best IPTABLES configuration?

#1 Fri, 12/04/2009 - 03:05
FOBioPatel

I have installed the Virtualmin GPL on Ubuntu 8.04 and CentOS 5.4. CentOS 5.4 had IPTABLES enabled by default, and I have disabled it.

I don't think either Ubuntu 8.04 or CentOS 5.4 have any IPTABLES rules defined at the moment.

Should I be worried about enabling IPTABLES for additional security? If so, can someone please give me a quick HOW-TO on configuring either via command line or via the Virtualmin or Webmin GUI?

Off the bat I think I need:

  1. ports 80 and 443 for web pages serving via HTTP and HTTPS
  2. port 21 and a series of tcp ports for FTP (passive mode) so that I can upload stuff to the server with my favorite FTP client
  3. port 22 for SSH access which can be modified for more security.
  4. port 3306 for MySQL database server - I don't think I will ever need this though...
  5. NO IDEA WHAT I NEED - for DNS. I have configured Ubuntu 8.04 as the Master and CentOS 5.4 as the Slave, and it is working at the moment quite nicely.
  6. Ports 10000 - 10010 so Fast RPC calls can be made between the two servers.

I know I can list my existing IPTABLES with this command:

iptables -L

And that the rules below will accomplish #1 through #4 above.

# loopback is trusted; refuse packets addressed to 127.0.0.0/8 that arrive on any other interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# replies to connections this host opened (and FTP data connections, if the FTP conntrack helper is loaded)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT
# 1. HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# 4. MySQL stays closed to the outside; uncomment only if remote clients must reach it
# iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
# 2. FTP control channel plus the passive data ports configured in the FTP server
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 8001,8002,8003,8004,8005,8006,8007,8008,8009,8010 -j ACCEPT
# 3. SSH
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# ping (echo-request)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# catch-all: anything not matched above is refused, so further ACCEPT rules must be inserted before this line
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

How do I apply these rules the "right way" using Virtualmin or in the CLI (command line), and what do I need to append to these rules to allow Virtualmin (10000 to 10010) and DNS (ports??) to work...

Fri, 12/04/2009 - 08:15
andreychek

Should I be worried about enabling IPTABLES for additional security?

I've been occasionally known to go out of my way to not give a straight answer.

Which leads me to this response -- maybe, it depends on your circumstances, how important security is to you, and what exactly you're protecting :-)

Iptables adds another layer of security. I tend to prefer security in layers, and iptables is something I opt to use on servers I manage.

It's simpler to set them up on new servers, rather than live servers, as there's always the possibility that, when messing with firewall rules, you could lock yourself out of the box :-)

A few notes:

port 3306 for MySQL database server - I don't think I will ever need this though...

Most folks don't need to access MySQL remotely, and can safely keep it blocked off from the outside world.

NO IDEA WHAT I NEED - for DNS. I have configured Ubuntu 8.04 as the Master and CentOS 5.4 as the Slave, and it is working at the moment quite nicely.

You'll probably want to enable port 53, both TCP and UDP.

Also, I don't see anything in there for email, nor for mail-checking protocols such as POP/IMAP -- are you hosting that elsewhere?

Now, regarding how to add all the rules -- there's a good article on the CentOS wiki that goes into that:

http://wiki.centos.org/HowTos/Network/IPTables

Essentially, though, if you were to run all the commands you've listed above, you can run "/etc/init.d/iptables save" to save your iptables setup for next time your system reboots.

I hope that helps!

-Eric
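Putting Eric's additions together, here is the complete rule set as one script. It is an added example, not something posted in this thread or shipped by Virtualmin. It emits the rules in iptables-restore format and loads the whole table in one step, so the catch-all REJECT is always the last INPUT rule; appending the DNS and mail rules with a further `iptables -A` after an existing `-j REJECT` would put them behind the catch-all, where they never match. The passive FTP range, the Webmin port range, the mail ports, the admin network and peer server addresses (RFC 5737 documentation addresses), the rules file path, the rollback timer and the if-pre-up.d hook for Ubuntu 8.04 (which has no /etc/init.d/iptables script) are all this example's own assumptions to adjust.

```shell
#!/bin/sh
# Added example, not code from the thread: the complete rule set the thread
# arrives at, generated in iptables-restore format and loaded in one step.
# Assumptions (adjust before use):
#   PASSIVE_PORTS  passive-mode data ports; must equal the range configured in the FTP server
#   WEBMIN_PORTS   Webmin/Virtualmin UI plus its RPC port range
#   ADMIN_NET      network allowed to reach Webmin from a browser (RFC 5737 placeholder)
#   PEER_SERVER    the other Virtualmin host that makes RPC calls (RFC 5737 placeholder)
#   mail is hosted locally: SMTP 25, submission 587, POP3 110/995, IMAP 143/993
PASSIVE_PORTS="8001:8010"
WEBMIN_PORTS="10000:10010"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"
PEER_SERVER="${PEER_SERVER:-198.51.100.10}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

make_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is trusted; refuse loopback-addressed packets arriving on any other interface
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# replies to connections this host opened (DNS lookups, outbound mail, ...)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# 1. web
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# 2. FTP control channel and the passive data range
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport ${PASSIVE_PORTS} -j ACCEPT
# 3. SSH (add "-s ${ADMIN_NET}" here if you always connect from a fixed network)
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# 4. MySQL (3306) stays closed: no rule, so the catch-all below refuses it
# 5. DNS: UDP for ordinary queries, TCP for zone transfers to the slave and for large answers
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
# mail: SMTP, submission, POP3, POP3S, IMAP, IMAPS
-A INPUT -p tcp -m multiport --dports 25,587,110,995,143,993 -j ACCEPT
# 6. Webmin/Virtualmin: the peer server for RPC, the admin network for the UI
-A INPUT -p tcp -s ${PEER_SERVER} --dport ${WEBMIN_PORTS} -j ACCEPT
-A INPUT -p tcp -s ${ADMIN_NET} --dport ${WEBMIN_PORTS} -j ACCEPT
# ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# catch-all: stays last because the whole table is written at once
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# The catch-all must be the final INPUT rule; anything behind it never matches.
check_rules() {
  [ "$(make_rules | grep '^-A INPUT' | tail -n 1)" = "-A INPUT -j REJECT" ]
}

# Load the rules with a rollback timer: if the new rules cut off your SSH
# session, the firewall opens again after five minutes. Kill the printed PID
# once you have confirmed you can still log in. Policies are set to ACCEPT
# before flushing, because flushing alone under a DROP policy locks everything out.
apply_rules() {
  check_rules || { echo "catch-all is not the last INPUT rule, refusing to load" >&2; return 1; }
  make_rules > "$RULES_FILE"
  (sleep 300 && iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -F) &
  echo "rollback timer pid $!"
  iptables-restore < "$RULES_FILE"
}

# Persist across reboots. CentOS: the iptables init script saves the running
# rules to /etc/sysconfig/iptables. Ubuntu 8.04 has no such script, so reload
# the rules file from an if-pre-up.d hook instead.
persist_rules() {
  if [ -f /etc/redhat-release ]; then
    /etc/init.d/iptables save
  else
    printf '#!/bin/sh\niptables-restore < %s\n' "$RULES_FILE" > /etc/network/if-pre-up.d/iptables
    chmod +x /etc/network/if-pre-up.d/iptables
  fi
}

case "${1:-}" in
  show)  make_rules ;;                    # print the rule set for review
  apply) apply_rules && persist_rules ;;  # run as root, then kill the rollback timer
esac
```

Run `sh fw.sh show` first and read the output; `sh fw.sh apply` loads and persists it. The ESTABLISHED,RELATED rule is what lets the server's own DNS lookups and outgoing mail get their replies back, so no separate inbound rule is needed for those.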

Fri, 12/04/2009 - 10:23
FOBioPatel

Eric,

Fantastic response! Can you please do me a huge favor and correct the below chunk to include rules that will allow POP3, IMAP, SMTP, ports 10000 through 10010 for Virtualmin, and DNS 53 UDP & TCP. I suspect that is all I am missing.

I have included the iptables save line from your previous post so these settings can be retained on the reboot.

Here is my partially correct chunk which I plan on running in CLI as root, and would be eternally grateful if you could correct:

# loopback is trusted; refuse packets addressed to 127.0.0.0/8 that arrive on any other interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# replies to connections this host opened (and FTP data connections, if the FTP conntrack helper is loaded)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT
# HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# MySQL stays closed to the outside; uncomment only if remote clients must reach it
# iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
# FTP control channel plus the passive data ports configured in the FTP server
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 8001,8002,8003,8004,8005,8006,8007,8008,8009,8010 -j ACCEPT
# SSH
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# ping (echo-request)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# catch-all: anything not matched above is refused, so further ACCEPT rules must be inserted before this line
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
# CentOS only: writes the running rules to /etc/sysconfig/iptables; Ubuntu 8.04 ships no such init script
/etc/init.d/iptables save

Fri, 12/04/2009 - 11:30
ronald

this is mine.


*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o eth0 -j LOG  --log-level 7 --log-prefix BANDWIDTH_OUT:
-A FORWARD -i eth0 -j LOG  --log-level 7 --log-prefix BANDWIDTH_IN:
-A OUTPUT -o eth0 -j LOG  --log-level 7 --log-prefix BANDWIDTH_OUT:
-A INPUT -i eth0 -j LOG  --log-level 7 --log-prefix BANDWIDTH_IN:
-A INPUT -i eth1 -j LOG  --log-level 7 --log-prefix BANDWIDTH_IN:
-A INPUT -p tcp -m tcp --dport ftp -j ACCEPT
-A INPUT -p udp -m udp --dport ftp -j ACCEPT
-A INPUT -p udp -m udp --dport ftp-data -j ACCEPT
-A INPUT -p tcp -m tcp --dport ftp-data -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -p tcp -m tcp --dport smtp -j ACCEPT
-A INPUT -p udp -m udp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport http -j ACCEPT
-A INPUT -p tcp -m tcp --dport pop3 -j ACCEPT
-A FORWARD -o eth1 -j LOG  --log-level 7 --log-prefix BANDWIDTH_OUT:
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 1111 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 5080 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A INPUT -p tcp -m tcp --dport imap -j ACCEPT
-A INPUT -p tcp -m tcp --dport https -j ACCEPT
-A FORWARD -i eth1 -j LOG  --log-level 7 --log-prefix BANDWIDTH_IN:
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -o eth1 -j LOG  --log-level 7 --log-prefix BANDWIDTH_OUT:
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 10001:10011 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport imaps -j ACCEPT
-A INPUT -p tcp -m tcp --dport pop3s -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 0 -j REJECT
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
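A dump like the one above is easier to review mechanically than by eye. The following script is an added example (not ronald's rules and not generated by Webmin): it reads iptables-save output on stdin and prints each chain's policy, the ports each chain accepts in traversal order, and any rule that can never match because an unconditional ACCEPT, DROP or REJECT precedes it in the same chain, which is exactly what appending to a chain that already ends in `-j REJECT` produces. The sample dump embedded for the demo is constructed: it is the first post's rule set with the DNS rules appended after the catch-all. The check is per chain only; a jump into a user chain whose last rule is an unconditional REJECT, like RH-Firewall-1-INPUT above, also makes anything placed after the jump dead, and that case is not detected.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump.
# Reads the dump on stdin and prints
#   POLICY <chain> <policy>
#   ACCEPT <chain> <proto>/<dport>      for every ACCEPT rule, in traversal order
#   UNREACHABLE <chain>: <rule>         for rules behind an unconditional terminating rule
# Only intra-chain shadowing is checked; a jump to a user chain whose last rule is an
# unconditional REJECT also makes later rules dead, and that is not detected here.
audit_rules() {
  awk '
  /^:/ { printf "POLICY %s %s\n", substr($1, 2), $2 }
  /^-A / {
    chain = $2; target = ""; cond = 0; proto = "any"; port = "*"
    for (i = 3; i <= NF; i++) {
      if ($i == "-j") target = $(i + 1)
      else if ($i == "-p") { proto = $(i + 1); cond = 1 }
      else if ($i == "--dport" || $i == "--dports") { port = $(i + 1); cond = 1 }
      else if ($i ~ /^(-s|-d|-i|-o|--sport|--sports|--state|--ctstate|--icmp-type)$/) cond = 1
    }
    if (dead[chain]) { printf "UNREACHABLE %s: %s\n", chain, $0; next }
    if (target == "ACCEPT") printf "ACCEPT %s %s/%s\n", chain, proto, port
    if (!cond && target ~ /^(ACCEPT|DROP|REJECT)$/) dead[chain] = 1
  }'
}

# Constructed sample: the first post's rule set with the DNS rules appended
# after the catch-all REJECT, the mistake the audit is meant to catch.
sample_dump() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Helpers for checking the audit result on the sample without eyeballing it.
count_unreachable() { sample_dump | audit_rules | grep -c '^UNREACHABLE'; }
accepts_port() { sample_dump | audit_rules | grep -q "^ACCEPT INPUT $1\$"; }

case "${1:-}" in
  demo) sample_dump | audit_rules ;;
  live) audit_rules ;;            # e.g.  iptables-save | sh audit.sh live
esac
```

On the sample, the two DNS rules are reported as UNREACHABLE because the unconditional `-j REJECT` sits in front of them; on a live box, `iptables-save | sh audit.sh live` gives the same view of the running rules. The POLICY lines matter too: with an INPUT policy of ACCEPT, as in ronald's dump, everything rests on the final REJECT in the chain actually being reached.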