Help with IP tables script

Hi,

I received a couple of spam abuse reports for my VPS related to email spam (even though I don't have any email set up on my account). Now I'm going to reinstall CentOS and I was thinking about some iptables rules to keep open only those ports related to http, https and ssh.

I don't need any other ports open and I guess that would help my VPS to be more secure. These are the rules I thought to have in my iptables:

    # drop TCP packets with no flags set (null packets)
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    # a NEW TCP connection must start with a SYN; drop anything else
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # drop TCP packets with every flag set (Christmas tree packets)
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    # loopback traffic
    iptables -A INPUT -i lo -j ACCEPT
    # the only services that should be reachable: http, https, ssh
    iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    # -I puts this rule at the top of the chain, before the checks above
    iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

What do you think, guys? Is it good? Does it have some contradictions?

PS: I'm a noob

Thanks

Comments

  • teknolaiz Member
    edited November 2015

    Why not set all policies to DROP and only ACCEPT all you need (established, related, lo, 80, 443 and ssh port)?

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    # no space after the comma: iptables rejects "ESTABLISHED, RELATED"
    iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    ...anything else you need...
    

    Default policies are usually ACCEPT, which means everything that was not DROP'ed by an iptables rule is allowed. With DROP policies, everything is dropped unless it was allowed by an iptables rule.

    I'm on vacation in Belize.

  • Thank you @Hidden_Refuge

    I don't know anything about iptables, although I have been reading, trying to understand. That's why I came here asking for help, hehehe

    Will it be ok if I only use the lines that you posted?

    I know there are a lot of possible iptables configurations, but as I'm a total noob I prefer to keep open only the most basic ones to have the websites running and ssh working.

    thanks a lot

  • You can use the rules you have in your post. They seem ok.

    It was just my personal suggestion to set policies to DROP and then open everything you need. I see that you followed some Digitalocean guide, right? Should be OK I think :) .

    I'm on vacation in Belize.

    Thanked by tittooo7
  • tittooo7 said: Will it be ok if I only use the lines that you posted?

    You need to make OUTPUT rules also if you set the OUTPUT policy to DROP, else you will be locked out of your server. You may want to set a rule to accept your DNS server also.

  • tittooo7 Member
    edited November 2015

    @Hidden_Refuge yes, I used this Digital Ocean guide: www.lowendtalk.com/discussion/68516/help-with-ip-tables-script#latest But I didn't add these 2 lines, as my websites and ssh stopped working after that:

    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP

    But it could be because I touched something else that I shouldn't....

    @grillmaster so what else would need to be added or removed to the iptables lines that I wrote on the OP?

    thanks a lot in advance

  • tittooo7 said: so what else would need to be added or removed to the iptables lines that I wrote on the OP?

    It's better to understand what you are doing than to copy random rules from the internet, but this should get you started.

    iptables -I INPUT -m state --state INVALID -j DROP
    # OUTPUT rules match the outgoing interface with -o; -i is only accepted in INPUT/FORWARD
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT ! -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
    

    Accept connections to and from your DNS servers. Open /etc/resolv.conf to see your DNS, then make rules to accept those IP addresses for INPUT and OUTPUT. For example:

    iptables -A OUTPUT -d 8.8.8.8 -j ACCEPT
    iptables -A INPUT -s 8.8.8.8 -j ACCEPT
    

    then set your policies to drop

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    

    You should also do one of the following: change your ssh port to a random number, such as 10573, or restrict access so only certain IPs or IP ranges can connect to port 22.

  • tittooo7 Member
    edited November 2015

    Thank you @grillmaster. It's really appreciated. Could you please help me to understand the difference between some lines that I wrote in the OP and the ones that you suggest?

    1- Difference between these lines that I have:

    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

    and this one that you suggest:

    iptables -I INPUT -m state --state INVALID -j DROP

    2- Difference between this line that I have:

    iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    and this one that you suggest:

    iptables -A OUTPUT ! -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

    3- And the following lines that I had as OUTPUT, but you suggest me to have them as INPUT. What would be the difference? Should I have both (output & input)?

    iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT

  • In iptables, any rule for INPUT only applies to connections going in to the server, OUTPUT rules apply to connections leaving your server to some external destination.

    tittooo7 said: iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

    This drops incoming TCP null packets, commonly used in spoofing attacks.

    tittooo7 said: iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    All new incoming TCP connections should be a SYN packet. This drops it if it is not.

    tittooo7 said: iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

    This drops incoming Christmas tree packets, which are commonly used in DoS attacks.

    tittooo7 said: iptables -I INPUT -m state --state INVALID -j DROP

    All incoming connections are classified into 3 states: new, established or related; otherwise they are considered invalid. Your server is saying "I don't know why I received this packet, it's invalid", so we drop it.

    tittooo7 said: 2- Difference between this line that I have:

    iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    and this one that you suggest:

    iptables -A OUTPUT ! -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

    These are essentially the same rule, only one is for incoming connections (INPUT) and one is for outgoing connections (OUTPUT). I added this "! -p udp" to exclude UDP packets from the rule, because you don't need to use UDP for your needs. You can remove that part if you need outgoing UDP.

    tittooo7 said: 3- And the following lines that I had as OUTPUT, but you suggest me to have them as INPUT. What would be the difference? Should I have both (output & input)?

    iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT

    Again, you need INPUT rules for incoming packets and OUTPUT rules for outgoing packets. Else, you can set the OUTPUT policy to accept, which will let anything leave your server. If you want to stop your server from sending mail, it is probably best to leave the OUTPUT policy to drop. Otherwise you would need to block all the outgoing ports commonly used to send mail.
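The rule set grillmaster lays out above (INVALID drop, explicit INPUT and OUTPUT rules, DNS allowed, DROP policies set last, SSH restricted to known addresses) and the INPUT/OUTPUT/state explanation in this reply, put together as one script. This is an added example, not code from the thread or from the Digital Ocean guide: it prints the rules as text for review and only runs them when asked, so a typo cannot lock you out before you have read it. Assumptions not in the thread: the admin range 203.0.113.0/24 (an RFC 5737 documentation prefix, a placeholder for your own address range), the SSH port taken from an environment variable, and outbound 80/443 left open so package updates still work with the OUTPUT policy at DROP. The resolvers are read from /etc/resolv.conf as grillmaster suggests, with 8.8.8.8 from the thread as the fallback.

```shell
#!/bin/bash
# Added example (not from the thread): builds the default-DROP ruleset the
# replies converge on, in an order that keeps the current SSH session alive.
# Assumptions not in the thread: SSH_PORT, ADMIN_CIDR (placeholder range) and
# outbound 80/443 for package updates.

SSH_PORT="${SSH_PORT:-22}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"   # placeholder: your own address range

# Print the nameservers from a resolv.conf (default /etc/resolv.conf);
# falls back to the 8.8.8.8 used as the example in the thread.
dns_servers() {
    local conf="${1:-/etc/resolv.conf}"
    if [ -r "$conf" ] && grep -q '^nameserver' "$conf"; then
        awk '$1 == "nameserver" { print $2 }' "$conf"
    else
        echo "8.8.8.8"
    fi
}

# Emit the ruleset, one iptables command per line, in a safe order:
#  1. flush and reset policies to ACCEPT so a re-run never starts locked out;
#  2. accept ESTABLISHED/RELATED on both chains (keeps the current SSH session);
#  3. drop INVALID and the malformed-flag packets from the OP;
#  4. open only the needed services, SSH restricted to the admin range;
#  5. allow DNS to the resolvers and outbound 80/443 for updates;
#  6. set the DROP policies last, so nothing else (SMTP included) can leave.
build_rules() {
    local ssh_port="$1" admin_cidr="$2"
    shift 2   # remaining arguments are DNS server addresses
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s $admin_cidr --dport $ssh_port -j ACCEPT
EOF
    local dns
    for dns in "$@"; do
        echo "iptables -A OUTPUT -p udp -d $dns --dport 53 -j ACCEPT"
        echo "iptables -A OUTPUT -p tcp -d $dns --dport 53 -j ACCEPT"
    done
    cat <<EOF
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

# Dry run by default (prints the rules); "--apply" runs them as root.
main() {
    local rules
    rules=$(build_rules "$SSH_PORT" "$ADMIN_CIDR" $(dns_servers))
    if [ "${1:-}" = "--apply" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
        printf '%s\n' "$rules" | while IFS= read -r cmd; do sh -c "$cmd"; done
    else
        printf '%s\n' "$rules"
    fi
}
main "$@"
```

Run it without arguments first and read the output; then `SSH_PORT=22 ADMIN_CIDR=<your range> ./rules.sh --apply` as root from a session you can afford to lose, and confirm a second SSH login works before persisting the rules with `iptables-save`. The two ESTABLISHED,RELATED rules go in before any policy is set to DROP; the OP's report that "websites and ssh stopped working" after `-P INPUT DROP` is what happens when that order is reversed. Unlike grillmaster's OUTPUT rule this one does not exclude UDP, because no incoming UDP is ever accepted as NEW and the resolvers are allowed explicitly.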

  • Thank you @grillmaster. I kind of get the idea but I still struggle to understand when some lines could be a contradiction or just a duplication, lol

    Then, should I use only the lines that you initially posted here: http://www.lowendtalk.com/discussion/comment/1383032/#Comment_1383032 Or a combination of the lines that you posted & the ones I posted in the OP?

  • tittooo7 said: Or a combination of the lines that you posted & the ones I posted in the OP?

    yes use them all
