-1

this is my current /etc/sysconfig/iptables file for a webserver that must allow http, ftp and ssh access.

```
*filter
:INPUT ACCEPT [31395:4050333]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [30540:7083959]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11211 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

I'm just starting to learn how to configure a linux firewall. From what I've read that setup pretty much covers my server's needs. Still, a few questions remain:

  1. Can the security be tightened a little more?

  2. Are the :INPUT ACCEPT and :OUTPUT ACCEPT value ranges ok?

Carlos Santos
  • in fact, I just tested, and these settings don't allow me to connect via ftp (if I stop the iptables service, the ftp works fine.) – Carlos Santos Dec 14 '14 at 23:48
  • Look into [Active vs Passive FTP](http://slacksite.com/other/ftp.html) and you might want to define data port range in your ftp server and open that range in iptables. – Mehmet Dec 14 '14 at 23:53
  • 1
    `:INPUT ACCEPT` and `:OUTPUT ACCEPT` value ranges, you mean the number between the brackets? Those are mere counters, you don't have to worry about them. – pepoluan Dec 15 '14 at 00:44
  • @pepoluan thanks. btw, counters of what exactly? – Carlos Santos Dec 15 '14 at 00:54
  • 2
    `[packets:bytes]` that went through that chain. – pepoluan Dec 15 '14 at 00:57
  • 1
    PS: I'd add `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` as the first line of the `-A INPUT` set; if not, the line with `--dport 11211` will match only the first packet destined to port 11211. Unless that's what you plan to do, of course. – pepoluan Dec 15 '14 at 00:59

2 Answers

1

To answer the question "Can the security be tighten a little more", let me refer you to the following community wiki:

iptables Tips & Tricks

pepoluan
1

I believe the --state NEW in the corresponding entry is superfluous.

Your rules may be more or less secure but there are some things missing that would allow you internet access from the machine at all. Let me show you what I consider a standard setup (not that this could not be found on a thousand sites):

```
root@gw:~# cat /etc/iptables.up.rules
# Generated by iptables-save v1.4.14 on Sun Nov  2 15:08:43 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38:2778]
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTFW "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Nov  2 15:08:43 2014
```

For SSH access add a rule just like for port 80 right after the port 80 rule.

For FTP access you obviously need the respective ports open, and don't forget to load the necessary kernel modules for FTP connection tracking (on Debian nf_nat_ftp or nf_conntrack_ftp depending on your requirements).

What exactly I am doing here:

  • Allow ping request (ICMP type 8), won't hurt, maybe remove on hosts that should not be visible at first glance
  • Then accept traffic on the loopback interface otherwise some stuff local to the server may stop working.
  • Allow the ports that you'd like people to access, optionally add an incoming interface using the -i parameter in case you have multiple interfaces.
  • Allow all replies to connections requested by the machine itself, otherwise you can never generate any outgoing connection, not even DNS or anything from the machine, very probably getting into trouble with some services.
  • Finally, before rejecting, you should log what will be rejected. I prefer to reject instead of dropping since that is a clear message. Again (like the reasoning with the ping above), if you'd like to be more "stealth" then just drop, but that's of no real use.
  • Don't forget to also set the policy of the INPUT chain to DROP (and make sure you don't lock yourself out while doing that.)
Marki
  • thanks! I'm trying these, with the 20 and 21 ports for ftp as well, but ftp is the only service that is not working when I start the iptables. The result is a "connection time out" message. – Andres SK Dec 15 '14 at 05:06
  • You know "not working" is always such a generic statement. Is the service even running? Are there ACLs defined in the FTP server? ... – Marki Dec 15 '14 at 19:35
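As an added example (not code from anyone in this thread), here is a small Python linter that applies the checks pepoluan's comment and Marki's answer describe to an `iptables-save` dump: a missing ESTABLISHED,RELATED accept (and any `--state NEW` rule that would then only pass a flow's first packet), a missing loopback accept, an INPUT policy of ACCEPT, and port 21 open without the FTP conntrack module. The sample ruleset, the function names and the finding codes are constructed for this example.

```python
# Constructed input for this example (not the page author's file): the questioner's ruleset, trimmed.
SAMPLE_RULES = """*filter
:INPUT ACCEPT [31395:4050333]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11211 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_filter(text):
    """Return (chain policies, '-A' rules as token lists) for the *filter table of a dump."""
    policies, rules, active = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "*filter":
            active = True
        elif line == "COMMIT":
            active = False
        elif active and line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # ":INPUT ACCEPT [pkts:bytes]" -> counters ignored
            policies[chain] = policy
        elif active and line.startswith("-A "):
            rules.append(line.split())
    return policies, rules

def arg_after(rule, flag):
    """Value following a flag such as -i, --dport or --state, or None if the flag is absent."""
    return rule[rule.index(flag) + 1] if flag in rule else None
def states_of(rule):
    """Conntrack states the rule matches with --state (empty set when it has none)."""
    return set((arg_after(rule, "--state") or "").split(",")) - {""}

def lint_input_chain(text):
    """Return (code, message) findings for the INPUT chain, following the thread's advice."""
    policies, rules = parse_filter(text)
    inp = [r for r in rules if r[1] == "INPUT"]
    findings = []
    if not any({"ESTABLISHED", "RELATED"} <= states_of(r) and r[-1] == "ACCEPT" for r in inp):
        findings.append(("no-established", "no ESTABLISHED,RELATED ACCEPT: replies to the server's own outgoing connections (DNS, updates) are rejected"))
        for r in inp:   # without that rule, a --state NEW match passes only the first packet
            if "NEW" in states_of(r):
                findings.append(("new-only", f"'{' '.join(r[2:])}' matches only a flow's first packet"))
    if not any(arg_after(r, "-i") == "lo" and r[-1] == "ACCEPT" for r in inp):
        findings.append(("no-loopback", "no '-i lo -j ACCEPT': local services talking over 127.0.0.1 hit the final REJECT"))
    if policies.get("INPUT") == "ACCEPT":
        findings.append(("policy-accept", "INPUT policy is ACCEPT; set it to DROP so a flushed chain fails closed"))
    if any(arg_after(r, "--dport") == "21" for r in inp):
        findings.append(("ftp-conntrack", "port 21 open: load nf_conntrack_ftp (or nf_nat_ftp) and open the passive data-port range"))
    return findings
```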