Linux, Web Developing

Thanks to:
http://bencane.com/2012/09/17/iptables-linux-firewall-rules-for-a-basic-web-server/
http://www.linux.org/threads/base-iptables-rules-that-will-apply-to-virtually-any-web-server.10/ (used this script with modifications)

NOTES:

Here is a simple script that allows all outbound connections and the inbound connections coming back from those outbound connections (conntrack). Also port 80 and port 22 and port 443 are allowed in. A few more rules as well. Some rules are commented out for your use. Make sure you have an alternate connection because if you block yourself out of ssh, you might be out of luck (restarting the pc/server will clear the rules, unless you have a setting that says on boot read these iptables)

CLEAR ALL:

Clear all rules (this is good to keep handy, maybe save it as a script called iptables-clear-all.sh):

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

MAIN TABLE:

I use that to start off my iptables main script, first i clear previous rules with the above script then I get into the good stuff.

#!/bin/bash

# Leave a log message that it launched
logger "iptables.sh launched"

# CLEAR
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# DEFAULTS:
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# LOOPBACK AND 127.0.0.1
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT

# INPUTS
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT

# OTHER
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

# EXPERIMENTAL
# EXPERIMENTAL
# EXPERIMENTAL

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

# 4) BLACKLIST IP's (if we need it)
# iptables -A INPUT -s "BLOCK_THIS_IP" -j DROP # Block a specific ip-address
# iptables -A INPUT -s "BLOCK_THIS_IP" -j DROP # Block a specific ip-address
# iptables -A INPUT -s "BLOCK_THIS_IP" -j DROP # Block a specific ip-address
# iptables -A INPUT -s "BLOCK_THIS_IP" -j DROP # Block a specific ip-address

# FTP_BRUTE CHAIN
iptables -A INPUT -p tcp -m multiport --dports 20,21 -m state --state NEW -m recent --set --name FTP_BRUTE
iptables -A INPUT -p tcp -m multiport --dports 20,21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP_BRUTE -j DROP

# SYNFLOOD CHAIN (causes errors plus I dont want it)
# iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name SYNFLOOD --set
# iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name SYNFLOOD --update --seconds 1 --hitcount 60 -j DROP

# Logging CHAIN
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 6
iptables -A LOGGING -j DROP

Notes: The synflood was commented out because my iptables didnt like the second command, it said some error came about. Also the DNS rules I crossed out as this is not a dns server, so the only dns traffic ill be doing is connecting to a dns server (and receiving traffic back from one but thats handled by conntrack). So everything below experimental you can choose to leave out if you want, however everything above worked 100% for me. My wordpress is still alive.

HOW TO LOAD IT ON BOOT:

Save the above into a readable and executable script and just have /etc/rc.local load it.

Pretend I saved the script as /etc/iptables.sh

chmod +x /etc/iptables.sh

In my rc.local, I would put (above the exit 0)

logger "BOOT TIME - rc.local about to launch /etc/iptables.sh"
/etc/iptables.sh
exit 0  #<-- note this exit 0 should be there already

 HOW TO MONITOR ITS WORKINGS:

This will show you live counters, whats blocked and accepted:

watch -n0 “iptables -nvL”

OR see the differences with watch (they will be highlighted):
 watch -n0 -d “iptables -nvL”
Might want to slow down the interval:
 watch -n2 -d “iptables -nvL”
More watch script variations to see differences:
Make shift difference script with watch: 

watch -n0 “(iptables -nvL > /tmp/now123); (diff -U0 /tmp/prev123 /tmp/now123 > /tmp/diff); (cat /tmp/diff); (mv -f /tmp/now123 /tmp/prev123);”

Slow it down some:
watch -n2 “(iptables -nvL > /tmp/now123); (diff -U0 /tmp/prev123 /tmp/now123 > /tmp/diff); (cat /tmp/diff); (mv -f /tmp/now123 /tmp/prev123);”

While loop scripts to watch iptables:

While loop watch iptables:
while true; do iptables -nvL; sleep 1; done;
Same script with while loop – difference:
while true; do iptables -nvL > /tmp/now123; diff -U0 /tmp/prev123 /tmp/now123 > /tmp/diff; clear; cat /tmp/diff; mv -f /tmp/now123 /tmp/prev123; sleep 1; done

Leave a Reply

Your email address will not be published. Required fields are marked *