8

Possible Duplicate:
Why should I firewall servers?

I have a small server with WEB + FTP. I checked the ports and only 80 + 21 are opened.

So, now the question is, do I really need iptables? These two ports must be opened to everyone, and the others are already closed. I don't think a person could open the ports without a root control(from outside the server). So, is iptables useful for me?

Dail
  • 81
  • 1
  • Related question: [Why should I firewall servers?](http://serverfault.com/questions/201298/why-should-i-firewall-servers). – Steven Monday May 02 '11 at 05:03

4 Answers4

10

If I understand your question, you don't have any iptables rules and is asking if you really need it if the only open ports you have are the ones from active running services, is it correct?

Short answer: yes you should have a working iptables ruleset on your server, even if the only open ports are the services you want to run there. Also remember to mantain the rules and add/remove services that are added or removed from the server.

Long, exemplified answer: Theoretically you would not need it, but security is about making the attacker's life harder. Suppose that your webserver has a script that with a bug in it, and someone exploits that bug and injects a remote shell server (even a simple netcat will do). If the server doesn't have a firewall on its front or locally blocking connections, the attacker will be able to connect to that exploited shell. If you add correct and working iptables rules, the attacker will not be able to connect (because iptables blocked any traffic not on ports you allowed).

Even if you have a firewall in front of your servers, a basic iptables script is a good practice, as I said, your job is to add layers of security (Defense in depth) so if one layer fails, others will still be up to delay the attack.

coredump
  • 12,573
  • 2
  • 34
  • 53
  • 2
    Most people think about ingress rules when considering iptables, but make sure to not forget egress rules as well. – EEAA May 02 '11 at 02:17
4

No, you don't need to have iptables rules.

However, you will want to have them for several reasons:

  • Make it harder for people to do a portscanning
  • Detect bruteforcing attempts
  • Filter against attacks

See my Community Wiki, "IPTables Tips & Tricks". You might find some inspiration there.

pepoluan
  • 4,918
  • 3
  • 43
  • 71
2

Yes. At the very least, it will open port 20 appropriately so that active FTP will work. Aside from that, it will prevent connections to hostile programs that start a server on your machine.

Ignacio Vazquez-Abrams
  • 45,019
  • 5
  • 78
  • 84
2

Iptables should always be running on all public facing servers even if there is a vendor firewall between you and the internet. The key thing to remember with all computer security is that every system can be exploited unless it is powered off. With that in mind you are trying to put barriers in the way of any attacker.

As coredump mentioned in his reply Iptables can help prevent a user space exploit program from running on a high port from accepting connections. It is also possible to prevent your host from talking to specific network segments should you need to with the OUTPUT chain. In addition you can prevent many TCP attacks from being run on your system by using the state module and only allowing related packets by default, then only allowing "new" packets to your web and ftp server.

Red Tux
  • 2,074
  • 13
  • 14