First, Netfilter, IPTables are huge subjects that requires lots of time and practice to master it and i don’t claim to be a master of this art. Hence, this post is targeted towards those people who subscribe to a Virtual Private Server (VPS) plan and need to secure their instance against unwanted intruders.
Even though Netfilter and IPTABLES are pretty involved subjects, it turns out that for filtering out unwanted packets it is pretty straight forward, at least in my case.
Before venturing into IPTABLE configuration, i would like to provide few links that i referred to setup my firewall rules.
IPTABLE Tutorial
A Neat write up on securing Cent OS
Example Filter Script
Here is the filter rule that I use. The filter rule must be in /etc/sysconfig/iptables for CentOS. i have tested it on CentOS only.
Save the file
To be safe make the file readable only by root
Now restart iptables service as follows in CentOS. This should be similar in other flavours as well.
Test it out
Enabling TCP WRAPPERS TO Add Another Layer of Security
Many network applications consults two files named hosts.deny and hosts.allow before granting access to the users who want to use those network applications. In securing linux, it is recommended to add several layers of security. So even if one is compromised, others could hold gaurd. TCP Wrappers is another layer of security against the network intruders.
Any application that consults these two files has the following flow:
Here are the basic rules for hosts.allow
Here are the basic rules for hosts.deny
Saves the files. Now you are set.
Even though Netfilter and IPTABLES are pretty involved subjects, it turns out that for filtering out unwanted packets it is pretty straight forward, at least in my case.
Before venturing into IPTABLE configuration, i would like to provide few links that i referred to setup my firewall rules.
IPTABLE Tutorial
A Neat write up on securing Cent OS
Example Filter Script
Here is the filter rule that I use. The filter rule must be in /etc/sysconfig/iptables for CentOS. i have tested it on CentOS only.
*filter # By Default Drop all incoming and forwarded packets :INPUT DROP [0:0] :FORWARD DROP [0:0] #By default allow all packets that originates from your machine to the outside world :OUTPUT ACCEPT [0:0] #now allow the incoming packets from an established outgoing connection from your machine -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT # Allow required Incoming ports. Here i am allowing packets whose destination port is for # http, https, and SSH -A INPUT -p tcp –dport 80 -j ACCEPT -A INPUT -p tcp –dport 443 -j ACCEPT -A INPUT -p tcp –dport 22 -j ACCEPT # accept from local host. -A INPUT -i lo -j ACCEPT # accept echo requests. This will be good to test whether your server is alive -A INPUT -p icmp –icmp-type ping -j ACCEPT COMMIT |
Save the file
To be safe make the file readable only by root
$chmod 600 /etc/sysconfig/iptables |
Now restart iptables service as follows in CentOS. This should be similar in other flavours as well.
$service iptables restart /* if you are a root*/ OR $sudo service iptables restart /*if you have privilege to gain root permission*/ |
Test it out
Enabling TCP WRAPPERS TO Add Another Layer of Security
Many network applications consults two files named hosts.deny and hosts.allow before granting access to the users who want to use those network applications. In securing linux, it is recommended to add several layers of security. So even if one is compromised, others could hold gaurd. TCP Wrappers is another layer of security against the network intruders.
Any application that consults these two files has the following flow:
- hosts.allow is checked for “service name:connection address” pair match
- If it matches then access is granted.
- if it does not match then hosts.deny is checked. If “service name:connection address” pari matches, then access is denied.
- If it does not match in hosts.deny as well, then access is granted.
Here are the basic rules for hosts.allow
# # hosts.allow This file describes the names of the hosts which are # allowed to use the local INET services, as decided # by the ‘/usr/sbin/tcpd’ server. # #allow connection from 127.0.0.1 (localhost) to all INET services ALL: 127.0.0.1 #Allow connection from all internet address to sshd service sshd: ALL |
Here are the basic rules for hosts.deny
# hosts.deny This file describes the names of the hosts which are # *not* allowed to use the local INET services, as decided # by the ‘/usr/sbin/tcpd’ server. # #Simple Deny access from any address to any service. This is like “Deny first, allow required” #policy ALL: ALL |
Saves the files. Now you are set.