Difference between revisions of "IP Tables Firewall Example"

From IARC 207 Wiki
imported>Bob
(Created page with "From here but then I expanded a bit for my needs (and dropped the block china part): https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-...")
Latest revision as of 11:38, 28 January 2016

From here but then I expanded a bit for my needs (and dropped the block china part):

  • https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables
I'm still learning how this all goes together, however, and one thing: for some reason here, flushing the iptables rules rather than restarting the computer locks you out. It must be something I don't have quite right, so watch out for that when configuring and testing. As far as I can tell, though, this rule set is a good base, and my intention is that it restricts access to just the UAF domain for the radio as well as ssh.
What it is set up to do:

  • Allow http & https to UAF domain
  • Allow ser2net port access to UAF domain
  • Allow SSH access from anywhere
    • I go back and forth on this. I think for serial servers that it's probably legit to assume that they will only be accessed from UAF and ssh access could be limited accordingly.


Dump the following into /etc/iptables.firewall.rules

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

#  Accept packets that belong to connections already allowed (from Jim).
#  With the INPUT policy set to DROP this is the rule that keeps your own SSH
#  session alive, so it comes first; it only needs to appear once.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all loopback (lo) traffic and reject traffic to 127/8 that doesn't arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Note: 244.0.0.1 is in the reserved 240.0.0.0/4 range (old class E), not in
#  multicast space, so this rule will not match ordinary traffic.  If the
#  all-hosts multicast group was intended, its address is 224.0.0.1.
-A INPUT -s 137.229.94.2 -d 244.0.0.1 -j ACCEPT
#-A INPUT -s 224.0.0.1 -p udp -m udp -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from UAF (the normal ports for websites and SSL).
#  Two UAF networks are listed; a new UAF range has to be added to every block below.
-A INPUT -s 137.229.0.0/16  -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 199.165.0.0/16  -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 137.229.0.0/16  -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 199.165.0.0/16  -p tcp -m tcp --dport 443 -j ACCEPT

#  Allow ser2net connections on port 7808 from UAF and from the host itself
#  (local traffic is already accepted by the loopback rule above; kept for clarity)
-A INPUT -s 137.229.0.0/16  -p tcp -m tcp --dport 7808 -j ACCEPT
-A INPUT -s 199.165.0.0/16  -p tcp -m tcp --dport 7808 -j ACCEPT
-A INPUT -s 127.0.0.0/8  -p tcp -m tcp --dport 7808 -j ACCEPT

#  Explicitly drop everything else to 7808.  The catch-all "-A INPUT -j DROP" at
#  the end would do this anyway; this rule just makes the intent visible.
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7808 -j DROP

#  Same for the second ser2net port, 7809
-A INPUT -s 137.229.0.0/16  -p tcp -m tcp --dport 7809 -j ACCEPT
-A INPUT -s 199.165.0.0/16  -p tcp -m tcp --dport 7809 -j ACCEPT
-A INPUT -s 127.0.0.0/8  -p tcp -m tcp --dport 7809 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7809 -j DROP


#  Allow any UDP from the UAF 137.229/16 network.  There is no --dport here, so
#  every UDP service on this host is reachable from that whole /16; add
#  "--dport <port>" once you know which service actually needs it.
-A INPUT -s 137.229.0.0/16 -p udp -m udp -j ACCEPT

#  Allow SSH connections from anywhere
#  Access controlled through sshd configuration and fail2ban usage
#  The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#  Log iptables denied calls (disabled once I saw what all was getting blocked)
##-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Those are our rules. Then we need to tell the computer to load them at boot:

sudo nano /etc/network/if-pre-up.d/firewall

Add the following to that file:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

Next, make sure it is executable:

sudo chmod +x /etc/network/if-pre-up.d/firewall
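The lockout mentioned at the top of the page has a plain explanation: the rules file sets the INPUT chain policy to DROP, and `iptables -F` removes the rules but leaves that policy in place, so the ESTABLISHED,RELATED rule that carries your SSH session is gone and every inbound packet is dropped. Loading the file with iptables-restore replaces the whole table in one commit, so there is never a moment with DROP and no rules. The script below is an added example, not the wiki author's code: it lints a rules file for the hazards visible in the one above (a DROP policy without an established-traffic accept, duplicate rules, accept rules reachable from any source, rules stranded after the catch-all DROP) and then loads it with a timed rollback so a bad file undoes itself even when you can no longer type. It assumes the path /etc/iptables.firewall.rules from this page, an iptables-restore that supports `--test` (check `iptables-restore --help`), and the script name firewall-reload.sh and 60 second rollback window are my choices.

```shell
#!/bin/bash
# Added example (not the wiki author's code): lint and safely load an
# iptables-save style rules file such as /etc/iptables.firewall.rules.
#
# Usage:  firewall-reload.sh lint  [rulesfile]    # no root needed
#         firewall-reload.sh apply [rulesfile]    # root; arms a timed rollback
# With no argument the script only defines its functions (so it can be sourced).

ROLLBACK_SECS=60   # assumed window; long enough to notice a dead SSH session

# Static checks on the rules file.  Prints one tagged finding per line and
# returns 1 if anything was found, 0 if the file looks clean.
lint_rules() {
    local f findings open dups dead
    f=$1
    findings=0
    # 1. INPUT policy DROP with nothing accepting established traffic: the
    #    session you load the rules from dies on the spot.
    if grep -q '^:INPUT DROP' "$f" && ! grep -q -E -- '--(ct)?state.*ESTABLISHED' "$f"; then
        echo "LOCKOUT: INPUT policy is DROP but no rule accepts ESTABLISHED,RELATED traffic"
        findings=$((findings + 1))
    fi
    # 2. INPUT accepts with no -s or -i restriction are reachable from anywhere
    #    (the established/related rule is exempt; ping and SSH will show up here).
    open=$(grep -E '^-A INPUT .*-j ACCEPT' "$f" | grep -v -E -- ' -s | -i |ESTABLISHED' || true)
    if [ -n "$open" ]; then
        printf '%s\n' "$open" | sed 's/^/OPEN: /'
        findings=$((findings + $(printf '%s\n' "$open" | wc -l)))
    fi
    # 3. Exact duplicate rules: the second copy can never match anything new.
    dups=$(grep '^-A ' "$f" | sort | uniq -d || true)
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups" | sed 's/^/DUPLICATE: /'
        findings=$((findings + $(printf '%s\n' "$dups" | wc -l)))
    fi
    # 4. INPUT rules after the catch-all "-A INPUT -j DROP" are dead code.
    dead=$(awk '/^-A INPUT -j DROP$/ { seen = 1; next } seen && /^-A INPUT /' "$f")
    if [ -n "$dead" ]; then
        printf '%s\n' "$dead" | sed 's/^/DEAD: /'
        findings=$((findings + $(printf '%s\n' "$dead" | wc -l)))
    fi
    [ "$findings" -eq 0 ]
}

# Load the rules atomically with a rollback armed first.  Needs root.
apply_rules() {
    local f backup timer ans
    f=$1
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || { echo "could not save current rules"; return 1; }
    # Parse-only pass: a syntax error stops here and the live table is untouched.
    if ! iptables-restore --test < "$f"; then
        echo "syntax error in $f, nothing changed"
        return 1
    fi
    # Arm the rollback BEFORE committing.  If the new rules cut us off we can no
    # longer type, but this background job restores the saved table regardless.
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$backup" ) &
    timer=$!
    iptables-restore < "$f"    # whole table replaced in one commit, no DROP-with-no-rules window
    echo "new rules loaded; rollback to $backup fires in $ROLLBACK_SECS s unless confirmed"
    read -r -t $((ROLLBACK_SECS - 10)) -p "still connected? type yes to keep the new rules: " ans
    if [ "$ans" = yes ]; then
        kill "$timer" 2>/dev/null   # the waiting subshell dies, so the restore never runs
        echo "kept new rules"
    else
        echo "no confirmation, rollback stays armed"
    fi
}

case "${1:-}" in
    lint)  lint_rules "${2:-/etc/iptables.firewall.rules}" ;;
    apply) apply_rules "${2:-/etc/iptables.firewall.rules}" ;;
    *)     ;;
esac
```

Run `firewall-reload.sh lint` on the file above and it will report the SSH and ping accepts as OPEN (which matches the author's own hesitation about SSH from anywhere), so treat OPEN as a review prompt rather than an error. One caveat on the boot hook itself: `/etc/network/if-pre-up.d/` is only executed by ifupdown; on a host that uses systemd-networkd or netplan instead, the Debian/Ubuntu `iptables-persistent` package, which loads `/etc/iptables/rules.v4` at boot, is the equivalent.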


Should be golden.