Iptables Basics

Deor Member
edited June 2012 in General

Just wondering what (if any) basic iptables rules you add when setting up a new VPS?

Comments

  • yomero Member
    edited June 2012

    Not me :P
    Well, some people do the DROP-all policy, and then allow each port one by one. I am too lazy for this xD

  • Gary Member

    I do that. Drop all, allow ports serving to the public one by one, and whitelist my own IPs for SSH etc.

  • marrco Member

    http://www.lowendtalk.com/discussion/comment/77516#Comment_77516

    When running MySQL bound to a public IP address you can add

    -A INPUT -p tcp -s server1address/24 --dport 3306 -j ACCEPT
    -A INPUT -p tcp -s server2address --dport 3306 -j ACCEPT

    and if you don't default to drop/reject, consider adding -A INPUT -p tcp --dport 3306 -j DROP

    Thanked by: djvdorp, Deor

  • Phil Member

    @Gary said: I do that. Drop all, allow ports serving to the public one by one, and whitelist my own IPs for SSH etc.

    So do I.

    @Deor, you may find some interesting sample rules here: http://www.thegeekstuff.com/2011/06/iptables-rules-examples/

  • William

    apt-get remove iptables

  • onepound

    @William said: apt-get remove iptables

    Ha,
    yum install iptables

    Any reason why you would be un-installing iptables there William?

    Thanked by: DeletedUser

  • William

    @onepound said: Any reason why you would be un-installing iptables there William?

    I prefer different software; iptables is not reliable at higher PPS.

  • gbshouse Member, Host Rep

    @William - which one?

    Thanked by: DeletedUser

  • @gbshouse said: @William - which one?

    Yeah, I'm interested to hear about this also.

  • William

    pf, along with kfreebsd kernel.

  • Maounique Host Rep, Veteran
    edited June 2012

    @William said: pf, along with kfreebsd kernel.

    Bah, maybe for high bw routers and stuff, it is hardly the case for the regulars here :)
    Personally I don't block anything; I also allow ssh on 22, just make sure software is reasonably up to date and not very new. Running squeeze means both conditions are met with relative ease.
    Better to not have your back-end listen to the internet than having to do iptables to limit access, unless you need to.
    AFAIK, never been rooted on a VPS.
    M
    P.S. Also, another golden rule: keep your surface small, meaning run only what you need to, disable any unnecessary compilers after you have used them and don't install what you don't use, for example.

    Thanked by: marrco

  • Deor Member

    Interesting stuff guys, thanks for the input.

    So my question now is: what are the risks of not running a firewall on your VPS that has a public IP address directly on the internet?

    Other than services that we want to use, and therefore have to be exposed, like http and ssh, what else is exposed and potentially vulnerable?

    Think I'm going to start running some scans against one of my spare VPSs with nessus or something and see what happens.

  • taipres Member
    edited June 2012

    @Deor said: Interesting stuff guys, thanks for the input.

    So my question now is: what are the risks of not running a firewall on your VPS that has a public IP address directly on the internet?

    Other than services that we want to use, and therefore have to be exposed, like http and ssh, what else is exposed and potentially vulnerable?

    Think I'm going to start running some scans against one of my spare VPSs with nessus or something and see what happens.

    Anything that listens on a port can be a way into your server (or connects out from your server). Other than that, nothing :) So my advice is: change the default ssh port, install fail2ban, make sure your web server is properly configured/secured, obviously don't run them under root, and make sure everything else is good.

  • gbshouse Member, Host Rep

    Instead of raw iptables you can use ufw.
    I'm too lazy to write custom scripts, so I have an Excel file with all our servers, their IPs and ports, and I'm using it to generate firewalls.
    Besides that, "less is more": fewer potential access methods, more secure :)

  • Deor Member

    @gbshouse said: Instead of raw iptables you can use ufw.

    I've mainly used Firehol to configure iptables, but was testing UFW the other day too. Both seem to do a good job, but the problem I had was getting things like PPTPd to work, as you need to add specific rules and forwards and I just couldn't get either tool to do it.

    Anyway, it's always good to understand a bit more about what's going on behind the tools, I think :)

  • efball Member

    what else is exposed and potentially vulnerable?

    I run pop, but I firewall it and access it through ssh.

  • Maounique Host Rep, Veteran
    edited June 2012

    @efball said: I run pop, but I firewall it and access it through ssh.

    Could always make it listen to lo only, then.
    M

  • sleddog

    @Deor said: Other than services that we want to use, and therefore have to be exposed, like http and ssh, what else is exposed and potentially vulnerable?

    Think I'm going to start running some scans against one of my spare VPSs with nessus or something and see what happens.

    Listening TCP ports:

    netstat -ltn

    And UDP ports:

    netstat -lun

    "0.0.0.0" means listening on all interfaces, including your public one.

    For services that only you access, use iptables to restrict access to a specific IP, a set of IPs, or a network range.

    # Restricted access to port 1234
    -A INPUT -p tcp -s 192.168.1.10  --dport 1234 -j ACCEPT
    -A INPUT -p tcp -s 172.21.5.0/24 --dport 1234 -j ACCEPT
    -A INPUT -p tcp -s 172.22.0.0/16 --dport 1234 -j ACCEPT
    -A INPUT -p tcp -s 172.23.0.0/16 --dport 1234 -j ACCEPT
    -A INPUT -p tcp --dport 1234 -j DROP

    Thanked by: Deor

  • Deor Member
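    A worked version of the approach the thread converges on (INPUT policy DROP, public ports open to everyone, admin-only ports whitelisted to your own IPs, plus a check of what is bound to 0.0.0.0), added here as an example and not code from any poster. The netstat output is constructed, and 203.0.113.10 / 198.51.100.0/24 are placeholder admin networks; the script prints an iptables-restore ruleset for review rather than applying it.

```shell
#!/bin/sh
# Constructed sample of `netstat -ltn` output; not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

# Read `netstat -ltn` (or -lun) output on stdin and print the ports bound to
# every interface (0.0.0.0 or ::), i.e. the ones reachable on the public IP.
# Services bound to 127.0.0.1 (the MySQL line above) are filtered out.
public_ports() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /^(0\.0\.0\.0|::):/ {
            n = split($4, a, ":"); print a[n]
        }' | sort -un
}

# Emit an iptables-restore ruleset: INPUT policy DROP, loopback and established
# connections allowed, PUBLIC ports open to everyone, ADMIN ports open only from
# the ADMIN_NETS addresses/CIDRs (the SSH-from-my-IPs approach in the thread).
# Usage: gen_ruleset "PUBLIC_PORTS" "ADMIN_PORTS" "ADMIN_NETS"
gen_ruleset() {
    public=$1; admin=$2; nets=$3
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for p in $public; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    for p in $admin; do
        for n in $nets; do
            echo "-A INPUT -p tcp -s $n --dport $p -j ACCEPT"
        done
        # Explicit DROP is redundant under a DROP policy but keeps the intent
        # visible if someone later flips the policy to ACCEPT.
        echo "-A INPUT -p tcp --dport $p -j DROP"
    done
    echo 'COMMIT'
}

# Example run; 203.0.113.10 and 198.51.100.0/24 are placeholder admin networks.
echo "$SAMPLE_NETSTAT" | public_ports
gen_ruleset "80 443" "22 3306" "203.0.113.10 198.51.100.0/24"
```

    Compare the first list (22, 80, 110 here) against the ports you intended to expose; anything unexpected is either a service to bind to lo only or a port to move into the admin-only group before feeding the ruleset to iptables-restore.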

    @sleddog said: Listening TCP ports:

    netstat -ltn

    And UDP ports:

    netstat -lun

    Nice, thanks mate :)

  • Deor Member

    @Maounique said: Could always make it listen to lo only, then.

    And I guess you could do that with any service, like exim and mysql. Nice tip

  • efball Member

    Could always make it listen to lo only

    Not for services (pop) run from inetd :(
