Help with IP tables script
Hi,
I received a couple of spam abuse reports from my VPS related to email spam (even though I don't have any email set up on my account). Now I'm going to reinstall CentOS and I was thinking about some iptables rules to keep open only those ports related to http, https and ssh.
I don't need any other ports open and I guess that would help my VPS to be more secure.
These are the rules I thought to have in my iptables:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
What do you think guys? Is it good? Does it have some contradictions?
PS: I'm a noob
Thanks
Comments
Why not set all policies to DROP and only ACCEPT all you need (established, related, lo, 80, 443 and ssh port)?
Default policies are usually ACCEPT, which means everything that was not DROP'ed by an iptables rule is allowed. A DROP policy, on the other hand, drops everything unless it was explicitly allowed by an iptables rule.
Thank you @Hidden_Refuge
I don't know anything about iptables, although I have been reading and trying to understand. That's why I came here asking for help, hehehe
Will it be ok if I only use the lines that you posted?
I know there are a lot of possible iptables configurations, but as I'm a total noob I prefer to keep open only the most basic ones to have the websites running and ssh working.
thanks a lot
You can use the rules you have in your post. They seem ok.
It was just my personal suggestion to set policies to DROP and then open everything you need. I see that you followed some DigitalOcean guide, right? Should be OK I think.
You need to make output rules also if you set the OUTPUT policy to drop, else you will be locked out of your server. You may want to set a rule to accept your dns server also.
@Hidden_Refuge yes I used this digital ocean guide: www.lowendtalk.com/discussion/68516/help-with-ip-tables-script#latest
But I didn't add these 2 lines, as my websites and ssh stopped working after that:
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
But it could be because I touched something else that I shouldn't....
@grillmaster so what else would need to be added or removed to the iptables lines that I wrote on the OP?
thanks a lot in advance
It's better to understand what you are doing than to copy random rules from the internet, but this should get you started.
Accept connections to and from your DNS servers. Open /etc/resolv.conf to see your DNS, then make rules to accept those IP addresses for INPUT and OUTPUT. For example:
then set your policies to drop
You should also do one of the following: change your ssh port to a random number, such as 10573, or restrict access so only certain IPs or IP ranges can connect to port 22.
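To show how the advice in this thread fits together (default DROP policies, accept only lo, ESTABLISHED/RELATED, DNS, 80, 443 and ssh, with DNS servers taken from resolv.conf and ssh restricted to a network range), here is an added example script. It is not from any post in the thread or from the DigitalOcean guide; it writes the ruleset in iptables-restore format instead of running iptables directly, so you can review it before loading it. The resolv.conf path, the admin network (the 203.0.113.0/24 value is a placeholder) and the ssh port are assumed parameters.

```shell
#!/bin/sh
# Added example (not from the thread): build a default-deny iptables ruleset
# in iptables-restore format.
#   - policies DROP, then ACCEPT only lo, ESTABLISHED/RELATED, DNS, 80, 443, ssh
#   - DNS servers are read from a resolv.conf-style file (first argument)
#   - ssh is reachable only from an allowed network (second argument, placeholder)
# Usage:  sh fw.sh /etc/resolv.conf 203.0.113.0/24 22 | iptables-restore --test
# Load:   sh fw.sh /etc/resolv.conf 203.0.113.0/24 22 | iptables-restore

# Print one nameserver IP per line from a resolv.conf-style file.
dns_servers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# $1 = resolv.conf path, $2 = network allowed to reach ssh, $3 = ssh port
build_ruleset() {
    resolv=$1
    admin_net=${2:-0.0.0.0/0}   # 0.0.0.0/0 = ssh open to everyone (less safe)
    ssh_port=${3:-22}

    echo '*filter'
    # Default policies: anything not explicitly accepted below is dropped,
    # in both directions, so an outbound spam sender gets nowhere.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'

    # Loopback in both directions.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'

    # Packets that belong to no known connection are dropped early.
    echo '-A INPUT -m state --state INVALID -j DROP'
    # Replies to connections that were already accepted (both directions).
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

    # DNS: new queries only to the resolvers from resolv.conf, UDP and TCP 53.
    for ns in $(dns_servers "$resolv"); do
        for proto in udp tcp; do
            echo "-A OUTPUT -p $proto -d $ns --dport 53 -m state --state NEW -j ACCEPT"
        done
    done

    # Web server: anyone may open a new connection to 80 and 443.
    echo '-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT'
    echo '-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT'

    # ssh: new connections only from the admin network.
    echo "-A INPUT -p tcp -s $admin_net --dport $ssh_port -m state --state NEW -j ACCEPT"

    echo 'COMMIT'
}

# When run as a script: use the given arguments, or fall back to the system
# resolv.conf with ssh open to everyone.
if [ "$#" -ge 1 ]; then
    build_ruleset "$@"
elif [ -r /etc/resolv.conf ]; then
    build_ruleset /etc/resolv.conf
fi
```

Because OUTPUT defaults to DROP, anything the server itself starts (package updates over HTTP, NTP, and so on) needs its own OUTPUT rule; that is the trade-off grillmaster mentions above, and it is also what stops a compromised site from sending mail.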
Thank you @grillmaster . It's really appreciated
Could you please help me to understand the difference between some lines that I wrote in the OP and the ones that you suggest?
1- Difference between these lines that I have:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
and this one that you suggest:
iptables -I INPUT -m state --state INVALID -j DROP
2- Difference between this line that I have:
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
and this one that you suggest:
iptables -A OUTPUT ! -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
3- And the following lines, which I had as OUTPUT but you suggest I have as INPUT. What would be the difference? Should I have both (output & input)?
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
In iptables, any rule for INPUT only applies to connections going in to the server, OUTPUT rules apply to connections leaving your server to some external destination.
This drops incoming TCP null packets - commonly used in spoofing attacks
All new incoming TCP connections should be a SYN packet. This drops it if it is not.
This drops incoming christmas tree packets, which are commonly used in DoS attacks.
All incoming connections are classified into 3 states - new, established or related; otherwise they are considered invalid. Your server is saying "I don't know why I received this packet, it's invalid", so we drop it.
These are essentially the same rule, only one is for incoming connections (INPUT) and one is for outgoing connections (OUTPUT). I added this "! -p udp" to exclude UDP packets from the rule, because you don't need to use UDP for your needs. You can remove that part if you need outgoing UDP.
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
Again, you need INPUT rules for incoming packets and OUTPUT rules for outgoing packets. Else, you can set the OUTPUT policy to accept, which will let anything leave your server. If you want to stop your server from sending mail, it is probably best to leave the OUTPUT policy to drop. Otherwise you would need to block all the outgoing ports commonly used to send mail.
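The last point above has an alternative: if you keep the OUTPUT policy at ACCEPT (so the server can reach anything it wants), you have to block the outgoing mail ports yourself. The added example below, which is my own and not from any post in the thread, emits OUTPUT rules that log and reject new outbound connections to 25, 465 and 587, plus a small helper that summarises the resulting kernel log lines per destination, so you can see whether something on the box is still trying to send mail. The chain name OUTBOUND_MAIL and the log prefix are my own choices, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). OUTPUT policy stays ACCEPT; new
# connections to the common mail submission ports are logged and rejected.
# Load with:  mail_block_rules | iptables-restore --noflush
# (--noflush keeps the INPUT rules you already have.)

# Emit the OUTPUT rules in iptables-restore format.
mail_block_rules() {
    echo '*filter'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':OUTBOUND_MAIL - [0:0]'          # user chain: log, then reject
    for port in 25 465 587; do
        echo "-A OUTPUT -p tcp --dport $port -m state --state NEW -j OUTBOUND_MAIL"
    done
    # Rate-limited so a spam run cannot flood the log.
    echo '-A OUTBOUND_MAIL -m limit --limit 5/min -j LOG --log-prefix "OUTBOUND_MAIL: "'
    echo '-A OUTBOUND_MAIL -j REJECT --reject-with tcp-reset'
    echo 'COMMIT'
}

# Constructed sample of what the LOG target writes to the kernel log
# (abridged field list); the last line is unrelated noise.
sample_log() {
    printf '%s\n' \
      'Mar  1 10:00:01 vps kernel: OUTBOUND_MAIL: IN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.25 PROTO=TCP SPT=40000 DPT=25 SYN' \
      'Mar  1 10:00:02 vps kernel: OUTBOUND_MAIL: IN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.25 PROTO=TCP SPT=40001 DPT=587 SYN' \
      'Mar  1 10:00:03 vps kernel: OUTBOUND_MAIL: IN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.99 PROTO=TCP SPT=40002 DPT=25 SYN' \
      'Mar  1 10:00:04 vps sshd[123]: Accepted publickey for root from 203.0.113.10'
}

# Read kernel log lines on stdin, print "<count> <destination>" lines for the
# OUTBOUND_MAIL entries, most frequent destination first.
mail_log_summary() {
    grep 'OUTBOUND_MAIL: ' \
      | sed -n 's/.* DST=\([0-9.]*\) .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# When run as a script: show the rules and the summary of the sample log.
if [ "$#" -ge 1 ] && [ "$1" = "demo" ]; then
    mail_block_rules
    sample_log | mail_log_summary
fi
```

On a real server you would run something like `grep OUTBOUND_MAIL /var/log/messages | mail_log_summary`; repeated hits after a reinstall are a sign that a web application or cron job is still trying to send mail, which is exactly the behaviour the abuse reports in the first post were about.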
Thank you @grillmaster
I kind of get an idea but I still struggle to understand when some lines could be a contradiction or just a duplication, lol
Then, should I use only the lines that you initially posted here: http://www.lowendtalk.com/discussion/comment/1383032/#Comment_1383032
Or a combination of the lines that you posted & the ones I posted in the OP?
yes use them all