Now I write some rules, for hardening iptables. From default policy “accept” everything to “drop” everything except something I want to accept. This setup was made on Server Ubuntu 18.04.2 LTS.<\/p>\n\n\n\n
This post is related to and made from sites: <\/p>\n\n\n\n
https:\/\/help.ubuntu.com\/community\/IptablesHowTo<\/p>
https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-0<\/p><\/blockquote>\n\n\n\n
By default, we can see, that everything is allowed:<\/p>\n\n\n\n
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination <\/pre>\n\n\n\nSo we start with allowing established sessions to receive traffic:<\/p>\n\n\n\n
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT<\/pre>\n\n\n\n-A INPUT<\/strong>: The
-A<\/code> flag appends<\/em> a rule to the end of a chain. This is the portion of the command that tells iptables that we wish to add a new rule, that we want that rule added to the end of the chain, and that the chain we want to operate on is the INPUT chain.<\/p><\/blockquote>\n\n\n\nAnd now, we can allow specific port or service, which we want to allow:<\/p>\n\n\n\n
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport https -j ACCEPT<\/pre>\n\n\n\nAnd now, we block everything else commint to us:<\/p>\n\n\n\n
iptables -A INPUT -j DROP<\/pre>\n\n\n\nNow we can see our input chain in firewall:<\/p>\n\n\n\n
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
DROP all -- anywhere anywhere <\/pre>\n\n\n\nNow we must add some rule for loopback. because we block it now. If we add it right now with above command, we add it at the end of chain (after drop all). So all traffic will be blocked. We must add it at the begining of this chain:<\/p>\n\n\n\n
iptables -I INPUT 1 -i lo -j ACCEPT<\/pre>\n\n\n\n-I INPUT 1<\/strong>: The
-I<\/code> flag tells iptables to insert<\/em> a rule. This is different than the-A<\/code> flag which appends a rule to the end. The-I<\/code> flag takes a chain and the rule position where you want to insert the new rule.<\/p>-i lo<\/strong>: This component of the rule matches if the interface that the packet is using is the “lo” interface. The “lo” interface is another name for the loopback device. This means that any packet using that interface to communicate (packets generated on our server, for our server) should be accepted.<\/p><\/blockquote>\n\n\n\n
And now we can see it:<\/p>\n\n\n\n
iptables -L
\nChain INPUT (policy ACCEPT)
\ntarget prot opt source destination
\nACCEPT all -- anywhere anywhere
\nACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
\nACCEPT tcp -- anywhere anywhere tcp dpt:ssh
\nACCEPT tcp -- anywhere anywhere tcp dpt:http
\nACCEPT tcp -- anywhere anywhere tcp dpt:https
\nDROP all -- anywhere anywhere <\/pre>\n\n\n\nThe first and the last lines looks very similar, so use the variable -v (verbose) os -S (list rules). See<\/p>\n\n\n\n
iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
287 46814 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
211 45230 DROP all -- any any anywhere anywhere <\/pre>\n\n\n\niptables -S
\n-P INPUT ACCEPT
\n-P FORWARD ACCEPT
\n-P OUTPUT ACCEPT
\n-A INPUT -i lo -j ACCEPT
\n-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
\n-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
\n-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
\n-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
\n-A INPUT -j DROP<\/pre>\n\n\n\nNow we have five rules to ACCEPT packets, which we want. The we have the sixth rule for DROP all another packets. <\/p>\n\n\n\n
The policy DROP everything can be done by two ways. We have the first way (Default policy of chain is ACCEPT everything. Our five rules catch certain packets and at the end we have the sixth rule to DROP all packet which catch all other remain packets). In case of breaking firewall, or accidentally flush our rules, we still can connect to our server (by default chain policy ACCEPT).<\/p>\n\n\n\n
The second way is set default chain policy to DROP, and set our five rules first. So if packets are catch by one of this rules, is ACCEPTed. Then it is DROPPEd by default. There is a possibility, that if we flush our firewall rules, we never reach our server from network because the default chain policy is DROP. So first, we need the rules like above mentioned except the DROP rule. And then, at the end, change the default chain policy by command:<\/p>\n\n\n\n
iptables -P INPUT DROP\n<\/pre>\n\n\n\nAnd now look at this way of firewall:<\/p>\n\n\n\n
iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<\/pre>\n\n\n\nSo we can see, that we DROP all packet, we want and ACCEPT packets we want. It can be done by this two ways. So pick one, which you want. I prefer the second way, because I have another access to server (via console-keyboard connected directly to server). So if something go wrong, I am still be able to connect it.<\/p>\n\n\n\n
So if you choose the first way, you must add others rules before the DROP rule, because it will be matched by this rule. Like the loopback rule, you must insert it somewhere before the DROP rules. See the lines:<\/p>\n\n\n\n
iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
3 ACCEPT tcp -- anywhere anywhere tcp dpt:http
4 ACCEPT tcp -- anywhere anywhere tcp dpt:https
5 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
6 DROP all -- anywhere anywhere<\/pre>\n\n\n\nAnd now we can add another rule somewhere in the middle:<\/p>\n\n\n\n
iptables -I INPUT 6 -p tcp --dport 5666 -j ACCEPT<\/pre>\n\n\n\nAnd we see it:<\/p>\n\n\n\n
iptables -L --line-numbers
\nChain INPUT (policy ACCEPT)
\nnum target prot opt source destination
\n1 ACCEPT all -- anywhere anywhere
\n2 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
\n3 ACCEPT tcp -- anywhere anywhere tcp dpt:http
\n4 ACCEPT tcp -- anywhere anywhere tcp dpt:https
\n5 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
\n6 ACCEPT tcp -- anywhere anywhere tcp dpt:nrpe
\n7 DROP all -- anywhere anywhere<\/pre>\n\n\n\nFor save this rules and set it persistant after reboot, I use package:<\/p>\n\n\n\n
apt-get install iptables-persistent<\/pre>\n\n\n\nDuring installation you will be asked for some questions, like save this rules for permanent use and load next boot. If you haven’t yet, never mind. You can do it later with this:<\/p>\n\n\n\n
iptables-save -c > \/etc\/iptables\/rules.v4<\/pre>\n\n\n\n<\/p>\n ","protected":false},"excerpt":{"rendered":"
Now I write some rules, for hardening iptables. From default policy “accept” everything to “drop” everything except something I want to accept. This setup was made on Server Ubuntu 18.04.2 LTS. This post is related to and made from sites: https:\/\/help.ubuntu.com\/community\/IptablesHowTo https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-0 By default, we can see, that everything is allowed: iptables -L Chain INPUT … Continue reading Hardening iptables from “ACCEPT all” to “DROP all”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[107,106,103,104,105,35,60],"class_list":["post-453","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-accept","tag-drop","tag-firewall","tag-iptables","tag-security","tag-server","tag-ubuntu"],"_links":{"self":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts\/453","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=453"}],"version-history":[{"count":10,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts\/453\/revisions"}],"predecessor-version":[{"id":466,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts\/453\/revisions\/466"}],"wp:attachment":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=453"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=453"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=453"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}