What are the essential firewall configurations for a newly live CentOS web server?

1

1

I've newly got a CentOS server from Linode.com which I'm using as an Apache web server with the LAMP stack.

I notice that the firewall is enabled by default but doesn't seem to have any active rules.

What should I do in this case?

Should I block all traffic then selectively allow only port 80 and 443 for my web server?

Are there any "firewall templates" or essential firewall rule guides out there?

WackGet

Posted 2013-05-02T03:33:21.457

Reputation: 366

Answers

2

You should block all & selectively allow which ports you need to. Luckily, if you accidentally lock yourself out, you can access your Linode via the Lish console to flush any errant firewall rules.

Here are some of the firewall configurations I regularly use:

Allowing SSH, HTTP, HTTPS

iptables -A INPUT -p tcp -m multiport --destination-ports 22,80,443 -j ACCEPT
# Match loopback by interface rather than by source address: a 127.0.0.1/24
# source match is an odd mask and can be spoofed on other interfaces.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

If you need to allow FTP, include port 21 (for passive connections you may need to define an additional port range; I use 21000-21100):

iptables -A INPUT -p tcp -m multiport --destination-ports 21,22,80,443,21000:21100 -j ACCEPT
# Loopback by interface, as above.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

For some reason, I have also found I'm unable to send mail using sendmail, exim, etc. unless I open up port 25 (your mail config would typically be set up to only accept email being sent from the local server):

iptables -A INPUT -p tcp -m multiport --destination-ports 21,22,25,80,443,21000:21100 -j ACCEPT
# Loopback by interface, as above.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

In order to flush your rules to start over without locking yourself out, use the following set of commands:

iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
iptables -F

To view your current firewall rules & statistics, you can use the following command:

iptables -L -nv

Also don't forget to save your rules & make sure IPTables starts up on reboot.

mattw

Posted 2013-05-02T03:33:21.457

Reputation: 581
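A lockout-safe way to apply the "block all, allow SSH/HTTP/HTTPS" ruleset from this answer, written here as an added example rather than the answerer's own script. It assumes CentOS 6 with the iptables init script (so `service iptables save` persists the rules); the port list, the passive FTP range and the IPT variable are constructed defaults. It is a dry run by default and only executes iptables when invoked with `apply`:

```shell
#!/bin/sh
# Builds the ruleset in an order that never locks out the current SSH session:
# policies go to ACCEPT before the flush, DROP is set only after the allow rules.
set -eu

# Constructed defaults (assumptions, adjust to taste). FTP ports are only
# added when FTP=1; FTP_PASV is the passive data range from the answer.
TCP_PORTS="${TCP_PORTS:-22,80,443}"
FTP="${FTP:-0}"
FTP_PASV="${FTP_PASV:-21000:21100}"
IPT="${IPT:-echo iptables}"   # "echo iptables" prints, "iptables" applies

# Returns the comma-separated port list for the multiport match.
port_list() {
    if [ "$FTP" = "1" ]; then
        printf '21,%s,%s\n' "$TCP_PORTS" "$FTP_PASV"
    else
        printf '%s\n' "$TCP_PORTS"
    fi
}

# Emits (dry run) or executes (apply) the complete INPUT/FORWARD ruleset.
build_ruleset() {
    $IPT -P INPUT ACCEPT          # open up first so a re-run cannot lock us out
    $IPT -P FORWARD ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD
    # Loopback by interface, not by 127.0.0.1/24 source address: an interface
    # match cannot be spoofed from outside, a source-address match can.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -m multiport --dports "$(port_list)" -j ACCEPT
    $IPT -P INPUT DROP            # default-deny goes last
    $IPT -P FORWARD DROP
}

if [ "${1:-dry-run}" = "apply" ]; then
    IPT=iptables
    build_ruleset
    service iptables save         # CentOS 6: persist across reboots
else
    build_ruleset
fi
```

Run it once without arguments and read the printed commands; if they look right, run `sh firewall.sh apply` as root from the Lish console or an SSH session, then confirm the session still works before closing it. The FTP=1 variant reproduces the answer's second ruleset, with the passive range included in the same multiport match.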

1

If you block all traffic, the box will go dead in a heartbeat (at least to you).

Research which ports you need for the services you are using (as well as the services you aren't using but which are still essential, such as BIND).

The common essential ports for a server are:

22 TCP (SSH, but you should change this)
21 TCP (FTP, but this is insecure. Use SFTP on the SSH port.)
80, 443 TCP (HTTP/S)
53 UDP (DNS)
# use iptables -A INPUT -p (udp|tcp) --dport=$PORT -j ACCEPT

You should block common attack vectors with your firewall too, such as SYN flooding (TCP's handshake is SYN-SYN-ACK, with the latter SYN being a combination). Block unestablished connections that try to SYN-ACK, but accept established ones.

/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Also, do not block ping (ICMP). You cannot be pinged to death through ICMP; it would be far more effective to use TCP, and you have port 80 and 443 open.

# Allow ICMP
/sbin/iptables -A INPUT -i eth0 -p icmp -j ACCEPT

Once you have all of the services you need, block all of the remaining traffic. You should also consider having complete access on localhost if you have full access to your box and you know what is running on it.

/sbin/iptables -A INPUT -i lo -j ACCEPT

And if you have IPv6, do not forget to do the same as the above with ip6tables. Nearly everyone forgets this for some reason.

Amelia

Posted 2013-05-02T03:33:21.457

Reputation: 166
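Both answers agree on a handful of invariants: default-deny policies, loopback accepted, established/related accepted, INVALID dropped, ICMP left open, and the same done again for ip6tables. The audit below is an added example, not code from either answerer; it checks those invariants against an `iptables -S`-style dump. The two sample dumps are constructed: a sane IPv4 table and the "forgot ip6tables" case where every policy is still ACCEPT:

```shell
#!/bin/sh
# Audits an iptables -S / ip6tables -S dump for the essentials both answers
# describe. Usage on a live box:  iptables -S | sh audit.sh stdin
#                                  ip6tables -S | sh audit.sh stdin
# Exit status is the number of failed checks (0 = everything present).
set -eu

# One check: $1 = description, $2 = extended regex the dump must match.
check() {
    if printf '%s\n' "$DUMP" | grep -Eq -- "$2"; then
        echo "PASS: $1"
    else
        echo "FAIL: $1"
        return 1
    fi
}

# Runs every check against the dump passed as $1; returns the failure count
# (also left in $failures).
audit_dump() {
    DUMP="$1"
    failures=0
    check "INPUT policy is DROP" '^-P INPUT DROP$' || failures=$((failures+1))
    check "FORWARD policy is DROP" '^-P FORWARD DROP$' || failures=$((failures+1))
    check "loopback accepted by interface" '^-A INPUT -i lo -j ACCEPT$' \
        || failures=$((failures+1))
    check "established/related accepted" \
        '^-A INPUT -m (state --state|conntrack --ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT$' \
        || failures=$((failures+1))
    check "INVALID packets dropped" '^-A INPUT -m conntrack --ctstate INVALID -j DROP$' \
        || failures=$((failures+1))
    check "ICMP not blocked" '^-A INPUT( -i [a-z0-9]+)? -p (icmp|ipv6-icmp) -j ACCEPT$' \
        || failures=$((failures+1))
    return "$failures"
}

# Constructed sample: an IPv4 table built along the lines of the two answers.
SAMPLE_V4='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT'

# Constructed sample: ip6tables never touched, so IPv6 is wide open.
SAMPLE_V6='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

if [ "${1:-}" = "stdin" ]; then
    audit_dump "$(cat)"
else
    echo "== IPv4 sample =="
    audit_dump "$SAMPLE_V4" || echo "$? check(s) failed"
    echo "== IPv6 sample =="
    audit_dump "$SAMPLE_V6" || echo "$? check(s) failed"
fi
```

The regexes accept both the `-m state` spelling from the first answer and the `-m conntrack` spelling from the second, and either order of `RELATED,ESTABLISHED` (which is how `iptables -S` prints it back). Running the audit against `ip6tables -S` is the quick way to catch the forgotten-IPv6 case the second answer warns about.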