Iptables Basics

Deor

Just wondering what (if any) basic iptables rules you add when setting up a new VPS?

yomero

Not me :P Well, some people does the DROP all policy, and then allow each port one by one. I am too lazy for this xD

Gary

I do that. Drop all, allow ports serving to the public one by one, and whitelist my own IPs for SSH etc.

marrco

http://www.lowendtalk.com/discussion/comment/77516#Comment_77516

when running a MySQL bound to public ip address you can add

-A INPUT -p tcp -s server1address/24 --dport 3306 -j ACCEPT
-A INPUT -p tcp -s server2address --dport 3306 -j ACCEPT

and if you don't default to drop/reject consider adding -A INPUT -p tcp --dport 3306 -j DROP

Phil

@Gary said: I do that. Drop all, allow ports serving to the public one by one, and whitelist my own IPs for SSH etc.

So do I.

@Deor, you may find some interesting sample rules here: http://www.thegeekstuff.com/2011/06/iptables-rules-examples/

William

apt-get remove iptables

onepound

@William said: apt-get remove iptables

Ha, yum install iptables

Any reason why you would be un-installing iptables there William?

William

@onepound said: Any reason why you would be un-installing iptables there William?

I prefer different software, iptables is not reliable at higher PPS.

gbshouse

@William - which one?

sleddog

@gbshouse said: @William - which one?

Yeah, I'm interested to hear about this also.

William

pf, along with kfreebsd kernel.

Maounique

@William said: pf, along with kfreebsd kernel.

Bah, maybe for high bw routers and stuff, it is hardly the case for the regulars here :) Personally I dont block anything, I also allow ssh on 22, just make sure software is reasonably up to date and not very new. Running squeeze means both conditions are met with relative ease. Better to not have your back-end listen to the internet than having to do iptables to limit access, unless you need to. AFAIK, never been rooted on a VPS. M P.S. Also, another golden rule: keep your surface small, meaning run only what you need to, disable any unnecessary compilers after you used them and dont install if you dont use, for example.

Deor

Interesting stuff guys, thanks for the input.

So my question now is what are the risks of not running a firewall on your VPS that has a public ip address directly on the internet?

Other than services that we want to use, and therefore have to be exposed, like http and ssh, what else is exposed and potentially vulnerable?

Think im going to start running some scans against one of my spare VPSs with nessus or something and see what happens.

taipres

@Deor said: Interesting stuff guys, thanks for the input.

So my question now is what are the risks of not running a firewall on your VPS that has a public ip address directly on the internet?

Other than services that we want to use, and therefore have to be exposed, like http and ssh, what else is exposed and potentially vulnerable?

Think im going to start running some scans against one of my spare VPSs with nessus or something and see what happens.

Anything that listens on a port can be a way into your server(or connects out from your server). Other than that nothing :) so my advice is change the default ssh port, install fail2ban, make sure your web server is properly configured/secured, obviously don't run them under root, and make sure everything else is good

gbshouse

Instead of raw iptables you can use ufw. I'm to lazy to write custom scripts so I've excel file with all our servers, their IPs and ports and I'm using it to generate firewalls. Beside that "less is more" - less potential access methods more secure :)

Deor

@gbshouse said: Instead of raw iptables you can use ufw.

I've mainly used Firehol to configure iptables, but was testing UFW the other day too. Both seem to do a good job, but the problem i had was getting things like PPTPd to work as you need to add specific rules and forwards and i just couldnt get either tool to do it.

Anyway, its always good to understand a bit more about whats going on behind the tools i think :)

efball

what else is exposed and potentially vulnerable?

I run pop, but I firewall it and access it thru ssh.

Maounique

@efball said: I run pop, but I firewall it and access it thru ssh.

Could always make it listen to lo only, then. M

sleddog

@Deor said: Other than services that we want to use, and therefore have to be exposed, like http and ssh, what else is exposed and potentially vulnerable?

Think im going to start running some scans against one of my spare VPSs with nessus or something and see what happens.

Listening TCP ports:

netstat -ltn

And UDP ports:

netstat -lun

"0.0.0.0" means listening on all interfaces, including your public one.

For services that only you access, use iptables to restrict access to a specific IP or IPs or network range with iptables.

# Restricted access to port 1234
-A INPUT -p tcp -s 192.168.1.10  --dport 1234 -j ACCEPT
-A INPUT -p tcp -s 172.21.5.0/24 --dport 1234 -j ACCEPT
-A INPUT -p tcp -s 172.22.0.0/16 --dport 1234 -j ACCEPT
-A INPUT -p tcp -s 172.23.0.0/16 --dport 1234 -j ACCEPT
-A INPUT -p tcp --dport 1234 -j DROP

Deor

@sleddog said: Listening TCP ports:

netstat -ltn

And UDP ports:

netstat -lun

Nice, thanks mate :)

Deor

@Maounique said: Could always make it listen to lo only, then.

And i guess you could do that with any service like exim and mysql. Nice tip

efball

Could always make it listen to lo only

Not for services (pop) run from inetd :(