How To Set Up a Firewall Using IP Tables on Ubuntu 12.04

SUBMITTED BY: Guest

DATE: Jan. 10, 2015, 9:31 a.m.

FORMAT: Text only

SIZE: 12.3 kB

Raw Download

HITS: 787

Report
  1. About IP Tables
  3. In order to make a server more secure after the initial set up, Ubuntu ships with Iptables which is the distribution’s default firewall. At the outset, although the Ubuntu firewall is configured, it is set up to allow all incoming and outgoing traffic on a virtual private server. To enable some stronger protection on the server, we can add some basic rules to the IP Table.
  5. The IP table rules come from a series of options that can be combined to create each specific process. Each packet that crossing the firewall is checked by each rule in order. As soon as it matches a rule, the packet follows the associated action, otherwise it proceeds down the line.
  7. Note: This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4. For example, “iptables” only maintains firewall rules for IPv4 addresses but it has an IPv6 counterpart called “ip6tables”, which can be used to maintain firewall rules for IPv6 network addresses.
  9. If your VPS is configured for IPv6, please remember to secure both your IPv4 and IPv6 network interfaces with the appropriate tools. For more information about IPv6 tools, refer to this guide: How To Configure Tools to Use IPv6 on a Linux VPS
  10. IP Table Commands
  12. Although this tutorial will go over a limited amount of commands that would provide a server with some basic security, there are a variety of nuanced and specific cases that can be developed for the IP Table. Below are some of the most useful commands for developing a firewall for your VPS, but keep in mind that this is a short list and there are a variety of other options.
  13. -A: (Append), adds a rule to the IP Tables -L: (List), shows the current rules -m conntrack: allows rules to be based on the current connection state, elaborated in the the --cstate command. --cstate: explains the states that connections can be in, there are 4: New, Related, Established, and Invalid -p: (protocol), refers to the the protocol of the rule or of the packet to check.The specified protocol can be one of tcp, udp, udplite, icmp, esp, ah, sctp or the special keyword "all". --dport: (port), refers to the the port through which the machine connects -j: (jump), this command refers to the action that needs to be taken if something matches a rule perfectly. It translates to one of four possibilities: -ACCEPT: the packet is accepted, and no further rules are processed -REJECT: the packet is rejected, and the sender is notified, and no further rules are processed -DROP: the packet is rejected, but the sender is not notified, and no further rules are processed -LOG: the packet is accepted but logged, and the following rules are processed -I: (Insert), adds a rule between two previous ones -I INPUT 3: inserts a rule into the IP Table to make it the third in the list -v: (verbose), offers more details about a rule
  14. 1
  15. 2
  16. 3
  17. 4
  18. 5
  19. 6
  20. 7
  21. 8
  22. 9
  23. 10
  24. 11
  25. 12
  26. 13
  27. 14
  29. -A: (Append), adds a rule to the IP Tables
  30. -L: (List), shows the current rules
  31. -m conntrack: allows rules to be based on the current connection state, elaborated in the the --cstate command.
  32. --cstate: explains the states that connections can be in, there are 4: New, Related, Established, and Invalid
  33. -p: (protocol), refers to the the protocol of the rule or of the packet to check.The specified protocol can be one of tcp, udp, udplite, icmp, esp, ah, sctp or the special keyword "all".
  34. --dport: (port), refers to the the port through which the machine connects
  35. -j: (jump), this command refers to the action that needs to be taken if something matches a rule perfectly. It translates to one of four possibilities:
  36. -ACCEPT: the packet is accepted, and no further rules are processed
  37. -REJECT: the packet is rejected, and the sender is notified, and no further rules are processed
  38. -DROP: the packet is rejected, but the sender is not notified, and no further rules are processed
  39. -LOG: the packet is accepted but logged, and the following rules are processed
  40. -I: (Insert), adds a rule between two previous ones
  41. -I INPUT 3: inserts a rule into the IP Table to make it the third in the list
  42. -v: (verbose), offers more details about a rule
  44. Creating the IP Table:
  46. If you type in the following, you can see the current rules in the virtual server’s IP Table:
  47. sudo iptables -L
  48. 1
  50. sudo iptables -L
  52. They should look like this:
  53. Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
  54. 1
  55. 2
  56. 3
  57. 4
  58. 5
  59. 6
  60. 7
  61. 8
  63. Chain INPUT (policy ACCEPT)
  64. target prot opt source destination
  66. Chain FORWARD (policy ACCEPT)
  67. target prot opt source destination
  69. Chain OUTPUT (policy ACCEPT)
  70. target prot opt source destination
  72. If you have another set of rules in place or want to start fresh, you can always set the rules back to the default by flushing and deleting all of them:
  73. sudo iptables -F
  74. 1
  76. sudo iptables -F
  78. Additionally, if you want speed up your work with IP Table, you can include -n in the command. This option disables DNS lookups and prevents the command from trying to find the reverse of each IP in the ruleset. You could use this to list rules, as an example:
  79. iptables -L -n
  80. 1
  82. iptables -L -n
  84. A Basic Firewall
  86. As it stands the current rules allow all connections, both incoming and outgoing. There are no security measures in place whatsoever. As we build up the table, keep in mind that as soon as a packet is ACCEPTED, REJECTED, or DROPPED, no further rules are processed. Therefore the rules that come first take priority over later ones.
