Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
info:hosting:basics:firewalls [2018/01/09 10:32]
Thibmo 		info:hosting:basics:firewalls [2018/01/10 11:28] (current)
Thibmo
Line 1: Line 1:
 ====== Firewall Basics ====== ====== Firewall Basics ======
-{{page>​disclaimer_widget}}+{{page>:disclaimer_widget&​noheader&​nofooter&​noeditbtn}}
 This topic will contain some information about firewalls and how to set them up.\\ This topic will contain some information about firewalls and how to set them up.\\
 +The trick with firewalls is to block everything by default, and only allow the traffic that you wish to handle.
 +
 +On this page we will provide samples based on Linux'​s IPTables, as this is what's commonly used for Linux webservers.
 +
 +<WRAP center round important>​
 +To follow this example you are required to login as user root.\\
 +If you don't have the password of the root user you can use __//​sudo//​__ instead.
 +</​WRAP>​
 +
 +
 +===== Creating A Persistent Rule File =====
 +**Debian/​Ubuntu:​**
 +  - Create a new empty file: <code bash>​touch /​etc/​iptables.up.rules</​code>​
 +  - Edit your interface configuration file: <code bash>​nano /​etc/​network/​interfaces</​code>​
 +  - Append your main interface with the following rule: <code bash> ​       post-up iptables-restore < /​etc/​iptables.up.rules</​code>​
 +
 +===== Default Set Of Rules =====
 +**Debian/​Ubuntu:​**
 +  - Edit your firewall configuration file: <code bash>​nano /​etc/​iptables.up.rules</​code>​
 +  - Set the file's contents to: <code bash>​*filter
 +:FORWARD ACCEPT [0:0]
 +:INPUT DROP [0:0]
 +:OUTPUT ACCEPT [0:0]
 +# Accept Established
 +-A INPUT -m state --state ESTABLISHED -j ACCEPT
 +# Accept Related
 +-A INPUT -m state --state RELATED -j ACCEPT
 +# Accept DNS return
 +-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
 +# Accept ICMP 0
 +-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
 +# Accept ICMP 3
 +-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
 +# Accept ICMP 4
 +-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
 +# Accept ICMP 8
 +-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 +# Accept ICMP 11
 +-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
 +# Accept ICMP 12
 +-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
 +# Accept FTP(S)
 +-A INPUT -p tcp -m tcp --dport 20:21 -j REJECT
 +# Accept SSH To Host
 +-A INPUT -p tcp -m tcp -d <Host main IP address> --dport 22 -j ACCEPT
 +# Accept IDENT
 +-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
 +# Drop sensitive ports
 +-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
 +# Drop sensitive ports
 +-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
 +# Drop sensitive ports
 +-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
 +
 +COMMIT
 +*nat
 +:OUTPUT ACCEPT [0:0]
 +:​POSTROUTING ACCEPT [0:0]
 +:PREROUTING ACCEPT [0:0]
 +:INPUT ACCEPT [0:0]
 +COMMIT
 +*mangle
 +:​POSTROUTING ACCEPT [0:0]
 +:PREROUTING ACCEPT [0:0]
 +:FORWARD ACCEPT [0:0]
 +:OUTPUT ACCEPT [0:0]
 +:INPUT ACCEPT [0:0]
 +COMMIT
 +</​code>​
 +
 +===== Adding more rules =====
 +There are plenty of tutorials out there.\\
 +Here a few examples:\\
 +[[https://​www.thegeekstuff.com/​2011/​06/​iptables-rules-examples|thegeekstuff.com]]\\
 +[[https://​www.digitalocean.com/​community/​tutorials/​iptables-essentials-common-firewall-rules-and-commands|digitalocean.com]]
 +
 +For this configuration file you need to truncate both __//​sudo//​__ and __//​iptables//​__ from the start of the command.\\
 +To apply these new rules you need to perform one of the following tasks:
 +  * Reload your network stack: <code bash>​iptables -F; service networking restart</​code>​
 +  * Restore the config directly: <code bash>​iptables -F; iptables-restore < /​etc/​iptables.up.rules</​code>​