If you purchased a VPS on the Internet, you will soon realize that hackers may seek loopholes on your servers. Especially, if it becomes known.
To secure it, so let's close all the doors that you do not use on your server.
To do this, we'll use "iptables" which is a command line interface to configure the firewall "Netfilter".
To begin, list the rules of your firewall by typing the following command :
Bash
iptables -L
You will notice that by default, all traffic is allowed. What is the worst configuration because in this configuration, the firewall is completely useless.
Bash
Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
As you can see, there are three categories of traffic :
To configure a firewall, "Netfilter" in our case, there are 2 ways :
In our case, we will choose the second option is the best and easiest to implement.
So why create a configuration script rather than directly type the "iptables" command ?
The reason is simple, when you type iptables commands, they have immediate effect and would therefore blocked when we begin by banning all traffic.
The second reason is simply that the firewall is reset when you restart your Ubuntu machine. Voluntary or not, restart so expose your server to all the hackers found on the net.
Now that this issue is resolved, begin our script.
To begin, you must indicated the language used in your script by adding this line :
Bash
#!/bin/sh
Then, to avoid future "warning" in the logs, you must add the small header as follows :
Bash
### BEGIN INIT INFO # Provides: My Firewall # Required-Start: $local_fs $remote_fs $network $syslog # Required-Stop: $local_fs $remote_fs $network $syslog # Default-Start: # Default-Stop: # X-Interactive: false # Short-Description: My Firewall ### END INIT INFO echo "Configuring the firewall ..."
Now that the required information is provided, begin our script strictly speaking.
To avoid the preceding rules interfered with ours, we reset our firewall.
Bash
# Reset iptables -t filter -F iptables -t filter -X echo "Firewall reset"
Then, as we chose the second policy for managing a firewall, we'll start blocking incoming and redirected all traffic.
Bash
# Incoming and redirected traffic is blocked iptables -t filter -P INPUT DROP iptables -t filter -P FORWARD DROP echo "Incoming and redirected traffic blocked"
For simplicity, we recommend that you allow all outgoing traffic. Since it is our server. Outbound traffic can only theoretically being dangerous.
Unless anyone can use your server as he wants.
Bash
# Outgoing traffic is allowed iptables -t filter -P OUTPUT ACCEPT echo "Outgoing traffic allowed"
Also for simplicity, we will allow the connections. Given that these connections are in state "established" is that they have been authorized by the regulations of traffic entering the firewall.
Otherwise, the connection will be "NEW" type and will be blocked by the firewall.
Bash
# We don't break the established connections iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT echo "Established connections allowed"
We will allow all incoming and outgoing traffic on the loopback network interface
These are the requests made to the server itself. Given that requests information itself, there is no risk to allow this traffic.
Bash
# Authorizes the incoming and outgoing traffic on the loopback network interface (IP : 127.0.0.1) iptables -t filter -A INPUT -i lo -j ACCEPT iptables -t filter -A OUTPUT -o lo -j ACCEPT echo "Loopback traffic allowed"
We will also allow the ping to and from the server.
Info : The ping command is used to test the connection between two network devices and it's therefore interesting to pass up. This helps diagnose network problems you may encounter.
Bash
# ICMP (ping) iptables -t filter -A INPUT -p icmp -j ACCEPT iptables -t filter -A OUTPUT -p icmp -j ACCEPT echo "Ping allowed"
The rest of the rules regarding the various protocols that exist on your server.
Some small information about the commands that follow :
Example :
A visitor sends an HTTP request to the web server on port 80.
This request comes from the IP address of the client from xxx.xxx.xxx.xxx port x (randomly allocated by the client operating system) and arrives on port 80 on the server (because the protocol used is HTTP).
When the server sends him the answer (the contents of the requested in this case page), it uses port 80 (which is the source port for outgoing traffic) and sends the response to the client IP address xxx.xxx.xxx.xxx on the port that the client had when sending the request.
Note : Since it is the TCP protocol is a connected mode, the server knows the IP address and port of the client. He knows so answer it this way.
Bash
# SSH incoming / outgoing iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --sport 22 -j ACCEPT echo "SSH allowed" # DNS incoming / outgoing # DNS queries to the server (TCP and UDP) iptables -t filter -A OUTPUT -p tcp --sport 53 -j ACCEPT iptables -t filter -A OUTPUT -p udp --sport 53 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT # DNS requests sent by clients and therefore received by the server (TCP and UDP) iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT echo "DNS allowed" # NTP outgoing (time server) iptables -t filter -A OUTPUT -p udp --sport 123 -j ACCEPT echo "NTP allowed" # HTTP + HTTPS incoming / outgoing (Web Server : HTTP (80) and HTTPS secured by SSL (443 or 8443) iptables -t filter -A OUTPUT -p tcp --sport 80 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --sport 443 -j ACCEPT iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT # Mail SMTP : 25 (Protocol for sending e-mails) iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --sport 25 -j ACCEPT # Mail POP3 : 110 (Protocol to access to e-mails) iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --sport 110 -j ACCEPT # Mail POP3S : 995 (Protocol to access to e-mails) # POP3S is a secure POP3 over SSL iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --sport 995 -j ACCEPT # Mail IMAP : 143 (Protocol to read emails by a system of remote folders) iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --sport 143 -j ACCEPT echo "Emails protocols allowed"
And finally, the FTP protocol is quite complicated if you do not know how it works.
Note that we have activated the passive port range (50000-50100) in the configuration of the FTP server to find out what range of ports to allow.
In fact, using FTP, you don't just use port 21 as one might think.
Because if you install an FTP server on your computer and look at your network connections (using TCP View, for example), you will notice that file transfers are not made by the port 21 but by one of passive ports configured on the server.
Port 21 are used primarily to connect (or authentication) as well as sending commands.
Here is the diagram of a file transfer via FTP :
We must therefore allow the following ports :
Bash
# FTP outgoing iptables -t filter -A OUTPUT -p tcp --sport 21 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --sport 20 -j ACCEPT # FTP incoming iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT echo "FTP allowed" # FTP Passive iptables -t filter -A OUTPUT -p tcp --sport 50000:50100 -j ACCEPT iptables -t filter -A INPUT -p tcp --dport 50000:50100 -j ACCEPT echo "Passive FTP server ports allowed"
Then enter this line at the end of file
Bash
echo "Firewall configuration completed"
And save the file with the name "firewall" and enable the execution of the script like this :
Bash
chmod +x firewall
If you're wondering why we added lines "echo" for each block of rules is simply to more easily debug the script, the day an error occurs (if such is the case).
When the script runs (and thus start the machine when it will be added), this series of messages will appear.
To run this script, simply type the following command :
Bash
./firewall
Before this script programmed to boot your machine, make sure that everything works properly.
Test your SSH connection, your file transfer by FTP, your messaging protocols (SMTP, POP3, IMAP, ...), ...
If you no longer have access to your server, ask to restart your dedicated server or VPS from your account with your provider.
If everything still works then you can put it to boot your machine.
To do this, first copy the "firewall" file in the "/etc/init.d" folder (where there are other services such as apache, postfix, ...)
Bash
cp firewall /etc/init.d
Then add the script to start the machine, use the command "update-rc.d" :
Bash
update-rc.d firewall defaults
Linux 1/15/2014
Linux 1/11/2014
Linux 1/11/2014
Linux 1/11/2014
Pinned content
Contact
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.
You must be logged in to post a comment