Secure your dedicated server with Iptables

September 22, 2011 / Dedicated Servers

In this article, we’ll see how to secure your dedicated server by configuring three essential programs:

* Iptables: the firewall of Linux systems. It is hard to handle the first time, but it lets you make very fine-grained adjustments. In this tutorial I propose a standard set of rules for a web server.
* Fail2ban: a system that automatically bans users who repeatedly fail to log in to our server. It helps prevent brute-force attacks.
* Rkhunter: software that warns you when sensitive files have been changed. In other words, a good backdoor and rootkit detector.

As a bonus, I will give you a tip for being notified by email when someone logs into your server over SSH. By the end of the article you will already have a secured web server, but not secure enough for my taste, so a second article will give you a few more tips on securing PHP scripts with Apache 2 modules.

I think a mini tutorial on iptables, covering the most commonly used arguments and its basic principles, will not hurt. I'll do it as a list to keep things simple; the goal is not to be exhaustive.

If you run iptables -L, you will see the rules that define your firewall. Looking more closely at the output, we see three chains:

* INPUT: rules for traffic coming into the server
* OUTPUT: rules for traffic going out of the server
* FORWARD: rules for traffic being redirected (routed) through the server

We also note that the firewall's policy is ACCEPT for all chains, which is not very good for security. Our approach will be to block everything (DROP) and then gradually open the ports for the services we use.

Here is a list of arguments that are used frequently:

* -t: specifies which table you are working on; the default is filter, which contains the INPUT, OUTPUT and FORWARD chains
* -A: appends a rule at the end of a chain
* -p: specifies the protocol of the rule (usually tcp, udp, or icmp for ping)
* --dport: specifies the destination port
* -j: specifies the target to apply (ACCEPT or DROP most of the time)
* -F: clears all rules (F = Flush)
* -X: deletes user-defined chains

Configuration rules

To set up a firewall on Linux, you usually create a shell script containing all the iptables commands you want. In my case, I reset iptables first, then block everything, then gradually open the services I use. Therefore, the order matters! Here is the file used for the video; remember to change the port number for SSH, otherwise you will lock yourself out (a hardware reboot will unlock you).

#!/bin/sh
### BEGIN INIT INFO
# Provides: Home-made firewall
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start:
# Default-Stop:
# X-Interactive: false
# Short-Description: Home-made firewall
### END INIT INFO

# Reset to 0 (flush all rules, delete user-defined chains)
iptables -t filter -F
iptables -t filter -X
echo "Mise à 0"

# Block everything by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo "Interdiction"

# Do not break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow the loopback interface (127.0.0.1)
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo "Loopback"

# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo "Ping ok"

# SSH IN/OUT (sshd is configured on port 1337 here; change it to your own port)
iptables -t filter -A INPUT -p tcp --dport 1337 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 1337 -j ACCEPT
echo "SSH ok"

# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
echo "dns ok"

# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo "ntp ok"

# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
echo "http ok"

# FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT

# FTP In
# modprobe ip_conntrack_ftp   # optional line on OVH servers
iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "ftp ok"

# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# Mail POP3S:995
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
echo "mail ok"

# Monit
iptables -t filter -A INPUT -p tcp --dport 4598 -j ACCEPT

# Webmin
iptables -t filter -A INPUT -p tcp --dport 10000 -j ACCEPT
echo "monitoring ok"

The upper part (the INIT INFO header) is optional, but it avoids warnings in the log files. As for difficulty, once you understand one line the rest follows by itself. Remember to make the file executable (chmod +x firewall), place it in /etc/init.d/ and enable it at server start-up with update-rc.d firewall defaults (but make sure the file works properly first!)
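Since a default-DROP script locks you out the moment the SSH rule does not match the port sshd actually listens on, here is a pre-flight check I would run before installing it. This is an added example, not code from the original article: it reads the Port directive from an sshd_config file and refuses unless the firewall script has an uncommented INPUT rule accepting TCP to that port; both file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-flight check for a
# default-DROP firewall script. Before loading rules that drop everything and
# re-open ports one by one, confirm that the port sshd really listens on has a
# matching "-A INPUT -p tcp --dport <port> -j ACCEPT" rule, so the script
# cannot lock you out. Both file paths are supplied by the caller.

# Print the SSH port from an sshd_config file (22 when there is no Port line).
ssh_port_from_config() {
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${port:-22}"
}

# Return 0 if the firewall script has an uncommented INPUT rule accepting TCP
# to port $2, 1 otherwise. Commented-out rules must not count, so strip them.
firewall_allows_tcp_in() {
    grep -v '^[[:space:]]*#' "$1" \
      | grep -E -- '-A[[:space:]]+INPUT' \
      | grep -E -- '-p[[:space:]]+tcp' \
      | grep -E -- "--dport[[:space:]]+$2([^0-9]|\$)" \
      | grep -q -E -- '-j[[:space:]]+ACCEPT'
}

# Combine both: 0 means the script can be loaded, 1 means it would lock you out.
check_ssh_not_locked_out() {
    fw_script=$1
    sshd_conf=$2
    port=$(ssh_port_from_config "$sshd_conf")
    if firewall_allows_tcp_in "$fw_script" "$port"; then
        echo "OK: sshd listens on $port and $fw_script accepts it"
        return 0
    fi
    echo "REFUSING: sshd listens on $port but $fw_script has no INPUT ACCEPT rule for it" >&2
    return 1
}

# Usage: sh check_firewall.sh /etc/init.d/firewall /etc/ssh/sshd_config
# Load the rules only when this exits 0.
if [ "$#" -ge 2 ]; then
    check_ssh_not_locked_out "$1" "$2"
fi
```

The check only parses the script text and never touches the running firewall; it complements, rather than replaces, keeping the reset script shown further down within reach.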

I'll take this opportunity to give you my script for resetting iptables back to 0 in case of trouble:

#!/bin/sh
echo "Flushing iptables rules..."
sleep 1
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

That's all on the firewall side. If one day you install additional services and they do not work, remember to look at the firewall; you tend to forget it once the configuration is finished.
