iptables and ufw can be used to control access to your server's ports. If you have a web server running then you will need to allow port 80 (the standard HTTP port) so that people can reach your website.
Please note, these are the standard ports; your own configuration may use different ones.
CentOS – iptables
iptables -L will list the current iptables rules
iptables -nL will list the current iptables rules with numeric addresses and port numbers instead of resolved host and service names
Allowing http (port 80)
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
The above rule inserts itself at the top of your rule list using -I INPUT 1. It means 'insert' this rule at position 1. Alternatively you can change the number 1 to any position you wish (except a number that exceeds your list length)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
The above rule opens port 80 like before, however -A appends the rule to the bottom of the list of rules.
Allowing mysql (3306) – this rule allows MySQL to be accessed remotely; you do not need this rule for local access or for a website on the same server to reach its database.
iptables -I INPUT 1 -p tcp --dport 3306 -j ACCEPT
It is VERY important to remember to save your iptables rules once you add new ones. Failure to save the rules means that they will all be lost if the server is restarted. This can mean that you are unable to access your server if you have changed the default ssh port and the rule is lost. BE CAREFUL
To save iptables rules use:
service iptables save
This should write the rules to /etc/sysconfig/iptables
Blocking a specific IP address:
BLOCK_THIS_IP="x.x.x.x"
iptables -I INPUT 1 -s "$BLOCK_THIS_IP" -j DROP
Dropping/Deleting rules:
To drop an iptables rule you will need to know the number of the rule in the list; you can either count the lines or add --line-numbers to your normal listing command. E.g.: iptables -nL --line-numbers
Once you know the line number you can delete the rule using:
iptables -D INPUT #
Replace the # with the rule number you would like to drop
iptables policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
SSH Rules:
Allow ssh from a specific network:
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
mysql
Allow mysql from a specific network:
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
Help prevent a DDoS:
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
- -m limit: this uses the limit iptables extension
- --limit 25/minute: this allows a maximum of 25 connections per minute. Change this value based on your specific requirements
- --limit-burst 100: this value indicates that the per-minute limit will be enforced only after the total number of connections has reached the limit-burst level
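The policy and rate-limit rules above depend on the order of the rest of the ruleset: if the DROP policies are set before SSH has been allowed, a remote session is cut off, and an ACCEPT with -m limit simply stops matching once the limit is hit, so the excess falls through to whatever rule comes next rather than being dropped. The limit match also counts packets, not connections, so it belongs after the rule that accepts ESTABLISHED traffic. The script below is added here as an example and is not part of the original guide: it prints the rules from this page in a safe order (loopback and established traffic first, policies last, save at the end) and puts a DROP behind the rate-limited ACCEPT. The admin network 192.168.100.0/24, the interface eth0 and the 25/minute, burst 100 figures come from the page's own examples; the function names, the DNS output rules and the --apply switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page: emit the iptables rules from this
# guide in an order that cannot lock out the session applying them. The
# commands are printed for review; run with --apply (as root) to execute them.
# Assumed values: admin network and interface follow the page's SSH example.

ADMIN_NET="${ADMIN_NET:-192.168.100.0/24}"   # assumed admin network
IFACE="${IFACE:-eth0}"                        # assumed interface

build_ruleset() {
    # 1. Loopback and already-established traffic first: with these in place
    #    the DROP policies set at the end cannot cut off the shell you are in.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # 2. New SSH connections only from the admin network (the page's rule;
    #    the reply direction is already covered by the ESTABLISHED rule).
    echo "iptables -A INPUT -i $IFACE -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -j ACCEPT"

    # 3. HTTP rate limit. Only new connection attempts reach this rule, since
    #    ESTABLISHED packets were accepted above. The ACCEPT matches while the
    #    limit has tokens; the DROP right after it catches the excess, which
    #    would otherwise fall through to later rules.
    echo "iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 80 -j DROP"
    echo "iptables -A INPUT -p tcp --dport 443 -j ACCEPT"

    # 4. With OUTPUT policy DROP the server cannot start its own connections
    #    (DNS lookups, package updates) unless allowed; DNS shown as the pattern.
    echo "iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT"

    # 5. Default policies only after every allow rule is in place.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"

    # 6. Persist, otherwise a reboot discards everything above.
    echo "service iptables save"
}

# The page's block-an-address rule, inserted at position 1 so it is evaluated
# before every ACCEPT in the chain.
block_ip() {
    printf 'iptables -I INPUT 1 -s "%s" -j DROP\n' "$1"
}

# Sanity check run before applying: the INPUT DROP policy must come after the
# SSH allow rule, or a remote session would be cut off. Returns 0 when safe.
policies_follow_allows() {
    rules=$(build_ruleset)
    ssh_line=$(printf '%s\n' "$rules" | grep -n -- '--dport 22' | cut -d: -f1)
    policy_line=$(printf '%s\n' "$rules" | grep -n -- '-P INPUT DROP' | cut -d: -f1)
    [ "$ssh_line" -lt "$policy_line" ]
}

if [ "${1:-}" = "--apply" ]; then
    policies_follow_allows && build_ruleset | sh
else
    build_ruleset
fi
```

Run it without arguments to see the exact commands in order, check them with `iptables -nL --line-numbers` after applying, and remember that the final `service iptables save` is what makes the set survive a reboot.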
Ubuntu – ufw (uncomplicated firewall)
ufw is a lot easier to use AND the rules are automatically saved when you enter them
ufw status – this will show the current rules
ufw allow 80 – this will allow http
ufw allow 443 – this allows https (SSL) traffic
ufw allow 3306 – this will allow mysql access remotely
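The ufw commands above open each port to the whole internet. The following script, added here as an example and not part of the original guide, shows the ufw equivalents of the source-restricted SSH and MySQL rules from the iptables section, together with a default-deny policy and the ufw counterpart of the block-an-address rule. The admin network 192.168.100.0/24 is taken from the page's iptables examples; the function names and the --apply switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page: express the same policy as the
# iptables section with ufw. Commands are printed for review; run with
# --apply (as root) to execute them. ufw stores the rules itself, so no
# separate save step is needed.

ADMIN_NET="${ADMIN_NET:-192.168.100.0/24}"   # assumed admin network

ufw_ruleset() {
    # Default policies first: incoming denied, outgoing allowed.
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # Source-restricted rules: a plain 'ufw allow 22' would open SSH to everyone.
    echo "ufw allow from $ADMIN_NET to any port 22 proto tcp"
    echo "ufw allow from $ADMIN_NET to any port 3306 proto tcp"
    # Web ports stay open to all.
    echo "ufw allow 80/tcp"
    echo "ufw allow 443/tcp"
    # Activate last, after the SSH allow exists; ufw's built-in rules accept
    # established connections, so the current session stays up.
    echo "ufw enable"
}

# Equivalent of 'iptables -I INPUT 1 -s x.x.x.x -j DROP': 'insert 1' places the
# deny ahead of every allow, which matters because ufw, like iptables, acts on
# the first matching rule.
ufw_block_ip() {
    echo "ufw insert 1 deny from $1"
}

if [ "${1:-}" = "--apply" ]; then
    ufw_ruleset | sh
else
    ufw_ruleset
fi
```

To remove a rule later, `ufw status numbered` lists the rules with their positions and `ufw delete <number>` removes one, the same workflow as `iptables -nL --line-numbers` followed by `iptables -D INPUT <number>`.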
Please see the fail2ban guide for information on whitelisting and blacklisting IP addresses on your server.