What is iptables?
A simple wiki definition goes as “iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.”
It is a tool that allows sysadmins to manipulate the Linux kernel firewall for security. I have used iptables to secure a web server from any anomalies that may come from intruders.
Before proceeding to the iptables firewall, please follow the basic server configuration guide, which covers the basic security settings:
Linux Server Configuration Best Practices
Basic rules, only open port 22 (ssh), 80 (http) and 443 (https)
You can write a similar script and run it when the server boots.
iptables -F
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -P INPUT DROP
This example closes all ports except the SSH and web ports. However, it does not block brute-force attacks. Let's move on and add some more rules that only permit a certain number of new connections to the server from any single IP address.
Stop brute force attacks
Add these lines after the rules above.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j DROP
iptables -P INPUT DROP
Let's verify now and run: sudo iptables -L
This is the output:
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: UPDATE seconds: 600 hit_count: 2 name: DEFAULT side: source
           tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW recent: SET name: DEFAULT side: source
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
The first two rules in the iptables -L output are the tricky part. Note that -I inserts each rule at the top of the chain, so the second command we ran ends up above the first, which is the order the listing shows.
This line:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
records, in the recent module's list (named DEFAULT), every IP address that opens a new connection to the SSH port.
And this one:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
    --update --seconds 600 --hitcount 2 -j DROP
counts the new connections that IP has made to our server within a 600-second window. Once two connections (the hit count) have been seen in that window, the server drops any further connection from that IP for 600 seconds. Because --update also refreshes the entry's timestamp on every dropped attempt, the block lasts until the IP has been quiet for 600 seconds.
You can change the values as necessary. Keep in mind that with a hit count of 2, an administrator who opens several SSH sessions in quick succession from the same address is blocked as well.
For ports 80 and 443, add the rules below:
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 60/minute --limit-burst 5 -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m limit --limit 60/minute --limit-burst 5 -j ACCEPT
Note that these rules are inserted above the unconditional ACCEPT rules for ports 80 and 443 from the first script. A new connection that exceeds the limit does not match the limit rule and falls through to those rules, where it is still accepted. For the limit to take effect, replace the unconditional ACCEPT rules for 80 and 443 with the rate-limited ones, so that excess connections reach the DROP policy instead.
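Putting the pieces together, here is a script, added for this article and not the original post's own script, that applies the rules from the sections above in an order where the SSH and web limits actually take effect: the rate-limited ACCEPT rules stand in for the unconditional ones, so anything over the limit falls through to the DROP policy. It assumes the public interface is eth0 and SSH listens on port 22 (set WAN_IF and SSH_PORT if not). Run without arguments it only prints the iptables commands it would execute; run as root with --apply it installs them.

```shell
#!/bin/sh
# Added example, not the original post's script: applies the rules from the
# sections above in an order where the limits take effect.
# Assumptions (not from the post): public interface eth0, SSH on port 22.
WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
SSH_WINDOW=600            # seconds the recent module remembers a source
SSH_HITS=2                # new SSH connections allowed per source in that window
WEB_RATE="60/minute"      # sustained rate of new HTTP/HTTPS connections
WEB_BURST=5               # short burst allowed above that rate
DRY_RUN=1                 # print instead of apply unless --apply is given

# ipt runs one iptables command, or prints it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Flush first so the script can be re-run without duplicating rules.
    ipt -F

    # Loopback traffic and replies to connections we initiated.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH, rule 1: a source that already has SSH_HITS new connections recorded
    # within SSH_WINDOW seconds is dropped; --update refreshes its timestamp,
    # so the block lasts until the source stays quiet for SSH_WINDOW seconds.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --update --seconds "$SSH_WINDOW" --hitcount "$SSH_HITS" -j DROP
    # SSH, rule 2: otherwise record the source and accept the connection.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --set -j ACCEPT

    # HTTP/HTTPS: accept new connections only within the limit. There is no
    # unconditional ACCEPT for these ports, so excess connections reach the
    # DROP policy instead of being accepted by a later rule.
    for port in 80 443; do
        ipt -A INPUT -p tcp --dport "$port" -m state --state NEW \
            -m limit --limit "$WEB_RATE" --limit-burst "$WEB_BURST" -j ACCEPT
    done

    # Default policy last, so the ACCEPT rules are in place when it kicks in.
    ipt -P INPUT DROP
}

if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
fi
apply_rules
```

Run it once with no arguments to review the generated rules, then with --apply. Since it starts with a flush, re-running it is safe, and the saved copy made in the next section stays in step with what the script produces.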
Make it automatic
In Debian/Ubuntu run:
sudo /etc/init.d/iptables save
In Arch Linux run:
sudo /etc/rc.d/iptables save
And add iptables to the daemons section of the /etc/rc.conf file.
Logging the connections
If you want to keep a log of the blocked connections, add the rule:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j LOG
The LOG target does not stop rule processing, so the DROP rule below it still blocks the attempt. You can see the log lines you just enabled in /var/log/messages or /var/log/iptables.log, depending on your Linux distribution.
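Once the LOG rule is active, the kernel writes one line per matched packet. As an added example that is not part of the original post, the shell functions below read such a log and count, per source address, the attempts logged against the SSH port, so the sources being rate-limited stand out. The sample lines are constructed for this example: the addresses come from the RFC 5737 documentation ranges, the hostname, MAC and timestamps are made up, and the field layout is the one the LOG target emits when no --log-prefix is set.

```shell
#!/bin/sh
# Added example, not from the original post: summarise kernel LOG lines from
# the SSH rule above by source address.
# Constructed sample log (documentation addresses; host, MAC and timestamps
# are made up). Lines 1, 2 and 4 are one source hitting SSH three times,
# line 3 is another source, line 5 is port 80, line 6 is not a LOG line.
SAMPLE_LOG='Mar  3 10:15:01 web kernel: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5123 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web kernel: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5124 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:07 web kernel: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.0.2.77 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:09 web kernel: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5125 DF PROTO=TCP SPT=40124 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:16:00 web kernel: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.0.2.77 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9002 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:16:05 web sshd[2211]: Accepted publickey for admin from 203.0.113.5 port 50022 ssh2'

# count_logged_sources reads syslog text on stdin and prints "count source"
# for every address that appears in a kernel LOG line for TCP port $1
# (default 22), busiest source first.
count_logged_sources() {
    awk -v port="${1:-22}" '
        /kernel: / && /SRC=/ && /PROTO=TCP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt == port) count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# sources_at_least reads count_logged_sources output on stdin and prints only
# the addresses whose count reaches the threshold $1.
sources_at_least() {
    awk -v min="$1" '$1 >= min { print $2 }'
}

# Stand-alone run: SSH summary from the constructed sample, then the sources
# that were logged at least twice.
printf '%s\n' "$SAMPLE_LOG" | count_logged_sources 22
printf '%s\n' "$SAMPLE_LOG" | count_logged_sources 22 | sources_at_least 2
```

Against a real log, feed the file instead of the sample: count_logged_sources 22 < /var/log/messages (or the file your distribution uses). With the rule from this section, every logged line is an attempt that the DROP rule then blocked, so a source with a high count is one that kept retrying while already blocked.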
Nice practical example of an iptables firewall. Thanks!
Just wondering if there is a graphical interface for it.
Regards,
Where to get the iptables application?
It is installed on any Linux by default.
Thanks, Iris Pereira for kijush.com.np