Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
info:hosting:basics:firewalls [2018/01/09 10:35] Thibmo |
info:hosting:basics:firewalls [2018/01/10 11:28] Thibmo |
||
---|---|---|---|
Line 2: | Line 2: | ||
{{page>:disclaimer_widget&noheader&nofooter&noeditbtn}} | {{page>:disclaimer_widget&noheader&nofooter&noeditbtn}} | ||
This topic will contain some information about firewalls and how to set them up.\\ | This topic will contain some information about firewalls and how to set them up.\\ | ||
+ | The trick with firewalls is to block everything by default, and only allow the traffic that you wish to handle. | ||
+ | |||
+ | On this page we will provide samples based on Linux's IPTables, as this is what's commonly used for Linux webservers. | ||
+ | |||
+ | <WRAP center round important> | ||
+ | To follow this example you are required to login as user root.\\ | ||
+ | If you don't have the password of the root user you can use __//sudo//__ instead. | ||
+ | </WRAP> | ||
+ | |||
+ | |||
+ | ===== Creating A Persistent Rule File ===== | ||
+ | **Debian/Ubuntu:** | ||
+ | - Create a new empty file: <code bash>touch /etc/iptables.up.rules</code> | ||
+ | - Edit your interface configuration file: <code bash>nano /etc/network/interfaces</code> | ||
+ | - Append your main interface with the following rule: <code bash> post-up iptables-restore < /etc/iptables.up.rules</code> | ||
+ | |||
+ | ===== Default Set Of Rules ===== | ||
+ | **Debian/Ubuntu:** | ||
+ | - Edit your firewall configuration file: <code bash>nano /etc/iptables.up.rules</code> | ||
+ | - Set the file's contents to: <code bash>*filter | ||
+ | :FORWARD ACCEPT [0:0] | ||
+ | :INPUT DROP [0:0] | ||
+ | :OUTPUT ACCEPT [0:0] | ||
+ | # Accept Established | ||
+ | -A INPUT -m state --state ESTABLISHED -j ACCEPT | ||
+ | # Accept Related | ||
+ | -A INPUT -m state --state RELATED -j ACCEPT | ||
+ | # Accept DNS return | ||
+ | -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT | ||
+ | # Accept ICMP 0 | ||
+ | -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT | ||
+ | # Accept ICMP 3 | ||
+ | -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT | ||
+ | # Accept ICMP 4 | ||
+ | -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT | ||
+ | # Accept ICMP 8 | ||
+ | -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT | ||
+ | # Accept ICMP 11 | ||
+ | -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT | ||
+ | # Accept ICMP 12 | ||
+ | -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT | ||
+ | # Accept FTP(S) | ||
+ | -A INPUT -p tcp -m tcp --dport 20:21 -j REJECT | ||
+ | # Accept SSH To Host | ||
+ | -A INPUT -p tcp -m tcp -d <Host main IP address> --dport 22 -j ACCEPT | ||
+ | # Accept IDENT | ||
+ | -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT | ||
+ | # Drop sensitive ports | ||
+ | -A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP | ||
+ | # Drop sensitive ports | ||
+ | -A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP | ||
+ | # Drop sensitive ports | ||
+ | -A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP | ||
+ | |||
+ | COMMIT | ||
+ | *nat | ||
+ | :OUTPUT ACCEPT [0:0] | ||
+ | :POSTROUTING ACCEPT [0:0] | ||
+ | :PREROUTING ACCEPT [0:0] | ||
+ | :INPUT ACCEPT [0:0] | ||
+ | COMMIT | ||
+ | *mangle | ||
+ | :POSTROUTING ACCEPT [0:0] | ||
+ | :PREROUTING ACCEPT [0:0] | ||
+ | :FORWARD ACCEPT [0:0] | ||
+ | :OUTPUT ACCEPT [0:0] | ||
+ | :INPUT ACCEPT [0:0] | ||
+ | COMMIT | ||
+ | </code> | ||
+ | |||
+ | ===== Adding more rules ===== | ||
+ | There are plenty of tutorials out there.\\ | ||
+ | Here a few examples:\\ | ||
+ | [[https://www.thegeekstuff.com/2011/06/iptables-rules-examples|thegeekstuff.com]]\\ | ||
+ | [[https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands|digitalocean.com]] | ||
+ | |||
+ | For this configuration file you need to truncate both __//sudo//__ and __//iptables//__ from the start of the command.\\ | ||
+ | To apply these new rules you need to perform one of the following tasks: | ||
+ | * Reload your network stack: <code bash>iptables -F; service networking restart</code> | ||
+ | * Restore the config directly: <code bash>iptables -F; iptables-restore < /etc/iptables.up.rules</code> | ||