0
I am installing a fresh new VPS (from linode.com, if that matters) with Ubuntu 16.04 LTS. I wrote the following script for iptables:
#!/bin/sh
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
This script should only allow 22, 80 and 443. It also allows outgoing DNS resolves.
I created and named this script iptables.sh
as root and put it in /etc/network/if-pre-up.d
. I did also chmod +x
.
Now, after reboot, this script does not seem to be applied. I verified this by executing iptables -S
, which gives:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
How do I progress from here? I am quite stuck right now.
update
I have no idea why, but after renaming uptables.sh
to iptables
, I cannot log in into my server anymore after a reboot. This makes me think that now the script is actually executed (and when it has .sh
file extension not, why?) during boot and there is an error in my script. I am so confused.
"I cannot log in into my server anymore after a reboot". I think the line
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 22,80,443…
should use--sports
, because inOUTPUT
you want to allow response from port 22 etc. Notice UDP/53 hasdport
/sport
rules corresponding to each other, notdport
/dport
norsport
/sport
. – Kamil Maciorowski – 2017-11-20T21:32:14.830Oh, ofcourse! I will try again, THANKS A LOT for that tip. – Dave Teezo – 2017-11-20T21:33:56.240
This not working :(. I updated the script in my question, so its clears what my current version is. – Dave Teezo – 2017-11-20T21:40:45.187
Are you sure the interface is
– Kamil Maciorowski – 2017-11-20T21:48:37.030eth0
? Modern Ubuntu may use something likeenpXsY
. Why is my network interface named enp0s25 instead of eth0?It's indeed
eth0
in my case. I verified by runningifconfig
, which giveseth0
andlo
. – Dave Teezo – 2017-11-20T21:50:44.243I've found this about
state
module: "ESTABLISHED
meaning that the packet is associated with a connection which has seen packets in both directions,NEW
meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions". This suggests you should useNEW,ESTABLISHED
instead of loneESTABLISHED
. I have no practical experience with this though, I may be very wrong. – Kamil Maciorowski – 2017-11-20T22:00:24.843I wll try that out! – Dave Teezo – 2017-11-20T22:01:45.253
The way I see it, your question is "why is (was) the script not applied?" My attempts in comments to solve the other issue (that manifested itself after the script was renamed and applied) were out of courtesy, because there's not a single question about it; it's a separate problem for sure. Now there's an "answer" that tries to fix your
iptables
commands without addressing the explicit question; in my opinion this is formally wrong. Before I downvote the answer, please state clearly whether the question is still "why was the script not applied?" or "how to make my firewall sane?" – Kamil Maciorowski – 2017-11-20T23:59:29.803You are absolutely right, my question was mainly about getting my script to do something. That has been solved. I should open a new issues for questions regarding the actual content/sanity of my rules. THANKS for your help! – Dave Teezo – 2017-11-21T08:48:54.830