Solved

Linux iptables

Posted on 2013-06-12
4
542 Views
Last Modified: 2013-06-13
Hi,

I am a bit of a newbie to Linux security.

I want to configure my Ubtunu 12.04LTS with IPTABLES so that the only access to the server is on port 80 (http) from anywhere and then allow access on port 22 (SSH) from 192.168.1.0/24. Everything else should be denied.

How do I do this? I am sure it is simple, however I am new to it so please be patient :)

Thanks

Mark
0
Comment
Question by:mark_06
4 Comments
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 150 total points
ID: 39242634
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j LOG
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

iptables-save
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 150 total points
ID: 39242658
Is your computer directly accessing the internet? is there a router/wifi/modem it connects to? You might need to put you access list(s) on that device rather than you're computer.

Internet <--->Cable|Dsl/Modem <---->Linux
If your linux box has one NIC then it likely only has one IP (it can have more btw even on a single nic). You can still setup an acl using iptables that only allows port 80 in from the modem to the linux host, and the linux host only accepts ssh from other host's on your network.
If that's not your setup let me know, I'm assuming it is for now, and that your Modem is by default blocking all inbound traffic from reaching the internal network unless it's been requested first from the internal network (a stateful connection).
Take the GRC Shields up test to see if there are any open ports.
Now if you have a modem that gives out non-rfc 1918 IP's, then you can dual home the computer in a few ways, the easiest is by using 2 nic's. One is for the public ip, and the other for the internal ip (rfc 1918)

The commands to allow port 80 traffic in, and ssh in are:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 1.2.3.4 -p tcp --dport 80 -j ACCEPT    (replace 1.2.3.4 with your pub ip)
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
https://help.ubuntu.com/community/IptablesHowTo
-rich
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39242851
You will need to allow access to DNS (port 53). If you have a dynamic IP address, you also need DHCP (port 68 client, 67 server). These rules achieve that
# Allow bootps->bootpc udp
iptables -A INPUT -p udp --source-port 67 --destination-port 68 -j ACCEPT
# Allow DNS replies
iptables -A INPUT -p udp --source-port 53 -j ACCEPT

Open in new window

0
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 200 total points
ID: 39243255
I'm going to pipe in here, even though richrumble & _jesper_ have largely provided you with the basics of what you need.

The problem is that you're a self-described "newbie", and so I feel more should be said.

Firstly, you should note that, by default, Ubuntu comes with Network Manager enabled and auto-started. This is important because, essentially, Network ManagerIPTables do diametrically opposed tasks:
 - Network Manager is designed to make it easy to connect to/from your system
 - IPtables is designed to make it HARD to connect to/from your system!
As a result, if you have a server with a static IP address, I suggest that you manually configure your network interface & disable Network Manager.

So, with Network Manager out of the way, you'll want to configure your IPTables firewall.
 - First of all, realize that you can easily firewall your system to the point of it becoming a high-priced ROCK. This is because a LOT of inter-process communication in Linux is accomplished with network sockets.
 - So your FIRST firewall rule should be to allow all LOCAL network traffic unabated
   iptables -A INPUT -i lo -j ACCEPT
 - Next, you'll need to make sure that outbound connections are not interfered with (so, for example, you can open your own web browser). Unlike what was said in another post, you can't just pick your ports -- the client side port assignment is random! So, instead you simply allow responses back from any already established connection.
   -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 - AFTER that, you can add rules to allow certain connections:
   iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
   iptables -A INPUT -m tcp -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
 - FINALLY, when all is said and done, you have to tell it what to do with unwanted connections... you can choose from:
   iptables -A INPUT  -j REJECT
         -or-
   iptables -A INPUT  -j DROP

The difference is that a REJECT sends a message back saying "not allowed", where a DROP does nothing -- it just throws away the connection attempt.

So, if you suspect your server is likely to be scanned or attacked on specific ports (like 25 for a non-mail server, or 53 for a non-DNS server), you might be a pain in their side (as I do) and create special rules for them:
   iptables -A INPUT -m tcp -p tcp --dport 25 -j DROP  # No mail server here!

One last point about IPTables -- the order of the rules matters... A LOT!
The first match made is the only match taken! Thus, the DENY or DROP rules should come last.

The page richrumble referred you to is a good one -- at least good enough to help you save the rules when you figure out what they should all be!

Good Luck!

Dan
IT4SOHO
0

Featured Post

Don't miss ATEN at NAB Show April 24-27!

Visit ATEN at NAB Show to learn how our "Seamlessly Entertaining" solutions deliver fast, precise video streaming without delays for the broadcasting and media environment. ATEN will showcase its 16x16 Modular Matrix Switch (VM1600) and KVM Over IP Solution (KE6900 series).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Guacamole cut and paste issue 3 115
best simple nfs export and fstab commands for basic sharing? 3 87
Linux operating system 12 85
Unblock a website in Cisco ASA 3 124
Creating a Samba server for a small office. Ubuntu Linux and Samba can breathe new life into a retired PC and save an office money on new hardware/software. Our example server will have two hard disks, one exclusively for storing shared data. …
The purpose of this article is to fix the unknown display problem in Linux Mint operating system. After installing the OS if you see Display monitor is not recognized then we can install "MESA" utilities to fix this problem or we can install additio…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question