One of the first things to do after installing the system is to configure iptables correctly to filter traffic. The default policy allows everything that is not explicitly prohibited. From a security standpoint this is not the best approach, because in this mode the server is fully exposed to intruders.
For example, an attacker can scan the ports open on the server. From that it is possible to determine the services in use, their versions, and the name and version of the operating system, and then go looking for vulnerabilities in them. Some ICMP messages can give away extra information too.
In general, the question of why you need to configure a firewall deserves a separate article, and there are countless of them already. If you are reading this one, you already know why you need it. ;)
Like all articles on this site, this instruction is based on personal experience, a la "this is how I do it"; someone else may do it differently.
Installing the necessary components
So, the system already has the main tool from the list, iptables. But that is not enough. You will also need the TARPIT target (provided by xtables-addons) and iptables-persistent, which loads the rules at system startup.
# aptitude install iptables-persistent xtables-addons-dkms
During the installation of iptables-persistent you will be asked two questions about saving the current rules. Answer "Yes" and the /etc/iptables/ directory will receive the rules files (rules.v4 and rules.v6) that we will edit.
Editing rules for ip version 4
Open the /etc/iptables/rules.v4 file in your favorite editor. You will see lines setting the default policy for the chains. All of them will be ACCEPT. For the FORWARD chain, set the policy to DROP: we are not a router or a machine that forwards traffic anywhere else. :) Leave the rest unchanged.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
All other rules are added before the COMMIT line. First of all, we add the rule allowing local (loopback) traffic.
-A INPUT -i lo -j ACCEPT
Next, a rule that allows all already established connections, for both tcp and udp. This is necessary for the network to work correctly: without it, responses to outgoing connections would be rejected.
-A INPUT -m state --state RELATED,ESTABLISHED -p all -j ACCEPT
Now you need to add a rule allowing new incoming connections to specific services. I have a web server, mail, and ssh.
Important note! Always add an allow rule for ssh, so that you do not lose access to the server after the rules are applied.
You can list other ports here, separated by commas. The multiport extension lets you specify several ports so that you do not have to write an almost identical rule for each one. ;)
-A INPUT -m state --state NEW -p tcp -m multiport --dport 22,25,80,443 -j ACCEPT
If you have only one service on the server for which you need to open one port, the rule will be as follows:
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
You may also need to open some udp ports. The only difference from the rules above is that instead of -p tcp you specify -p udp.
With the next rule, the TARPIT target comes in handy; we installed it with the xtables-addons-dkms package. In short, it creates a trap for incoming connections: it sends nothing back but holds the connection open, which ties up the connecting client's resources while costing the server almost nothing. You can read more about tarpit on the OpenNET website. For now, add a rule for all other incoming tcp connections.
-A INPUT -p tcp -m tcp -j TARPIT
Keep in mind that the trap works only with tcp. In the same way you can block individual IP addresses at the iptables level with TARPIT instead of a plain DROP. Unfortunately, it is not suitable for udp, so we simply drop all other incoming udp packets for which you have not created an exception above.
-A INPUT -p udp -j DROP
Now for ICMP. As the icmp type you can specify either the numeric type or its equivalent name. I use the numbers. :)
We allow incoming echo replies, in case we ping some other host from the server.
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
Then incoming "destination unreachable" messages.
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
And incoming echo requests, in case someone pings our server.
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
As well as "time exceeded" messages (a packet's TTL expired in transit).
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
This is the necessary minimum of messages for the network to operate correctly. You may need other types; you already know how to add them. :)
Now we create the rules for outgoing icmp messages. They look the same, only the chain is now OUTPUT, so there is no point in describing each of them.
-A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
Except for type 12, which is new here. It allows sending a "parameter problem" message (an error in the IP header or a required option is missing).
All other outgoing ICMP is prohibited so that the server does not give away anything extra.
-A OUTPUT -p icmp -j DROP
That's all. Save the /etc/iptables/rules.v4 file and activate the rules with the command:
cat /etc/iptables/rules.v4 | iptables-restore -c
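Before activating a rules file over ssh it is worth checking the two ordering mistakes that lock you out: a missing or misplaced ssh allow rule, and a RELATED,ESTABLISHED rule that sits after the TARPIT or DROP catch-all. The following small lint is an added example, not part of the original post or of iptables-persistent; it reads a rules.v4-style file on stdin, and the two rulesets it checks are constructed samples.

```shell
#!/bin/sh
# Added example: a lint for rules.v4 files that catches the ssh lockout the
# post warns about. Both rulesets below are constructed samples, not live config.
RULES_OK='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -p all -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m multiport --dport 22,25,80,443 -j ACCEPT
-A INPUT -p tcp -m tcp -j TARPIT
-A INPUT -p udp -j DROP
COMMIT'
# Same ruleset with the ssh allow rule forgotten: TARPIT swallows new ssh sessions.
RULES_LOCKOUT='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -p all -j ACCEPT
-A INPUT -p tcp -m tcp -j TARPIT
COMMIT'

# check_port_reachable PORT < rules: exit 0 if an INPUT ACCEPT for new tcp
# connections to PORT comes before the first catch-all tcp TARPIT/DROP rule.
check_port_reachable() {
  awk -v port="$1" '
    /^-A INPUT / {
      n++
      if ($0 ~ /-p tcp/ && $0 ~ /-j (TARPIT|DROP)/ && $0 !~ /--dport/ && !catchall) catchall = n
      if ($0 ~ /-p tcp/ && $0 ~ /-j ACCEPT/ && match($0, /--dports? [0-9,]+/)) {
        split(substr($0, RSTART, RLENGTH), f, " "); split(f[2], ports, ",")
        for (i in ports) if (ports[i] == port && !allow) allow = n
      }
    }
    END { exit (allow && (!catchall || allow < catchall)) ? 0 : 1 }'
}
# check_established < rules: exit 0 if the RELATED,ESTABLISHED accept rule
# precedes the first catch-all, so replies to outgoing connections survive.
check_established() {
  awk '
    /^-A INPUT / {
      n++
      if ($0 ~ /--state [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/ && !ok) ok = n
      if ($0 ~ /-j (TARPIT|DROP)/ && $0 !~ /--dport/ && !catchall) catchall = n
    }
    END { exit (ok && (!catchall || ok < catchall)) ? 0 : 1 }'
}
# Run the lint over both constructed samples.
for rules in "$RULES_OK" "$RULES_LOCKOUT"; do
  if printf '%s\n' "$rules" | check_port_reachable 22; then echo "ssh reachable"; else echo "ssh would be locked out"; fi
done
```

On a real server run it as `check_port_reachable 22 < /etc/iptables/rules.v4` before calling iptables-restore.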