  88. While creating the rules, we have to be sure to prevent ourselves from accidentally blocking SSH (the method through which we connected to the server).
  90. To start off, let’s be sure to allow all current connections, all of the connections at the time of making the rule, will stay online:
  91. sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  92. 1
  94. sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  96. We can go ahead and break this down:
  98. -A tells the IP table to append a rule to the table.
  99. INPUT designates this rule as part of the Input chain.
  100. m conntrack followed by the –cstate ESTABLISHED,RELATED guarantees that the result of this rule will only apply to current connections and those related to them are allowed
  101. -j ACCEPT tells the packet to JUMP to accept and the connections are still in place.
  103. After we are assured that all the current connections to the virtual private server can stay up uninterrupted, we can proceed to start blocking off other insecure connections.
  105. Let’s assume that we want to block all incoming traffic, except for those coming in on 2 common ports: 22 for SSH and 80 for web traffic. We proceed by allowing all traffic on the designated ports with the following commands:
  106. sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  107. 1
  109. sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
  111. sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  112. 1
  114. sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  116. In both of these commands, the -p option stands for the protocol with which the connection is being made, in this case tcp, while the –dport specifies the port through which the packet is being transmitted.
  118. After we have guaranteed that the desirable traffic will make it through the firewall, we can finish up by blocking all remaing traffic from accessing our virtual server. Because this is the last rule in the list, all traffic that matches any of the previous rules in the IP Table will not be affected, and will be treated as we set up previously.
  120. Let’s make a rule to block all of the remaining traffic:
  121. sudo iptables -P INPUT DROP
  122. 1
  124. sudo iptables -P INPUT DROP
  126. With that, we can see what our updated rules look like:
  127. sudo iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp dpt:http
  128. 1
  129. 2
  130. 3
  131. 4
  132. 5
  133. 6
  135. sudo iptables -L
  136. Chain INPUT (policy DROP)
  137. target prot opt source destination
  138. ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
  139. ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
  140. ACCEPT tcp -- anywhere anywhere tcp dpt:http
  142. We are almost finished. However, we are missing one more rule. We need to provide our VPS with loopback access. If we were to add the rule now without further qualifiers, it would go to the end of the list and, since it would follow the rule to block all traffic, would never be put into effect.
  144. In order to counter this issue, we need to make this rule first in the list, using the INPUT option :
  145. sudo iptables -I INPUT 1 -i lo -j ACCEPT
  146. 1
  148. sudo iptables -I INPUT 1 -i lo -j ACCEPT
  150. -I INPUT 1 places this rule at the beginning of the table
  151. lo refers to the loopback interface
  152. -j ACCEPT then guarantees that the loopback traffic will be accepted
  154. Now we have finished creating a basic firewall. Your rules should look like this (we can see the details of the iptable by typing -v):
  155. sudo iptables -L -v
  156. 1
  158. sudo iptables -L -v
  160. Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo any anywhere anywhere 1289 93442 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED 2 212 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 157 packets, 25300 bytes) pkts bytes target prot opt in out source destination
  161. 1
  162. 2
  163. 3
  164. 4
  165. 5
  166. 6
  167. 7
  168. 8
  169. 9
  170. 10
  171. 11
  172. 12
  174. Chain INPUT (policy DROP 0 packets, 0 bytes)
  175. pkts bytes target prot opt in out source destination
  176. 0 0 ACCEPT all -- lo any anywhere anywhere
  177. 1289 93442 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
  178. 2 212 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
  179. 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
  181. Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  182. pkts bytes target prot opt in out source destination
  184. Chain OUTPUT (policy ACCEPT 157 packets, 25300 bytes)
  185. pkts bytes target prot opt in out source destination
  187. However, as soon as the virtual server reboots, the IP tables will be wiped. The next step will go over saving and restoring the IP tables.
  188. Saving IP Tables
  190. Although the IP tables are effective, they will automatically be deleted if the server reboots. To make sure that they remain in effect, we can use a package called IP-Tables persistent.
  192. We can install it using apt-get:
  193. sudo apt-get install iptables-persistent
  194. 1
  196. sudo apt-get install iptables-persistent
  198. During the installation, you will be asked if you want to save the iptable rules to both the IPv4 rules and the IPv6 rules. Say yes to both.
  200. Your rules will then be saved in /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
  202. Once the installation is complete, start iptables-persistent running:
  203. sudo service iptables-persistent start
  204. 1
  206. sudo service iptables-persistent start
  208. After any server reboot, you will see that the rules remain in place.
  209. http://nowquestion.net/questions/how-to-set-up-a-firewall-using-ip-tables-on-ubuntu-12-04
comments powered by Disqus