
I am starting to build a web server for a project at work and I am going from the bottom to the top. After reading a lot (watching some YouTube videos, etc.), I came up with a script, or rather a procedure, to apply some starter iptables rules for a Debian 8.5 or Ubuntu 14.04 LTS server.

I would love to show you the code here and get some recommendations and replies from you on whether I am doing something wrong or what else I have to add so I can make the firewall act better.

My questions are:

1: Are the script and procedure OK?

2: Since I am blocking everything by default on the OUTPUT chain but leaving some ports on ACCEPT, will I have any problem updating my server?

3: What other implementations do I have to apply so that iptables performs better, like dropping port scanners, etc.?

Thanks a lot for your time.

Here is the code we created, named firewall.sh:

#!/bin/sh

#We flush all the previous rules we had in iptables
iptables -F

#Policies - We need to DROP everything
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

#Established Connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Loopback Authorization
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#Ping Enable
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

#SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

#HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

We need to make this script run when the server reboots:

sudo mv firewall.sh /etc/init.d
cd /etc/init.d
sudo mv firewall.sh firewall
sudo chmod +x firewall
sudo update-rc.d firewall defaults
Cloud063

1 Answer


The script is OK for adding rules... I wouldn't call it each time you start the system. If you want these rules to persist after a reboot, I would recommend using iptables-persistent. You can install it by running the command below:

sudo apt-get install iptables-persistent

For established connections, you may simply use this:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Also, you have the ability to add multiple ports for the TCP protocol within a single line if you wish; however, the way you are doing it now will work just fine. For example:

sudo iptables -A INPUT -p tcp -m multiport --dports 80,443,8080:8082,26900 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --sports 80,443,8080:8082,26900 -j ACCEPT

I would also look at opening port 53 for DNS, as your lookups could fail when updating packages, depending on your repo settings. I use this:

# DNS replies coming back from the resolver (port 53) to the client's ephemeral port
sudo iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
# DNS queries going out from the client's ephemeral port to the resolver (port 53)
sudo iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -j ACCEPT

NGX
  • Really appreciate your reply, so if I got it correctly, – Cloud063 Sep 09 '16 at 14:16
  • Really appreciate your reply, so if I got it correctly, I can remove `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` and `iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` and replace them with the single line `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` – Cloud063 Sep 09 '16 at 14:18
  • And what about ip6tables? Shouldn't I do something about it, or can I leave those iptables as they are? – Cloud063 Sep 09 '16 at 14:20
  • Yes, you can replace both rules with the single rule. Regarding ip6tables, it would depend on the system you are running. A lot of virtual machines do not have access to that due to kernel restrictions, and if you do have access, unless you are using IPv6, I would simply disable it. – NGX Sep 09 '16 at 14:51
  • Any practical idea how to disable it? sysctl.conf already has IPv6 disabled, but `sudo apt-get install iptables-persistent` asks about IPv6. Again, thanks for the fast reply. – Cloud063 Sep 09 '16 at 15:00
  • To disable IPv6, open `/etc/sysctl.conf` with any text editor and insert the following lines at the end: `net.ipv6.conf.all.disable_ipv6 = 1` `net.ipv6.conf.default.disable_ipv6 = 1` `net.ipv6.conf.lo.disable_ipv6 = 1` If IPv6 is still not disabled, the problem is that sysctl.conf has not been applied yet. To solve this, open a terminal (Ctrl+Alt+T) and type the command `sudo sysctl -p` – NGX Sep 09 '16 at 15:03
  • You will see this in the terminal: `net.ipv6.conf.all.disable_ipv6 = 1` `net.ipv6.conf.default.disable_ipv6 = 1` `net.ipv6.conf.lo.disable_ipv6 = 1` After that, if you run `cat /proc/sys/net/ipv6/conf/all/disable_ipv6` it will report `1`. If you see `1`, IPv6 has been successfully disabled. – NGX Sep 09 '16 at 15:04
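The points raised in the question and answer (a default-DROP OUTPUT chain that still lets apt update, conntrack instead of the state match, DNS for lookups, and something that slows down port scanners and SSH brute forcing) come together in the script below. It is an added example, not the poster's firewall.sh or NGX's rules: the `apply` argument, the `IPT` override for a dry run, and the `recent` threshold of 5 new SSH connections per 60 seconds are my own assumptions.

```shell
#!/bin/sh
# Added example, not the poster's firewall.sh: a tightened version of the same
# ruleset. Set IPT="echo iptables" to print the rules instead of applying them.
IPT=${IPT:-iptables}

apply_rules() {
    # Flush rules, delete user-defined chains and zero counters (filter table)
    $IPT -F
    $IPT -X
    $IPT -Z
    # Default-deny on every chain
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Replies to allowed traffic, in both directions. The OUTPUT rule is still
    # needed: without it the server's own replies to SSH/HTTP clients are dropped.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Drop packets conntrack cannot classify (malformed or out-of-state)
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Loopback
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Ping: accept echo-request only, rate limited; replies count as ESTABLISHED
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    $IPT -A OUTPUT -p icmp -j ACCEPT
    # SSH in, with a brake on scanners and password guessing: a source that
    # opens more than 4 new connections within 60 s is dropped (assumed threshold)
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Web server
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    # Outbound: DNS (UDP and TCP), HTTP/HTTPS for apt, NTP
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 123 -j ACCEPT
    # Log what falls through before the policy drops it (rate limited)
    $IPT -A INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables-drop: "
}

# Usage: sh firewall.sh apply                       -> apply the rules (needs root)
#        IPT="echo iptables" sh firewall.sh apply   -> print the rules only
case "${1:-}" in apply) apply_rules ;; esac
```

The same function run with `IPT=ip6tables` covers IPv6 as well, except for the two ICMP lines, which use `-p ipv6-icmp` there; save the result with iptables-persistent as the answer suggests.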