
Hello guys! :-)

I need some advice from you about my iptables setup. I'm pretty new to iptables, and this is the first time I've configured a server with iptables ONLY as a firewall (we have neither the money nor the time to set up a "true" firewall in front of it).

I'd like to connect to my server via SSH from only specific.location.com.

Therefore, I set up the following rules in INPUT:

target      in     out     source                       destination
ACCEPT      lo     any     localhost                    anywhere
ACCEPT      any    any     specific.location.com        myserver.local    tcp dpt:ssh

My default policies are:

INPUT DROP
FORWARD DROP
OUTPUT ACCEPT

With this first configuration, I was able to connect to my server, but unable to reach the outside (e.g. google.com), and the connection was very slow.

I understood that my firewall didn't have any rule matching the "ESTABLISHED" state of a packet. Indeed, I guess my packets were able to get out, but weren't allowed to come back...

So I added this rule:

target      in     out     source                       destination
ACCEPT      any    any     anywhere                     anywhere           state ESTABLISHED

Now everything works like a charm: I can reach the outside from the server, the connection is as fast as before, and I can only access my server via SSH from specific.location.com!

My only question is that I need your advice: is that a clean configuration? I can't find any example like this on the internet, so I'm quite wondering...

Or did I just make a HUGE security fault?!

Thanks for your help guys :-)

  • Using iptables on a dedicated machine like that _is_ a true firewall. – Wesley Feb 27 '15 at 15:27
  • Yeah, I feel it was quite hard to say that when I wrote this... I didn't mean that actually; I mean that usually I used to work with Cisco, FortiGates and so on, and never really used iptables in a production environment ;-) – iptablewnew Feb 27 '15 at 15:29
  • iptables is a true firewall (like pf would be for BSD firewalls). Your rules are perfectly fine, since packets accepted in the ESTABLISHED state will either be replies to an open input port or replies to outgoing traffic initiated by the server itself. – Xavier Lucas Feb 28 '15 at 20:07
  • Thanks Xavier, that's exactly the point I wasn't sure about. – iptablewnew Mar 05 '15 at 15:54

1 Answer

Canonically, that ESTABLISHED rule is actually RELATED,ESTABLISHED. It won't affect SSH or HTTP(S), though—the difference is that RELATED also encompasses what are technically new connections, but are related to an existing one, as in FTP data channel communications or ICMP echo replies.

Overall, what you have done here is just fine.

BMDan
  • 7,129
  • 2
  • 22
  • 34
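The ruleset discussed in the question and answer, written out as an iptables-restore file with the RELATED,ESTABLISHED match the answer recommends. This is an added example, not code from the question, the answer, or any project; the gen_rules, count_new_accepts and apply_rules function names are my own, the extra INVALID drop and the conntrack match syntax are my additions, and the allowed SSH source defaults to the question's placeholder hostname.

```shell
#!/bin/sh
# Added example (not from the original question or answer): emit the poster's
# INPUT ruleset in iptables-restore format.  The ESTABLISHED match is widened to
# RELATED,ESTABLISHED as the answer recommends.
set -eu

# Print the ruleset for the given SSH source as an iptables-restore file.
# Using a hostname here (as the question's listing shows) means iptables resolves
# it once, at load time, and needs working DNS; a fixed IP address is safer.
gen_rules() {
    ssh_source="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened itself, plus related traffic such as
# ICMP errors or FTP data channels (RELATED); this is what fixed outbound access
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# packets conntrack cannot attach to any flow (e.g. stray ACKs): drop explicitly
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the only rule that admits a NEW inbound connection: SSH from one source
-A INPUT -p tcp -s ${ssh_source} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Count the rules that would admit a brand-new inbound connection.  With the
# ruleset above there must be exactly one (the SSH rule); any other value
# means the "SSH only from specific.location.com" goal has been broken.
count_new_accepts() {
    gen_rules "$1" | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Load the whole file atomically (iptables-restore validates it before loading).
# Do this from a console, or with a scheduled rollback, when working over SSH:
# the INPUT DROP policy takes effect in the same step as the rules.
apply_rules() {
    gen_rules "$1" | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules "${2:-specific.location.com}"
else
    gen_rules "${1:-specific.location.com}"
fi
```

Running the script without arguments prints the file for review; `--apply [source]` loads it with iptables-restore (root required).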