Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Linux iptables

Posted on 2013-06-12
4
Medium Priority
?
556 Views
Last Modified: 2013-06-13
Hi,

I am a bit of a newbie to Linux security.

I want to configure my Ubtunu 12.04LTS with IPTABLES so that the only access to the server is on port 80 (http) from anywhere and then allow access on port 22 (SSH) from 192.168.1.0/24. Everything else should be denied.

How do I do this? I am sure it is simple, however I am new to it so please be patient :)

Thanks

Mark
0
Comment
Question by:mark_06
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 600 total points
ID: 39242634
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j LOG
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

iptables-save
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 600 total points
ID: 39242658
Is your computer directly accessing the internet? is there a router/wifi/modem it connects to? You might need to put you access list(s) on that device rather than you're computer.

Internet <--->Cable|Dsl/Modem <---->Linux
If your linux box has one NIC then it likely only has one IP (it can have more btw even on a single nic). You can still setup an acl using iptables that only allows port 80 in from the modem to the linux host, and the linux host only accepts ssh from other host's on your network.
If that's not your setup let me know, I'm assuming it is for now, and that your Modem is by default blocking all inbound traffic from reaching the internal network unless it's been requested first from the internal network (a stateful connection).
Take the GRC Shields up test to see if there are any open ports.
Now if you have a modem that gives out non-rfc 1918 IP's, then you can dual home the computer in a few ways, the easiest is by using 2 nic's. One is for the public ip, and the other for the internal ip (rfc 1918)

The commands to allow port 80 traffic in, and ssh in are:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 1.2.3.4 -p tcp --dport 80 -j ACCEPT    (replace 1.2.3.4 with your pub ip)
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
https://help.ubuntu.com/community/IptablesHowTo
-rich
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39242851
You will need to allow access to DNS (port 53). If you have a dynamic IP address, you also need DHCP (port 68 client, 67 server). These rules achieve that
# Allow bootps->bootpc udp
iptables -A INPUT -p udp --source-port 67 --destination-port 68 -j ACCEPT
# Allow DNS replies
iptables -A INPUT -p udp --source-port 53 -j ACCEPT

Open in new window

0
 
LVL 21

Accepted Solution

by:
Daniel McAllister earned 800 total points
ID: 39243255
I'm going to pipe in here, even though richrumble & _jesper_ have largely provided you with the basics of what you need.

The problem is that you're a self-described "newbie", and so I feel more should be said.

Firstly, you should note that, by default, Ubuntu comes with Network Manager enabled and auto-started. This is important because, essentially, Network ManagerIPTables do diametrically opposed tasks:
 - Network Manager is designed to make it easy to connect to/from your system
 - IPtables is designed to make it HARD to connect to/from your system!
As a result, if you have a server with a static IP address, I suggest that you manually configure your network interface & disable Network Manager.

So, with Network Manager out of the way, you'll want to configure your IPTables firewall.
 - First of all, realize that you can easily firewall your system to the point of it becoming a high-priced ROCK. This is because a LOT of inter-process communication in Linux is accomplished with network sockets.
 - So your FIRST firewall rule should be to allow all LOCAL network traffic unabated
   iptables -A INPUT -i lo -j ACCEPT
 - Next, you'll need to make sure that outbound connections are not interfered with (so, for example, you can open your own web browser). Unlike what was said in another post, you can't just pick your ports -- the client side port assignment is random! So, instead you simply allow responses back from any already established connection.
   -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 - AFTER that, you can add rules to allow certain connections:
   iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
   iptables -A INPUT -m tcp -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
 - FINALLY, when all is said and done, you have to tell it what to do with unwanted connections... you can choose from:
   iptables -A INPUT  -j REJECT
         -or-
   iptables -A INPUT  -j DROP

The difference is that a REJECT sends a message back saying "not allowed", where a DROP does nothing -- it just throws away the connection attempt.

So, if you suspect your server is likely to be scanned or attacked on specific ports (like 25 for a non-mail server, or 53 for a non-DNS server), you might be a pain in their side (as I do) and create special rules for them:
   iptables -A INPUT -m tcp -p tcp --dport 25 -j DROP  # No mail server here!

One last point about IPTables -- the order of the rules matters... A LOT!
The first match made is the only match taken! Thus, the DENY or DROP rules should come last.

The page richrumble referred you to is a good one -- at least good enough to help you save the rules when you figure out what they should all be!

Good Luck!

Dan
IT4SOHO
0

Featured Post

Enroll in September's Course of the Month

This month’s featured course covers 16 hours of training in installation, management, and deployment of VMware vSphere virtualization environments. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After running Ubuntu some time, you will be asked to download updates for fixing bugs and security updates. All the packages you download replace the previous ones, except for the kernel, also called "linux-image". This is due to the fact that w…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question