, reasonably complete local host based firewall suitable for
# protecting a server that might be exposed to malicious activity.
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
#
# I find it easier to modify this file and run it (make sure it is executable
# with 'chmod +x iptables-host') to change the rulesets, rather than modifying
# the running rules. That way I have a readable record of the firewall
# configuration.
#
# Author: Jim Levie (jim@entrophy-free.net)
#
# Set an absolute path to IPTABLES.
#
IPT="/sbin/iptables"
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP

$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP

$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Now allow Internet hosts access to those services we provide. Note that
# enabling inbound FTP 20 & 21 tcp will also require allowing ports
# 1024:65535/tcp. Which in itself is good enough reason not to allow FTP
# connections and to only allow ssh/scp/sftp.
#
# Allow ssh from anywhere to this server
#
$IPT -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
#
# HTTP access from anywhere
#
$IPT -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
#
# FTP access from anywhere
#
$IPT -A INPUT -p tcp -s 0/0 --dport 20 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 1024:65535 -j ACCEPT
#
# If there are trusted nodes you can allow them access to everything with
# something like this. Be sure to set IP1 to be that of this system if you enable one of these.
#
#IP1=10.0.0.1
#$IPT -A INPUT -s 10.0.0.0/24 -d $IP1 -j ACCEPT
#$IPT -A INPUT -s 10.0.0.2 -d $IP1 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything not already matched gets firewalled and logged.
#
$IPT -A INPUT -j firewalled
0
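As an added example (not jlevie's script and not code from this thread), here is a dry-run ruleset builder in the same style that covers the asker's three inbound services and the outbound FTP/POP3 needs. It lets FTP data connections in through the kernel's FTP connection-tracking helper instead of opening tcp/1024:65535 to the world, which is the trade-off jlevie's comment calls out, and it sets the FORWARD policy to DROP as the follow-up discussion suggests. The `ipt` wrapper, `build_ruleset`, `accept_rule_count`, the `DRY_RUN`/`SSH_PORT`/`IPT` variables and the raw-table `CT --helper ftp` rule are this example's own choices; the helper module name `nf_conntrack_ftp` is assumed (older 2.4 kernels called it ip_conntrack_ftp).

```shell
#!/bin/sh
# Added example, not the script from the thread. Builds a host-only firewall
# for a box serving ssh, ftp and http. FTP data connections are admitted by
# the kernel's FTP connection-tracking helper (assumed module name:
# nf_conntrack_ftp) instead of an open tcp/1024:65535 range.
#
# DRY_RUN=1 (the default here) prints the iptables commands instead of
# executing them, so the ruleset can be reviewed before it is applied.

DRY_RUN="${DRY_RUN:-1}"
SSH_PORT="${SSH_PORT:-22}"
IPT="${IPT:-/sbin/iptables}"

# ipt: execute one iptables command, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

build_ruleset() {
    # Load the FTP helper. Since kernel 4.7 helpers are no longer assigned
    # automatically, hence the explicit CT rule in the raw table below.
    [ "$DRY_RUN" = "1" ] || modprobe nf_conntrack_ftp 2>/dev/null

    # Start from a clean slate in every table we touch.
    ipt -F
    ipt -X
    ipt -t raw -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP     # nothing is routed through a host firewall
    ipt -P OUTPUT ACCEPT    # outbound ftp and pop3 from the web scripts stay open

    # Log-then-drop chain, rate limited so a flood cannot fill the logs.
    ipt -N firewalled
    ipt -A firewalled -m limit --limit 15/minute -j LOG --log-prefix "Firewalled: "
    ipt -A firewalled -j DROP

    # Attach the ftp helper to control connections on tcp/21. The helper then
    # marks both active (server-initiated) and passive data connections as
    # RELATED, so no separate high-port rule is needed.
    ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

    ipt -A INPUT -i lo -j ACCEPT
    # The state rule comes first: replies and helper-tracked FTP data are
    # accepted before any per-service rule is consulted.
    ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Only new connections to the three published services.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # Anything not matched above is logged (rate limited) and dropped.
    ipt -A INPUT -j firewalled
}

# accept_rule_count: number of ACCEPT rules in a generated ruleset read on
# stdin; a quick sanity check of how much the firewall admits.
accept_rule_count() {
    grep -c -- '-j ACCEPT'
}

build_ruleset
```

Run it as-is to review the generated commands; run it with `DRY_RUN=0` as root to apply them. The generated ruleset contains no `1024:65535` rule and only five `ACCEPT` rules, versus the seven-plus-wildcard-range in the posted script.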
 
Squeebee (Author) commented:
If I understand that last line, it will call a firewalled chain; where is the firewalled chain?
0
 
ahoffmann commented:
jlevie, should your forward policy not be like:
  $IPT -P FORWARD DROP
well, it seems to be your sample script, but you never know ..
0
 
Squeebee (Author) commented:
I have actually managed to build the firewall myself thanks to a fairly easy interface in webmin. I will split points between the two of you for bothering to help, thanks.
0
 
ahoffmann commented:
Wow, didn't expect to be graded here. The answer was by jlevie.
Thanks anyway, and good luck.
0
 
jlevie commented:
ahoffman,

On a host firewall routing would not be enabled, so I see no point in messing with the FORWARD chain.
0
 
Squeebee (Author) commented:
ahoffman:

Eh, they are only points, might as well spread them around.
0
 
ahoffmann commented:
only points, nothing more ?!

jlevie, my DROP policy is secure/paranoid security, just in case someone enables routing and does not check the firewall (have seen admins doing this several times):
0
