Easy Setup Of Iptables On Your New Linux Server

This is going to be the first of a series of articles about Linux server security and best practices. Every good systems administrator wants their servers to be secure, and I’m sure that you are no exception. I assume that you already have a good root password and that your servers always have the latest security updates installed. Let’s begin with the Linux firewall, ‘iptables’. On CentOS you can see the current iptables config in a readable format by running this command:


[root@ServerSuit ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere    anywhere
ACCEPT     all  --  anywhere    anywhere
ACCEPT     tcp  --  anywhere    anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere    anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source      destination
REJECT     all  --  anywhere    anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination

So, let me explain the basics of what we're looking at here. Every network packet goes through one of the iptables ‘chains’, where it is checked against the rules from the top down; the first rule that matches decides what happens to the packet, so the order of the rules matters. All packets sent from other devices and addressed to our server go straight to the “INPUT” chain. Every packet created on our server and sent outside goes through the “OUTPUT” chain rules, and if the server receives a packet addressed to an IP address other than its own, that packet goes to the “FORWARD” chain. In most cases, FORWARD rules only come into play if our server is acting as a router. So, the default config does the following:

1. Allow all packets belonging to previously established connections (ones the other rules permitted when they began).
2. Allow all incoming ICMP packets (i.e. ping).
3. Allow all traffic on the local loopback interface (127.0.0.1).
4. Allow incoming SSH connections to the server.
5. Reject all other incoming connections.
6. Reject all forwarded connections.
7. Allow all outgoing connections from the server.

In other words, any connection that begins at the server itself can go out, but from outside you can only ping the server and connect to it over SSH! This is how the same rules look if you had to write them out as commands:


[root@ServerSuit ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
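As an added example (not from the article), here is the default ruleset above written out by a small POSIX sh script in iptables-save format, which is what iptables-restore reads; it goes beyond the article by taking extra TCP ports to open as arguments and placing each ACCEPT ahead of the final REJECT, so the order stays right however many ports you add. The /etc/sysconfig/iptables path is the one the article uses; the "apply" argument, the function names and the mktemp step are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: build the article's default
# INPUT/FORWARD ruleset in iptables-save format, plus any extra TCP ports
# given as arguments, so every ACCEPT lands before the final REJECT.

# Print the full ruleset; arguments are extra TCP ports to allow (e.g. 80 443).
gen_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
    for port in "$@"; do
        case "$port" in ''|*[!0-9]*) echo "gen_rules: bad port '$port'" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "gen_rules: bad port '$port'" >&2; return 1; }
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
    done
    # The catch-all REJECT rules go last, exactly as in the article's listing.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# Sanity check: how many INPUT ACCEPT rules precede the catch-all REJECT?
accepts_before_reject() {
    gen_rules "$@" | awk '/-j REJECT/ { exit } /^-A INPUT .*-j ACCEPT$/ { n++ } END { print n + 0 }'
}

# Load the ruleset atomically with iptables-restore and persist it in the file
# CentOS reads at boot (path from the article). Needs root; only runs on "apply".
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    if iptables-restore < "$tmp"; then cp "$tmp" /etc/sysconfig/iptables; rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Usage: sh firewall.sh apply 80 443
if [ "${1:-}" = "apply" ]; then
    shift
    apply_rules "$@"
fi
```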

Anyway, that's the basic theory. Let’s look at a few examples! In most cases, you just want your new installation to be reachable remotely. For instance, if you've just installed Apache, you’ll first need to open the HTTP and HTTPS ports for incoming connections. Here's how we do it:


[root@ServerSuit ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@ServerSuit ~]# iptables -I INPUT 2 -p tcp --dport 443 -j ACCEPT
[root@ServerSuit ~]# iptables-save > /etc/sysconfig/iptables

We inserted two rules at the top of the INPUT chain to allow incoming connections to TCP ports 80 and 443. Make sure you save that config, or your changes will only last until the server reboots. Notice: if you add these rules with the -A flag, they’ll be appended after the REJECT rule at the end of the INPUT chain, and since that REJECT matches first they won't actually work. That’s why we insert them at positions 1 and 2 of the firewall rules. You can change the ‘-p’ and ‘--dport’ options to suit your application. For example, if you install the exim and dovecot servers you’ll need to allow incoming connections to TCP ports 25 and 110. That's one of the more frequently asked questions about iptables from beginning systems administrators. Ok, now let's check this out: you might've looked at /var/log/messages and seen something like this:


Apr 03 18:45:09 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:10 ServerSuit unix_chkpwd[1932]: password check failed for user (root)
Apr 03 18:45:11 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:12 ServerSuit unix_chkpwd[1933]: password check failed for user (root)
Apr 03 18:45:15 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:16 ServerSuit unix_chkpwd[1934]: password check failed for user (root)
Apr 03 18:45:17 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:17 ServerSuit sshd[1928]: Disconnecting: Too many authentication failures for root

It seems that somebody was trying to guess your ‘root’ account password, and their IP address is ‘1.1.1.1’. You can block this IP address from connecting to your server over SSH. First list the INPUT chain with rule numbers, so the new REJECT rule can be inserted ahead of the rule that accepts new SSH connections (rule 6 here):


[root@ServerSuit ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source       destination
1    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           tcp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           tcp dpt:443
3    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
6    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           state NEW tcp dpt:22
7    REJECT     all  --  0.0.0.0/0    0.0.0.0/0           reject-with icmp-host-prohibited

[root@ServerSuit ~]# iptables -I INPUT 6 -s 1.1.1.1 -p tcp --dport 22 -j REJECT
[root@ServerSuit ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source       destination
1    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           tcp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           tcp dpt:443
3    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
6    REJECT     tcp  --  1.1.1.1      0.0.0.0/0           tcp dpt:22 reject-with icmp-port-unreachable
7    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           state NEW tcp dpt:22
8    REJECT     all  --  0.0.0.0/0    0.0.0.0/0           reject-with icmp-host-prohibited

You may find this useful but extremely time consuming; I'm running out of time, so I'll have to come back to it in our next article. What I think this illustrates most clearly, though, is how our web-based Linux server manager ServerSuit will create all the required iptables rules for you automatically! Nice, right? Try it free for 30 days when you first register! Otherwise, we'll see you in the next one.

April 15 2016
