Solved

Linux iptables

Posted on 2013-06-12
Last Modified: 2013-06-13
Hi,

I am a bit of a newbie to Linux security.

I want to configure my Ubuntu 12.04 LTS with IPTABLES so that the only access to the server is on port 80 (http) from anywhere and then allow access on port 22 (SSH) from 192.168.1.0/24. Everything else should be denied.

How do I do this? I am sure it is simple, however I am new to it so please be patient :)

Thanks

Mark
Question by:mark_06
4 Comments
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 150 total points
ID: 39242634
# Log every new SSH connection attempt, whatever its source
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j LOG
# Allow new SSH connections only from the 192.168.1.0/24 subnet
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Allow HTTP from anywhere
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

# Dump the running rules (redirect the output to a file to keep them across reboots)
iptables-save
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 150 total points
ID: 39242658
Is your computer directly accessing the internet? Is there a router/wifi/modem it connects to? You might need to put your access list(s) on that device rather than your computer.

Internet <--->Cable|Dsl/Modem <---->Linux
If your Linux box has one NIC then it likely only has one IP (it can have more, btw, even on a single NIC). You can still set up an ACL using iptables that only allows port 80 in from the modem to the Linux host, and the Linux host only accepts SSH from other hosts on your network.
If that's not your setup let me know; I'm assuming it is for now, and that your modem is by default blocking all inbound traffic from reaching the internal network unless it's been requested first from the internal network (a stateful connection).
Take the GRC ShieldsUP! test to see if there are any open ports.
Now if you have a modem that gives out non-RFC 1918 IPs, then you can dual-home the computer in a few ways; the easiest is by using 2 NICs. One is for the public IP, and the other for the internal IP (RFC 1918).

The commands to allow port 80 traffic in, and SSH in, are:
# Allow replies to connections the host itself started
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Replace 1.2.3.4 with your public IP
iptables -A INPUT -s 1.2.3.4 -p tcp --dport 80 -j ACCEPT
# Allow SSH from the local subnet only
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
https://help.ubuntu.com/community/IptablesHowTo
-rich
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 39242851
You will need to allow access to DNS (port 53). If you have a dynamic IP address, you also need DHCP (port 68 client, 67 server). These rules achieve that:
# Allow bootps->bootpc udp
iptables -A INPUT -p udp --source-port 67 --destination-port 68 -j ACCEPT
# Allow DNS replies
iptables -A INPUT -p udp --source-port 53 -j ACCEPT

 
LVL 20

Accepted Solution

by:Daniel McAllister
Daniel McAllister earned 200 total points
ID: 39243255
I'm going to pipe in here, even though richrumble & _jesper_ have largely provided you with the basics of what you need.

The problem is that you're a self-described "newbie", and so I feel more should be said.

Firstly, you should note that, by default, Ubuntu comes with Network Manager enabled and auto-started. This is important because, essentially, Network Manager & IPTables do diametrically opposed tasks:
 - Network Manager is designed to make it easy to connect to/from your system
 - IPtables is designed to make it HARD to connect to/from your system!
As a result, if you have a server with a static IP address, I suggest that you manually configure your network interface & disable Network Manager.

So, with Network Manager out of the way, you'll want to configure your IPTables firewall.
 - First of all, realize that you can easily firewall your system to the point of it becoming a high-priced ROCK. This is because a LOT of inter-process communication in Linux is accomplished with network sockets.
 - So your FIRST firewall rule should be to allow all LOCAL network traffic unabated
   iptables -A INPUT -i lo -j ACCEPT
 - Next, you'll need to make sure that outbound connections are not interfered with (so, for example, you can open your own web browser). Unlike what was said in another post, you can't just pick your ports -- the client side port assignment is random! So, instead you simply allow responses back from any already established connection.
   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 - AFTER that, you can add rules to allow certain connections:
   iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
   iptables -A INPUT -m tcp -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
 - FINALLY, when all is said and done, you have to tell it what to do with unwanted connections... you can choose from:
   iptables -A INPUT  -j REJECT
         -or-
   iptables -A INPUT  -j DROP

The difference is that a REJECT sends a message back saying "not allowed", where a DROP does nothing -- it just throws away the connection attempt.

So, if you suspect your server is likely to be scanned or attacked on specific ports (like 25 for a non-mail server, or 53 for a non-DNS server), you might be a pain in their side (as I do) and create special rules for them:
   iptables -A INPUT -m tcp -p tcp --dport 25 -j DROP  # No mail server here!

One last point about IPTables -- the order of the rules matters... A LOT!
The first match made is the only match taken! Thus, the DENY or DROP rules should come last.

The page richrumble referred you to is a good one -- at least good enough to help you save the rules when you figure out what they should all be!

Good Luck!

Dan
IT4SOHO
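The full INPUT ruleset in the order the accepted answer and the first answer describe (loopback, established/related, the explicit allows for HTTP and LAN-only SSH with logging, catch-all last), together with an ordering check, as an added example that is not from any of the posts above. It does not call iptables itself: gen_rules prints an iptables-restore file for review (load it with `gen_rules | sudo iptables-restore` once you are happy with it), and check_rules, a name chosen here, verifies that the catch-all DROP cannot shadow an ACCEPT. The subnet and ports are the question's; the LOG rate limit is an assumption.

```shell
#!/bin/sh
# Values from the question; adjust for your own host.
LAN_NET="192.168.1.0/24"   # subnet allowed to reach SSH
SSH_PORT=22
HTTP_PORT=80

# Emit the INPUT policy in iptables-restore format: loopback first, then
# replies to our own connections, then the explicit allows, then a
# rate-limited LOG (assumed 5/min) and the catch-all DROP as the last rule.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${HTTP_PORT} -m state --state NEW -j ACCEPT
-A INPUT -s ${LAN_NET} -p tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# Sanity-check a ruleset on stdin: the first INPUT rule must be the loopback
# allow and the catch-all DROP/REJECT must be the last INPUT rule, because
# the first matching rule wins and anything after the catch-all is dead.
check_rules() {
    awk '
        /^-A INPUT/ { n++; rule[n] = $0 }
        END {
            if (n == 0) { print "fail: no INPUT rules"; exit }
            if (rule[1] !~ /-i lo -j ACCEPT/) { print "fail: loopback must come first"; exit }
            if (rule[n] !~ /^-A INPUT -j (DROP|REJECT)$/) { print "fail: catch-all must be last"; exit }
            for (i = 1; i < n; i++)
                if (rule[i] ~ /^-A INPUT -j (DROP|REJECT)$/) { print "fail: catch-all shadows rule " i+1; exit }
            print "ok"
        }'
}

# Print the ruleset for review; pipe it to "sudo iptables-restore" to load it.
gen_rules
```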