Solved

Linux iptables

Posted on 2013-06-12
4
547 Views
Last Modified: 2013-06-13
Hi,

I am a bit of a newbie to Linux security.

I want to configure my Ubtunu 12.04LTS with IPTABLES so that the only access to the server is on port 80 (http) from anywhere and then allow access on port 22 (SSH) from 192.168.1.0/24. Everything else should be denied.

How do I do this? I am sure it is simple, however I am new to it so please be patient :)

Thanks

Mark
0
Comment
Question by:mark_06
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 150 total points
ID: 39242634
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j LOG
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

iptables-save
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 150 total points
ID: 39242658
Is your computer directly accessing the internet? is there a router/wifi/modem it connects to? You might need to put you access list(s) on that device rather than you're computer.

Internet <--->Cable|Dsl/Modem <---->Linux
If your linux box has one NIC then it likely only has one IP (it can have more btw even on a single nic). You can still setup an acl using iptables that only allows port 80 in from the modem to the linux host, and the linux host only accepts ssh from other host's on your network.
If that's not your setup let me know, I'm assuming it is for now, and that your Modem is by default blocking all inbound traffic from reaching the internal network unless it's been requested first from the internal network (a stateful connection).
Take the GRC Shields up test to see if there are any open ports.
Now if you have a modem that gives out non-rfc 1918 IP's, then you can dual home the computer in a few ways, the easiest is by using 2 nic's. One is for the public ip, and the other for the internal ip (rfc 1918)

The commands to allow port 80 traffic in, and ssh in are:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 1.2.3.4 -p tcp --dport 80 -j ACCEPT    (replace 1.2.3.4 with your pub ip)
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
https://help.ubuntu.com/community/IptablesHowTo
-rich
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 39242851
You will need to allow access to DNS (port 53). If you have a dynamic IP address, you also need DHCP (port 68 client, 67 server). These rules achieve that
# Allow bootps->bootpc udp
iptables -A INPUT -p udp --source-port 67 --destination-port 68 -j ACCEPT
# Allow DNS replies
iptables -A INPUT -p udp --source-port 53 -j ACCEPT

Open in new window

0
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 200 total points
ID: 39243255
I'm going to pipe in here, even though richrumble & _jesper_ have largely provided you with the basics of what you need.

The problem is that you're a self-described "newbie", and so I feel more should be said.

Firstly, you should note that, by default, Ubuntu comes with Network Manager enabled and auto-started. This is important because, essentially, Network ManagerIPTables do diametrically opposed tasks:
 - Network Manager is designed to make it easy to connect to/from your system
 - IPtables is designed to make it HARD to connect to/from your system!
As a result, if you have a server with a static IP address, I suggest that you manually configure your network interface & disable Network Manager.

So, with Network Manager out of the way, you'll want to configure your IPTables firewall.
 - First of all, realize that you can easily firewall your system to the point of it becoming a high-priced ROCK. This is because a LOT of inter-process communication in Linux is accomplished with network sockets.
 - So your FIRST firewall rule should be to allow all LOCAL network traffic unabated
   iptables -A INPUT -i lo -j ACCEPT
 - Next, you'll need to make sure that outbound connections are not interfered with (so, for example, you can open your own web browser). Unlike what was said in another post, you can't just pick your ports -- the client side port assignment is random! So, instead you simply allow responses back from any already established connection.
   -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 - AFTER that, you can add rules to allow certain connections:
   iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
   iptables -A INPUT -m tcp -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
 - FINALLY, when all is said and done, you have to tell it what to do with unwanted connections... you can choose from:
   iptables -A INPUT  -j REJECT
         -or-
   iptables -A INPUT  -j DROP

The difference is that a REJECT sends a message back saying "not allowed", where a DROP does nothing -- it just throws away the connection attempt.

So, if you suspect your server is likely to be scanned or attacked on specific ports (like 25 for a non-mail server, or 53 for a non-DNS server), you might be a pain in their side (as I do) and create special rules for them:
   iptables -A INPUT -m tcp -p tcp --dport 25 -j DROP  # No mail server here!

One last point about IPTables -- the order of the rules matters... A LOT!
The first match made is the only match taken! Thus, the DENY or DROP rules should come last.

The page richrumble referred you to is a good one -- at least good enough to help you save the rules when you figure out what they should all be!

Good Luck!

Dan
IT4SOHO
0

Featured Post

Are You Headed to Black Hat USA 2017?

Getting ready for Black Hat next week? Kick things off with the WatchGuard Badge Challenge and test your puzzle and cipher skills. Do you have what it takes to earn our limited edition Firebox Badge? Get started today - https://crimsonthorn.net

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Creating a Samba server for a small office. Ubuntu Linux and Samba can breathe new life into a retired PC and save an office money on new hardware/software. Our example server will have two hard disks, one exclusively for storing shared data. …
This document is written for Red Hat Enterprise Linux AS release 4 and ORACLE 10g.  Earlier releases can be installed using this document as well however there are some additional steps for packages to be installed see Metalink. Disclaimer: I hav…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question