Easy Setup Of Iptables On Your New Linux Server

This is going to be the first of a series of articles about Linux server security and best practices. Every good systems administrator wants their servers to be secure, and I’m sure that you are no exception. I assume that you already use a strong root password and that your servers always have the latest security updates installed. Let’s begin with the Linux firewall, ‘iptables’. In CentOS you can see the current iptables config in a readable format by running this command:

[root@ServerSuit ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

So, let me explain the basics of what we're looking at here. Every network packet goes through one of the iptables ‘chains’, where it is checked against every rule from the top down; the first rule that matches decides what happens to it. All packets sent from other devices and addressed to our server go straight to the “INPUT” chain. Every packet created on our server and sent outside goes through the “OUTPUT” chain rules, and if the server receives a packet addressed to an IP address other than its own, that packet goes to the “FORWARD” chain. In most cases, FORWARD rules only matter if our server is acting as a router. So, the default iptables config does the following:

1. Allow all packets belonging to previously established connections, as permitted by other rules.
2. Allow all incoming ICMP packets (i.e. ping).
3. Allow all traffic to the local loopback interface (127.0.0.1).
4. Allow incoming SSH connections to the server.
5. Reject all other incoming connections.
6. Reject all forwarded connections.
7. Allow all outgoing connections from the server.

In other words, any connection that begins at the server itself is allowed, but from the outside you will only be able to ping the server and connect through SSH! This is how these rules look if you had to write out the commands:

[root@ServerSuit ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Anyway, that's the basic theory. Let’s look at a few examples! In most cases, you just want your new installation to be reachable remotely. If you have just installed Apache, you first need to open the HTTP and HTTPS ports for incoming connections. Here's how we do it:

[root@ServerSuit ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@ServerSuit ~]# iptables -I INPUT 2 -p tcp --dport 443 -j ACCEPT
[root@ServerSuit ~]# iptables-save > /etc/sysconfig/iptables

We inserted 2 rules at the top of the INPUT chain to allow incoming connections to TCP ports 80 and 443. Make sure you save that config, or your changes will only last until the server reboots. Notice: if you add these rules with the -A flag, they’ll be appended after the REJECT rule at the end of the INPUT chain and won't actually work, because the REJECT rule matches first. That’s why we insert them at positions 1 and 2 of the chain. You can change the ‘-p’ and ‘--dport’ options for your application. For example, if you install the exim and dovecot servers you’ll need to allow incoming connections to TCP ports 25 and 110. That's one of the most frequently asked iptables questions from beginning systems administrators. Ok, now let's check this out: you might have looked at /var/log/messages and seen something like this:

Apr 03 18:45:09 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:10 ServerSuit unix_chkpwd[1932]: password check failed for user (root)
Apr 03 18:45:11 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:12 ServerSuit unix_chkpwd[1933]: password check failed for user (root)
Apr 03 18:45:15 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:16 ServerSuit unix_chkpwd[1934]: password check failed for user (root)
Apr 03 18:45:17 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:17 ServerSuit sshd[1928]: Disconnecting: Too many authentication failures for root

It seems that somebody was trying to guess your ‘root’ account password, and the attempts came from IP address 1.1.1.1. You can block this IP address from connecting to your server. As with the web ports above, the position matters: the new REJECT rule has to sit above the rule that accepts new SSH connections, so we list the chain with line numbers first and insert at position 6:

[root@ServerSuit ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
[root@ServerSuit ~]# iptables -I INPUT 6 -s 1.1.1.1 -p tcp --dport 22 -j REJECT
[root@ServerSuit ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
6    REJECT     tcp  --  1.1.1.1              0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
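The two manual steps above (spot repeated failures in the log, then insert the REJECT above the SSH ACCEPT rule) can be scripted. The following POSIX shell script is an added example, not part of the original article or of ServerSuit: it counts failed SSH logins per source address over a constructed log sample, finds the index of the SSH ACCEPT rule in a constructed capture of `iptables -nL INPUT --line-numbers`, and prints (rather than runs) the matching `iptables -I` command. On a real server you would feed it the live log and the live listing instead of the embedded samples.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages lines (same shape as the article's excerpt).
SAMPLE_LOG='Apr 03 18:45:09 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:10 ServerSuit unix_chkpwd[1932]: password check failed for user (root)
Apr 03 18:45:11 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:15 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:17 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:46:02 ServerSuit sshd[1940]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Apr 03 18:47:30 ServerSuit sshd[1951]: Accepted publickey for deploy from 198.51.100.7 port 50122 ssh2'

# Constructed capture of `iptables -nL INPUT --line-numbers` after the port 80/443 inserts.
# A real script would run that command here instead of using a fixed string.
SAMPLE_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Print "count ip" for every source with at least $1 failed password attempts.
# Only sshd "Failed password" lines count; the unix_chkpwd lines carry no address.
failed_ssh_sources() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk -v min="$1" '
            /sshd\[[0-9]+\]: Failed password/ {
                for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
            }
            END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# Line number of the first INPUT rule that ACCEPTs TCP to port 22. A blocking rule
# must be inserted at this index so it is evaluated before that ACCEPT.
ssh_accept_index() {
    printf '%s\n' "$SAMPLE_CHAIN" |
        awk '$2 == "ACCEPT" && $3 == "tcp" && /dpt:22$/ { print $1; exit }'
}

# Emit (not execute) the iptables command that rejects SSH from one source address.
block_ssh_cmd() {
    printf 'iptables -I INPUT %s -s %s -p tcp --dport 22 -j REJECT\n' "$(ssh_accept_index)" "$1"
}

# Stand-alone run: propose a block for every address with 3 or more failures.
for ip in $(failed_ssh_sources 3 | awk '{print $2}'); do
    block_ssh_cmd "$ip"
done
```

Review the proposed commands before running them, and keep the RELATED,ESTABLISHED rule above the new REJECT so your own current session is not cut off.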

You may find this useful, but doing it by hand is extremely time consuming, and I'm running out of time, so I'll have to come back to this in our next article. What I think this illustrates most clearly, though, is how our web-based Linux server manager ServerSuit will actually create all required iptables rules automatically! Nice, right? Try it free for 30 days when you first register! Otherwise, we'll see you in the next one.