Differences

info:hosting:basics:firewalls [2018/01/09 10:35]
Thibmo
info:hosting:basics:firewalls [2018/01/09 13:34]
Thibmo
Line 2: Line 2:
 {{page>:​disclaimer_widget&​noheader&​nofooter&​noeditbtn}} {{page>:​disclaimer_widget&​noheader&​nofooter&​noeditbtn}}
 This topic will contain some information about firewalls and how to set them up.\\ This topic will contain some information about firewalls and how to set them up.\\
 +The trick with firewalls is to block everything by default, and only allow the traffic that you wish to handle.
 +
 +On this page we will provide samples based on Linux'​s IPTables, as this is what's commonly used for Linux webservers.
 +
 +<WRAP center round important>​
 +To follow this example you are required to login as user root.\\
 +If you don't have the password of the root user you can use __//​sudo//​__ instead.
 +</​WRAP>​
 +
 +
 +===== Creating A Persistent Rule File =====
 +**Debian/​Ubuntu:​**
 +  - Create a new empty file: <code bash>​touch /​etc/​iptables.up.rules</​code>​
 +  - Edit your interface configuration file: <code bash>​nano /​etc/​network/​interfaces</​code>​
 +  - Append your main interface with the following rule: <code bash> ​       post-up iptables-restore < /​etc/​iptables.up.rules</​code>​
 +
 +===== Default Set Of Rules =====
 +**Debian/​Ubuntu:​**
 +  - Edit your firewall configuration file: <code bash>​nano /​etc/​iptables.up.rules</​code>​
 +  - Set the file's contents to: <code bash>​*filter
 +:OUTPUT ACCEPT [0:0]
 +:INPUT DROP [0:0]
 +:FORWARD ACCEPT [0:0]
 +# Accept ACK
 +-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
 +# Accept Established
 +-A INPUT -m state --state ESTABLISHED -j ACCEPT
 +# Accept Related
 +-A INPUT -m state --state RELATED -j ACCEPT
 +# Accept DNS return
 +-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
 +# Accept ICMP 0
 +-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
 +# Accept ICMP 3
 +-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
 +# Accept ICMP 4
 +-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
 +# Accept ICMP 8
 +-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 +# Accept ICMP 11
 +-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
 +# Accept ICMP 12
 +-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
 +# Accept SSH To Host
 +-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 +# Accept IDENT
 +-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
 +# Drop sensitive ports
 +-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
 +# Drop sensitive ports
 +-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
 +# Drop sensitive ports
 +-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
 +COMMIT
 +
 +*nat
 +:OUTPUT ACCEPT [0:0]
 +:​POSTROUTING ACCEPT [0:0]
 +:PREROUTING ACCEPT [0:0]
 +:INPUT ACCEPT [0:0]
 +COMMIT
 +
 +*mangle
 +:​POSTROUTING ACCEPT [0:0]
 +:PREROUTING ACCEPT [0:0]
 +:FORWARD ACCEPT [0:0]
 +:OUTPUT ACCEPT [0:0]
 +:INPUT ACCEPT [0:0]
 +COMMIT
 +</​code>​
 +
 +===== Adding more rules =====
 +There are plenty of tutorials out there.\\
 +Here a few examples:\\
 +[[https://​www.thegeekstuff.com/​2011/​06/​iptables-rules-examples|thegeekstuff.com]]\\
 +[[https://​www.digitalocean.com/​community/​tutorials/​iptables-essentials-common-firewall-rules-and-commands|digitalocean.com]]
 +
 +For this configuration file you need to truncate both __//​sudo//​__ and __//​iptables//​__ from the start of the command.\\
 +To apply these new rules you need to perform one of the following tasks:
 +  * Reload your network stack: <code bash>​iptables -F; service networking restart</​code>​
 +  * Restore the config directly: <code bash>​iptables -F; iptables-restore < /​etc/​iptables.up.rules</​code>​
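Review bot: the INPUT chain in the `*filter` block has no loopback rule, so with `:INPUT DROP` any new connection a local service opens to 127.0.0.1 (a web application talking to its own database, for example) is dropped; add `-A INPUT -i lo -j ACCEPT` as the first rule. Two rules also undercut the block-everything-by-default stance the page sets out: `-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT` accepts every TCP segment carrying the ACK flag regardless of connection state, and `-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT` accepts any UDP datagram that merely claims source port 53 to the whole high-port range; since the ESTABLISHED and RELATED rules already admit legitimate replies (DNS answers included) through conntrack, both can be removed. The three `# Drop sensitive ports` rules only ever match packets the DROP policy would drop anyway (ACK-flagged ones were already accepted earlier in the chain), so they can go too. Smaller points: `-m state --state` is the legacy spelling of `-m conntrack --ctstate`; the file governs IPv4 only, so a dual-stack host needs an equivalent ruleset loaded with `ip6tables-restore`; and in the apply step `iptables -F; iptables-restore < /etc/iptables.up.rules` the flush is unnecessary because iptables-restore replaces each table atomically, while with the DROP policy already in place it leaves the SSH session with no matching ACCEPT rule if the restore then fails on a syntax error.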