Difference between revisions of "IP Tables Firewall Example"
imported>Bob (Created page with "From here but then I expanded a bit for my needs (and dropped the block china part):</br> https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-...")
(One intermediate revision by the same user not shown)
Line 1: | Line 1: | ||
− | From here but then I expanded a bit for my needs (and dropped the block china part): | + | From here but then I expanded a bit for my needs (and dropped the block china part): |
− | https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables< | + | *https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables |
+ | |||
+ | I'm still learning how this all goes together however... and one thing. for some reason here, flushing the iptables rules rather than restarting the computer locks you out. It must be something I don't have quite right so watch out for that when configuring and testing. As far as I can tell though, this rule set is a good base and my intention is that it restricts access to just the UAF domain for the radio as well as ssh.<br> | ||
+ | What is set up to do: | ||
+ | * Allow http & https to UAF domain | ||
+ | * Allow ser2net port access to UAF domain | ||
+ | * Allow SSH access from anywhere | ||
+ | ** I go back and forth on this. I think for serial servers that it's probably legit to assume that they will only be accessed from UAF and ssh access could be limited accordingly. | ||
− | |||
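Review bot: the lockout described in the added paragraph ("flushing the iptables rules rather than restarting the computer locks you out") is expected behaviour with this ruleset rather than a misconfiguration, and the paragraph should say so: the file sets the chain policy `:INPUT DROP`, and `iptables -F` removes the ACCEPT rules (including the ESTABLISHED,RELATED rule and the SSH rule) while leaving that policy in place, so every inbound packet, the current SSH session included, is dropped. Suggest replacing "It must be something I don't have quite right" with a note to set the INPUT policy to ACCEPT before flushing, or to reload with `iptables-restore < /etc/iptables.firewall.rules` instead of flushing, and to test changes from a console or with a second session open.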
Line 30: | Line 36: | ||
-A OUTPUT -j ACCEPT | -A OUTPUT -j ACCEPT | ||
− | # Allow HTTP and HTTPS connections from | + | # Allow HTTP and HTTPS connections from UAF (the normal ports for websites and SSL). |
− | + | -A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT | |
− | + | -A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT | |
+ | -A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT | ||
+ | -A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT | ||
+ | # Allow Ser2net connections from UAF | ||
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT | -A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT | ||
-A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT | -A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT | ||
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7808 -j ACCEPT | -A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7808 -j ACCEPT | ||
+ | |||
+ | # I think this drops all others to 7808. | ||
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7808 -j DROP | -A INPUT -s 0.0.0.0/0 -p tcp --dport 7808 -j DROP | ||
+ | # Allow Ser2net connections from UAF | ||
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7809 -j ACCEPT | -A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7809 -j ACCEPT | ||
+ | -A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 7809 -j ACCEPT | ||
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7809 -j ACCEPT | -A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7809 -j ACCEPT | ||
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7809 -j DROP | -A INPUT -s 0.0.0.0/0 -p tcp --dport 7809 -j DROP | ||
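Review bot: the comment added above the 7809 rules repeats "# Allow Ser2net connections from UAF" word for word from the 7808 block; make it name the port (for example "# Allow Ser2net connections from UAF (port 7809)") so the two blocks can be told apart when reading the file. The added "# I think this drops all others to 7808." can be stated definitely: `-A INPUT -s 0.0.0.0/0 -p tcp --dport 7808 -j DROP` does drop every other source for that port, although with `:INPUT DROP` as the chain policy and a final `-A INPUT -j DROP` it is redundant; keeping it is harmless, but the comment should not read as a guess.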
Line 47: | Line 60: | ||
# Allow SSH connections | # Allow SSH connections | ||
− | # | + | # Access controlled through sshd configuration and jail2ban usage |
# The -dport number should be the same port number you set in sshd_config | # The -dport number should be the same port number you set in sshd_config | ||
# | # |
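Review bot: "jail2ban" in the added comment should read "fail2ban" (the tool's actual name), and the existing "-dport" in the following comment should be "--dport" to match the option used in the rule itself; both are comment-only fixes but the file is meant to be copied by others.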
Latest revision as of 11:38, 28 January 2016
From here but then I expanded a bit for my needs (and dropped the block china part):
- https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables
I'm still learning how this all goes together, however, and one thing: for some reason here, flushing the iptables rules rather than restarting the computer locks you out. It must be something I don't have quite right, so watch out for that when configuring and testing. As far as I can tell, though, this rule set is a good base, and my intention is that it restricts access to just the UAF domain for the radio as well as SSH.
What it is set up to do:
- Allow HTTP and HTTPS to the UAF domain
- Allow ser2net port access to the UAF domain
- Allow SSH access from anywhere
  - I go back and forth on this. I think for serial servers that it's probably legit to assume that they will only be accessed from UAF, and SSH access could be limited accordingly.
Dump the following into /etc/iptables.firewall.rules
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# from Jim:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

-A INPUT -s 137.229.94.2 -d 244.0.0.1 -j ACCEPT
#-A INPUT -s 224.0.0.1 -p udp -m udp -j ACCEPT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from UAF (the normal ports for websites and SSL).
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT

# Allow Ser2net connections from UAF (port 7808)
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT
-A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7808 -j ACCEPT

# I think this drops all others to 7808.
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7808 -j DROP

# Allow Ser2net connections from UAF (port 7809)
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7809 -j ACCEPT
-A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 7809 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7809 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7809 -j DROP

-A INPUT -s 137.229.0.0/16 -p udp -m udp -j ACCEPT

# Allow SSH connections
# Access controlled through sshd configuration and fail2ban usage
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Log iptables denied calls (disabled once I saw what all was getting blocked)
##-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
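As an added example (not code from the wiki page or its author), the following Python evaluator parses a trimmed copy of the ruleset above and walks the INPUT chain the way the kernel does: the first matching rule decides, and the chain policy applies when nothing matches. It answers the two questions the page raises, what the ruleset is set up to do (which sources reach 7808, 443, SSH and ping) and why flushing the rules locks you out (with the rules gone, `:INPUT DROP` is all that is left, so even a new SSH connection is dropped). The host address 10.0.0.5, the interface name eth0 and the sample source addresses are constructed placeholders; only the matches the page's rules use are implemented.

```python
"""Evaluate an iptables-restore ruleset offline (added example, not the wiki page's code).

Only the matches the page's rules use are understood: -s/-d (CIDR), -i, -p,
--dport, --icmp-type, -m state --state, and the targets ACCEPT/DROP/REJECT.
Anything else raises, so an unsupported rule is never silently skipped.
"""
import ipaddress
import shlex

# Trimmed copy of the page's /etc/iptables.firewall.rules (port 80, 7809 and
# 199.165.0.0/16 lines omitted to keep the example short).
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7808 -j ACCEPT
# I think this drops all others to 7808.
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7808 -j DROP
-A INPUT -s 137.229.0.0/16 -p udp -m udp -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
"""


def parse(text):
    """Return ({chain: policy}, [rule dicts]) in file order."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drops '#' and '##' comments
        if not line or line in ("*filter", "COMMIT"):
            continue
        if line.startswith(":"):                 # ':INPUT DROP [0:0]'
            chain, policy, _counters = line[1:].split()
            policies[chain] = policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            raise ValueError(f"unsupported line: {raw}")
        rule, i = {"chain": toks[1]}, 2
        while i < len(toks):                     # every option used here takes one arg
            opt, arg = toks[i], toks[i + 1]
            if opt in ("-s", "-d"):
                rule[opt] = ipaddress.ip_network(arg, strict=False)
            elif opt == "--dport":
                rule[opt] = int(arg)
            elif opt == "--state":
                rule[opt] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
            elif opt in ("-i", "-p", "--icmp-type"):
                rule[opt] = arg
            elif opt != "-m":                    # '-m tcp' / '-m state' only name a module
                raise ValueError(f"unsupported option {opt!r} in: {raw}")
            i += 2
        rules.append(rule)
    return policies, rules


def pkt(src, proto=None, dport=None, *, dst="10.0.0.5", iface="eth0",
        state="NEW", icmp_type=None):
    """A constructed inbound packet; dst and iface defaults are placeholders for the host."""
    return dict(src=src, dst=dst, iface=iface, proto=proto, dport=dport,
                state=state, icmp_type=icmp_type)


def matches(rule, p):
    """True when every match present in the rule holds for packet p."""
    checks = (
        ("-s", lambda v: ipaddress.ip_address(p["src"]) in v),
        ("-d", lambda v: ipaddress.ip_address(p["dst"]) in v),
        ("-i", lambda v: p["iface"] == v),
        ("-p", lambda v: p["proto"] == v),
        ("--dport", lambda v: p["dport"] == v),
        ("--icmp-type", lambda v: p["icmp_type"] == v),
        ("--state", lambda v: p["state"] in v),
    )
    return all(ok(rule[opt]) for opt, ok in checks if opt in rule)


def verdict(policies, rules, p, chain="INPUT"):
    """First matching rule in the chain decides; otherwise the chain policy applies."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, p):
            return rule["target"]
    return policies[chain]


if __name__ == "__main__":
    policies, rules = parse(RULES)
    for label, p in [("ser2net from UAF", pkt("137.229.1.1", "tcp", 7808)),
                     ("ser2net from elsewhere", pkt("203.0.113.9", "tcp", 7808)),
                     ("ssh from elsewhere", pkt("203.0.113.9", "tcp", 22)),
                     ("ping", pkt("10.0.0.7", "icmp", icmp_type="echo-request"))]:
        print(f"{label:24} -> {verdict(policies, rules, p)}")
    # What `iptables -F` leaves behind: no rules, same DROP policy, so SSH is cut off.
    print(f"{'ssh after flush':24} -> {verdict(policies, [], pkt('203.0.113.9', 'tcp', 22))}")
```

Run it as a script to see the verdict table, or import `parse`, `pkt` and `verdict` and point `parse` at the real file to check a rule change before loading it. The evaluator deliberately models only what the page's rules use: there is no conntrack, so `--state` is taken from the constructed packet, and the kernel's own martian-source filtering (which would already discard a 127.0.0.0/8 source arriving on eth0) is not modelled.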
Those are our rules. Next, the computer needs to be told to load them at boot:
sudo nano /etc/network/if-pre-up.d/firewall
Add the following to that file:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
Next, make sure it is executable:
sudo chmod +x /etc/network/if-pre-up.d/firewall
Should be golden.